Skip to content

APISIX Consumer Naming Conflict with Hyphenated Namespaces #2379

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lkoniecz opened this issue Apr 6, 2025 · 0 comments
Open

APISIX Consumer Naming Conflict with Hyphenated Namespaces #2379

lkoniecz opened this issue Apr 6, 2025 · 0 comments

Comments

@lkoniecz
Copy link

lkoniecz commented Apr 6, 2025
edited
Loading

Current Behavior

If both the namespace and the consumer have hyphens, plugin does not work at all, for instance: namespace kube-system and comsumer jack-sparrow result in the following entry:

"list": [
      {
          "createdIndex": 266984,
          "modifiedIndex": 266984,
          "key": "/apisix/consumers/kube_system_jack_sparrow",
          "value": {
              "create_time": 1743951405,
              "labels": {
                  "managed-by": "apisix-ingress-controller"
              },
              "plugins": {
                  "key-auth": {
                      "key": "v1-api-key"
                  }
              },
              "username": "kube_system_jack_sparrow",
              "desc": "Created by apisix-ingress-controller, DO NOT modify it manually",
              "update_time": 1743951405
          }
      }

every request to the route with applied consumer-restriction is rejected with 401, {"message":"The consumer_name is forbidden."}

On top of that, APISIX currently flattens consumer names by replacing hyphens with underscores. However, this implementation doesn't properly handle hyphenated namespace names, leading to potential naming conflicts. For example, consider these two valid consumers:

  1. Consumer consumer1 in namespace foo-bar becomes foo_bar_consumer1
  2. Consumer bar-consumer1 in namespace foo would also become foo_bar_consumer1

The controller does not reject it, but blindly reconciles the consumer updating the entry even though the data comes from a different custom resource

There are few issues related to the problem:

however no real solution was provided

Expected Behavior

I expect the first scenario to work normally. I cannot control namespaces names, so the only workaround I found is to use consumer names without an underscore in its name.

For the second issue I would expect the controller not to reconcile the other ApisixConsumer as it would conflict with existing one.

Error Logs

No response

Steps to Reproduce

apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  http:
    - name: some-route
      match:
        hosts:
          - localhost
        paths:
          - /api/v1
      backends:
        - serviceName: simple-http-server
          servicePort: 80
      authentication:
        enable: true
        type: keyAuth
        keyAuth:
          header: x-api-key
      plugins:
        - name: consumer-restriction
          enable: true
          config:
            whitelist:
              - my_namespace_some_consumer
---
apiVersion: apisix.apache.org/v2
kind: ApisixConsumer
metadata:
  name: some-consumer
  namespace: my-namespace
spec:
  authParameter:
    keyAuth:
     value:
      key: some-api-key

just kubectl apply -f this and notice 401s

Environment

  • APISIX Ingress controller version 1.8
  • Kubernetes cluster version 1.30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lkoniecz