auth_password in redisproxy working as inline_string but not with filename (seems CRLF issue) #36092

Open
saurabh256 opened this issue Sep 12, 2024 · 1 comment

saurabh256 commented Sep 12, 2024

Title: auth_password in redisproxy working as inline_string but not with filename (seems CRLF issue)

Description:

When using inline_string for the password, I am able to connect to the Redis upstream server, but when I use the same password by putting it in a file, it does not work and an authentication error is returned to the calling service.

Repro steps:

Include sample requests, environment, etc. All data and inputs
When the password in the file has partial termination, it works; with proper termination, it does not work. I have noticed the same issue on my MacBook (Envoy running in a container) and in an actual OpenShift Kubernetes environment. So this may not be specific to Mac OS.

Config:
```yaml
static_resources:
  listeners:
  - name: redis_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 1999
    filter_chains:
    - filters:
      - name: envoy.filters.network.redis_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.redis_proxy.v3.RedisProxy
          stat_prefix: egress_redis
          settings:
            op_timeout: 5s
          prefix_routes:
            catch_all_route:
              cluster: redis_cluster

  clusters:
  - name: redis_cluster
    connect_timeout: 1s
    type: strict_dns
    load_assignment:
      cluster_name: redis_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: redis.host
                port_value: 6379
    typed_extension_protocol_options:
      envoy.filters.network.redis_proxy:
        "@type": type.googleapis.com/google.protobuf.Struct
        value:
          auth_password:
            #inline_string: "XXXXXXXX"
            filename: "/etc/redis_password"
          auth_username:
            inline_string: "redis"
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: redis.host
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: "trusted-ca-certificate.pem"
```

Logs:

Let me know what log level is required and on which module.

In order to reproduce, use filename for auth_password instead of inline_string.

Observations on when it works and when it does not with filename as the password:

If the password is "XXXXXXXX" (without quotes):

With the base64-decoded value of WFhYWFhYWFg= in the file, it works (decoded value on Mac is coming as XXXXXXXX%).
With the base64-decoded value of WFhYWFhYWFgK in the file, it does not work: XXXXXXXX

I am not sure if this is only impacting auth_password in redis-proxy or applies across the board. I have validated the above issue with Envoy proxy version 1.21.5, but it may be present in the latest version also.
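
Added example, not part of the original issue and not Envoy code: decoding the two base64 values quoted in the report shows that the failing file carries one extra LF byte. It assumes (the report suggests this, but the page does not confirm it) that the file contents are sent byte-for-byte as the password, in which case the RESP `AUTH` command carries a 9-byte password instead of the expected 8-byte one. The function names are hypothetical.

```python
import base64

# The two base64 values quoted in the report (contents of the password file).
WORKING = "WFhYWFhYWFg="   # file without a line terminator
FAILING = "WFhYWFhYWFgK"   # file ending in LF


def trailing_terminator(secret: bytes) -> bytes:
    """Return the run of CR/LF bytes at the end of secret (b'' if none)."""
    stripped = secret.rstrip(b"\r\n")
    return secret[len(stripped):]


def resp_auth(username: bytes, password: bytes) -> bytes:
    """Encode AUTH <username> <password> as a RESP array of bulk strings."""
    parts = [b"AUTH", username, password]
    out = b"*%d\r\n" % len(parts)
    for p in parts:
        # Bulk strings are length-prefixed, so a stray LF is part of the value.
        out += b"$%d\r\n%s\r\n" % (len(p), p)
    return out


def audit(b64_file_contents: str, expected: bytes) -> dict:
    """Compare a secret file's raw bytes with the intended password."""
    raw = base64.b64decode(b64_file_contents)
    return {
        "length": len(raw),
        "terminator": trailing_terminator(raw),
        "matches_expected": raw == expected,
        # Assumption: the file contents are used unmodified as the password.
        "wire": resp_auth(b"redis", raw),
    }


if __name__ == "__main__":
    for label, value in (("working", WORKING), ("failing", FAILING)):
        r = audit(value, b"XXXXXXXX")
        print(label, r["length"], r["terminator"], r["matches_expected"])
        print("   ", r["wire"])
```

Writing the secret with `printf '%s'` rather than `echo` avoids the trailing LF when the file is created.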

@saurabh256 saurabh256 added bug triage Issue requires triage labels Sep 12, 2024
@ravenblackx ravenblackx added area/redis and removed triage Issue requires triage labels Sep 12, 2024
@ravenblackx
Contributor

@msukalski or @weisisea as redis extension people.
