Skip to content

Fix protected-ingress auth cache key colliding for Authorization-header clients#446

Draft
mhotan wants to merge 1 commit into
mainfrom
mike/fix-protected-ingress-auth-cache-key
Draft

Fix protected-ingress auth cache key colliding for Authorization-header clients#446
mhotan wants to merge 1 commit into
mainfrom
mike/fix-protected-ingress-auth-cache-key

Conversation

@mhotan

@mhotan mhotan commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Overview

The REST and console protected-ingress annotations key their nginx auth-request
cache on $http_flyte_authorization$http_cookie. A client that authenticates
with the standard Authorization header and no cookie produces an empty,
shared
cache key, so every such request collapses into one auth-cache entry.

A /me auth subrequest that returns 401 (an unauthenticated probe, an expired
session) then gets cached and served back to valid requests as a 302 → /login
for the cache TTL — intermittent auth failures uncorrelated with the caller's
token. The inverse is a cached 200 under the empty key letting a token-less
request through with another caller's identity headers.

This prefixes the three REST/console cache keys with $http_authorization so
each bearer credential gets its own cache entry, matching
protectedIngressAnnotationsGrpc, which already includes it.

Test

make generate-expected && make test — green. Only auth-cache-key lines
change in the controlplane snapshots.

Rollout

Values-only default change; picked up on the next chart render / ArgoCD sync.
No template or resource-shape changes.

Rollback

Revert the commit; the cache key returns to its prior value.

…er clients

The REST and console protected-ingress annotations key their nginx
auth-request cache on `$http_flyte_authorization$http_cookie`. A client that
authenticates with the standard `Authorization` header and no cookie produces
an empty, shared cache key, so every such request collapses into one
auth-cache entry.

That single entry is then served to all of them for the cache TTL. A `/me`
subrequest that returns 401 (an unauthenticated probe, an expired session)
gets cached and handed back to valid requests as a 302 redirect to /login,
producing intermittent auth failures uncorrelated with the caller's token. The
inverse is a cached 200 under the same empty key, which can let a token-less
request through and serve it another caller's cached identity headers.

Prefix the three REST/console cache keys with `$http_authorization` so each
distinct bearer credential gets its own cache entry, matching
`protectedIngressAnnotationsGrpc`, which already includes it. Regenerated the
controlplane snapshot fixtures.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aviator-app

aviator-app Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Current Aviator status

Aviator will automatically update this comment as the status of the PR changes.
Comment /aviator refresh to force Aviator to re-examine your PR (or learn about other /aviator commands).

This pull request is currently open (not queued).

How to merge

To merge this PR, comment /aviator merge or add the mergequeue label.


See the real-time status of this PR on the Aviator webapp.
Use the Aviator Chrome Extension to see the status of your PR within GitHub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant