Currently, bouncers sharing the same API key cannot reliably use the stream mode.
What happens
When a bouncer queries /decisions/stream with startup not set to true, we rely on the bouncerInfo.LastPull timestamp to know when the bouncer last pulled and which data should be returned. The bouncerInfo is fetched from the DB and only relies on the API key provided by the bouncer.
Problem
However, this is problematic when several bouncer instances (i.e. nginx-ingress / kube) share the same API key and want to use stream mode: they get inconsistent data as they all share the same entry in the DB and thus LastPull.
Proposed change
The proposed change is the following:
Use combo IP + API key as the unique identifier for bouncers (instead of just API key)
When a "new" bouncer (existing API key but new IP) comes in, after authentication, we duplicate the existing row (based on API key) and we update last pull, heartbeat etc.
When a bouncer queries /decisions/stream with startup not set to true, we rely on the API key + IP combo to select the relevant row, so that each bouncer instance gets its own LastPull
Why is this needed?
Allow several bouncers to share the same API key and use stream mode.
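The failure mode and the proposed fix described above, as an added Go model (not CrowdSec code and not part of the original issue). The names `lapi`, `rowKey`, `stream` and `scenario` are hypothetical, integer ticks stand in for timestamps, and a row that has never pulled is assumed to start with a zero LastPull.

```go
package main

import "fmt"

// Constructed model: a decision is an ID plus the tick at which it was created.
type decision struct {
	id      string
	created int
}

// rowKey identifies a bouncer row. With perIP false the IP stays empty, so all
// instances sharing an API key collapse onto one row (the behaviour reported).
type rowKey struct{ apiKey, ip string }

type lapi struct {
	perIP     bool
	decisions []decision
	lastPull  map[rowKey]int // LastPull per bouncer row
}

// stream models /decisions/stream with startup not set to true: return the
// decisions created after the row's LastPull, then advance LastPull to now.
func (l *lapi) stream(apiKey, ip string, now int) []string {
	k := rowKey{apiKey: apiKey}
	if l.perIP {
		k.ip = ip // proposed change: API key + IP selects the row
	}
	var out []string
	for _, d := range l.decisions {
		if d.created > l.lastPull[k] && d.created <= now {
			out = append(out, d.id)
		}
	}
	l.lastPull[k] = now
	return out
}

// scenario: two instances share one key; a decision is created at tick 5,
// instance A pulls at tick 6 and instance B pulls at tick 7.
func scenario(perIP bool) (a, b []string) {
	l := &lapi{perIP: perIP, lastPull: map[rowKey]int{},
		decisions: []decision{{"ban-1", 5}}}
	a = l.stream("shared-key", "10.0.0.1", 6)
	b = l.stream("shared-key", "10.0.0.2", 7)
	return a, b
}

func main() {
	fmt.Println(scenario(false)) // shared row: B never receives ban-1
	fmt.Println(scenario(true))  // per-IP rows: both instances receive ban-1
}
```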
Check Releases to make sure your agent is on the latest version.
I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.
@buixor: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.
/kind feature
/kind enhancement
/kind refactoring
/kind bug
/kind packaging