Merge branch 'main' into fix-btlsp-section-name

Signed-off-by: Huabing Zhao <[email protected]>
envoyproxy · Dec 6, 2024 · 1d5abcd · 1d5abcd
2 parents a0c2b0b + 8cba958
commit 1d5abcd
Show file tree

Hide file tree

Showing 29 changed files with 1,174 additions and 13 deletions.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -120,10 +120,7 @@ jobs:
         - version: v1.29.8
           ipFamily: ipv4
         - version: v1.30.4
-          ipFamily: ipv4
-        # Enable these after https://github.com/envoyproxy/gateway/issues/4572 fixed
-        # - version: v1.31.0
-        #   ipFamily: ipv6   # only run ipv6 test on latest version to save time
+          ipFamily: ipv6  # only run ipv6 test on this version to save time
         # TODO: this's IPv4 first, need a way to test IPv6 first.
         - version: v1.31.0
           ipFamily: dual  # only run dual test on latest version to save time
@@ -148,6 +145,7 @@ jobs:
         KIND_NODE_TAG: ${{ matrix.target.version }}
         IMAGE_PULL_POLICY: IfNotPresent
         IP_FAMILY: ${{ matrix.target.ipFamily }}
+        E2E_TIMEOUT: 1h
       run: make e2e
 
   benchmark-test:

diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
@@ -33,6 +33,10 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
+	// BodyToExtAuth defines the Body to Ext Auth configuration.
+	// +optional
+	BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
+
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
 	// Otherwise, if it is set to false or not set (defaulting to false),
@@ -85,3 +89,14 @@ type HTTPExtAuthService struct {
 	// +optional
 	HeadersToBackend []string `json:"headersToBackend,omitempty"`
 }
+
+// BodyToExtAuth defines the Body to Ext Auth configuration
+type BodyToExtAuth struct {
+	// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+	// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+	// reaches the number set in this field.
+	// Note that this setting will have precedence over failOpen mode.
+	//
+	// +kubebuilder:validation:Minimum=1
+	MaxRequestBytes uint32 `json:"maxRequestBytes"`
+}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -336,6 +336,21 @@ spec:
               extAuth:
                 description: ExtAuth defines the configuration for External Authorization.
                 properties:
+                  bodyToExtAuth:
+                    description: BodyToExtAuth defines the Body to Ext Auth configuration.
+                    properties:
+                      maxRequestBytes:
+                        description: |-
+                          MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+                          Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+                          reaches the number set in this field.
+                          Note that this setting will have precedence over failOpen mode.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                    required:
+                    - maxRequestBytes
+                    type: object
                   failOpen:
                     default: false
                     description: |-

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -933,6 +933,13 @@ func (t *Translator) buildExtAuth(
 			Authority:   authority,
 		}
 	}
+
+	if policy.Spec.ExtAuth.BodyToExtAuth != nil {
+		extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
+			MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
+		}
+	}
+
 	return extAuth, nil
 }
 

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -0,0 +1,112 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: default
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      hostnames:
+        - www.foo.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /foo1
+          backendRefs:
+            - name: service-1
+              port: 8080
+        - matches:
+            - path:
+                value: /foo2
+          backendRefs:
+            - name: service-2
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-2
+    spec:
+      hostnames:
+        - www.bar.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /bar
+          backendRefs:
+            - name: service-3
+              port: 8080
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: 'primary.foo.com'
+            port: 3000
+referenceGrants:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: ReferenceGrant
+    metadata:
+      namespace: envoy-gateway
+      name: referencegrant-1
+    spec:
+      from:
+        - group: gateway.envoyproxy.io
+          kind: SecurityPolicy
+          namespace: default
+      to:
+        - group: ""
+          kind: Service
+securityPolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: default
+      name: policy-for-http-route-1
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-1
+      extAuth:
+        failOpen: true
+        headersToExtAuth:
+          - header1
+          - header2
+        bodyToExtAuth:
+          maxRequestBytes: 32768
+        grpc:
+          backendRefs:
+            - name: service-2
+              kind: Service
+              port: 8080
+            - name: backend-fqdn
+              kind: Backend
+              group: gateway.envoyproxy.io
+              port: 3000