update bool to struct for bodyToExtAuth field
AurelienPillevesse committed Nov 19, 2024
1 parent 336be74 commit 34067fd
Showing 8 changed files with 22 additions and 9 deletions.
5 changes: 4 additions & 1 deletion api/v1alpha1/ext_auth_types.go
Expand Up @@ -33,7 +33,7 @@ type ExtAuth struct {
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`

BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`

// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
// If FailOpen is set to true, the system allows the traffic to pass through.
Expand Down Expand Up @@ -89,3 +89,6 @@ type HTTPExtAuthService struct {
// +optional
HeadersToBackend []string `json:"headersToBackend,omitempty"`
}

// BodyToExtAuth defines the Body to Ext Auth configuration
type BodyToExtAuth struct{}
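Review bot: The new `BodyToExtAuth` field on `ExtAuth` still carries no doc comment and no `// +optional` marker, unlike the neighbouring `HeadersToExtAuth`, and the type comment on `BodyToExtAuth` only restates its name; on a CRD type this comment is the description users read, so it should say what setting the block does. Suggest above the field: `// BodyToExtAuth, when present (an empty object is sufficient), forwards the request body to the external authorization service.` followed by `// +optional`. The same missing field comment applies to the mirrored hunk in internal/ir/xds.go. The `ExtAuth` struct begins outside this hunk.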
6 changes: 5 additions & 1 deletion internal/gatewayapi/securitypolicy.go
Expand Up @@ -888,7 +888,6 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
extAuth := &ir.ExtAuth{
Name: irConfigName(policy),
HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
BodyToExtAuth: policy.Spec.ExtAuth.BodyToExtAuth,
FailOpen: policy.Spec.ExtAuth.FailOpen,
Traffic: traffic,
RecomputeRoute: policy.Spec.ExtAuth.RecomputeRoute,
Expand All @@ -907,6 +906,11 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
Authority: authority,
}
}

if policy.Spec.ExtAuth.BodyToExtAuth != nil {
extAuth.BodyToExtAuth = &ir.BodyToExtAuth{}
}

return extAuth, nil
}

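Review bot: The nil check added at the end of `buildExtAuth` has no comment explaining that the mere presence of the field-less `BodyToExtAuth` block is the enable signal; a reader who sees `&ir.BodyToExtAuth{}` assigned from a value that is never otherwise read will reasonably assume fields were forgotten. Suggest above the `if`: `// An empty bodyToExtAuth block enables request-body forwarding; the struct currently has no fields to copy.` Moving the translation out of the composite literal also separates it from the other `policy.Spec.ExtAuth` fields, which is a readability cost worth a sentence in the comment. `buildExtAuth` begins outside this hunk.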
Expand Up @@ -99,7 +99,7 @@ securityPolicies:
headersToExtAuth:
- header1
- header2
bodyToExtAuth: true
bodyToExtAuth: {}
grpc:
backendRefs:
- name: service-2
Expand Up @@ -179,7 +179,7 @@ securityPolicies:
headersToExtAuth:
- header1
- header2
bodyToExtAuth: true
bodyToExtAuth: {}
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
Expand Down Expand Up @@ -263,7 +263,7 @@ xdsIR:
headersToExtAuth:
- header1
- header2
bodyToExtAuth: true
bodyToExtAuth: {}
name: securitypolicy/default/policy-for-http-route-1
- destination:
name: httproute/default/httproute-1/rule/1
Expand Down Expand Up @@ -308,7 +308,7 @@ xdsIR:
headersToExtAuth:
- header1
- header2
bodyToExtAuth: true
bodyToExtAuth: {}
name: securitypolicy/default/policy-for-http-route-1
- destination:
name: httproute/default/httproute-2/rule/0
6 changes: 5 additions & 1 deletion internal/ir/xds.go
Expand Up @@ -994,7 +994,7 @@ type ExtAuth struct {
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`

BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`

// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
// If FailOpen is set to true, the system allows the traffic to pass through.
Expand All @@ -1012,6 +1012,10 @@ type ExtAuth struct {
RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
}

// BodyToExtAuth defines the Body to Ext Auth configuration
// +k8s:deepcopy-gen=true
type BodyToExtAuth struct{}

// HTTPExtAuthService defines the HTTP External Authorization service
// +k8s:deepcopy-gen=true
type HTTPExtAuthService struct {
3 changes: 2 additions & 1 deletion internal/xds/translator/extauth.go
Expand Up @@ -117,8 +117,9 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
})
}

if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth {
if extAuth.BodyToExtAuth != nil {
config.WithRequestBody = &extauthv3.BufferSettings{
MaxRequestBytes: 1024,
AllowPartialMessage: false,
PackAsBytes: false,
}
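Review bot: `MaxRequestBytes: 1024` is a new hard-coded limit with no comment, and together with `AllowPartialMessage: false` it changes behaviour rather than just configuration: per Envoy's documented BufferSettings semantics, when partial messages are not allowed a request whose body exceeds max_request_bytes is rejected with a 413 instead of being sent to the authorization service, so every route that enables bodyToExtAuth now refuses bodies over 1 KiB, and the empty `BodyToExtAuth` struct gives users no way to raise that cap. At minimum name and document the value, e.g. `// defaultBodyToExtAuthMaxBytes bounds the body buffered for ext auth; larger requests are rejected (413) because partial messages are disabled.` with `const defaultBodyToExtAuthMaxBytes = 1024`, and consider exposing it as a field on the new struct. The enclosing `extAuthConfig` begins outside this hunk.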
Expand Up @@ -106,7 +106,7 @@ http:
extAuth:
name: securitypolicy/default/policy-for-gateway-1
failOpen: true
bodyToExtAuth: true
bodyToExtAuth: {}
http:
authority: primary.foo.com
destination:
Expand Up @@ -35,6 +35,7 @@
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
withRequestBody:
maxRequestBytes: 1024
allowPartialMessage: false
packAsBytes: false
failureModeAllow: true
