update

Signed-off-by: Aurélien Pillevesse <[email protected]>

api/v1alpha1/ext_auth_types.go

@@ -95,17 +95,8 @@ type BodyToExtAuth struct {
 	// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
 	// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
 	// reaches the number set in this field.
-	// Note that this setting will have precedence over failureModeAllow.
+	// Note that this setting will have precedence over failOpen mode.
+	//
+	// +kubebuilder:validation:Minimum=1
 	MaxRequestBytes uint32 `json:"maxRequestBytes"`
-
-	// When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
-	// The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
-	AllowPartialMessage bool `json:"allowPartialMessage"`
-
-	// If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
-	// it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
-	// filled with UTF-8 string request body.
-	// This field only affects configurations using a grpcService. In configurations that use
-	// an httpService, this has no effect.
-	PackAsBytes bool `json:"packAsBytes"`
 }

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -336,6 +336,21 @@ spec:
               extAuth:
                 description: ExtAuth defines the configuration for External Authorization.
                 properties:
+                  bodyToExtAuth:
+                    description: BodyToExtAuth defines the Body to Ext Auth configuration.
+                    properties:
+                      maxRequestBytes:
+                        description: |-
+                          MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+                          Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+                          reaches the number set in this field.
+                          Note that this setting will have precedence over failOpen mode.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                    required:
+                    - maxRequestBytes
+                    type: object
                   failOpen:
                     default: false
                     description: |-

internal/gatewayapi/securitypolicy.go

@@ -936,9 +936,7 @@ func (t *Translator) buildExtAuth(
 
 	if policy.Spec.ExtAuth.BodyToExtAuth != nil {
 		extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
-			MaxRequestBytes:     policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
-			AllowPartialMessage: policy.Spec.ExtAuth.BodyToExtAuth.AllowPartialMessage,
-			PackAsBytes:         policy.Spec.ExtAuth.BodyToExtAuth.PackAsBytes,
+			MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
 		}
 	}
 

internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml

@@ -99,7 +99,8 @@ securityPolicies:
         headersToExtAuth:
           - header1
           - header2
-        bodyToExtAuth: {}
+        bodyToExtAuth:
+          maxRequestBytes: 32768
         grpc:
           backendRefs:
             - name: service-2

internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml

@@ -167,9 +167,7 @@ securityPolicies:
   spec:
     extAuth:
       bodyToExtAuth:
-        allowPartialMessage: false
-        maxRequestBytes: 0
-        packAsBytes: false
+        maxRequestBytes: 32768
       failOpen: true
       grpc:
         backendRefs:
@@ -246,9 +244,7 @@ xdsIR:
         security:
           extAuth:
             bodyToExtAuth:
-              allowPartialMessage: false
-              maxRequestBytes: 0
-              packAsBytes: false
+              maxRequestBytes: 32768
             failOpen: true
             grpc:
               authority: service-2.default:8080
@@ -294,9 +290,7 @@ xdsIR:
         security:
           extAuth:
             bodyToExtAuth:
-              allowPartialMessage: false
-              maxRequestBytes: 0
-              packAsBytes: false
+              maxRequestBytes: 32768
             failOpen: true
             grpc:
               authority: service-2.default:8080

internal/ir/xds.go

@@ -1033,19 +1033,8 @@ type BodyToExtAuth struct {
 	// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
 	// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
 	// reaches the number set in this field.
-	// Note that this setting will have precedence over failureModeAllow.
+	// Note that this setting will have precedence over failOpen mode.
 	MaxRequestBytes uint32 `json:"maxRequestBytes"`
-
-	// When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
-	// The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
-	AllowPartialMessage bool `json:"allowPartialMessage"`
-
-	// If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
-	// it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
-	// filled with UTF-8 string request body.
-	// This field only affects configurations using a grpcService. In configurations that use
-	// an httpService, this has no effect.
-	PackAsBytes bool `json:"packAsBytes"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service

internal/xds/translator/extauth.go

@@ -119,9 +119,7 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 
 	if extAuth.BodyToExtAuth != nil {
 		config.WithRequestBody = &extauthv3.BufferSettings{
-			MaxRequestBytes:     extAuth.BodyToExtAuth.MaxRequestBytes,
-			AllowPartialMessage: extAuth.BodyToExtAuth.AllowPartialMessage,
-			PackAsBytes:         extAuth.BodyToExtAuth.PackAsBytes,
+			MaxRequestBytes: extAuth.BodyToExtAuth.MaxRequestBytes,
 		}
 	}
 

internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml

@@ -108,8 +108,6 @@ http:
             failOpen: true
             bodyToExtAuth:
               maxRequestBytes: 32768
-              allowPartialMessage: false
-              packAsBytes: true
             http:
               authority: primary.foo.com
               destination:

internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml

@@ -51,7 +51,6 @@
             transportApiVersion: V3
             withRequestBody:
               maxRequestBytes: 32768
-              packAsBytes: true
         - name: envoy.filters.http.router
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

site/content/en/latest/api/extension_types.md

@@ -479,9 +479,7 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
-| `maxRequestBytes` | _integer_ |  true  | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.<br />Envoy will return HTTP 413 and will not initiate the authorization process when buffer<br />reaches the number set in this field.<br />Note that this setting will have precedence over failureModeAllow. |
-| `allowPartialMessage` | _boolean_ |  true  | When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.<br />The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. |
-| `packAsBytes` | _boolean_ |  true  | If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,<br />it sets the raw_body field of HTTP request attribute context. Otherwise, body will be<br />filled with UTF-8 string request body.<br />This field only affects configurations using a grpcService. In configurations that use<br />an httpService, this has no effect. |
+| `maxRequestBytes` | _integer_ |  true  | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.<br />Envoy will return HTTP 413 and will not initiate the authorization process when buffer<br />reaches the number set in this field.<br />Note that this setting will have precedence over failOpen mode. |
 
 
 #### BootstrapType

site/content/zh/latest/api/extension_types.md

@@ -479,9 +479,7 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
-| `maxRequestBytes` | _integer_ |  true  | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.<br />Envoy will return HTTP 413 and will not initiate the authorization process when buffer<br />reaches the number set in this field.<br />Note that this setting will have precedence over failureModeAllow. |
-| `allowPartialMessage` | _boolean_ |  true  | When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.<br />The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. |
-| `packAsBytes` | _boolean_ |  true  | If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,<br />it sets the raw_body field of HTTP request attribute context. Otherwise, body will be<br />filled with UTF-8 string request body.<br />This field only affects configurations using a grpcService. In configurations that use<br />an httpService, this has no effect. |
+| `maxRequestBytes` | _integer_ |  true  | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.<br />Envoy will return HTTP 413 and will not initiate the authorization process when buffer<br />reaches the number set in this field.<br />Note that this setting will have precedence over failOpen mode. |
 
 
 #### BootstrapType