From 666bb36168929599ef8c266cbdd35c5f5b3d69e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?=
Date: Thu, 5 Dec 2024 15:57:07 +0100
Subject: [PATCH] update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Pillevesse
---
 api/v1alpha1/ext_auth_types.go | 15 +++------------
 .../gateway.envoyproxy.io_securitypolicies.yaml | 15 +++++++++++++++
 internal/gatewayapi/securitypolicy.go | 4 +---
 .../securitypolicy-with-extauth-body.in.yaml | 3 ++-
 .../securitypolicy-with-extauth-body.out.yaml | 12 +++--------
 internal/ir/xds.go | 13 +------------
 internal/xds/translator/extauth.go | 4 +---
 .../testdata/in/xds-ir/ext-auth-body.yaml | 2 --
 .../out/xds-ir/ext-auth-body.listeners.yaml | 1 -
 site/content/en/latest/api/extension_types.md | 4 +---
 site/content/zh/latest/api/extension_types.md | 4 +---
 11 files changed, 28 insertions(+), 49 deletions(-)

diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
index 4a6bdd98ef3..16652c9fd28 100644
--- a/api/v1alpha1/ext_auth_types.go
+++ b/api/v1alpha1/ext_auth_types.go
@@ -95,17 +95,8 @@ type BodyToExtAuth struct {
 // MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
 // Envoy will return HTTP 413 and will not initiate the authorization process when buffer
 // reaches the number set in this field.
- // Note that this setting will have precedence over failureModeAllow.
+ // Note that this setting will have precedence over failOpen mode.
+ //
+ // +kubebuilder:validation:Minimum=1
 MaxRequestBytes uint32 `json:"maxRequestBytes"`
-
- // When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
- // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
- AllowPartialMessage bool `json:"allowPartialMessage"`
-
- // If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
- // it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
- // filled with UTF-8 string request body.
- // This field only affects configurations using a grpcService. In configurations that use
- // an httpService, this has no effect.
- PackAsBytes bool `json:"packAsBytes"`
 }
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 840c8d59d30..e611a00ce10 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
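Review bot: MaxRequestBytes gains `+kubebuilder:validation:Minimum=1` but no `Maximum`, and the field comment does not say that the buffer is held per in-flight request, so a value up to the uint32 ceiling is accepted and body buffering becomes a memory-pressure concern on the proxy under concurrent traffic. I would extend the comment with `// The buffer is held per in-flight request, so large values scale memory use with concurrency; a body larger than this is rejected with HTTP 413 even when FailOpen is true.` and consider a documented upper bound. Dropping AllowPartialMessage and PackAsBytes from a v1alpha1 type is a breaking change for any SecurityPolicy already setting them (a structural CRD schema will typically prune the unknown keys silently); that is fine if BodyToExtAuth has not shipped in a release yet, but it should be stated in the commit message, which currently reads only "update". The same comment wording applies to the mirrored struct in internal/ir/xds.go.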
@@ -336,6 +336,21 @@ spec:
 extAuth:
 description: ExtAuth defines the configuration for External Authorization.
 properties:
+ bodyToExtAuth:
+ description: BodyToExtAuth defines the Body to Ext Auth configuration.
+ properties:
+ maxRequestBytes:
+ description: |-
+ MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+ Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+ reaches the number set in this field.
+ Note that this setting will have precedence over failOpen mode.
+ format: int32
+ minimum: 1
+ type: integer
+ required:
+ - maxRequestBytes
+ type: object
 failOpen:
 default: false
 description: |-
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index f88658fe227..d21f240f1fa 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -936,9 +936,7 @@ func (t *Translator) buildExtAuth(
 
 if policy.Spec.ExtAuth.BodyToExtAuth != nil {
 extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
- MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
- AllowPartialMessage: policy.Spec.ExtAuth.BodyToExtAuth.AllowPartialMessage,
- PackAsBytes: policy.Spec.ExtAuth.BodyToExtAuth.PackAsBytes,
+ MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
 }
 }
 
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
index a33f1c72964..d45b50c8835 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -99,7 +99,8 @@ securityPolicies:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: {}
+ bodyToExtAuth:
+ maxRequestBytes: 32768
 grpc:
 backendRefs:
 - name: service-2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
index 9ca7c6fbabd..ac4dfe7f306 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
@@ -167,9 +167,7 @@ securityPolicies:
 spec:
 extAuth:
 bodyToExtAuth:
- allowPartialMessage: false
- maxRequestBytes: 0
- packAsBytes: false
+ maxRequestBytes: 32768
 failOpen: true
 grpc:
 backendRefs:
@@ -246,9 +244,7 @@ xdsIR:
 security:
 extAuth:
 bodyToExtAuth:
- allowPartialMessage: false
- maxRequestBytes: 0
- packAsBytes: false
+ maxRequestBytes: 32768
 failOpen: true
 grpc:
 authority: service-2.default:8080
@@ -294,9 +290,7 @@ xdsIR:
 security:
 extAuth:
 bodyToExtAuth:
- allowPartialMessage: false
- maxRequestBytes: 0
- packAsBytes: false
+ maxRequestBytes: 32768
 failOpen: true
 grpc:
 authority: service-2.default:8080
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 9b573142e1a..55afed6e007 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -1033,19 +1033,8 @@ type BodyToExtAuth struct {
 // MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
 // Envoy will return HTTP 413 and will not initiate the authorization process when buffer
 // reaches the number set in this field.
- // Note that this setting will have precedence over failureModeAllow.
+ // Note that this setting will have precedence over failOpen mode.
 MaxRequestBytes uint32 `json:"maxRequestBytes"`
-
- // When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
- // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
- AllowPartialMessage bool `json:"allowPartialMessage"`
-
- // If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
- // it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
- // filled with UTF-8 string request body.
- // This field only affects configurations using a grpcService. In configurations that use
- // an httpService, this has no effect.
- PackAsBytes bool `json:"packAsBytes"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index a0d2d34aef7..f65cc0875f3 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -119,9 +119,7 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 
 if extAuth.BodyToExtAuth != nil {
 config.WithRequestBody = &extauthv3.BufferSettings{
- MaxRequestBytes: extAuth.BodyToExtAuth.MaxRequestBytes,
- AllowPartialMessage: extAuth.BodyToExtAuth.AllowPartialMessage,
- PackAsBytes: extAuth.BodyToExtAuth.PackAsBytes,
+ MaxRequestBytes: extAuth.BodyToExtAuth.MaxRequestBytes,
 }
 }
 
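Review bot: With AllowPartialMessage and PackAsBytes no longer populated on the BufferSettings literal in extAuthConfig, both fall back to the proto zero value (false), which changes the runtime contract and not just the API surface: a body exceeding MaxRequestBytes is now always rejected with 413, and for gRPC services the body is delivered as a UTF-8 string rather than raw bytes. That deserves a comment next to the literal, e.g. `// AllowPartialMessage and PackAsBytes are intentionally left at their defaults (false): an oversized body is rejected with HTTP 413 rather than forwarded truncated, and the body is sent as a UTF-8 string.` The fail-closed default is the safer one, but it is worth confirming how Envoy handles a non-UTF-8 (binary) request body in the gRPC check request now that raw-bytes packing can no longer be enabled. extAuthConfig begins and ends outside the hunk.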
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
index cb322f51d5c..f3ce1bd3477 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
@@ -108,8 +108,6 @@ http:
 failOpen: true
 bodyToExtAuth:
 maxRequestBytes: 32768
- allowPartialMessage: false
- packAsBytes: true
 http:
 authority: primary.foo.com
 destination:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
index 81d9c39a7be..84bea029d0b 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
@@ -51,7 +51,6 @@
 transportApiVersion: V3
 withRequestBody:
 maxRequestBytes: 32768
- packAsBytes: true
 - name: envoy.filters.http.router
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 25929c76903..c6a7121d7ca 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -479,9 +479,7 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | --- | --- | --- | --- |
-| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failureModeAllow. | -| `allowPartialMessage` | _boolean_ | true | When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. | -| `packAsBytes` | _boolean_ | true | If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
filled with UTF-8 string request body.
This field only affects configurations using a grpcService. In configurations that use
an httpService, this has no effect. | +| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | #### BootstrapType diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 25929c76903..c6a7121d7ca 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -479,9 +479,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failureModeAllow. | -| `allowPartialMessage` | _boolean_ | true | When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. | -| `packAsBytes` | _boolean_ | true | If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
filled with UTF-8 string request body.
This field only affects configurations using a grpcService. In configurations that use
an httpService, this has no effect. | +| `maxRequestBytes` | _integer_ | true | MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode. | #### BootstrapType