diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 880d61033dc..671d235180d 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go @@ -33,7 +33,7 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` - BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"` // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index c9697e4a4e7..424ce583e79 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -99,7 +99,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true grpc: backendRefs: - name: service-2 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index 200b7b105bb..f4872425e6c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -179,7 +179,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -263,7 +263,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-1/rule/1 
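Review bot: The retyped `BodyToExtAuth *bool` field in `api/v1alpha1/ext_auth_types.go` has no doc comment and no `// +optional` marker of its own in the hunk, although it controls whether request payloads leave the proxy for the authorization service. I would add something like `// BodyToExtAuth, when true, forwards the client request body to the external authorization service. Unset or false forwards no body.` followed by `// +optional`. The same undocumented field appears in the `internal/ir/xds.go` hunk at line 994 and needs the same comment. Changing the wire type from string to bool also means any stored object that still carries a string value will presumably fail to decode, so this deserves a line in the release notes. The `ExtAuth` struct begins and ends outside the hunk.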
@@ -308,7 +308,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-2/rule/0 diff --git a/internal/ir/xds.go b/internal/ir/xds.go index a861b45a75f..533b1550ada 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -994,7 +994,7 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` - BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"` // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 95f10933259..89c95709b13 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -117,7 +117,7 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz { }) } - if extAuth.BodyToExtAuth != nil { + if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth { config.WithRequestBody = &extauthv3.BufferSettings{ AllowPartialMessage: false, PackAsBytes: false,
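Review bot: In the `internal/xds/translator/extauth.go` hunk, the new condition `extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth` is security-relevant but uncommented, and the buffering policy behind it is fixed in code. I would add `// Buffer and forward the body only on explicit opt-in; nil and false both leave WithRequestBody unset.` above the `if`. With `AllowPartialMessage: false`, a body larger than the buffer limit is rejected by Envoy rather than checked in part, so please confirm that `MaxRequestBytes` is set in the part of the literal outside the hunk and consider exposing it, since a bare bool gives operators no way to bound per-request buffering. The visible fixture only exercises `bodyToExtAuth: true`; a case with `false` would pin the branch this change introduces. `extAuthConfig` continues outside the hunk.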