feat: add body to ext auth (#4671)
* add BodyToExtAuth

Signed-off-by: Aurélien Pillevesse <[email protected]>
AurelienPillevesse authored Dec 5, 2024
1 parent 905405e commit ac86045
Showing 16 changed files with 965 additions and 0 deletions.
15 changes: 15 additions & 0 deletions api/v1alpha1/ext_auth_types.go
Expand Up @@ -33,6 +33,10 @@ type ExtAuth struct {
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`

// BodyToExtAuth defines the Body to Ext Auth configuration.
// +optional
BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`

// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
// If FailOpen is set to true, the system allows the traffic to pass through.
// Otherwise, if it is set to false or not set (defaulting to false),
Expand Down Expand Up @@ -85,3 +89,14 @@ type HTTPExtAuthService struct {
// +optional
HeadersToBackend []string `json:"headersToBackend,omitempty"`
}

// BodyToExtAuth defines the Body to Ext Auth configuration
type BodyToExtAuth struct {
// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
// reaches the number set in this field.
// Note that this setting will have precedence over failOpen mode.
//
// +kubebuilder:validation:Minimum=1
MaxRequestBytes uint32 `json:"maxRequestBytes"`
}
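Review bot: MaxRequestBytes in the second hunk carries only a Minimum=1 marker, so any value up to the uint32 maximum is accepted, while the doc comment states the filter holds that many bytes in memory per request; under concurrent traffic this is a memory-pressure knob that the API should bound or at least document. Consider adding `// +kubebuilder:validation:Maximum=<limit to be chosen by maintainers>` beside the Minimum marker, and a doc sentence such as `// Each in-flight request may buffer up to this many bytes before the authorization call, so size it against expected concurrency.`. The struct comment on BodyToExtAuth is also missing the trailing period that the field comment and the ExtAuth field comment in the first hunk both have.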
20 changes: 20 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -336,6 +336,21 @@ spec:
extAuth:
description: ExtAuth defines the configuration for External Authorization.
properties:
bodyToExtAuth:
description: BodyToExtAuth defines the Body to Ext Auth configuration.
properties:
maxRequestBytes:
description: |-
MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
Envoy will return HTTP 413 and will not initiate the authorization process when buffer
reaches the number set in this field.
Note that this setting will have precedence over failOpen mode.
format: int32
minimum: 1
type: integer
required:
- maxRequestBytes
type: object
failOpen:
default: false
description: |-
7 changes: 7 additions & 0 deletions internal/gatewayapi/securitypolicy.go
Expand Up @@ -933,6 +933,13 @@ func (t *Translator) buildExtAuth(
Authority: authority,
}
}

if policy.Spec.ExtAuth.BodyToExtAuth != nil {
extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
}
}

return extAuth, nil
}

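Review bot: The new block forwards MaxRequestBytes into the IR unchanged, so the only guard on the value is the CRD's Minimum=1 marker; nothing on the translation path applies an upper bound, which matters because the value sizes a per-request in-memory buffer. A one-line comment would make the nil check's intent explicit, e.g. `// Request-body buffering for ext auth is opt-in; only populate the IR when the user configured it.`. buildExtAuth begins before this hunk, so the earlier handling of policy.Spec.ExtAuth is not visible here.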
112 changes: 112 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -0,0 +1,112 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: default
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- www.foo.com
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: /foo1
backendRefs:
- name: service-1
port: 8080
- matches:
- path:
value: /foo2
backendRefs:
- name: service-2
port: 8080
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-2
spec:
hostnames:
- www.bar.com
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: /bar
backendRefs:
- name: service-3
port: 8080
backends:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
name: backend-fqdn
namespace: default
spec:
endpoints:
- fqdn:
hostname: 'primary.foo.com'
port: 3000
referenceGrants:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
namespace: envoy-gateway
name: referencegrant-1
spec:
from:
- group: gateway.envoyproxy.io
kind: SecurityPolicy
namespace: default
to:
- group: ""
kind: Service
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-http-route-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
extAuth:
failOpen: true
headersToExtAuth:
- header1
- header2
bodyToExtAuth:
maxRequestBytes: 32768
grpc:
backendRefs:
- name: service-2
kind: Service
port: 8080
- name: backend-fqdn
kind: Backend
group: gateway.envoyproxy.io
port: 3000
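Review bot: This fixture exercises bodyToExtAuth only together with a grpc ext-auth service and failOpen: true, so the http service branch of the translator is not covered by this input. If the commit's other fixtures (not visible here) do not cover it, a second SecurityPolicy with an `http:` service and `bodyToExtAuth:` would let the expected output be checked on both branches. The value `maxRequestBytes: 32768` is a reasonable representative setting.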
