add BodyToExtAuth

api/v1alpha1/ext_auth_types.go

@@ -33,6 +33,8 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
+	BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"`
+
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
 	// Otherwise, if it is set to false or not set (defaulting to false),

internal/gatewayapi/securitypolicy.go

@@ -888,6 +888,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 	extAuth := &ir.ExtAuth{
 		Name:             irConfigName(policy),
 		HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
+		BodyToExtAuth:    policy.Spec.ExtAuth.BodyToExtAuth,
 		FailOpen:         policy.Spec.ExtAuth.FailOpen,
 		Traffic:          traffic,
 		RecomputeRoute:   policy.Spec.ExtAuth.RecomputeRoute,

internal/ir/xds.go

@@ -994,6 +994,8 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
+	BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"`
+
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
 	// Otherwise, if it is set to false or not set (defaulting to false),

internal/xds/translator/extauth.go

@@ -117,6 +117,13 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 		})
 	}
 
+	if extAuth.BodyToExtAuth != nil {
+		config.WithRequestBody = &extauthv3.BufferSettings{
+			AllowPartialMessage: false,
+			PackAsBytes:         false,
+		}
+	}
+
 	if len(headersToExtAuth) > 0 {
 		config.AllowedHeaders = &matcherv3.ListStringMatcher{
 			Patterns: headersToExtAuth,