Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OIDC xds translation #2191

Merged
merged 4 commits into from
Nov 17, 2023
Merged

OIDC xds translation #2191

merged 4 commits into from
Nov 17, 2023

Conversation

zhaohuabing
Copy link
Member

What this PR does:

  • translate OIDC IR to XDS

docs and e2e test will be in a follow-up PRs.

OIDC will be done per-route. The final xds output will look like this example yaml file: https://github.com/zhaohuabing/playground/blob/main/envoy/per-route-oauth2-oidc/envoy.yaml

Related:

@zhaohuabing zhaohuabing requested a review from a team as a code owner November 15, 2023 17:41
@zhaohuabing zhaohuabing marked this pull request as draft November 15, 2023 17:41
@zhaohuabing zhaohuabing force-pushed the oidc-xds branch 2 times, most recently from b581775 to d8780ea Compare November 15, 2023 19:04
Copy link

codecov bot commented Nov 15, 2023

Codecov Report

Attention: 156 lines in your changes are missing coverage. Please review.

Comparison is base (94fe41c) 64.19% compared to head (d875f39) 64.16%.

❗ Current head d875f39 differs from pull request most recent head d72ed07. Consider uploading reports for the commit d72ed07 to get more accurate results

Files Patch % Lines
internal/xds/translator/oidc.go 68.60% 64 Missing and 28 partials ⚠️
internal/gatewayapi/securitypolicy.go 45.45% 13 Missing and 5 partials ⚠️
internal/xds/translator/jwt_authn.go 84.26% 9 Missing and 5 partials ⚠️
internal/xds/translator/translator.go 36.84% 8 Missing and 4 partials ⚠️
internal/xds/translator/shared_types.go 68.96% 6 Missing and 3 partials ⚠️
internal/xds/translator/httpfilters.go 63.63% 4 Missing and 4 partials ⚠️
internal/xds/translator/route.go 50.00% 1 Missing and 1 partial ⚠️
internal/ir/zz_generated.deepcopy.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2191      +/-   ##
==========================================
- Coverage   64.19%   64.16%   -0.03%     
==========================================
  Files         107      109       +2     
  Lines       14924    15266     +342     
==========================================
+ Hits         9580     9796     +216     
- Misses       4768     4855      +87     
- Partials      576      615      +39     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing force-pushed the oidc-xds branch 3 times, most recently from 34612dd to c606a93 Compare November 15, 2023 21:41
@zhaohuabing zhaohuabing marked this pull request as ready for review November 16, 2023 02:40
@zhaohuabing
Copy link
Member Author

/retest

1 similar comment
@zhaohuabing
Copy link
Member Author

/retest

Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
…o check the oauth2 tokens

Signed-off-by: huabing zhao <[email protected]>
… have non-native per-route support

Signed-off-by: huabing zhao <[email protected]>
@zhaohuabing
Copy link
Member Author

/retest

initialStreamWindowSize: 65536
maxConcurrentStreams: 100
httpFilters:
- name: envoy.filters.http.oauth2_first-route
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need to do anything here that disables processing these at the listener level ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

// patchRouteCfgWithPerRouteConfig appends per-route filter configurations to the
// route config.
// This is a generic way to add per-route filter configurations for all filters
// that has none-native per-route configuration support.
// - For the filter type that without native per-route configuration support, EG
// adds a filter for each route in the HCM filter chain.
// - patchRouteCfgWithPerRouteConfig disables all the filters in the
// typedFilterConfig of the route config.
// - PatchRouteWithPerRouteConfig enables the corresponding oauth2 filter for each
// route in the typedFilterConfig of the route.
//
// The filter types that have non-native per-route support: oauth2, basic authn
// Note: The filter types that have native per-route configuration support should
// use their own native per-route configuration.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

its not clear from the docs https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager

http_filters
(repeated [extensions.filters.network.http_connection_manager.v3.HttpFilter](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter)) A list of individual HTTP filters that make up the filter chain for requests made to the connection manager. [Order matters](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_filters#arch-overview-http-filters-ordering) as the filters are processed sequentially as request events happen.

so although its part of http_filters, it is disabled at per route level, which is interpreted by envoy ? should we also update envoy hcm http_filters docs to explain this ?

Copy link
Member Author

@zhaohuabing zhaohuabing Nov 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so although its part of http_filters, it is disabled at per route level, which is interpreted by envoy ? should we also update envoy hcm http_filters docs to explain this ?

They're disabled in the filter chain and only enabled at the route level by an explicit configuration in that route's typedFilterConfig.

This generic per-route filter config feature is quite new. The Envoy docs actually don't mention it yet.

A workable example can be found here: https://github.com/zhaohuabing/playground/blob/main/envoy/per-route-oauth2-oidc/envoy.yaml

Related Envoy PR: envoyproxy/envoy#30141

@@ -132,7 +132,7 @@ func processClusterForTracing(tCtx *types.ResourceVersionTable, tracing *ir.Trac
name: clusterName,
settings: []*ir.DestinationSetting{ds},
tSocket: nil,
endpointType: DefaultEndpointType,
endpointType: EndpointTypeDNS,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this always DNS ?

Copy link
Member Author

@zhaohuabing zhaohuabing Nov 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous default one was actually DNS, but the name was unclear, so I changed the name.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @zirain who may have more context

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, it's more clear now.

Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !

@arkodg arkodg requested review from a team and removed request for a team November 17, 2023 16:18
@arkodg arkodg requested review from kflynn, tmsnan and tanujd11 November 17, 2023 16:18
@zirain zirain merged commit 524f7e3 into envoyproxy:main Nov 17, 2023
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants