Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

External Authorization #2392

Closed
wants to merge 31 commits into from
Closed

External Authorization #2392

wants to merge 31 commits into from

Conversation

zhaohuabing
Copy link
Member

This PR continues the work by @akhenakh in #2313 to add per-route external authorization support.

Related: #1059

akhenakh added 26 commits January 3, 2024 10:49
@akhenakh @zhaohuabing
enable external authorizations
41589ca
@akhenakh @zhaohuabing
gen docs and apis
6e7f60f
@akhenakh @zhaohuabing
deepcopies and helm
ce92525
@akhenakh @zhaohuabing
added missing transportAPIVersion v3
ab8cf41
@akhenakh @zhaohuabing
fix per route
fe4eecc
@akhenakh @zhaohuabing
add validation for security policy with ext authz
5b7a0ef
@akhenakh @zhaohuabing
validate the proto before using it
97cf83d
@akhenakh @zhaohuabing
explicitely set failure mode allow false
cca2c9f
@akhenakh @zhaohuabing
status on error if unavailable
4a4c163
@akhenakh @zhaohuabing
support clear gRPC ext authz
8108a61
@akhenakh @zhaohuabing
added doc
a9494d5
@akhenakh @zhaohuabing
added e2e tests
4001ad9
@akhenakh @zhaohuabing
disable ext authz using per route config if needed
c36631c
@akhenakh @zhaohuabing
using patchRouteCfgWithExtAuthzFilter to disable the routes only when…
b2f83ad 
… needed
@akhenakh @zhaohuabing
typos
c6cabf0
@akhenakh @zhaohuabing
lint
38671a9
@akhenakh @zhaohuabing
handle errors when more than one grpc uri is requested from config
6b79ab2
@akhenakh @zhaohuabing
added a test where one route where ext authz is disabled
85484e4
@akhenakh @zhaohuabing
lint yaml
73f330f
@akhenakh @zhaohuabing
test inputs
b5a3d10
@akhenakh @zhaohuabing
rebase
687b656
@akhenakh @zhaohuabing
comment
c9fc562
@akhenakh @zhaohuabing
enable back missing tests
c5efcd7
@akhenakh @zhaohuabing
tests cover TLS case
0f2b001
@akhenakh @zhaohuabing
ptr change from rebase
79c03e7
@akhenakh @zhaohuabing
fix deployment for e2e
3b72ebf
@zhaohuabing zhaohuabing requested a review from a team as a code owner January 3, 2024 03:38
@zhaohuabing zhaohuabing marked this pull request as draft January 3, 2024 03:38
@codecov Codecov
Copy link

codecov bot commented Jan 3, 2024
edited
Loading

Codecov Report

Attention: 96 lines in your changes are missing coverage. Please review.

Comparison is base (90f1905) 64.64% compared to head (fd334c1) 64.59%.
Report is 24 commits behind head on main.

❗ Current head fd334c1 differs from pull request most recent head d2fae5a. Consider uploading reports for the commit d2fae5a to get more accurate results

Files Patch % Lines
internal/xds/translator/ext_authz.go 64.08% 44 Missing and 21 partials ⚠️
internal/ir/zz_generated.deepcopy.go 0.00% 13 Missing and 1 partial ⚠️
internal/gatewayapi/securitypolicy.go 54.54% 8 Missing and 2 partials ⚠️
internal/ir/xds.go 50.00% 5 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2392      +/-   ##
==========================================
- Coverage   64.64%   64.59%   -0.05%     
==========================================
  Files         114      115       +1     
  Lines       16618    16858     +240     
==========================================
+ Hits        10742    10889     +147     
- Misses       5197     5265      +68     
- Partials      679      704      +25

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing mentioned this pull request Jan 4, 2024
Closed
@zhaohuabing
API for external auth
e8d1258 
Signed-off-by: huabing zhao <[email protected]>
zhaohuabing
zhaohuabing commented Jan 11, 2024
View reviewed changes
api/v1alpha1/ext_authz_type.go
}

// TLSConfig describes a TLS configuration.
type TLSConfig struct {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be used for other external services as well, e.g, jwt providers.

@zhaohuabing zhaohuabing requested a review from arkodg January 11, 2024 05:25
@zhaohuabing
some API change
d2fae5a 
Signed-off-by: huabing zhao <[email protected]>
zhaohuabing
zhaohuabing commented Jan 11, 2024
View reviewed changes
api/v1alpha1/ext_authz_type.go
// TLS defines the TLS configuration for the gRPC External Authorization service.
// Note: If not specified, the proxy will talk to the gRPC External
// Authorization service in plaintext.
TLS *TLSConfig `json:"tlsSettings,omitempty" yaml:"tlsSettings"`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The existence of TLS indicates that the Envoy should talk to the GRPC service with tls.

zhaohuabing
zhaohuabing commented Jan 12, 2024
View reviewed changes
api/v1alpha1/ext_authz_type.go
)

// ExtAuth defines the configuration for External Authorization.
type ExtAuth struct {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arkodg @envoyproxy/gateway-maintainers Could you please take a look at the ext auth API? I'd like to reach agreement on the API before moving forward with this

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you open an API only PR so that PR can be marked as ready and can be reviewed by others as well ? tia

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#2435 @arkodg

@zhaohuabing
Copy link
Member Author

Close this one because the commit history is a bit messy and it's hard to rebase/merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arkodg arkodg Awaiting requested review from arkodg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zhaohuabing @arkodg @akhenakh