
api: support for external authz #2435

Merged (35 commits) Jan 30, 2024

Conversation

zhaohuabing (Member)

External authorization API.

Related: #1059

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 12, 2024 03:36

codecov bot commented Jan 12, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (236cba5) 64.63% compared to head (eb7997f) 64.63%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2435   +/-   ##
=======================================
  Coverage   64.63%   64.63%           
=======================================
  Files         116      116           
  Lines       17797    17797           
=======================================
  Hits        11503    11503           
  Misses       5558     5558           
  Partials      736      736           


Signed-off-by: huabing zhao <[email protected]>
Review threads on api/v1alpha1/ext_auth_types.go: resolved (one marked outdated)
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
zhaohuabing and others added 3 commits January 17, 2024 08:37
Co-authored-by: Arko Dasgupta <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>
@zhaohuabing zhaohuabing requested review from kflynn and arkodg January 27, 2024 00:51
zirain (Member) previously approved these changes Jan 27, 2024

@zirain zirain left a comment


LGTM

@zirain zirain changed the title API for external auth api: support for external authz Jan 27, 2024
@zhaohuabing zhaohuabing requested a review from arkodg January 29, 2024 02:47
Signed-off-by: huabing zhao <[email protected]>
Signed-off-by: huabing zhao <[email protected]>

arkodg commented Jan 29, 2024

@zhaohuabing can you link the Envoy config that the TLS config here will be translated into for HTTP and gRPC?


zhaohuabing commented Jan 30, 2024

> @zhaohuabing can you link the Envoy config that the TLS config here will be translated into for HTTP and gRPC?

The TLSConfig should be used in the Cluster transport_socket of the gRPC/HTTP ext auth service cluster.

The CertificateRef will be used in tls_certificate_sds_secret_configs, and the CACertRef will be used in validation_context_sds_secret_config.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-commontlscontext

For gRPC service, the cluster is specified in EnvoyGrpc's cluster_name field.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/grpc_service.proto#envoy-v3-api-msg-config-core-v3-grpcservice-envoygrpc
For HTTP service, the cluster is specified in HttpUri's cluster field.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/http_uri.proto#envoy-v3-api-msg-config-core-v3-httpuri

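As an added illustration (not code from this PR, and not Envoy Gateway's actual translator output), this is the Envoy configuration shape the comment above describes: the ext_authz filter names the authz cluster via EnvoyGrpc.cluster_name (or HttpUri.cluster for the HTTP variant), and that cluster carries the TLSConfig in its transport_socket, with CertificateRef feeding tls_certificate_sds_secret_configs and CACertRef feeding validation_context_sds_secret_config. The cluster names, hostnames, ports, SDS secret names and file paths are assumptions chosen for the example.

```yaml
# Added example (constructed, not Envoy Gateway output). Assumed names:
# cluster "ext-authz", SDS secrets "ext-authz-client-cert"/"ext-authz-ca",
# and the hostnames/ports below.
static_resources:
  listeners:
  - name: ingress
    address: { socket_address: { address: 0.0.0.0, port_value: 8080 } }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              # Fail closed: if the authz service is unreachable, deny rather than allow.
              failure_mode_allow: false
              # gRPC variant: EnvoyGrpc.cluster_name selects the TLS-enabled cluster below.
              grpc_service:
                envoy_grpc:
                  cluster_name: ext-authz
                timeout: 0.25s
              # HTTP variant (mutually exclusive with grpc_service): HttpUri.cluster
              # selects the same kind of cluster.
              # http_service:
              #   server_uri:
              #     uri: https://ext-authz.example.svc:9001
              #     cluster: ext-authz
              #     timeout: 0.25s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
  clusters:
  - name: backend
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: backend.example.svc, port_value: 8080 } } }
  - name: ext-authz
    type: STRICT_DNS
    # gRPC requires HTTP/2 on the upstream connection.
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: ext-authz.example.svc, port_value: 9001 } } }
    # This is where the TLSConfig lands: the authz cluster's transport_socket.
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: ext-authz.example.svc
        common_tls_context:
          # CertificateRef -> the client certificate Envoy presents to the authz
          # server (mTLS). Envoy accepts only one certificate in a client context.
          tls_certificate_sds_secret_configs:
          - name: ext-authz-client-cert
            sds_config:
              resource_api_version: V3
              path_config_source: { path: /etc/envoy/sds/ext-authz-client-cert.yaml }
          # CACertRef -> the CA bundle used to validate the authz server's certificate.
          # Without a validation context Envoy does not verify the server, so any
          # endpoint reachable at that address could issue allow/deny decisions.
          validation_context_sds_secret_config:
            name: ext-authz-ca
            sds_config:
              resource_api_version: V3
              path_config_source: { path: /etc/envoy/sds/ext-authz-ca.yaml }
```

Two settings matter most for the security of this wiring: failure_mode_allow must stay false so an unreachable or crashed authz service fails closed, and the validation context must be present so the proxy authenticates the authz server and not merely itself. The client certificate only proves the proxy's identity to the authz service; the CA reference is what stops a spoofed authz endpoint from answering on its behalf.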

arkodg commented Jan 30, 2024

Awesome, thanks @zhaohuabing! I brought this up to raise a common question around proxy identity: do we want to support a unique key/cert for

  • ext auth
  • backend TLS

or should we reuse listener/downstream certs ?


zhaohuabing commented Jan 30, 2024

> Awesome, thanks @zhaohuabing! I brought this up to raise a common question around proxy identity: do we want to support a unique key/cert for
>
>   • ext auth
>   • backend TLS
>
> or should we reuse listener/downstream certs?

The Envoy docs say that only a single TLS certificate is supported in client contexts:

> tls_certificates
> (repeated extensions.transport_sockets.tls.v3.TlsCertificate) Only a single TLS certificate is supported in client contexts. In server contexts, multiple TLS certificates can be associated with the same context to allow both RSA and ECDSA certificates and support SNI-based selection.

https://www.envoyproxy.io/docs/envoy/v1.29.0/api-v3/extensions/transport_sockets/tls/v3/tls.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-commontlscontext

We can reuse this for JWT as well.

@zhaohuabing zhaohuabing requested review from arkodg and zirain January 30, 2024 02:57
Signed-off-by: huabing zhao <[email protected]>
arkodg (Contributor) previously approved these changes Jan 30, 2024

@arkodg arkodg left a comment


LGTM thanks !

Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing merged commit 241e838 into envoyproxy:main Jan 30, 2024
18 of 20 checks passed
Labels: area/api (API-related issues), area/policy

5 participants