
api: support for external authz #2435

Merged 35 commits on Jan 30, 2024
Changes from 29 commits

35 commits
f9857e2
API for external auth
zhaohuabing Jan 12, 2024
4954d41
address comments
zhaohuabing Jan 16, 2024
869866e
kube gen
zhaohuabing Jan 16, 2024
dd86ea8
Update api/v1alpha1/ext_auth_types.go
zhaohuabing Jan 17, 2024
847ba38
address comments
zhaohuabing Jan 17, 2024
f73986f
merge main
zhaohuabing Jan 17, 2024
c70b262
add validation
zhaohuabing Jan 17, 2024
de62d99
test for validation
zhaohuabing Jan 17, 2024
d010fbd
fix test
zhaohuabing Jan 17, 2024
8d531de
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 17, 2024
916f09f
fix test
zhaohuabing Jan 17, 2024
8995519
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 18, 2024
271f050
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 22, 2024
1123f10
rename AllowedHeaders to AllowedClientHeaders
zhaohuabing Jan 23, 2024
a1217d2
fix lint
zhaohuabing Jan 23, 2024
86637f1
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 23, 2024
3532abc
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 24, 2024
15a34de
address comments
zhaohuabing Jan 24, 2024
b74bd4a
use host and port instead of URL to represent HTTP ExtAuth service
zhaohuabing Jan 26, 2024
d653479
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 26, 2024
017da1f
fix test
zhaohuabing Jan 26, 2024
e3f50a4
address comments
zhaohuabing Jan 26, 2024
b6039b4
address comments
zhaohuabing Jan 26, 2024
42372f5
fix test
zhaohuabing Jan 26, 2024
b4e37b5
fix test
zhaohuabing Jan 26, 2024
36da3b4
fix test
zhaohuabing Jan 26, 2024
db09774
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 27, 2024
aa6ae0d
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 27, 2024
b5d7301
fix check
zhaohuabing Jan 27, 2024
cdab2e7
add CACert
zhaohuabing Jan 29, 2024
b310129
add CACert
zhaohuabing Jan 29, 2024
0510fe5
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 30, 2024
d6cbffa
Merge branch 'main' into ext_auth_api
zhaohuabing Jan 30, 2024
212895f
clean TLSConfig
zhaohuabing Jan 30, 2024
eb7997f
fix gen
zhaohuabing Jan 30, 2024
115 changes: 115 additions & 0 deletions api/v1alpha1/ext_auth_types.go
@@ -0,0 +1,115 @@
// Copyright Envoy Gateway Authors
// SPDX-License-Identifier: Apache-2.0
// The full text of the Apache license is available in the LICENSE file at
// the root of the repo.

package v1alpha1

import (
gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
)

// ExtAuthServiceType specifies the types of External Authorization.
// +kubebuilder:validation:Enum=GRPC;HTTP
type ExtAuthServiceType string

const (
// GRPC external authorization service.
GRPCExtAuthServiceType ExtAuthServiceType = "GRPC"

// HTTP external authorization service.
HTTPExtAuthServiceType ExtAuthServiceType = "HTTP"
)

// +kubebuilder:validation:XValidation:message="http must be specified if type is HTTP",rule="self.type == 'HTTP' ? has(self.http) : true"
// +kubebuilder:validation:XValidation:message="grpc must be specified if type is GRPC",rule="self.type == 'GRPC' ? has(self.grpc) : true"
// +kubebuilder:validation:XValidation:message="only one of grpc or http can be specified",rule="!(has(self.grpc) && has(self.http))"
//
// ExtAuth defines the configuration for External Authorization.
type ExtAuth struct {
// Type decides the type of External Authorization.
// Valid ExtAuthServiceType values are "GRPC" or "HTTP".
// +kubebuilder:validation:Enum=GRPC;HTTP
// +unionDiscriminator
Type ExtAuthServiceType `json:"type"`

// GRPC defines the gRPC External Authorization service.
// Only one of GRPCService or HTTPService may be specified.
GRPC *GRPCExtAuthService `json:"grpc,omitempty"`

// HTTP defines the HTTP External Authorization service.
// Only one of GRPCService or HTTPService may be specified.
HTTP *HTTPExtAuthService `json:"http,omitempty"`

// HeadersToExtAuth defines the client request headers that will be included
// in the request to the external authorization service.
// Note: If not specified, the default behavior for gRPC and HTTP external
// authorization services is different due to backward compatibility reasons.
// All headers will be included in the check request to a gRPC authorization server.
// Only the following headers will be included in the check request to an HTTP
// authorization server: Host, Method, Path, Content-Length, and Authorization.
// And these headers will always be included to the check request to an HTTP
// authorization server by default, no matter whether they are specified
// in HeadersToExtAuth or not.
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
}

// GRPCExtAuthService defines the gRPC External Authorization service
// The authorization request message is defined in
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
type GRPCExtAuthService struct {
// Host is the hostname of the gRPC External Authorization service.
Host gwapiv1a2.Hostname `json:"host"`

// Port is the network port of the gRPC External Authorization service.
Port gwapiv1a2.PortNumber `json:"port"`

// TLS defines the TLS configuration for the gRPC External Authorization service.
// Note: If not specified, the proxy will talk to the gRPC External Authorization
// service in plaintext.
// +optional
TLS *TLSConfig `json:"tls,omitempty"`
}

// HTTPExtAuthService defines the HTTP External Authorization service
type HTTPExtAuthService struct {
// Host is the hostname of the HTTP External Authorization service.
Host gwapiv1a2.Hostname `json:"host"`

// Port is the network port of the HTTP External Authorization service.
// If port is not specified, 80 for http and 443 for https are assumed.
Port *gwapiv1a2.PortNumber `json:"port,omitempty"`

// Path is the path of the HTTP External Authorization service.
// If path is specified, the authorization request will be sent to that path,
// or else the authorization request will be sent to the root path.
Path *string `json:"path,omitempty"`

// TLS defines the TLS configuration for the HTTP External Authorization service.
// Note: If not specified, the proxy will talk to the HTTP External Authorization
// service in plaintext.
// +optional
TLS *TLSConfig `json:"tls,omitempty"`

// HeadersToBackend are the authorization response headers that will be added
// to the original client request before sending it to the backend server.
// Note that coexisting headers will be overridden.
// If not specified, no authorization response headers will be added to the
// original client request.
// +optional
HeadersToBackend []string `json:"headersToBackend,omitempty"`
Contributor

Documentation note: there are some headers that end up always needing to be included, whether they're in HeadersToBackend or not. We should document those.

Member Author
@zhaohuabing zhaohuabing Jan 26, 2024

@kflynn I haven't found these default headers in the Envoy Config: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-authorizationresponse

I guess you are referring to allowed_client_headers? Do you think we should add a HeadersToClient now, or later when we get requirements from end users?

}

// TLSConfig describes a TLS configuration.
type TLSConfig struct {
// CertificateRefs contains a series of references to Kubernetes objects that
// contains TLS certificates and private keys. These certificates are used to
// establish a TLS handshake with the external authorization server.
//
// If this field is not specified, the proxy will not present a client certificate
// and will use the system default certificate pool to verify the server certificate.
// +optional
// +kubebuilder:validation:MaxItems=64
CertificateRefs []gwapiv1a2.SecretObjectReference `json:"certificateRefs,omitempty"`
}
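Review bot: the doc comments on the GRPC and HTTP fields still say "Only one of GRPCService or HTTPService may be specified", but the fields are named GRPC and HTTP; update both comments to match the field names (the CEL rule "only one of grpc or http can be specified" already enforces the constraint). Two smaller points in the same hunk: HTTPExtAuthService.Port and Path are pointer fields with omitempty but carry no `// +optional` marker, unlike TLS and HeadersToExtAuth in the same structs, and the Port comment "80 for http and 443 for https are assumed" should say what selects the scheme, since the struct has no scheme field; presumably "80 when tls is not set, 443 when tls is set". Finally, TLSConfig only carries CertificateRefs, and its comment describes server verification only for the case where the field is absent; state which trust anchors verify the server certificate when certificateRefs is set, so users know whether the system pool is still used.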
5 changes: 5 additions & 0 deletions api/v1alpha1/securitypolicy_types.go
Expand Up @@ -66,6 +66,11 @@ type SecurityPolicySpec struct {
//
// +optional
OIDC *OIDC `json:"oidc,omitempty"`

// ExtAuth defines the configuration for External Authorization.
//
// +optional
ExtAuth *ExtAuth `json:"extAuth,omitempty"`
}

// SecurityPolicyStatus defines the state of SecurityPolicy
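Review bot: the ExtAuth field comment says only that it configures External Authorization; since it sits directly below OIDC in the same SecurityPolicySpec, document whether extAuth may be combined with oidc (and the other fields of this spec) in one policy and, if so, in which order the checks run, or add an XValidation rule if they are mutually exclusive. Without that, a user cannot tell whether a request that passes OIDC is still sent to the external authorization service.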
112 changes: 112 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
