feat: add body to ext auth #4671

Merged
merged 17 commits into from
Dec 5, 2024
24 changes: 24 additions & 0 deletions api/v1alpha1/ext_auth_types.go
Expand Up @@ -33,6 +33,10 @@ type ExtAuth struct {
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`

// BodyToExtAuth defines the Body to Ext Auth configuration.
// +optional
BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`

// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
// If FailOpen is set to true, the system allows the traffic to pass through.
// Otherwise, if it is set to false or not set (defaulting to false),
Expand Down Expand Up @@ -85,3 +89,23 @@ type HTTPExtAuthService struct {
// +optional
HeadersToBackend []string `json:"headersToBackend,omitempty"`
}

// BodyToExtAuth defines the Body to Ext Auth configuration
type BodyToExtAuth struct {
// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
// reaches the number set in this field.
// Note that this setting will have precedence over failureModeAllow.
MaxRequestBytes uint32 `json:"maxRequestBytes"`

// When AllowPartialMessage is true, Envoy will buffer the message until MaxRequestBytes is reached.
// The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
AllowPartialMessage bool `json:"allowPartialMessage"`

// If PackAsBytes is true, the body sent to the external authorization service is set with raw bytes,
// it sets the raw_body field of HTTP request attribute context. Otherwise, body will be
// filled with UTF-8 string request body.
// This field only affects configurations using a grpcService. In configurations that use
// an httpService, this has no effect.
PackAsBytes bool `json:"packAsBytes"`
}
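Review bot: `MaxRequestBytes uint32 `json:"maxRequestBytes"`` carries no validation marker, so an empty `bodyToExtAuth: {}` (the shape this PR's own test data uses) is accepted by the CRD and reaches the translator as 0; Envoy's buffer setting is, as far as I recall, validated as strictly greater than zero, so the field needs either `// +kubebuilder:validation:Minimum=1` or a documented default, and an explicit `+kubebuilder:validation:Maximum` is worth considering because every matching request is buffered in proxy memory up to this size. AllowPartialMessage also deserves a security caveat in its doc comment, since with it enabled the authorizer only ever sees the first MaxRequestBytes of the body and a client can push the content it wants hidden past that limit: `// Enabling this means the authorization service may decide on a truncated body; content beyond MaxRequestBytes is never seen by the authorizer.`. The sentence `Note that this setting will have precedence over failureModeAllow.` uses the Envoy proto name; in this API the switch is the FailOpen field declared in the hunk above, so `// Note that this setting takes precedence over FailOpen: an over-limit body is rejected with 413 even when FailOpen is true.` reads correctly here (the "even when" part paraphrases the Envoy text and should be confirmed). The ExtAuth struct in the first hunk starts and ends outside the shown lines.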
20 changes: 20 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


9 changes: 9 additions & 0 deletions internal/gatewayapi/securitypolicy.go
Expand Up @@ -933,6 +933,15 @@ func (t *Translator) buildExtAuth(
Authority: authority,
}
}

if policy.Spec.ExtAuth.BodyToExtAuth != nil {
extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
AllowPartialMessage: policy.Spec.ExtAuth.BodyToExtAuth.AllowPartialMessage,
PackAsBytes: policy.Spec.ExtAuth.BodyToExtAuth.PackAsBytes,
}
}

return extAuth, nil
}

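Review bot: The new branch copies `MaxRequestBytes` straight into `ir.BodyToExtAuth` without checking it, so a policy with `bodyToExtAuth: {}` (the shape this PR's test data uses) yields an IR entry with a zero buffer size; unless a default is applied further down in the xDS translation (not visible here), a zero value is likely to be rejected by Envoy's config validation and surface as a NACKed config rather than a policy status error. Since this function already returns an error, validating here keeps the failure attributable to the policy, e.g. `if policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes == 0 { return nil, fmt.Errorf("bodyToExtAuth.maxRequestBytes must be greater than zero") }`, assuming `fmt` is already imported in this file. buildExtAuth starts outside the hunk.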
@@ -0,0 +1,111 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: default
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- www.foo.com
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: /foo1
backendRefs:
- name: service-1
port: 8080
- matches:
- path:
value: /foo2
backendRefs:
- name: service-2
port: 8080
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-2
spec:
hostnames:
- www.bar.com
parentRefs:
- namespace: default
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: /bar
backendRefs:
- name: service-3
port: 8080
backends:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
name: backend-fqdn
namespace: default
spec:
endpoints:
- fqdn:
hostname: 'primary.foo.com'
port: 3000
referenceGrants:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: ReferenceGrant
metadata:
namespace: envoy-gateway
name: referencegrant-1
spec:
from:
- group: gateway.envoyproxy.io
kind: SecurityPolicy
namespace: default
to:
- group: ""
kind: Service
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-http-route-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
extAuth:
failOpen: true
headersToExtAuth:
- header1
- header2
bodyToExtAuth: {}
grpc:
backendRefs:
- name: service-2
kind: Service
port: 8080
- name: backend-fqdn
kind: Backend
group: gateway.envoyproxy.io
port: 3000
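Review bot: This fixture only exercises the empty form `bodyToExtAuth: {}`, so none of the three new fields is ever set to a non-zero value in the translation test and a regression that dropped or mis-mapped `allowPartialMessage` or `packAsBytes` would not be caught. A second policy (or a second fixture) with `bodyToExtAuth: {maxRequestBytes: 8192, allowPartialMessage: true, packAsBytes: true}` against the existing `grpc` service would cover each field, and since `packAsBytes` is documented as a no-op for `http` services, an `http` variant would make that distinction visible in the expected output. The file path for this section is not shown on the page.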