contour: adds global auth support to fallback certificates \n When us…

…ing Fallback certificates, the global auth was previously ignored. This is needed when using IP routing with no SNI. \n Fixes projectcontour#6512 \n Signed-off-by: Erik Flores [email protected]
erikflores7 · Jul 16, 2024 · b827942 · b827942
1 parent 260151f
commit b827942
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/internal/xdscache/v3/listener.go b/internal/xdscache/v3/listener.go
@@ -543,8 +543,14 @@ func (c *ListenerCache) OnChange(root *dag.DAG) {
 					alpnProtos...,
 				)
 
+				var authzFilter *envoy_filter_network_http_connection_manager_v3.HttpFilter
+				if vh.ExternalAuthorization != nil {
+					authzFilter = envoy_v3.FilterExternalAuthz(vh.ExternalAuthorization)
+				}
+
 				cm := envoy_v3.HTTPConnectionManagerBuilder().
 					DefaultFilters().
+					AddFilter(authzFilter).
 					RouteConfigName(fallbackCertRouteConfigName(listener)).
 					MetricsPrefix(listener.Name).
 					AccessLoggers(cfg.newSecureAccessLog()).