Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can not disable Global External Authorization by default using authPolicy.disabled #6617

Open
SamMHD opened this issue Aug 18, 2024 · 4 comments · May be fixed by #6661
Open

Can not disable Global External Authorization by default using authPolicy.disabled #6617

SamMHD opened this issue Aug 18, 2024 · 4 comments · May be fixed by #6661
Assignees
@SamMHD
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@SamMHD
Copy link
Contributor

SamMHD commented Aug 18, 2024

What steps did you take and what happened:
We have been trying to setup GlobalExtAuth in our Contour deployment and we wanted to disabled it on all routes by default and ask our clients to enable it if they need to use it on their HTTPProxies.

But, when we configured globalExtAuth and set globalExtAuth.authPolicy.disabled to true the External Authorization is still applied to all HTTPProxies even though they didn't asked for it.

What did you expect to happen:
We expected (according to contour GlobalAuthorizationPolicy API Specification) that when we set globalExtAuth.authPolicy.disabled to true the external authorization is not applied to any routes unless it is specifically configured to be used by either virtualhost.authorization.authPolicy.disabled or route.authPolicy.disabled.

Environment:

  • Contour version: 1.29
  • Kubernetes version: (use kubectl version): 1.27

How to replicate this:
Use the following configs:

in ContourConfiguration:

apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
metadata:
  ...
  name: contour-config
  namespace: contour
spec:
  ...
  globalExtAuth:
    authPolicy:
      disabled: true
    extensionRef:
      name: cerberus-auth
      namespace: cerberus-operator-system
    failOpen: false
    responseTimeout: 1s
  ...

in sample HTTPProxy:

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: test-proxy
spec:
  routes:
  - conditions:
    - exact: /
    permitInsecure: true
    services:
    - name: echo
      port: 80
      weight: 100
  virtualhost:
    fqdn: test-route.example.com
    tls:
      minimumProtocolVersion: "1.2"
      secretName: <certificate-secret>

then if you call test-route.example.com envoy will try to authorize using the authorization service specified in ContourConfiguration
@SamMHD SamMHD added kind/bug Categorizes issue or PR as related to a bug. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Aug 18, 2024
@SamMHD
Copy link
Contributor Author

SamMHD commented Aug 18, 2024

@sunjayBhatia Can I have your comment on this please?

@SamMHD
Copy link
Contributor Author

SamMHD commented Aug 28, 2024

if you think we should fix it let us know so we start the merge request. @skriss @sunjayBhatia @stevesloka @tsaarni

@SamMHD SamMHD mentioned this issue Sep 8, 2024
Closed
SamMHD added a commit to SamMHD/contour that referenced this issue Sep 8, 2024
@SamMHD
fix projectcontour#6617 and projectcontour#6659
b0d8e7a 
Changes:
- use dagRoute's AuthContext and AuthDisabled in HTTPS-Upgrade to fix 6659
- Use globalExtAuth.AuthPolicy.Disabled to calculate dagRoute.AuthDisabled
- Fix Tests

Signed-off-by: Saman Mahdanian <[email protected]>
@SamMHD SamMHD linked a pull request Sep 8, 2024 that will close this issue
Open
@github-actions GitHub Actions
Copy link

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 28, 2024
@tsaarni tsaarni removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Oct 28, 2024
@SamMHD
Copy link
Contributor Author

SamMHD commented Oct 29, 2024

thank you @tsaarni for the labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SamMHD SamMHD

Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix #6617 and #6659 SamMHD/contour
Fix GlobalExtAuth.AuthPolicy.Disabled SamMHD/contour
2 participants
@tsaarni @SamMHD