contour: adds global ext auth support to fallback certificates

[erikflores7]

When using IP to connect, no SNI is sent so the Fallback certificate has to be used in these cases. But when using Fallback certificate, there is currently no support for auth. This change adds the auth filter to add support for the fallback certificate.

Fixes #6512

Signed-off-by: Erik Flores [email protected]

[github-actions]

Hi @erikflores7! Welcome to our community and thank you for opening your first Pull Request. Someone will review it soon. Thank you for committing to making Contour better. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.67%. Comparing base (260151f) to head (d819dfe).
Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6558      +/-   ##
==========================================
+ Coverage   81.64%   81.67%   +0.03%     
==========================================
  Files         133      133              
  Lines       15873    15901      +28     
==========================================
+ Hits        12959    12987      +28     
  Misses       2620     2620              
  Partials      294      294              

Files	Coverage Δ
internal/featuretests/v3/envoy.go	99.28% <100.00%> (+0.04%)	⬆️
internal/xdscache/v3/listener.go	92.12% <100.00%> (+0.10%)	⬆️

... and 2 files with indirect coverage changes

[skriss]

Thanks for the PR! Code change LGTM, just need to add a test case. You'll also need to make sure all of your commits have DCO signoff.

[skriss]

Thanks @erikflores7, LGTM!

[erikflores7]

Thank you for the quick reviews!

By the way, would you happen to know what the lift is to get this added at the HTTPProxy level? There's a comment about the different connection managers: https://github.com/projectcontour/contour/blob/main/internal/dag/httpproxy_processor.go#L280-L290

I have to look into this more, but I believe when using the Global Ext Auth that the auth check fires before an HTTP -> HTTPS redirect happens where as when setting auth at proxy level that doesn't seem to be an issue

[skriss]

By the way, would you happen to know what the lift is to get this added at the HTTPProxy level? There's a comment about the different connection managers: https://github.com/projectcontour/contour/blob/main/internal/dag/httpproxy_processor.go#L280-L290

I have to look into this more, but I believe when using the Global Ext Auth that the auth check fires before an HTTP -> HTTPS redirect happens where as when setting auth at proxy level that doesn't seem to be an issue

Just to clarify, the use case that isn't working for you is when global ExtAuthz is enabled, and you have TLS-enabled HTTPProxies, and insecure HTTP requests being made to them? Because I would expect global ext auth to already work correctly for both (a) HTTPProxies without TLS (this was what the feature was originally implemented for), and (b) HTTPProxies with TLS, and requests made over HTTPS/TLS.