feat: add body to ext auth (envoyproxy#4671)

* add BodyToExtAuth

Signed-off-by: Aurélien Pillevesse <[email protected]>

api/v1alpha1/ext_auth_types.go

@@ -33,6 +33,10 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
+	// BodyToExtAuth defines the Body to Ext Auth configuration.
+	// +optional
+	BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
+
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
 	// Otherwise, if it is set to false or not set (defaulting to false),
@@ -85,3 +89,14 @@ type HTTPExtAuthService struct {
 	// +optional
 	HeadersToBackend []string `json:"headersToBackend,omitempty"`
 }
+
+// BodyToExtAuth defines the Body to Ext Auth configuration
+type BodyToExtAuth struct {
+	// MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+	// Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+	// reaches the number set in this field.
+	// Note that this setting will have precedence over failOpen mode.
+	//
+	// +kubebuilder:validation:Minimum=1
+	MaxRequestBytes uint32 `json:"maxRequestBytes"`
+}

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -336,6 +336,21 @@ spec:
               extAuth:
                 description: ExtAuth defines the configuration for External Authorization.
                 properties:
+                  bodyToExtAuth:
+                    description: BodyToExtAuth defines the Body to Ext Auth configuration.
+                    properties:
+                      maxRequestBytes:
+                        description: |-
+                          MaxRequestBytes is the maximum size of a message body that the filter will hold in memory.
+                          Envoy will return HTTP 413 and will not initiate the authorization process when buffer
+                          reaches the number set in this field.
+                          Note that this setting will have precedence over failOpen mode.
+                        format: int32
+                        minimum: 1
+                        type: integer
+                    required:
+                    - maxRequestBytes
+                    type: object
                   failOpen:
                     default: false
                     description: |-

internal/gatewayapi/securitypolicy.go

@@ -933,6 +933,13 @@ func (t *Translator) buildExtAuth(
 			Authority:   authority,
 		}
 	}
+
+	if policy.Spec.ExtAuth.BodyToExtAuth != nil {
+		extAuth.BodyToExtAuth = &ir.BodyToExtAuth{
+			MaxRequestBytes: policy.Spec.ExtAuth.BodyToExtAuth.MaxRequestBytes,
+		}
+	}
+
 	return extAuth, nil
 }
 

internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml

@@ -0,0 +1,112 @@
+gateways:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: Gateway
+    metadata:
+      namespace: default
+      name: gateway-1
+    spec:
+      gatewayClassName: envoy-gateway-class
+      listeners:
+        - name: http
+          protocol: HTTP
+          port: 80
+          allowedRoutes:
+            namespaces:
+              from: All
+httpRoutes:
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-1
+    spec:
+      hostnames:
+        - www.foo.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /foo1
+          backendRefs:
+            - name: service-1
+              port: 8080
+        - matches:
+            - path:
+                value: /foo2
+          backendRefs:
+            - name: service-2
+              port: 8080
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: httproute-2
+    spec:
+      hostnames:
+        - www.bar.com
+      parentRefs:
+        - namespace: default
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                value: /bar
+          backendRefs:
+            - name: service-3
+              port: 8080
+backends:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: Backend
+    metadata:
+      name: backend-fqdn
+      namespace: default
+    spec:
+      endpoints:
+        - fqdn:
+            hostname: 'primary.foo.com'
+            port: 3000
+referenceGrants:
+  - apiVersion: gateway.networking.k8s.io/v1alpha2
+    kind: ReferenceGrant
+    metadata:
+      namespace: envoy-gateway
+      name: referencegrant-1
+    spec:
+      from:
+        - group: gateway.envoyproxy.io
+          kind: SecurityPolicy
+          namespace: default
+      to:
+        - group: ""
+          kind: Service
+securityPolicies:
+  - apiVersion: gateway.envoyproxy.io/v1alpha1
+    kind: SecurityPolicy
+    metadata:
+      namespace: default
+      name: policy-for-http-route-1
+    spec:
+      targetRef:
+        group: gateway.networking.k8s.io
+        kind: HTTPRoute
+        name: httproute-1
+      extAuth:
+        failOpen: true
+        headersToExtAuth:
+          - header1
+          - header2
+        bodyToExtAuth:
+          maxRequestBytes: 32768
+        grpc:
+          backendRefs:
+            - name: service-2
+              kind: Service
+              port: 8080
+            - name: backend-fqdn
+              kind: Backend
+              group: gateway.envoyproxy.io
+              port: 3000