Skip to content

Commit

Permalink
use BackendObjectReference to represent the ext auth service (envoypr…
Browse files Browse the repository at this point in the history 
…oxy#2553)

* use BackendObjectReference to represent the ext auth service

Signed-off-by: huabing zhao <[email protected]>

* remove type

Signed-off-by: huabing zhao <[email protected]>

* fix gen

Signed-off-by: huabing zhao <[email protected]>

* fix gen

Signed-off-by: huabing zhao <[email protected]>

* fix test

Signed-off-by: huabing zhao <[email protected]>

---------

Signed-off-by: huabing zhao <[email protected]>
  • Loading branch information
@zhaohuabing
zhaohuabing authored Feb 2, 2024
1 parent 1754679 commit ca4657c
Show file tree
Hide file tree
Showing 5 changed files with 173 additions and 176 deletions.
66 changes: 15 additions & 51 deletions api/v1alpha1/ext_auth_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,39 +6,22 @@
package v1alpha1

import (
gwapiv1a2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
)

// ExtAuthServiceType specifies the types of External Authorization.
// +kubebuilder:validation:Enum=GRPC;HTTP
type ExtAuthServiceType string

const (
// GRPC external authorization service.
GRPCExtAuthServiceType ExtAuthServiceType = "GRPC"

// HTTP external authorization service.
HTTPExtAuthServiceType ExtAuthServiceType = "HTTP"
)

// +kubebuilder:validation:XValidation:message="http must be specified if type is HTTP",rule="self.type == 'HTTP' ? has(self.http) : true"
// +kubebuilder:validation:XValidation:message="grpc must be specified if type is GRPC",rule="self.type == 'GRPC' ? has(self.grpc) : true"
// +kubebuilder:validation:XValidation:message="only one of grpc or http can be specified",rule="!(has(self.grpc) && has(self.http))"
// +kubebuilder:validation:XValidation:message="one of grpc or http must be specified",rule="(has(self.grpc) || has(self.http))"
// +kubebuilder:validation:XValidation:message="only one of grpc or http can be specified",rule="(has(self.grpc) && !has(self.http)) || (!has(self.grpc) && has(self.http))"
//
// ExtAuth defines the configuration for External Authorization.
type ExtAuth struct {
// Type decides the type of External Authorization.
// Valid ExtAuthServiceType values are "GRPC" or "HTTP".
// +kubebuilder:validation:Enum=GRPC;HTTP
// +unionDiscriminator
Type ExtAuthServiceType `json:"type"`

// GRPC defines the gRPC External Authorization service.
// Only one of GRPCService or HTTPService may be specified.
// Either GRPCService or HTTPService must be specified,
// and only one of them can be provided.
GRPC *GRPCExtAuthService `json:"grpc,omitempty"`

// HTTP defines the HTTP External Authorization service.
// Only one of GRPCService or HTTPService may be specified.
// Either GRPCService or HTTPService must be specified,
// and only one of them can be provided.
HTTP *HTTPExtAuthService `json:"http,omitempty"`

// HeadersToExtAuth defines the client request headers that will be included
Expand All @@ -59,39 +42,24 @@ type ExtAuth struct {
// The authorization request message is defined in
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
type GRPCExtAuthService struct {
// Host is the hostname of the gRPC External Authorization service.
Host gwapiv1a2.PreciseHostname `json:"host"`

// Port is the network port of the gRPC External Authorization service.
Port gwapiv1a2.PortNumber `json:"port"`

// TLS defines the TLS configuration for the gRPC External Authorization service.
// Note: If not specified, the proxy will talk to the gRPC External Authorization
// service in plaintext.
// +optional
TLS *TLSConfig `json:"tls,omitempty"`
// BackendObjectReference references a Kubernetes object that represents the
// backend server to which the authorization request will be sent.
// Only service Kind is supported for now.
gwapiv1.BackendObjectReference `json:",inline"`
}

// HTTPExtAuthService defines the HTTP External Authorization service
type HTTPExtAuthService struct {
// Host is the hostname of the HTTP External Authorization service.
Host gwapiv1a2.PreciseHostname `json:"host"`

// Port is the network port of the HTTP External Authorization service.
// If port is not specified, 80 for http and 443 for https are assumed.
Port *gwapiv1a2.PortNumber `json:"port,omitempty"`
// BackendObjectReference references a Kubernetes object that represents the
// backend server to which the authorization request will be sent.
// Only service Kind is supported for now.
gwapiv1.BackendObjectReference `json:",inline"`

// Path is the path of the HTTP External Authorization service.
// If path is specified, the authorization request will be sent to that path,
// or else the authorization request will be sent to the root path.
Path *string `json:"path,omitempty"`

// TLS defines the TLS configuration for the HTTP External Authorization service.
// Note: If not specified, the proxy will talk to the HTTP External Authorization
// service in plaintext.
// +optional
TLS *TLSConfig `json:"tls,omitempty"`

// HeadersToBackend are the authorization response headers that will be added
// to the original client request before sending it to the backend server.
// Note that coexisting headers will be overridden.
Expand All @@ -100,7 +68,3 @@ type HTTPExtAuthService struct {
// +optional
HeadersToBackend []string `json:"headersToBackend,omitempty"`
}

// TLSConfig describes a TLS configuration.
type TLSConfig struct {
}
32 changes: 2 additions & 30 deletions api/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

154 changes: 106 additions & 48 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -154,32 +154,68 @@ spec:
properties:
grpc:
description: GRPC defines the gRPC External Authorization service.
Only one of GRPCService or HTTPService may be specified.
Either GRPCService or HTTPService must be specified, and only
one of them can be provided.
properties:
host:
description: Host is the hostname of the gRPC External Authorization
service.
group:
default: ""
description: Group is the group of the referent. For example,
"gateway.networking.k8s.io". When unspecified or empty string,
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Service
description: "Kind is the Kubernetes resource kind of the
referent. For example \"Service\". \n Defaults to \"Service\"
when not specified. \n ExternalName services can refer to
CNAME DNS records that may live outside of the cluster and
as such are difficult to reason about in terms of conformance.
They also may not be safe to forward to (see CVE-2021-25740
for more information). Implementations SHOULD NOT support
ExternalName Services. \n Support: Core (Services with a
type other than ExternalName) \n Support: Implementation-specific
(Services with type ExternalName)"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace
to allow that namespace's owner to accept the reference.
See the ReferenceGrant documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
port:
description: Port is the network port of the gRPC External
Authorization service.
description: Port specifies the destination port number to
use for this resource. Port is required when the referent
is a Kubernetes Service. In this case, the port number is
the service port number, not the target port. For other
resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
tls:
description: 'TLS defines the TLS configuration for the gRPC
External Authorization service. Note: If not specified,
the proxy will talk to the gRPC External Authorization service
in plaintext.'
type: object
required:
- host
- port
- name
type: object
x-kubernetes-validations:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'') ?
has(self.port) : true'
headersToExtAuth:
description: 'HeadersToExtAuth defines the client request headers
that will be included in the request to the external authorization
Expand All @@ -198,8 +234,17 @@ spec:
type: array
http:
description: HTTP defines the HTTP External Authorization service.
Only one of GRPCService or HTTPService may be specified.
Either GRPCService or HTTPService must be specified, and only
one of them can be provided.
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"gateway.networking.k8s.io". When unspecified or empty string,
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
headersToBackend:
description: HeadersToBackend are the authorization response
headers that will be added to the original client request
Expand All @@ -209,12 +254,38 @@ spec:
items:
type: string
type: array
host:
description: Host is the hostname of the HTTP External Authorization
service.
kind:
default: Service
description: "Kind is the Kubernetes resource kind of the
referent. For example \"Service\". \n Defaults to \"Service\"
when not specified. \n ExternalName services can refer to
CNAME DNS records that may live outside of the cluster and
as such are difficult to reason about in terms of conformance.
They also may not be safe to forward to (see CVE-2021-25740
for more information). Implementations SHOULD NOT support
ExternalName Services. \n Support: Core (Services with a
type other than ExternalName) \n Support: Implementation-specific
(Services with type ExternalName)"
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
namespace:
description: "Namespace is the namespace of the backend. When
unspecified, the local namespace is inferred. \n Note that
when a namespace different than the local namespace is specified,
a ReferenceGrant object is required in the referent namespace
to allow that namespace's owner to accept the reference.
See the ReferenceGrant documentation for details. \n Support:
Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
path:
description: Path is the path of the HTTP External Authorization
Expand All @@ -223,43 +294,30 @@ spec:
will be sent to the root path.
type: string
port:
description: Port is the network port of the HTTP External
Authorization service. If port is not specified, 80 for
http and 443 for https are assumed.
description: Port specifies the destination port number to
use for this resource. Port is required when the referent
is a Kubernetes Service. In this case, the port number is
the service port number, not the target port. For other
resources, destination port might be derived from the referent
resource or this field.
format: int32
maximum: 65535
minimum: 1
type: integer
tls:
description: 'TLS defines the TLS configuration for the HTTP
External Authorization service. Note: If not specified,
the proxy will talk to the HTTP External Authorization service
in plaintext.'
type: object
required:
- host
- name
type: object
type:
allOf:
- enum:
- GRPC
- HTTP
- enum:
- GRPC
- HTTP
description: Type decides the type of External Authorization.
Valid ExtAuthServiceType values are "GRPC" or "HTTP".
type: string
required:
- type
x-kubernetes-validations:
- message: Must have port for Service reference
rule: '(size(self.group) == 0 && self.kind == ''Service'') ?
has(self.port) : true'
type: object
x-kubernetes-validations:
- message: http must be specified if type is HTTP
rule: 'self.type == ''HTTP'' ? has(self.http) : true'
- message: grpc must be specified if type is GRPC
rule: 'self.type == ''GRPC'' ? has(self.grpc) : true'
- message: one of grpc or http must be specified
rule: (has(self.grpc) || has(self.http))
- message: only one of grpc or http can be specified
rule: '!(has(self.grpc) && has(self.http))'
rule: (has(self.grpc) && !has(self.http)) || (!has(self.grpc) &&
has(self.http))
jwt:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
Expand Down
Loading

0 comments on commit ca4657c

Please sign in to comment.