From 65199ab896aa02b732c267124480f271aaaff727 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Thu, 7 Nov 2024 12:48:58 +0100 Subject: [PATCH 1/8] add BodyToExtAuth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- api/v1alpha1/ext_auth_types.go | 2 ++ internal/gatewayapi/securitypolicy.go | 1 + internal/ir/xds.go | 2 ++ internal/xds/translator/extauth.go | 7 +++++++ 4 files changed, 12 insertions(+) diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 0670ed4b676..880d61033dc 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go @@ -33,6 +33,8 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` + BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. // Otherwise, if it is set to false or not set (defaulting to false), diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 3c2d2af31ed..e2d490fa901 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -888,6 +888,7 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso extAuth := &ir.ExtAuth{ Name: irConfigName(policy), HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth, + BodyToExtAuth: policy.Spec.ExtAuth.BodyToExtAuth, FailOpen: policy.Spec.ExtAuth.FailOpen, Traffic: traffic, RecomputeRoute: policy.Spec.ExtAuth.RecomputeRoute, diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5e26af0f479..a861b45a75f 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go 
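Review bot: The added `BodyToExtAuth *string` field is typed as a string, but nothing in this commit reads its value — `extAuthConfig` in the translator hunk only checks it for nil — so whatever a user writes there is silently discarded and the field really acts as an on/off switch for body buffering. Either make it a boolean (or a small config struct that carries the buffer limit) or document what the string is meant to hold. It also lacks the `// +optional` marker and doc comment that the neighbouring `HeadersToExtAuth` carries; because this switch makes Envoy hold request bodies in memory and reject oversized ones before authorization, that is security-relevant behaviour a CRD reader needs spelled out, e.g. `// BodyToExtAuth makes Envoy buffer the request body and forward it to the external authorization service.`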
@@ -994,6 +994,8 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` + BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. // Otherwise, if it is set to false or not set (defaulting to false), diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 7d7cc6a7227..95f10933259 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -117,6 +117,13 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz { }) } + if extAuth.BodyToExtAuth != nil { + config.WithRequestBody = &extauthv3.BufferSettings{ + AllowPartialMessage: false, + PackAsBytes: false, + } + } + if len(headersToExtAuth) > 0 { config.AllowedHeaders = &matcherv3.ListStringMatcher{ Patterns: headersToExtAuth, From 574815d4a06b1161906e05b5e7195a74894535b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Thu, 7 Nov 2024 13:33:34 +0100 Subject: [PATCH 2/8] add test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- .../testdata/securitypolicy-with-extauth-backend.in.yaml | 1 + .../testdata/securitypolicy-with-extauth-backend.out.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index 78529bf6d73..c9697e4a4e7 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -99,6 +99,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 + bodyToExtAuth: '{"name": "John Doe"}' grpc: backendRefs: - name: service-2 
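Review bot: The `BufferSettings` literal spells out `AllowPartialMessage` and `PackAsBytes` but leaves `MaxRequestBytes` at zero, and as I read Envoy's ext_authz proto `max_request_bytes` carries a `gt: 0` validation rule, so this configuration would be rejected by Envoy rather than buffer anything. That limit is also the per-request memory bound for buffered bodies, so it should be chosen deliberately rather than defaulted, e.g. `MaxRequestBytes: 1024, // bodies above this are rejected with 413 before authz runs`, and ideally surfaced through the API instead of being fixed here. `extAuthConfig` starts before the hunk and continues after it.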
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index 05086bae4c8..200b7b105bb 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -179,6 +179,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 + bodyToExtAuth: '{"name": "John Doe"}' targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -262,6 +263,7 @@ xdsIR: headersToExtAuth: - header1 - header2 + bodyToExtAuth: '{"name": "John Doe"}' name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-1/rule/1 @@ -306,6 +308,7 @@ xdsIR: headersToExtAuth: - header1 - header2 + bodyToExtAuth: '{"name": "John Doe"}' name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-2/rule/0 From 9f63579547c70b30c89770865588b8dd8c4d9677 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Fri, 8 Nov 2024 08:38:04 +0100 Subject: [PATCH 3/8] change string to bool pointer variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- api/v1alpha1/ext_auth_types.go | 2 +- .../testdata/securitypolicy-with-extauth-backend.in.yaml | 2 +- .../testdata/securitypolicy-with-extauth-backend.out.yaml | 6 +++--- internal/ir/xds.go | 2 +- internal/xds/translator/extauth.go | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 880d61033dc..671d235180d 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go 
@@ -33,7 +33,7 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` - BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"` // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index c9697e4a4e7..424ce583e79 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -99,7 +99,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true grpc: backendRefs: - name: service-2 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index 200b7b105bb..f4872425e6c 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -179,7 +179,7 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -263,7 +263,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-1/rule/1 @@ -308,7 +308,7 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: '{"name": "John Doe"}' + bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-2/rule/0 
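Review bot: `BodyToExtAuth *bool` still has no doc comment and no `// +optional` marker, while the neighbouring optional fields of `ExtAuth` have both, so the generated CRD reference will show a bare, unexplained field. The comment should state the trade-off a policy author signs up for: Envoy buffers the body in memory, and (per Envoy's ext_authz buffer settings, as I recall them) a body larger than the buffer limit is answered with 413 before authorization and that rejection is not overridden by `FailOpen`. Suggested: `// BodyToExtAuth, when true, buffers the request body and sends it to the external authorization service.` / `// Requests whose body exceeds the buffer limit are rejected with HTTP 413 before authorization, even when FailOpen is true.` / `// +optional`.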
diff --git a/internal/ir/xds.go b/internal/ir/xds.go index a861b45a75f..533b1550ada 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -994,7 +994,7 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` - BodyToExtAuth *string `json:"bodyToExtAuth,omitempty"` + BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"` // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go index 95f10933259..89c95709b13 100644 --- a/internal/xds/translator/extauth.go +++ b/internal/xds/translator/extauth.go @@ -117,7 +117,7 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz { }) } - if extAuth.BodyToExtAuth != nil { + if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth { config.WithRequestBody = &extauthv3.BufferSettings{ AllowPartialMessage: false, PackAsBytes: false, From 3bd62e3390e49e9d1676992c19591f712a95b905 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Fri, 8 Nov 2024 15:56:24 +0100 Subject: [PATCH 4/8] add specific test file for new feature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- ...ecuritypolicy-with-extauth-backend.in.yaml | 1 - ...curitypolicy-with-extauth-backend.out.yaml | 3 - .../securitypolicy-with-extauth-body.in.yaml | 111 ++++++ .../securitypolicy-with-extauth-body.out.yaml | 332 ++++++++++++++++++ 4 files changed, 443 insertions(+), 4 deletions(-) create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml create mode 100644 internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml 
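Review bot: `AllowPartialMessage: false` is the right choice for an authorization decision but reads like an unexamined default; with `true` Envoy dispatches the authz request carrying a truncated body once the buffer fills, so the authorizer would rule on different bytes than the upstream receives. A why-comment keeps the next person from flipping it for convenience, e.g. `AllowPartialMessage: false, // never let the authorizer see a truncated body; it must judge what the upstream will receive`. The literal still has no `MaxRequestBytes`, which Envoy requires to be greater than zero as far as I know, so I would set it in the same edit. `extAuthConfig` extends beyond this hunk on both sides.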
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml index 424ce583e79..78529bf6d73 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.in.yaml @@ -99,7 +99,6 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: true grpc: backendRefs: - name: service-2 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml index f4872425e6c..05086bae4c8 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-backend.out.yaml @@ -179,7 +179,6 @@ securityPolicies: headersToExtAuth: - header1 - header2 - bodyToExtAuth: true targetRef: group: gateway.networking.k8s.io kind: HTTPRoute @@ -263,7 +262,6 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-1/rule/1 @@ -308,7 +306,6 @@ xdsIR: headersToExtAuth: - header1 - header2 - bodyToExtAuth: true name: securitypolicy/default/policy-for-http-route-1 - destination: name: httproute/default/httproute-2/rule/0 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml new file mode 100644 index 00000000000..424ce583e79 --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml 
@@ -0,0 +1,111 @@ +gateways: + - apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + namespace: default + name: gateway-1 + spec: + gatewayClassName: envoy-gateway-class + listeners: + - name: http + protocol: HTTP + port: 80 + allowedRoutes: + namespaces: + from: All +httpRoutes: + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-1 + spec: + hostnames: + - www.foo.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /foo1 + backendRefs: + - name: service-1 + port: 8080 + - matches: + - path: + value: /foo2 + backendRefs: + - name: service-2 + port: 8080 + - apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + namespace: default + name: httproute-2 + spec: + hostnames: + - www.bar.com + parentRefs: + - namespace: default + name: gateway-1 + sectionName: http + rules: + - matches: + - path: + value: /bar + backendRefs: + - name: service-3 + port: 8080 +backends: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: 'primary.foo.com' + port: 3000 +referenceGrants: + - apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: ReferenceGrant + metadata: + namespace: envoy-gateway + name: referencegrant-1 + spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: default + to: + - group: "" + kind: Service +securityPolicies: + - apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + namespace: default + name: policy-for-http-route-1 + spec: + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + extAuth: + failOpen: true + headersToExtAuth: + - header1 + - header2 + bodyToExtAuth: true + grpc: + backendRefs: + - name: service-2 + kind: Service + port: 8080 + - name: backend-fqdn + kind: Backend + group: 
gateway.envoyproxy.io + port: 3000 diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml new file mode 100644 index 00000000000..f4872425e6c --- /dev/null +++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml 
@@ -0,0 +1,332 @@ +backends: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: Backend + metadata: + creationTimestamp: null + name: backend-fqdn + namespace: default + spec: + endpoints: + - fqdn: + hostname: primary.foo.com + port: 3000 + status: + conditions: + - lastTransitionTime: null + message: The Backend was accepted + reason: Accepted + status: "True" + type: Accepted +gateways: +- apiVersion: gateway.networking.k8s.io/v1 + kind: Gateway + metadata: + creationTimestamp: null + name: gateway-1 + namespace: default + spec: + gatewayClassName: envoy-gateway-class + listeners: + - allowedRoutes: + namespaces: + from: All + name: http + port: 80 + protocol: HTTP + status: + listeners: + - attachedRoutes: 2 + conditions: + - lastTransitionTime: null + message: Sending translated listener configuration to the data plane + reason: Programmed + status: "True" + type: Programmed + - lastTransitionTime: null + message: Listener has been successfully translated + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Listener references have been resolved + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + name: http + supportedKinds: + - group: gateway.networking.k8s.io + kind: HTTPRoute + - group: gateway.networking.k8s.io + kind: GRPCRoute +httpRoutes: +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-1 + namespace: default + spec: + hostnames: + - www.foo.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-1 + port: 8080 + matches: + - path: + value: /foo1 + - backendRefs: + - name: service-2 + port: 8080 + matches: + - path: + value: /foo2 + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + 
reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +- apiVersion: gateway.networking.k8s.io/v1 + kind: HTTPRoute + metadata: + creationTimestamp: null + name: httproute-2 + namespace: default + spec: + hostnames: + - www.bar.com + parentRefs: + - name: gateway-1 + namespace: default + sectionName: http + rules: + - backendRefs: + - name: service-3 + port: 8080 + matches: + - path: + value: /bar + status: + parents: + - conditions: + - lastTransitionTime: null + message: Route is accepted + reason: Accepted + status: "True" + type: Accepted + - lastTransitionTime: null + message: Resolved all the Object references for the Route + reason: ResolvedRefs + status: "True" + type: ResolvedRefs + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parentRef: + name: gateway-1 + namespace: default + sectionName: http +infraIR: + default/gateway-1: + proxy: + listeners: + - address: null + name: default/gateway-1/http + ports: + - containerPort: 10080 + name: http-80 + protocol: HTTP + servicePort: 80 + metadata: + labels: + gateway.envoyproxy.io/owning-gateway-name: gateway-1 + gateway.envoyproxy.io/owning-gateway-namespace: default + name: default/gateway-1 +securityPolicies: +- apiVersion: gateway.envoyproxy.io/v1alpha1 + kind: SecurityPolicy + metadata: + creationTimestamp: null + name: policy-for-http-route-1 + namespace: default + spec: + extAuth: + failOpen: true + grpc: + backendRefs: + - kind: Service + name: service-2 + port: 8080 + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + port: 3000 + headersToExtAuth: + - header1 + - header2 + bodyToExtAuth: true + targetRef: + group: gateway.networking.k8s.io + kind: HTTPRoute + name: httproute-1 + status: + ancestors: + - ancestorRef: + group: gateway.networking.k8s.io + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + 
conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller +xdsIR: + default/gateway-1: + accessLog: + text: + - path: /dev/stdout + http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + metadata: + kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo1 + security: + extAuth: + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + bodyToExtAuth: true + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.foo.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + pathMatch: + distinct: false + name: "" + prefix: /foo2 + security: + extAuth: + failOpen: true + grpc: + authority: service-2.default:8080 + destination: + name: securitypolicy/default/policy-for-http-route-1/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: GRPC + weight: 1 + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + bodyToExtAuth: true + name: securitypolicy/default/policy-for-http-route-1 + - destination: + name: httproute/default/httproute-2/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + hostname: www.bar.com + isHTTP2: false + metadata: + kind: HTTPRoute + name: httproute-2 + namespace: default + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + pathMatch: + distinct: false + name: "" + prefix: /bar From 336be746f4abf561259ea220a9ee6524835af3f1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Tue, 12 Nov 2024 09:15:38 +0100 Subject: [PATCH 5/8] add xds translator test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- .../testdata/in/xds-ir/ext-auth-body.yaml | 124 ++++++++++++++++++ .../out/xds-ir/ext-auth-body.clusters.yaml | 115 ++++++++++++++++ .../out/xds-ir/ext-auth-body.endpoints.yaml | 36 +++++ .../out/xds-ir/ext-auth-body.listeners.yaml | 72 ++++++++++ .../out/xds-ir/ext-auth-body.routes.yaml | 44 +++++++ 5 files changed, 391 insertions(+) create mode 100644 internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml create mode 100644 internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml 
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml new file mode 100644 index 00000000000..2a86bf2da0c --- /dev/null +++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml 
@@ -0,0 +1,124 @@ +http: + - address: 0.0.0.0 + hostnames: + - '*' + isHTTP2: false + name: default/gateway-1/http + path: + escapedSlashesAction: UnescapeAndRedirect + mergeSlashes: true + port: 10080 + routes: + - name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo1 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/0 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 9000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + hostname: www.foo.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /foo2 + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-1/rule/1 + settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-http-route-1 + failOpen: false + grpc: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + settings: + - addressType: IP + endpoints: + - host: primary.foo.com + port: 3000 + protocol: GRPC + weight: 1 + headersToExtAuth: + - header1 + - header2 + - name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + hostname: www.bar.com + isHTTP2: false + pathMatch: + distinct: false + name: "" + prefix: /bar + backendWeights: + invalid: 0 + valid: 0 + destination: + name: httproute/default/httproute-2/rule/0 + 
settings: + - addressType: IP + endpoints: + - host: 7.7.7.7 + port: 8080 + protocol: HTTP + weight: 1 + security: + extAuth: + name: securitypolicy/default/policy-for-gateway-1 + failOpen: true + bodyToExtAuth: true + http: + authority: primary.foo.com + destination: + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + settings: + - addressType: FQDN + endpoints: + - host: primary.foo.com + port: 80 + protocol: HTTP + weight: 1 + headersToBackend: + - header1 + - header2 + path: /auth diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml new file mode 100644 index 00000000000..18846488a59 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.clusters.yaml 
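Review bot: Only the `policy-for-gateway-1` route, which uses the HTTP authorization service together with `failOpen: true`, sets `bodyToExtAuth: true`; the two `policy-for-http-route-1` routes with the gRPC service do not, so the golden output never shows `withRequestBody` next to a `grpcService`. Add the flag to one of the gRPC routes so both service types are covered, and keep one route that combines body buffering with `failOpen: false` so a future change to how the 413 path and fail-open interact shows up in the golden files. The second route's gRPC destination lists `addressType: IP` with the hostname `primary.foo.com`, which looks copied from another fixture and is worth tidying while here.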
@@ -0,0 +1,115 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/1 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/1 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-2/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-2/rule/0 + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 9000 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-http-route-1/default/grpc-backend/backend/0 + name: 
securitypolicy/default/policy-for-http-route-1/default/grpc-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS + typedExtensionProtocolOptions: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicitHttpConfig: + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: primary.foo.com + portValue: 80 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend/backend/0 + name: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml new file mode 100644 index 00000000000..bf9f0023789 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.endpoints.yaml 
@@ -0,0 +1,36 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 +- clusterName: httproute/default/httproute-1/rule/1 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/1/backend/0 +- clusterName: httproute/default/httproute-2/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-2/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml new file mode 100644 index 00000000000..bf11fae6dd5 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml 
@@ -0,0 +1,72 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + allowedHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + grpcService: + envoyGrpc: + authority: primary.foo.com + clusterName: securitypolicy/default/policy-for-http-route-1/default/grpc-backend + timeout: 10s + transportApiVersion: V3 + - disabled: true + name: envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1 + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + withRequestBody: + allowPartialMessage: false + packAsBytes: false + failureModeAllow: true + httpService: + authorizationResponse: + allowedUpstreamHeaders: + patterns: + - exact: header1 + ignoreCase: true + - exact: header2 + ignoreCase: true + pathPrefix: /auth + serverUri: + cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend + timeout: 10s + uri: http://primary.foo.com/auth + transportApiVersion: V3 + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + 
serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + name: default/gateway-1/http + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml new file mode 100644 index 00000000000..08edfc3c406 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.routes.yaml @@ -0,0 +1,44 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - www.foo.com + name: default/gateway-1/http/www_foo_com + routes: + - match: + pathSeparatedPrefix: /foo1 + name: httproute/default/httproute-1/rule/0/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - match: + pathSeparatedPrefix: /foo2 + name: httproute/default/httproute-1/rule/1/match/0/www_foo_com + route: + cluster: httproute/default/httproute-1/rule/1 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-http-route-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} + - domains: + - www.bar.com + name: default/gateway-1/http/www_bar_com + routes: + - match: + pathSeparatedPrefix: /bar + name: httproute/default/httproute-2/rule/0/match/0/www_bar_com + route: + cluster: httproute/default/httproute-2/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.ext_authz/securitypolicy/default/policy-for-gateway-1: + '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig + config: {} From 1b6eb873eb5a996d1c291da3d8bc89e4aaa62c61 Mon Sep 17 00:00:00 2001 
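Review bot: The expected `withRequestBody` block for `policy-for-gateway-1` carries only `allowPartialMessage: false` and `packAsBytes: false` with no `maxRequestBytes`, so the golden file pins a filter config that, as I read Envoy's proto validation (`max_request_bytes` must be greater than 0), the data plane would NACK. If the translator test does not run proto validation over the generated resources this passes CI and fails in Envoy, so either add that validation step or correct the golden once a limit is set in the translator. Note also that this same filter has `failureModeAllow: true`: body buffering introduces a 413 rejection that fail-open does not cover, which deserves a sentence in the user docs when the feature ships.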
From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?= Date: Tue, 19 Nov 2024 09:44:20 +0100 Subject: [PATCH 6/8] update bool to struct for bodyToExtAuth field MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Pillevesse --- api/v1alpha1/ext_auth_types.go | 5 ++++- internal/gatewayapi/securitypolicy.go | 6 +++++- .../testdata/securitypolicy-with-extauth-body.in.yaml | 2 +- .../testdata/securitypolicy-with-extauth-body.out.yaml | 6 +++--- internal/ir/xds.go | 6 +++++- internal/xds/translator/extauth.go | 3 ++- .../xds/translator/testdata/in/xds-ir/ext-auth-body.yaml | 2 +- .../testdata/out/xds-ir/ext-auth-body.listeners.yaml | 1 + 8 files changed, 22 insertions(+), 9 deletions(-) diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go index 671d235180d..c683656acc2 100644 --- a/api/v1alpha1/ext_auth_types.go +++ b/api/v1alpha1/ext_auth_types.go @@ -33,7 +33,7 @@ type ExtAuth struct { // +optional HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"` - BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"` + BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"` // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained. // If FailOpen is set to true, the system allows the traffic to pass through. @@ -89,3 +89,6 @@ type HTTPExtAuthService struct { // +optional HeadersToBackend []string `json:"headersToBackend,omitempty"` } + +// BodyToExtAuth defines the Body to Ext Auth configuration +type BodyToExtAuth struct{} diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index e2d490fa901..f6fdc0e4737 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go 
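Review bot: `BodyToExtAuth struct{}` has no fields, yet the translator in this same commit hardcodes the buffer limit to 1024 bytes; the one knob that matters for this feature — how much body Envoy holds per request, above which it returns 413 — is therefore not settable by the policy author. I would give the struct a `MaxRequestBytes` field with a minimum of 1 so the CRD rejects zero (which Envoy would reject anyway, as far as I know) and document the 413 behaviour and its precedence over `FailOpen`; the `+kubebuilder` marker below assumes the package already uses such markers. The field `BodyToExtAuth *BodyToExtAuth` in the hunk above is also still missing its doc comment and `// +optional`.
```go
// BodyToExtAuth configures buffering of the request body so it can be sent to the
// External Authorization service.
type BodyToExtAuth struct {
	// MaxRequestBytes is the largest request body Envoy will buffer before sending it to the
	// authorization service. A body larger than this is rejected with HTTP 413 before
	// authorization runs, even when FailOpen is true. Defaults to 1024.
	//
	// +optional
	// +kubebuilder:validation:Minimum=1
	MaxRequestBytes *uint32 `json:"maxRequestBytes,omitempty"`
}
```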
@@ -888,7 +888,6 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 extAuth := &ir.ExtAuth{
 Name: irConfigName(policy),
 HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
- BodyToExtAuth: policy.Spec.ExtAuth.BodyToExtAuth,
 FailOpen: policy.Spec.ExtAuth.FailOpen,
 Traffic: traffic,
 RecomputeRoute: policy.Spec.ExtAuth.RecomputeRoute,
@@ -907,6 +906,11 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 Authority: authority,
 }
 }
+
+ if policy.Spec.ExtAuth.BodyToExtAuth != nil {
+ extAuth.BodyToExtAuth = &ir.BodyToExtAuth{}
+ }
+
 return extAuth, nil
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
index 424ce583e79..a33f1c72964 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -99,7 +99,7 @@ securityPolicies:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 grpc:
 backendRefs:
 - name: service-2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
index f4872425e6c..03eb8fd7af5 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
@@ -179,7 +179,7 @@ securityPolicies:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 targetRef:
 group: gateway.networking.k8s.io
 kind: HTTPRoute
@@ -263,7 +263,7 @@ xdsIR:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 name: securitypolicy/default/policy-for-http-route-1
 - destination:
 name: httproute/default/httproute-1/rule/1
@@ -308,7 +308,7 @@ xdsIR:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 name: securitypolicy/default/policy-for-http-route-1
 - destination:
 name: httproute/default/httproute-2/rule/0
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 533b1550ada..73d7a3a325b 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -994,7 +994,7 @@ type ExtAuth struct {
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
- BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
+ BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 // If FailOpen is set to true, the system allows the traffic to pass through.
@@ -1012,6 +1012,10 @@ type ExtAuth struct {
 RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
 }
+// BodyToExtAuth defines the Body to Ext Auth configuration
+// +k8s:deepcopy-gen=true
+type BodyToExtAuth struct{}
+
 // HTTPExtAuthService defines the HTTP External Authorization service
 // +k8s:deepcopy-gen=true
 type HTTPExtAuthService struct {
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 89c95709b13..e8641cf2a6e 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -117,8 +117,9 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 })
 }
- if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth {
+ if extAuth.BodyToExtAuth != nil {
 config.WithRequestBody = &extauthv3.BufferSettings{
+ MaxRequestBytes: 1024,
 AllowPartialMessage: false,
 PackAsBytes: false,
 }
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
index 2a86bf2da0c..771aed13805 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
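Review bot: `MaxRequestBytes: 1024` is a hard-coded cap paired with `AllowPartialMessage: false`, and Envoy's BufferSettings documents that once the buffer limit is reached the filter answers HTTP 413 and never initiates the check, taking precedence over `failure_mode_allow` — so with `bodyToExtAuth: {}` any request whose body exceeds 1 KiB is rejected regardless of the policy's `failOpen` setting. Fail-closed is the right direction for an authorization filter, but the limit is invisible to users because `BodyToExtAuth` (added as an empty struct in the `api/v1alpha1/ext_auth_types.go` and `internal/ir/xds.go` hunks above, presumably so that fields can follow) exposes nothing. At minimum the number should be a named constant that states the consequence, e.g. `// extAuthBodyMaxBytes caps the request body buffered for the ext auth check; larger bodies get a 413 because AllowPartialMessage is false.` with `const extAuthBodyMaxBytes = 1024` and `MaxRequestBytes: extAuthBodyMaxBytes,`; better still, surface it as an optional field on `BodyToExtAuth` with 1024 as the documented default. It is also worth confirming how non-UTF-8 request bodies behave with `PackAsBytes: false`, since that mode carries the body in the string field of the check request rather than `raw_body`. extAuthConfig's body continues outside the hunk.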
@@ -106,7 +106,7 @@ http:
 extAuth:
 name: securitypolicy/default/policy-for-gateway-1
 failOpen: true
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 http:
 authority: primary.foo.com
 destination:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
index bf11fae6dd5..f3f20c57082 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
@@ -35,6 +35,7 @@
 typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
 withRequestBody:
+ maxRequestBytes: 1024
 allowPartialMessage: false
 packAsBytes: false
 failureModeAllow: true
From f73657bb26c7f2a0307b17967bcd24289ee4267a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?=
Date: Tue, 19 Nov 2024 11:01:43 +0100
Subject: [PATCH 7/8] generate documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Pillevesse
---
 api/v1alpha1/ext_auth_types.go | 2 ++
 api/v1alpha1/zz_generated.deepcopy.go | 20 +++++++++++++++++++
 internal/ir/xds.go | 2 ++
 internal/ir/zz_generated.deepcopy.go | 20 +++++++++++++++++++
 site/content/en/latest/api/extension_types.md | 12 +++++++++++
 site/content/zh/latest/api/extension_types.md | 12 +++++++++++
 6 files changed, 68 insertions(+)
diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
index c683656acc2..c086b0072c5 100644
--- a/api/v1alpha1/ext_auth_types.go
+++ b/api/v1alpha1/ext_auth_types.go
@@ -33,6 +33,8 @@ type ExtAuth struct {
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
+ // BodyToExtAuth defines the Body to Ext Auth configuration.
+ // +optional
 BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 321a143df9c..89e1b154a4a 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -595,6 +595,21 @@ func (in *BasicAuth) DeepCopy() *BasicAuth {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BodyToExtAuth) DeepCopyInto(out *BodyToExtAuth) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BodyToExtAuth.
+func (in *BodyToExtAuth) DeepCopy() *BodyToExtAuth {
+ if in == nil {
+ return nil
+ }
+ out := new(BodyToExtAuth)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CORS) DeepCopyInto(out *CORS) {
 *out = *in
@@ -2115,6 +2130,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.BodyToExtAuth != nil {
+ in, out := &in.BodyToExtAuth, &out.BodyToExtAuth
+ *out = new(BodyToExtAuth)
+ **out = **in
+ }
 if in.FailOpen != nil {
 in, out := &in.FailOpen, &out.FailOpen
 *out = new(bool)
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 73d7a3a325b..5ed3577d24f 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
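Review bot: The new doc comment `// BodyToExtAuth defines the Body to Ext Auth configuration.` restates the field name and tells a policy author nothing about the effect of setting it; the same wording is used in the `internal/ir/xds.go` hunk below and is what the generated API reference in this series shows. Since this is the user-facing CRD field, it should say what enabling it does: the client request body is buffered and included in the check request to the external authorization service, the buffered size is capped (the translator in this series sets 1024 bytes), and because partial messages are not allowed a request with a larger body is rejected rather than forwarded to the service, independent of `failOpen`. Something like `// BodyToExtAuth, when set, buffers the client request body and includes it in the check request sent to the external authorization service.` followed by `// The body is buffered up to a fixed limit (currently 1024 bytes); requests with larger bodies are rejected rather than forwarded.` would let users weigh the limit before enabling it. The ExtAuth struct continues outside the hunk.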
@@ -994,6 +994,8 @@ type ExtAuth struct {
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
+ // BodyToExtAuth defines the Body to Ext Auth configuration.
+ // +optional
 BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index 85a26447ecb..fb2f0dd10b3 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -330,6 +330,21 @@ func (in *BasicAuth) DeepCopy() *BasicAuth {
 return out
 }
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BodyToExtAuth) DeepCopyInto(out *BodyToExtAuth) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BodyToExtAuth.
+func (in *BodyToExtAuth) DeepCopy() *BodyToExtAuth {
+ if in == nil {
+ return nil
+ }
+ out := new(BodyToExtAuth)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CORS) DeepCopyInto(out *CORS) {
 *out = *in
@@ -893,6 +908,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.BodyToExtAuth != nil {
+ in, out := &in.BodyToExtAuth, &out.BodyToExtAuth
+ *out = new(BodyToExtAuth)
+ **out = **in
+ }
 if in.FailOpen != nil {
 in, out := &in.FailOpen, &out.FailOpen
 *out = new(bool)
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 8ab8f50c81f..009a01f3231 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -459,6 +459,17 @@ _Appears in:_ | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +#### BodyToExtAuth + + + +BodyToExtAuth defines the Body to Ext Auth configuration + +_Appears in:_ +- [ExtAuth](#extauth) + + + #### BootstrapType _Underlying type:_ _string_ @@ -1437,6 +1448,7 @@ _Appears in:_ | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | | `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. | diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 8ab8f50c81f..009a01f3231 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -459,6 +459,17 @@ _Appears in:_ | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.

This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.

Note: The secret must be in the same namespace as the SecurityPolicy. | +#### BodyToExtAuth + + + +BodyToExtAuth defines the Body to Ext Auth configuration + +_Appears in:_ +- [ExtAuth](#extauth) + + + #### BootstrapType _Underlying type:_ _string_ @@ -1437,6 +1448,7 @@ _Appears in:_ | `grpc` | _[GRPCExtAuthService](#grpcextauthservice)_ | true | GRPC defines the gRPC External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `http` | _[HTTPExtAuthService](#httpextauthservice)_ | true | HTTP defines the HTTP External Authorization service.
Either GRPCService or HTTPService must be specified,
and only one of them can be provided. | | `headersToExtAuth` | _string array_ | false | HeadersToExtAuth defines the client request headers that will be included
in the request to the external authorization service.
Note: If not specified, the default behavior for gRPC and HTTP external
authorization services is different due to backward compatibility reasons.
All headers will be included in the check request to a gRPC authorization server.
Only the following headers will be included in the check request to an HTTP
authorization server: Host, Method, Path, Content-Length, and Authorization.
And these headers will always be included to the check request to an HTTP
authorization server by default, no matter whether they are specified
in HeadersToExtAuth or not. | +| `bodyToExtAuth` | _[BodyToExtAuth](#bodytoextauth)_ | false | BodyToExtAuth defines the Body to Ext Auth configuration. | | `failOpen` | _boolean_ | false | FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
If FailOpen is set to true, the system allows the traffic to pass through.
Otherwise, if it is set to false or not set (defaulting to false),
the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
This setting determines whether to prioritize accessibility over strict security in case of authorization service failure. | | `recomputeRoute` | _boolean_ | false | RecomputeRoute clears the route cache and recalculates the routing decision.
This field must be enabled if the headers added or modified by the ExtAuth are used for
route matching decisions. If the recomputation selects a new route, features targeting
the new matched route will be applied. |
From 14251e4bbdfd0ee6584aa27de3a75ee0fbfd229b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Pillevesse?=
Date: Fri, 22 Nov 2024 14:37:20 +0100
Subject: [PATCH 8/8] update test file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Pillevesse
---
 .../translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
index f3f20c57082..1624e2a3b31 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
@@ -36,8 +36,6 @@
 '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
 withRequestBody:
 maxRequestBytes: 1024
- allowPartialMessage: false
- packAsBytes: false
 failureModeAllow: true
 httpService:
 authorizationResponse: