Skip to content

Commit

Permalink
ENT backport for ext-authz extension updates
Browse files Browse the repository at this point in the history
  • Loading branch information
@cthain
cthain committed Jun 12, 2023
1 parent 28d81ec commit c4b85bf
Show file tree
Hide file tree
Showing 7 changed files with 54 additions and 46 deletions.
21 changes: 18 additions & 3 deletions agent/envoyextensions/builtin/ext-authz/ext_authz.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,8 @@ func (a *extAuthz) PatchFilters(cfg *ext_cmn.RuntimeConfig, filters []*envoy_lis
return filters, nil
}

a.configureInsertOptions(cfg.Protocol)

switch cfg.Protocol {
case "grpc", "http2", "http":
extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg)
Expand Down Expand Up @@ -107,13 +109,26 @@ func (a *extAuthz) fromArguments(args map[string]any) error {
return a.validate()
}

func (a *extAuthz) configureInsertOptions(protocol string) {
// If the insert options have been expressly configured, then use them.
if a.InsertOptions.Location != "" {
return
}

// Configure the default, insert the filter immediately before the terminal filter.
a.InsertOptions.Location = ext_cmn.InsertBeforeFirstMatch
switch protocol {
case "grpc", "http2", "http":
a.InsertOptions.FilterName = "envoy.filters.http.router"
default:
a.InsertOptions.FilterName = "envoy.filters.network.tcp_proxy"
}
}

func (a *extAuthz) normalize() {
if a.ProxyType == "" {
a.ProxyType = api.ServiceKindConnectProxy
}
if a.InsertOptions.Location == "" {
a.InsertOptions.Location = ext_cmn.InsertFirst
}
a.Config.normalize()
}

Expand Down
23 changes: 4 additions & 19 deletions agent/envoyextensions/builtin/ext-authz/structs.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
const (
LocalExtAuthzClusterName = "local_ext_authz"

defaultMetadataNS = "consul"
defaultStatPrefix = "response"
defaultStatusOnError = 403
)
Expand All @@ -44,7 +45,6 @@ type extAuthzConfig struct {
MetadataContextNamespaces []string
StatusOnError *int
StatPrefix string
TransportApiVersion TransportApiVersion
WithRequestBody *BufferSettings

failureModeAllow bool
Expand Down Expand Up @@ -238,8 +238,8 @@ func (c extAuthzConfig) toEnvoyHttpFilter(cfg *cmn.RuntimeConfig) (*envoy_http_v
extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{
StatPrefix: c.StatPrefix,
WithRequestBody: c.WithRequestBody.toEnvoy(),
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
MetadataContextNamespaces: c.MetadataContextNamespaces,
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
MetadataContextNamespaces: append(c.MetadataContextNamespaces, defaultMetadataNS),
FailureModeAllow: c.failureModeAllow,
BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey,
}
Expand Down Expand Up @@ -281,7 +281,7 @@ func (c extAuthzConfig) toEnvoyNetworkFilter(cfg *cmn.RuntimeConfig) (*envoy_lis
extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{
GrpcService: grpcSvc,
StatPrefix: c.StatPrefix,
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
FailureModeAllow: c.failureModeAllow,
}

Expand Down Expand Up @@ -672,18 +672,3 @@ func (t *Target) validate() error {
}
return resultErr
}

type TransportApiVersion string

func (t TransportApiVersion) toEnvoy() envoy_core_v3.ApiVersion {
switch strings.ToLower(string(t)) {
case "v2":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_V2
case "auto":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_AUTO
default:
return envoy_core_v3.ApiVersion_V3
}
}
31 changes: 17 additions & 14 deletions .../xds/testdata/builtin_extension/listeners/ext-authz-http-local-grpc-service.latest.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,20 +90,6 @@
]
},
"httpFilters": [
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"statPrefix": "response"
}
},
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
Expand Down Expand Up @@ -189,6 +175,23 @@
]
}
},
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response"
}
},
{
"name": "envoy.filters.http.router",
"typedConfig": {
Expand Down
3 changes: 3 additions & 0 deletions .../xds/testdata/builtin_extension/listeners/ext-authz-http-local-http-service.latest.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,9 @@
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response"
}
},
Expand Down
3 changes: 2 additions & 1 deletion ...s/testdata/builtin_extension/listeners/ext-authz-http-upstream-grpc-service.latest.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,8 @@
},
"metadataContextNamespaces": [
"test-ns-1",
"test-ns-2"
"test-ns-2",
"consul"
],
"includePeerCertificate": true,
"statPrefix": "ext_authz_stats",
Expand Down
3 changes: 2 additions & 1 deletion ...s/testdata/builtin_extension/listeners/ext-authz-http-upstream-http-service.latest.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,8 @@
},
"metadataContextNamespaces": [
"test-ns-1",
"test-ns-2"
"test-ns-2",
"consul"
],
"includePeerCertificate": true,
"statPrefix": "ext_authz_stats",
Expand Down
16 changes: 8 additions & 8 deletions ...t/xds/testdata/builtin_extension/listeners/ext-authz-tcp-local-grpc-service.latest.golden
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,14 @@
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{
"name": "envoy.filters.network.ext_authz",
"typedConfig": {
Expand All @@ -77,14 +85,6 @@
"transportApiVersion": "V3"
}
},
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {
Expand Down

0 comments on commit c4b85bf

Please sign in to comment.