ENT backport for ext-authz extension updates

pull/17684/head
Chris Thain 2023-06-12 16:46:52 -07:00
parent d54d5fb85c
commit 649e551f7d
7 changed files with 54 additions and 46 deletions


@ -68,6 +68,8 @@ func (a *extAuthz) PatchFilters(cfg *ext_cmn.RuntimeConfig, filters []*envoy_lis
return filters, nil return filters, nil
} }
a.configureInsertOptions(cfg.Protocol)
switch cfg.Protocol { switch cfg.Protocol {
case "grpc", "http2", "http": case "grpc", "http2", "http":
extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg) extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg)
@ -107,13 +109,26 @@ func (a *extAuthz) fromArguments(args map[string]any) error {
return a.validate() return a.validate()
} }
func (a *extAuthz) configureInsertOptions(protocol string) {
// If the insert options have been expressly configured, then use them.
if a.InsertOptions.Location != "" {
return
}
// Configure the default, insert the filter immediately before the terminal filter.
a.InsertOptions.Location = ext_cmn.InsertBeforeFirstMatch
switch protocol {
case "grpc", "http2", "http":
a.InsertOptions.FilterName = "envoy.filters.http.router"
default:
a.InsertOptions.FilterName = "envoy.filters.network.tcp_proxy"
}
}
func (a *extAuthz) normalize() { func (a *extAuthz) normalize() {
if a.ProxyType == "" { if a.ProxyType == "" {
a.ProxyType = api.ServiceKindConnectProxy a.ProxyType = api.ServiceKindConnectProxy
} }
if a.InsertOptions.Location == "" {
a.InsertOptions.Location = ext_cmn.InsertFirst
}
a.Config.normalize() a.Config.normalize()
} }
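Review bot: configureInsertOptions mutates a.InsertOptions on the first PatchFilters call and then returns early on every later call because Location is no longer empty, so if the same extAuthz instance patches listeners with different protocols the FilterName chosen for the first protocol (e.g. `envoy.filters.http.router`) is reused for a later tcp listener, where InsertBeforeFirstMatch presumably finds no matching filter. The early-return check also cannot distinguish a Location the user supplied from the default written by an earlier call. Consider computing the defaults into a local copy of the options instead of writing them back to the receiver, or recording in a separate field set by fromArguments whether the user configured them. The function also deserves a comment stating that the default now places ext_authz immediately before the terminal filter, i.e. after the RBAC filter, whereas the removed normalize() default (`InsertFirst`) placed it first, so readers know the change in authorization order is intentional. PatchFilters and fromArguments both begin outside the visible hunks.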


@ -31,6 +31,7 @@ import (
const ( const (
LocalExtAuthzClusterName = "local_ext_authz" LocalExtAuthzClusterName = "local_ext_authz"
defaultMetadataNS = "consul"
defaultStatPrefix = "response" defaultStatPrefix = "response"
defaultStatusOnError = 403 defaultStatusOnError = 403
) )
@ -44,7 +45,6 @@ type extAuthzConfig struct {
MetadataContextNamespaces []string MetadataContextNamespaces []string
StatusOnError *int StatusOnError *int
StatPrefix string StatPrefix string
TransportApiVersion TransportApiVersion
WithRequestBody *BufferSettings WithRequestBody *BufferSettings
failureModeAllow bool failureModeAllow bool
@ -238,8 +238,8 @@ func (c extAuthzConfig) toEnvoyHttpFilter(cfg *cmn.RuntimeConfig) (*envoy_http_v
extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{ extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{
StatPrefix: c.StatPrefix, StatPrefix: c.StatPrefix,
WithRequestBody: c.WithRequestBody.toEnvoy(), WithRequestBody: c.WithRequestBody.toEnvoy(),
TransportApiVersion: c.TransportApiVersion.toEnvoy(), TransportApiVersion: envoy_core_v3.ApiVersion_V3,
MetadataContextNamespaces: c.MetadataContextNamespaces, MetadataContextNamespaces: append(c.MetadataContextNamespaces, defaultMetadataNS),
FailureModeAllow: c.failureModeAllow, FailureModeAllow: c.failureModeAllow,
BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey, BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey,
} }
@ -281,7 +281,7 @@ func (c extAuthzConfig) toEnvoyNetworkFilter(cfg *cmn.RuntimeConfig) (*envoy_lis
extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{ extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{
GrpcService: grpcSvc, GrpcService: grpcSvc,
StatPrefix: c.StatPrefix, StatPrefix: c.StatPrefix,
TransportApiVersion: c.TransportApiVersion.toEnvoy(), TransportApiVersion: envoy_core_v3.ApiVersion_V3,
FailureModeAllow: c.failureModeAllow, FailureModeAllow: c.failureModeAllow,
} }
@ -672,18 +672,3 @@ func (t *Target) validate() error {
} }
return resultErr return resultErr
} }
type TransportApiVersion string
func (t TransportApiVersion) toEnvoy() envoy_core_v3.ApiVersion {
switch strings.ToLower(string(t)) {
case "v2":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_V2
case "auto":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_AUTO
default:
return envoy_core_v3.ApiVersion_V3
}
}
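Review bot: `append(c.MetadataContextNamespaces, defaultMetadataNS)` in toEnvoyHttpFilter writes into the spare capacity of the configured slice whenever cap exceeds len, so the `consul` entry can show up in any other slice sharing that backing array (the parsed config, or a sibling filter built from the same extAuthzConfig) and the generated filter can differ between calls. Build the Envoy list from a fresh slice instead: `MetadataContextNamespaces: append(append([]string(nil), c.MetadataContextNamespaces...), defaultMetadataNS),`. A user who already lists `consul` in MetadataContextNamespaces now gets it twice; a contains check before appending would keep the emitted config canonical, and none of the visible fixtures cover that case. toEnvoyHttpFilter begins outside the hunk.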


@ -90,20 +90,6 @@
] ]
}, },
"httpFilters": [ "httpFilters": [
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"statPrefix": "response"
}
},
{ {
"name": "envoy.filters.http.rbac", "name": "envoy.filters.http.rbac",
"typedConfig": { "typedConfig": {
@ -189,6 +175,23 @@
] ]
} }
}, },
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response"
}
},
{ {
"name": "envoy.filters.http.router", "name": "envoy.filters.http.router",
"typedConfig": { "typedConfig": {


@ -187,6 +187,9 @@
}, },
"transportApiVersion": "V3", "transportApiVersion": "V3",
"failureModeAllow": true, "failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response" "statPrefix": "response"
} }
}, },


@ -208,7 +208,8 @@
}, },
"metadataContextNamespaces": [ "metadataContextNamespaces": [
"test-ns-1", "test-ns-1",
"test-ns-2" "test-ns-2",
"consul"
], ],
"includePeerCertificate": true, "includePeerCertificate": true,
"statPrefix": "ext_authz_stats", "statPrefix": "ext_authz_stats",


@ -206,7 +206,8 @@
}, },
"metadataContextNamespaces": [ "metadataContextNamespaces": [
"test-ns-1", "test-ns-1",
"test-ns-2" "test-ns-2",
"consul"
], ],
"includePeerCertificate": true, "includePeerCertificate": true,
"statPrefix": "ext_authz_stats", "statPrefix": "ext_authz_stats",


@ -63,6 +63,14 @@
"filterChains": [ "filterChains": [
{ {
"filters": [ "filters": [
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{ {
"name": "envoy.filters.network.ext_authz", "name": "envoy.filters.network.ext_authz",
"typedConfig": { "typedConfig": {
@ -77,14 +85,6 @@
"transportApiVersion": "V3" "transportApiVersion": "V3"
} }
}, },
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{ {
"name": "envoy.filters.network.tcp_proxy", "name": "envoy.filters.network.tcp_proxy",
"typedConfig": { "typedConfig": {