From 9ad5bdfb93e25953f316a90451454691b69664e9 Mon Sep 17 00:00:00 2001 From: hc-github-team-consul-core Date: Tue, 13 Jun 2023 11:13:34 -0400 Subject: [PATCH] backport of commit 649e551f7dead2e5b661924ec845564abf5fe40c (#17697) Co-authored-by: Chris Thain --- .../builtin/ext-authz/ext_authz.go | 21 +++++++++++-- .../builtin/ext-authz/structs.go | 23 +++----------- ...uthz-http-local-grpc-service.latest.golden | 31 ++++++++++--------- ...uthz-http-local-http-service.latest.golden | 3 ++ ...z-http-upstream-grpc-service.latest.golden | 3 +- ...z-http-upstream-http-service.latest.golden | 3 +- ...authz-tcp-local-grpc-service.latest.golden | 16 +++++----- 7 files changed, 54 insertions(+), 46 deletions(-) diff --git a/agent/envoyextensions/builtin/ext-authz/ext_authz.go b/agent/envoyextensions/builtin/ext-authz/ext_authz.go index 67d93cd2b..7400aef13 100644 --- a/agent/envoyextensions/builtin/ext-authz/ext_authz.go +++ b/agent/envoyextensions/builtin/ext-authz/ext_authz.go @@ -68,6 +68,8 @@ func (a *extAuthz) PatchFilters(cfg *ext_cmn.RuntimeConfig, filters []*envoy_lis return filters, nil } + a.configureInsertOptions(cfg.Protocol) + switch cfg.Protocol { case "grpc", "http2", "http": extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg) @@ -107,13 +109,26 @@ func (a *extAuthz) fromArguments(args map[string]any) error { return a.validate() } +func (a *extAuthz) configureInsertOptions(protocol string) { + // If the insert options have been expressly configured, then use them. + if a.InsertOptions.Location != "" { + return + } + + // Configure the default, insert the filter immediately before the terminal filter. + a.InsertOptions.Location = ext_cmn.InsertBeforeFirstMatch + switch protocol { + case "grpc", "http2", "http": + a.InsertOptions.FilterName = "envoy.filters.http.router" + default: + a.InsertOptions.FilterName = "envoy.filters.network.tcp_proxy" + } +} + func (a *extAuthz) normalize() { if a.ProxyType == "" { a.ProxyType = api.ServiceKindConnectProxy } - if a.InsertOptions.Location == "" { - a.InsertOptions.Location = ext_cmn.InsertFirst - } a.Config.normalize() } diff --git a/agent/envoyextensions/builtin/ext-authz/structs.go b/agent/envoyextensions/builtin/ext-authz/structs.go index 979bc8a86..b64011a99 100644 --- a/agent/envoyextensions/builtin/ext-authz/structs.go +++ b/agent/envoyextensions/builtin/ext-authz/structs.go @@ -31,6 +31,7 @@ import ( const ( LocalExtAuthzClusterName = "local_ext_authz" + defaultMetadataNS = "consul" defaultStatPrefix = "response" defaultStatusOnError = 403 ) @@ -44,7 +45,6 @@ type extAuthzConfig struct { MetadataContextNamespaces []string StatusOnError *int StatPrefix string - TransportApiVersion TransportApiVersion WithRequestBody *BufferSettings failureModeAllow bool @@ -238,8 +238,8 @@ func (c extAuthzConfig) toEnvoyHttpFilter(cfg *cmn.RuntimeConfig) (*envoy_http_v extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{ StatPrefix: c.StatPrefix, WithRequestBody: c.WithRequestBody.toEnvoy(), - TransportApiVersion: c.TransportApiVersion.toEnvoy(), - MetadataContextNamespaces: c.MetadataContextNamespaces, + TransportApiVersion: envoy_core_v3.ApiVersion_V3, + MetadataContextNamespaces: append(c.MetadataContextNamespaces, defaultMetadataNS), FailureModeAllow: c.failureModeAllow, BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey, } @@ -281,7 +281,7 @@ func (c extAuthzConfig) toEnvoyNetworkFilter(cfg *cmn.RuntimeConfig) (*envoy_lis extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{ GrpcService: grpcSvc, StatPrefix: c.StatPrefix, - TransportApiVersion: c.TransportApiVersion.toEnvoy(), + TransportApiVersion: envoy_core_v3.ApiVersion_V3, FailureModeAllow: c.failureModeAllow, } @@ -672,18 +672,3 @@ func (t *Target) validate() error { } return resultErr } - -type TransportApiVersion string - -func (t TransportApiVersion) toEnvoy() envoy_core_v3.ApiVersion { - switch strings.ToLower(string(t)) { - case "v2": - //nolint:staticcheck - return envoy_core_v3.ApiVersion_V2 - case "auto": - //nolint:staticcheck - return envoy_core_v3.ApiVersion_AUTO - default: - return envoy_core_v3.ApiVersion_V3 - } -} diff --git a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-grpc-service.latest.golden b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-grpc-service.latest.golden index 7f0ad9cf1..0448214fe 100644 --- a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-grpc-service.latest.golden +++ b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-grpc-service.latest.golden @@ -90,20 +90,6 @@ ] }, "httpFilters": [ - { - "name": "envoy.filters.http.ext_authz", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", - "grpcService": { - "envoyGrpc": { - "clusterName": "local_ext_authz" - } - }, - "transportApiVersion": "V3", - "failureModeAllow": true, - "statPrefix": "response" - } - }, { "name": "envoy.filters.http.rbac", "typedConfig": { @@ -189,6 +175,23 @@ ] } }, + { + "name": "envoy.filters.http.ext_authz", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz", + "grpcService": { + "envoyGrpc": { + "clusterName": "local_ext_authz" + } + }, + "transportApiVersion": "V3", + "failureModeAllow": true, + "metadataContextNamespaces": [ + "consul" + ], + "statPrefix": "response" + } + }, { "name": "envoy.filters.http.router", "typedConfig": { diff --git a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-http-service.latest.golden b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-http-service.latest.golden index dc2c1e45c..9e3390355 100644 --- a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-http-service.latest.golden +++ b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-local-http-service.latest.golden @@ -187,6 +187,9 @@ }, "transportApiVersion": "V3", "failureModeAllow": true, + "metadataContextNamespaces": [ + "consul" + ], "statPrefix": "response" } }, diff --git a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-grpc-service.latest.golden b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-grpc-service.latest.golden index af4675750..203929ea6 100644 --- a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-grpc-service.latest.golden +++ b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-grpc-service.latest.golden @@ -208,7 +208,8 @@ }, "metadataContextNamespaces": [ "test-ns-1", - "test-ns-2" + "test-ns-2", + "consul" ], "includePeerCertificate": true, "statPrefix": "ext_authz_stats", diff --git a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-http-service.latest.golden b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-http-service.latest.golden index ded85e73e..e2bf641ee 100644 --- a/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-http-service.latest.golden +++ b/agent/xds/testdata/builtin_extension/listeners/ext-authz-http-upstream-http-service.latest.golden @@ -206,7 +206,8 @@ }, "metadataContextNamespaces": [ "test-ns-1", - "test-ns-2" + "test-ns-2", + "consul" ], "includePeerCertificate": true, "statPrefix": "ext_authz_stats", diff --git a/agent/xds/testdata/builtin_extension/listeners/ext-authz-tcp-local-grpc-service.latest.golden b/agent/xds/testdata/builtin_extension/listeners/ext-authz-tcp-local-grpc-service.latest.golden index 4f75499ff..61e2ff733 100644 --- a/agent/xds/testdata/builtin_extension/listeners/ext-authz-tcp-local-grpc-service.latest.golden +++ b/agent/xds/testdata/builtin_extension/listeners/ext-authz-tcp-local-grpc-service.latest.golden @@ -63,6 +63,14 @@ "filterChains": [ { "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, { "name": "envoy.filters.network.ext_authz", "typedConfig": { @@ -77,14 +85,6 @@ "transportApiVersion": "V3" } }, - { - "name": "envoy.filters.network.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", - "rules": {}, - "statPrefix": "connect_authz" - } - }, { "name": "envoy.filters.network.tcp_proxy", "typedConfig": {