backport of commit 649e551f7dead2e5b661924ec845564abf5fe40c (#17697)

Co-authored-by: Chris Thain <chris.m.thain@gmail.com>
This commit is contained in:
hc-github-team-consul-core 2023-06-13 11:13:34 -04:00 committed by GitHub
parent bf6dbcd47b
commit 9ad5bdfb93
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 54 additions and 46 deletions


@ -68,6 +68,8 @@ func (a *extAuthz) PatchFilters(cfg *ext_cmn.RuntimeConfig, filters []*envoy_lis
return filters, nil
}
a.configureInsertOptions(cfg.Protocol)
switch cfg.Protocol {
case "grpc", "http2", "http":
extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg)
@ -107,13 +109,26 @@ func (a *extAuthz) fromArguments(args map[string]any) error {
return a.validate()
}
func (a *extAuthz) configureInsertOptions(protocol string) {
// If the insert options have been expressly configured, then use them.
if a.InsertOptions.Location != "" {
return
}
// Configure the default, insert the filter immediately before the terminal filter.
a.InsertOptions.Location = ext_cmn.InsertBeforeFirstMatch
switch protocol {
case "grpc", "http2", "http":
a.InsertOptions.FilterName = "envoy.filters.http.router"
default:
a.InsertOptions.FilterName = "envoy.filters.network.tcp_proxy"
}
}
func (a *extAuthz) normalize() {
if a.ProxyType == "" {
a.ProxyType = api.ServiceKindConnectProxy
}
if a.InsertOptions.Location == "" {
a.InsertOptions.Location = ext_cmn.InsertFirst
}
a.Config.normalize()
}
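Review bot: The early return on `if a.InsertOptions.Location != ""` in configureInsertOptions only reaches the InsertBeforeFirstMatch default while Location is still empty, yet normalize (context lines in the same hunk) fills an empty Location with ext_cmn.InsertFirst; if normalize runs before PatchFilters (fromArguments ends in `return a.validate()`, so presumably normalize precedes it) and InsertFirst is a non-empty value, the new default is never applied and the filter stays first. Either drop the InsertFirst defaulting in normalize or have configureInsertOptions test for the normalized value, and add a unit test that patches a config with no explicit InsertOptions and asserts the resulting filter order. The comment on the default should also say why the position matters, since the golden files in this commit move ext_authz after rbac: `// Default: insert immediately before the terminal filter (router / tcp_proxy) so that earlier filters such as RBAC run ahead of ext_authz.` Both PatchFilters and fromArguments start outside the hunk, so the call order is inferred rather than visible here.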


@ -31,6 +31,7 @@ import (
const (
LocalExtAuthzClusterName = "local_ext_authz"
defaultMetadataNS = "consul"
defaultStatPrefix = "response"
defaultStatusOnError = 403
)
@ -44,7 +45,6 @@ type extAuthzConfig struct {
MetadataContextNamespaces []string
StatusOnError *int
StatPrefix string
TransportApiVersion TransportApiVersion
WithRequestBody *BufferSettings
failureModeAllow bool
@ -238,8 +238,8 @@ func (c extAuthzConfig) toEnvoyHttpFilter(cfg *cmn.RuntimeConfig) (*envoy_http_v
extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{
StatPrefix: c.StatPrefix,
WithRequestBody: c.WithRequestBody.toEnvoy(),
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
MetadataContextNamespaces: c.MetadataContextNamespaces,
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
MetadataContextNamespaces: append(c.MetadataContextNamespaces, defaultMetadataNS),
FailureModeAllow: c.failureModeAllow,
BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey,
}
@ -281,7 +281,7 @@ func (c extAuthzConfig) toEnvoyNetworkFilter(cfg *cmn.RuntimeConfig) (*envoy_lis
extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{
GrpcService: grpcSvc,
StatPrefix: c.StatPrefix,
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
FailureModeAllow: c.failureModeAllow,
}
@ -672,18 +672,3 @@ func (t *Target) validate() error {
}
return resultErr
}
type TransportApiVersion string
func (t TransportApiVersion) toEnvoy() envoy_core_v3.ApiVersion {
switch strings.ToLower(string(t)) {
case "v2":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_V2
case "auto":
//nolint:staticcheck
return envoy_core_v3.ApiVersion_AUTO
default:
return envoy_core_v3.ApiVersion_V3
}
}
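Review bot: `append(c.MetadataContextNamespaces, defaultMetadataNS)` in toEnvoyHttpFilter appends to the caller's slice: the value receiver copies the struct but not the backing array, so when the configured slice has spare capacity the write lands in storage shared with the parsed config, and repeated calls to toEnvoyHttpFilter on the same config can overwrite each other's element. Build a fresh slice instead, e.g. `ns := append(make([]string, 0, len(c.MetadataContextNamespaces)+1), c.MetadataContextNamespaces...)` and `MetadataContextNamespaces: append(ns, defaultMetadataNS),`. If a user already lists "consul" it is now sent twice; whether Envoy tolerates the duplicate is not visible here, so consider skipping the append in that case. The removed TransportApiVersion plumbing is history and needs no further change; toEnvoyNetworkFilter does not set metadata namespaces, so only this hunk is affected.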


@ -90,20 +90,6 @@
]
},
"httpFilters": [
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"statPrefix": "response"
}
},
{
"name": "envoy.filters.http.rbac",
"typedConfig": {
@ -189,6 +175,23 @@
]
}
},
{
"name": "envoy.filters.http.ext_authz",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
"grpcService": {
"envoyGrpc": {
"clusterName": "local_ext_authz"
}
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response"
}
},
{
"name": "envoy.filters.http.router",
"typedConfig": {


@ -187,6 +187,9 @@
},
"transportApiVersion": "V3",
"failureModeAllow": true,
"metadataContextNamespaces": [
"consul"
],
"statPrefix": "response"
}
},


@ -208,7 +208,8 @@
},
"metadataContextNamespaces": [
"test-ns-1",
"test-ns-2"
"test-ns-2",
"consul"
],
"includePeerCertificate": true,
"statPrefix": "ext_authz_stats",


@ -206,7 +206,8 @@
},
"metadataContextNamespaces": [
"test-ns-1",
"test-ns-2"
"test-ns-2",
"consul"
],
"includePeerCertificate": true,
"statPrefix": "ext_authz_stats",


@ -63,6 +63,14 @@
"filterChains": [
{
"filters": [
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{
"name": "envoy.filters.network.ext_authz",
"typedConfig": {
@ -77,14 +85,6 @@
"transportApiVersion": "V3"
}
},
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
},
{
"name": "envoy.filters.network.tcp_proxy",
"typedConfig": {