mirror of https://github.com/status-im/consul.git
ENT merge of ext-authz extension updates (#17684)
This commit is contained in:
parent
d54d5fb85c
commit
a8f1350835
|
@ -68,6 +68,8 @@ func (a *extAuthz) PatchFilters(cfg *ext_cmn.RuntimeConfig, filters []*envoy_lis
|
|||
return filters, nil
|
||||
}
|
||||
|
||||
a.configureInsertOptions(cfg.Protocol)
|
||||
|
||||
switch cfg.Protocol {
|
||||
case "grpc", "http2", "http":
|
||||
extAuthzFilter, err := a.Config.toEnvoyHttpFilter(cfg)
|
||||
|
@ -107,13 +109,26 @@ func (a *extAuthz) fromArguments(args map[string]any) error {
|
|||
return a.validate()
|
||||
}
|
||||
|
||||
func (a *extAuthz) configureInsertOptions(protocol string) {
|
||||
// If the insert options have been expressly configured, then use them.
|
||||
if a.InsertOptions.Location != "" {
|
||||
return
|
||||
}
|
||||
|
||||
// Configure the default, insert the filter immediately before the terminal filter.
|
||||
a.InsertOptions.Location = ext_cmn.InsertBeforeFirstMatch
|
||||
switch protocol {
|
||||
case "grpc", "http2", "http":
|
||||
a.InsertOptions.FilterName = "envoy.filters.http.router"
|
||||
default:
|
||||
a.InsertOptions.FilterName = "envoy.filters.network.tcp_proxy"
|
||||
}
|
||||
}
|
||||
|
||||
func (a *extAuthz) normalize() {
|
||||
if a.ProxyType == "" {
|
||||
a.ProxyType = api.ServiceKindConnectProxy
|
||||
}
|
||||
if a.InsertOptions.Location == "" {
|
||||
a.InsertOptions.Location = ext_cmn.InsertFirst
|
||||
}
|
||||
a.Config.normalize()
|
||||
}
|
||||
|
||||
|
|
|
@ -31,6 +31,7 @@ import (
|
|||
const (
|
||||
LocalExtAuthzClusterName = "local_ext_authz"
|
||||
|
||||
defaultMetadataNS = "consul"
|
||||
defaultStatPrefix = "response"
|
||||
defaultStatusOnError = 403
|
||||
)
|
||||
|
@ -44,7 +45,6 @@ type extAuthzConfig struct {
|
|||
MetadataContextNamespaces []string
|
||||
StatusOnError *int
|
||||
StatPrefix string
|
||||
TransportApiVersion TransportApiVersion
|
||||
WithRequestBody *BufferSettings
|
||||
|
||||
failureModeAllow bool
|
||||
|
@ -238,8 +238,8 @@ func (c extAuthzConfig) toEnvoyHttpFilter(cfg *cmn.RuntimeConfig) (*envoy_http_v
|
|||
extAuthzFilter := &envoy_http_ext_authz_v3.ExtAuthz{
|
||||
StatPrefix: c.StatPrefix,
|
||||
WithRequestBody: c.WithRequestBody.toEnvoy(),
|
||||
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
|
||||
MetadataContextNamespaces: c.MetadataContextNamespaces,
|
||||
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
|
||||
MetadataContextNamespaces: append(c.MetadataContextNamespaces, defaultMetadataNS),
|
||||
FailureModeAllow: c.failureModeAllow,
|
||||
BootstrapMetadataLabelsKey: c.BootstrapMetadataLabelsKey,
|
||||
}
|
||||
|
@ -281,7 +281,7 @@ func (c extAuthzConfig) toEnvoyNetworkFilter(cfg *cmn.RuntimeConfig) (*envoy_lis
|
|||
extAuthzFilter := &envoy_ext_authz_v3.ExtAuthz{
|
||||
GrpcService: grpcSvc,
|
||||
StatPrefix: c.StatPrefix,
|
||||
TransportApiVersion: c.TransportApiVersion.toEnvoy(),
|
||||
TransportApiVersion: envoy_core_v3.ApiVersion_V3,
|
||||
FailureModeAllow: c.failureModeAllow,
|
||||
}
|
||||
|
||||
|
@ -672,18 +672,3 @@ func (t *Target) validate() error {
|
|||
}
|
||||
return resultErr
|
||||
}
|
||||
|
||||
type TransportApiVersion string
|
||||
|
||||
func (t TransportApiVersion) toEnvoy() envoy_core_v3.ApiVersion {
|
||||
switch strings.ToLower(string(t)) {
|
||||
case "v2":
|
||||
//nolint:staticcheck
|
||||
return envoy_core_v3.ApiVersion_V2
|
||||
case "auto":
|
||||
//nolint:staticcheck
|
||||
return envoy_core_v3.ApiVersion_AUTO
|
||||
default:
|
||||
return envoy_core_v3.ApiVersion_V3
|
||||
}
|
||||
}
|
||||
|
|
|
@ -90,20 +90,6 @@
|
|||
]
|
||||
},
|
||||
"httpFilters": [
|
||||
{
|
||||
"name": "envoy.filters.http.ext_authz",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
|
||||
"grpcService": {
|
||||
"envoyGrpc": {
|
||||
"clusterName": "local_ext_authz"
|
||||
}
|
||||
},
|
||||
"transportApiVersion": "V3",
|
||||
"failureModeAllow": true,
|
||||
"statPrefix": "response"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.http.rbac",
|
||||
"typedConfig": {
|
||||
|
@ -189,6 +175,23 @@
|
|||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.http.ext_authz",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
|
||||
"grpcService": {
|
||||
"envoyGrpc": {
|
||||
"clusterName": "local_ext_authz"
|
||||
}
|
||||
},
|
||||
"transportApiVersion": "V3",
|
||||
"failureModeAllow": true,
|
||||
"metadataContextNamespaces": [
|
||||
"consul"
|
||||
],
|
||||
"statPrefix": "response"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.http.router",
|
||||
"typedConfig": {
|
||||
|
|
|
@ -187,6 +187,9 @@
|
|||
},
|
||||
"transportApiVersion": "V3",
|
||||
"failureModeAllow": true,
|
||||
"metadataContextNamespaces": [
|
||||
"consul"
|
||||
],
|
||||
"statPrefix": "response"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -208,7 +208,8 @@
|
|||
},
|
||||
"metadataContextNamespaces": [
|
||||
"test-ns-1",
|
||||
"test-ns-2"
|
||||
"test-ns-2",
|
||||
"consul"
|
||||
],
|
||||
"includePeerCertificate": true,
|
||||
"statPrefix": "ext_authz_stats",
|
||||
|
|
|
@ -206,7 +206,8 @@
|
|||
},
|
||||
"metadataContextNamespaces": [
|
||||
"test-ns-1",
|
||||
"test-ns-2"
|
||||
"test-ns-2",
|
||||
"consul"
|
||||
],
|
||||
"includePeerCertificate": true,
|
||||
"statPrefix": "ext_authz_stats",
|
||||
|
|
|
@ -63,6 +63,14 @@
|
|||
"filterChains": [
|
||||
{
|
||||
"filters": [
|
||||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.network.ext_authz",
|
||||
"typedConfig": {
|
||||
|
@ -77,14 +85,6 @@
|
|||
"transportApiVersion": "V3"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "envoy.filters.network.tcp_proxy",
|
||||
"typedConfig": {
|
||||
|
|
Loading…
Reference in New Issue