Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apply ExtAuthz configuration to direct response routes #5962

Closed
wants to merge 2 commits into from
Closed

apply ExtAuthz configuration to direct response routes #5962

wants to merge 2 commits into from

Conversation

shadialtarsha
Copy link
Contributor

Currently, disabling external auth on direct responses doesn't work because we handle the case of direct responses in a different branch of the code while creating the Envoy route.

This PR fixes this bug.

P.S: For rate limiting it turns out it is an issue because direct responses don't care about the rate limit filter. I added tests to confirm that as well.

@shadialtarsha shadialtarsha requested a review from a team as a code owner November 14, 2023 14:22
@shadialtarsha shadialtarsha requested review from tsaarni and stevesloka and removed request for a team November 14, 2023 14:22
@codecov Codecov
Copy link

codecov bot commented Nov 14, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (dba50bc) 78.56% compared to head (aebe4fa) 78.57%.
Report is 40 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main    #5962   +/-   ##
=======================================
  Coverage   78.56%   78.57%           
=======================================
  Files         139      139           
  Lines       19615    19623    +8     
=======================================
+ Hits        15411    15419    +8     
  Misses       3901     3901           
  Partials      303      303
Files Coverage Δ
internal/envoy/v3/route.go 80.67% <100.00%> (+0.19%) ⬆️

@shadialtarsha shadialtarsha force-pushed the TypedPerFilterConfigForDirectResp branch from 651b624 to 230fba2 Compare November 14, 2023 15:51
davinci26
davinci26 reviewed Nov 14, 2023
View reviewed changes
Copy link
Contributor

@davinci26 davinci26 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we add release note as well? Or mark the pr as not need one

@shadialtarsha
Copy link
Contributor Author

shadialtarsha commented Nov 14, 2023
edited
Loading

@davinci26 I don't have permissions to do that

@davinci26 davinci26 added the release-note/small A small change that needs one line of explanation in the release notes. label Nov 14, 2023
@davinci26
Copy link
Contributor

@shadialtarsha done

configure TypedPerFilterConfig with direct responses
27c73bc 
Signed-off-by: shadi-altarsha <shadi.altarsha@reddit.com>
@shadialtarsha shadialtarsha force-pushed the TypedPerFilterConfigForDirectResp branch from 02f0045 to 27c73bc Compare November 14, 2023 16:46
Fix a message
aebe4fa 
Signed-off-by: shadi-altarsha <shadi.altarsha@reddit.com>
@github-actions GitHub Actions
Copy link

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 14d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

  • Ensure your PR is passing all CI checks. PRs that are fully green are more likely to be reviewed. If you are having trouble with CI checks, reach out to the #contour channel in the Kubernetes Slack workspace.
  • Mark this PR as fresh by commenting or pushing a commit
  • Close this PR
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 29, 2023
@shadialtarsha
Copy link
Contributor Author

Still fresh

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 9, 2023
sunjayBhatia
sunjayBhatia reviewed Dec 11, 2023
View reviewed changes
internal/envoy/v3/route.go Show resolved Hide resolved
changelogs/unreleased/5962-shadialtarsha-small.md
@@ -0,0 +1,2 @@
## Configure TypedPerFilterConfig with direct responses
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: since this is a small change, can make this a single line with no title

something like Fixes bug where external authorization configuration was ignored on HTTPRoute rules configured with direct responses.

test/e2e/httpproxy/external_auth_test.go

f.Certs.CreateSelfSignedCert(namespace, "testserver-cert", "testserver-cert", "testserver")

// auth testserver
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like we can pull all this setup logic into a BeforeEach in httpproxy_test.go and use it for existing tests as well?

test/e2e/httpproxy/external_auth_test.go
@@ -283,4 +283,232 @@ func testExternalAuth(namespace string) {
assert.Equal(t, "default", body.RequestHeaders.Get("Auth-Context-Target"))
assert.Equal(t, "externalauth.projectcontour.io", body.RequestHeaders.Get("Auth-Context-Hostname"))
})

Specify("external auth can be configured on a direct response route", func() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets move this one into its own namespacedtest wrapper for debugability

test/e2e/httpproxy/external_auth_test.go
Disabled: true,
},
DirectResponsePolicy: &contourv1.HTTPDirectResponsePolicy{
StatusCode: 200,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe use a different status code here to be precise

test/e2e/httpproxy/external_auth_test.go
"target": "first",
},
},
Services: []contourv1.Service{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we use a directresponsepolicy here instead?

@github-actions GitHub Actions
Copy link

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 14d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

  • Ensure your PR is passing all CI checks. PRs that are fully green are more likely to be reviewed. If you are having trouble with CI checks, reach out to the #contour channel in the Kubernetes Slack workspace.
  • Mark this PR as fresh by commenting or pushing a commit
  • Close this PR
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 29, 2023
@shadialtarsha
Copy link
Contributor Author

refresh

@skriss skriss requested review from skriss and removed request for stevesloka January 4, 2024 17:49
@skriss
Copy link
Member

skriss commented Jan 4, 2024

@shadialtarsha if you can address @sunjayBhatia's comments we should be able to get this into the upcoming release.

@skriss skriss changed the title Configure TypedPerFilterConfig with direct responses apply ExtAuthz configuration to direct response routes Jan 4, 2024
@davinci26
Copy link
Contributor

@skriss when is the next release? @shadialtarsha is on PTO till next week, so I wanted to see if I should push the changes myself or we can wait for it

@skriss
Copy link
Member

skriss commented Jan 4, 2024

Release will be end of Jan (est. 1/31), with an RC a week or so beforehand. I'll leave it up to you but there should be time.

@davinci26
Copy link
Contributor

We got time then I guess, will leave it to @shadialtarsha when he comes back

@skriss skriss added this to the 1.28.0 milestone Jan 4, 2024
@skriss
Copy link
Member

skriss commented Jan 19, 2024

@davinci26 @shadialtarsha just a reminder that the release date is approaching, it'd be great to get this PR updated so we can include it.

@skriss
Copy link
Member

skriss commented Feb 7, 2024

Bumping to 1.29.

@skriss skriss modified the milestones: 1.28.0, 1.29.0 Feb 7, 2024
@skriss skriss removed this from the 1.29.0 milestone May 2, 2024
@skriss skriss mentioned this pull request May 8, 2024
Merged
@skriss
Copy link
Member

skriss commented May 8, 2024

Merged #6426, closing this one out.

@skriss skriss closed this May 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sunjayBhatia sunjayBhatia sunjayBhatia left review comments

@davinci26 davinci26 davinci26 approved these changes

@tsaarni tsaarni Awaiting requested review from tsaarni tsaarni is a code owner automatically assigned from projectcontour/maintainers

@skriss skriss Awaiting requested review from skriss

Assignees
No one assigned
Labels
release-note/small A small change that needs one line of explanation in the release notes.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shadialtarsha @davinci26 @skriss @sunjayBhatia