Auth: Add new option custom.path (#947)

Auth: Add new option `custom.host.path` `pkg/options/auth.go` --------------------- Add new option to define `path` in `custom.host` as `path`, i.e., `custom.host.path`. `config/default/kustomization.yaml`, `config/manager/configmap.yaml` and `cmd/kusk/cmd/manifest_data.go` -------------------------------------------------------------------------------------------------------- Change `kubeshop/kusk-gateway` to `v1.3.21`, and run: ``` $ (cd cmd/kusk && VERSION=v1.3.21 make build) ``` Signed-off-by: Mohamed Bana <mohamed@bana.io>
kubeshop · Nov 4, 2022 · 7a5d1d9 · 7a5d1d9
1 parent 81431ba
commit 7a5d1d9
Show file tree

Hide file tree

Showing 11 changed files with 51 additions and 29 deletions.
diff --git a/cmd/kusk/cmd/manifest_data.go b/cmd/kusk/cmd/manifest_data.go
diff --git a/config/crd/bases/gateway.kusk.io_staticroutes.yaml b/config/crd/bases/gateway.kusk.io_staticroutes.yaml
@@ -46,6 +46,9 @@ spec:
                           hostname:
                             description: REQUIRED.
                             type: string
+                          path:
+                            description: OPTIONAL.
+                            type: string
                           port:
                             description: REQUIRED.
                             format: int32
@@ -64,6 +67,9 @@ spec:
                           hostname:
                             description: REQUIRED.
                             type: string
+                          path:
+                            description: OPTIONAL.
+                            type: string
                           port:
                             description: REQUIRED.
                             format: int32

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -28,7 +28,7 @@ patchesStrategicMerge:
 images:
 - name: kusk-gateway
   newName: kubeshop/kusk-gateway
-  newTag: v1.3.20
+  newTag: v1.3.21
 - name: kusk-gateway:dev
   newName: kubeshop/kusk-gateway
   newTag: latest
diff --git a/config/manager/configmap.yaml b/config/manager/configmap.yaml
@@ -15,6 +15,6 @@ metadata:
     app.kubernetes.io/component: kusk-gateway-manager
     app.kubernetes.io/instance: kusk-gateway
     app.kubernetes.io/name: kusk-gateway
-    app.kubernetes.io/version: "v1.3.4"
+    app.kubernetes.io/version: "v1.3.21"
   name: kusk-gateway-manager
   namespace: kusk-system
diff --git a/examples/auth/oauth2/static-route/manifests.yaml b/examples/auth/oauth2/static-route/manifests.yaml
@@ -57,7 +57,7 @@ spec:
             - name: HTTP_HEADERS
               value: 'Content-Type: "application/json"'
             - name: HTTP_BODY
-              value: '{ "kusk-gateway-manager": "v1.3.18" }'
+              value: '{ "kusk-gateway-manager": "v1.3.21" }'
 ---
 apiVersion: v1
 kind: Service

diff --git a/internal/envoy/auth/ext_authz_filter.go b/internal/envoy/auth/ext_authz_filter.go
@@ -32,14 +32,17 @@ import (
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 
 	"google.golang.org/protobuf/types/known/anypb"
-	"google.golang.org/protobuf/types/known/durationpb"
 )
 
-func NewFilterHTTPExternalAuthorization(upstreamHostname string, upstreamPort uint32, clusterName string, pathPrefix string, authHeaders []*envoy_config_core_v3.HeaderValue) (*anypb.Any, error) {
+func NewFilterHTTPExternalAuthorization(upstreamHostname string, upstreamPort uint32, clusterName string, pathPrefix string, authHeaders []*envoy_config_core_v3.HeaderValue, path *string) (*anypb.Any, error) {
 	// https://github.com/envoyproxy/envoy/tree/main/examples/ext_authz
 	// https://github.com/envoyproxy/envoy/blob/main/docs/root/configuration/http/http_filters/ext_authz_filter.rst
 	// https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz
 	uri := fmt.Sprintf("%s:%d", upstreamHostname, upstreamPort)
+	// Append `path` to `uri`
+	if path != nil {
+		uri += "/" + *path
+	}
 
 	httpUpstreamType := &envoy_config_core_v3.HttpUri_Cluster{
 		Cluster: clusterName,
@@ -48,9 +51,7 @@ func NewFilterHTTPExternalAuthorization(upstreamHostname string, upstreamPort ui
 	serverUri := &envoy_config_core_v3.HttpUri{
 		Uri:              uri,
 		HttpUpstreamType: httpUpstreamType,
-		Timeout: &durationpb.Duration{
-			Seconds: 60,
-		},
+		Timeout:          timeoutDefault(),
 	}
 	authorizationResponse := &envoy_extensions_filter_http_ext_authz_v3.AuthorizationResponse{
 		AllowedUpstreamHeaders: &envoy_type_matcher_v3.ListStringMatcher{
@@ -106,7 +107,7 @@ func NewFilterHTTPExternalAuthorization(upstreamHostname string, upstreamPort ui
 	}
 	anyAuthorization, err := anypb.New(authorization)
 	if err != nil {
-		return nil, fmt.Errorf("auth.NewFilterHTTPExternalAuthorization: cannot marshal authorization=%+v configuration: %w", authorization, err)
+		return nil, fmt.Errorf("auth.NewFilterHTTPExternalAuthorization: cannot marshal configuration authorization=%+v: %w", authorization, err)
 	}
 
 	return anyAuthorization, nil

diff --git a/internal/envoy/auth/ext_authz_parser.go b/internal/envoy/auth/ext_authz_parser.go
@@ -33,7 +33,7 @@ import (
 	"github.com/kubeshop/kusk-gateway/pkg/options"
 )
 
-func ParseAuthUpstreamOptions(pathPrefix string, host options.AuthUpstreamHost, args *ParseAuthArguments, scheme string) error {
+func ParseAuthUpstreamOptions(pathPrefix string, host options.AuthUpstreamHost, args *ParseAuthArguments, scheme string, path *string) error {
 	upstreamServiceHost := host.Hostname
 	upstreamServicePort := host.Port
 
@@ -77,6 +77,7 @@ func ParseAuthUpstreamOptions(pathPrefix string, host options.AuthUpstreamHost,
 		clusterName,
 		pathPrefix,
 		authHeaders,
+		path,
 	)
 	if err != nil {
 		return err

diff --git a/internal/envoy/auth/filters.go b/internal/envoy/auth/filters.go
@@ -23,6 +23,8 @@
 package auth
 
 import (
+	"time"
+
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
@@ -33,10 +35,8 @@ const (
 )
 
 func timeoutDefault() *durationpb.Duration {
-	return &durationpb.Duration{
-		Seconds: 16,
-	}
+	return durationpb.New(time.Second * 32)
 	// Intentionally kept the code below commented out to serve as future documentation.
-	// // Envoy will wait indefinitely for the first xDS config.
+	// // Envoy will wait indefinitely.
 	// return durationpb.New(time.Second * 0)
 }
diff --git a/internal/envoy/auth/parser.go b/internal/envoy/auth/parser.go
@@ -75,7 +75,7 @@ func ParseAuthOptions(auth *options.AuthOptions, args *ParseAuthArguments) error
 		if custom.PathPrefix != nil {
 			pathPrefix = *custom.PathPrefix
 		}
-		err := ParseAuthUpstreamOptions(pathPrefix, custom.Host, args, scheme)
+		err := ParseAuthUpstreamOptions(pathPrefix, custom.Host, args, scheme, custom.Host.Path)
 		if err != nil {
 			return err
 		}
@@ -85,7 +85,7 @@ func ParseAuthOptions(auth *options.AuthOptions, args *ParseAuthArguments) error
 		if cloudentity.PathPrefix != nil {
 			pathPrefix = *custom.PathPrefix
 		}
-		err := ParseAuthUpstreamOptions(pathPrefix, cloudentity.Host, args, scheme)
+		err := ParseAuthUpstreamOptions(pathPrefix, cloudentity.Host, args, scheme, custom.Host.Path)
 		if err != nil {
 			return err
 		}

diff --git a/pkg/options/auth.go b/pkg/options/auth.go
@@ -76,6 +76,8 @@ type AuthUpstreamHost struct {
 	Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty"`
 	// REQUIRED.
 	Port uint32 `json:"port,omitempty" yaml:"port,omitempty"`
+	// OPTIONAL.
+	Path *string `json:"path,omitempty" yaml:"path,omitempty"`
 }
 
 func (o AuthUpstreamHost) Validate() error {
@@ -223,6 +225,11 @@ func (o Custom) String() string {
 }
 
 func (o Custom) Validate() error {
+	// If both are specified, the error.
+	if o.PathPrefix != nil && o.Host.Path != nil {
+		return fmt.Errorf("`custom` cannot have both `path_prefix` and `host.path` specified")
+	}
+
 	return validation.ValidateStruct(&o,
 		validation.Field(&o.Host, validation.Required),
 	)

diff --git a/pkg/options/zz_generated.deepcopy.go b/pkg/options/zz_generated.deepcopy.go