diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go
index d411d646e4d..b1743111f14 100644
--- a/internal/envoy/v3/route.go
+++ b/internal/envoy/v3/route.go
@@ -596,6 +596,19 @@ func UpgradeHTTPS() *envoy_config_route_v3.Route_Redirect {
 }
 }
+// DisabledExtAuthConfig returns a route TypedPerFilterConfig that disables ExtAuth
+func DisabledExtAuthConfig() map[string]*anypb.Any {
+ return map[string]*anypb.Any{
+ ExtAuthzFilterName: protobuf.MustMarshalAny(
+ &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
+ Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
+ Disabled: true,
+ },
+ },
+ ),
+ }
+}
+
 // headerValueList creates a list of Envoy HeaderValueOptions from the provided map.
 func headerValueList(hvm map[string]string, app bool) []*envoy_config_core_v3.HeaderValueOption {
 var hvs []*envoy_config_core_v3.HeaderValueOption
diff --git a/internal/featuretests/v3/authorization_test.go b/internal/featuretests/v3/authorization_test.go
index fe525d6a678..36e4f3e2fa7 100644
--- a/internal/featuretests/v3/authorization_test.go
+++ b/internal/featuretests/v3/authorization_test.go
@@ -267,13 +267,6 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 // same authorization enablement as the root proxy, and
 // the other path should have the opposite enablement.
- disabledConfig := withFilterConfig(envoy_v3.ExtAuthzFilterName,
- &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
- Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
- Disabled: true,
- },
- })
-
 c.Request(routeType).Equals(&envoy_service_discovery_v3.DiscoveryResponse{
 TypeUrl: routeType,
 Resources: resources(t,
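Review bot: The doc comment on `DisabledExtAuthConfig` does not say which routes are allowed to carry this config, although the helper is exported and switches external authorization off for any route it is attached to. Every expectation in this diff puts it on an HTTP-to-HTTPS redirect route, so I would state that scope: `// DisabledExtAuthConfig returns a route TypedPerFilterConfig that disables the external authorization filter.` followed by `// It is intended for routes that only redirect to HTTPS; routes that forward to a backend must not use it.` The production call site is not in the visible hunks, so the intended scope is inferred from the test changes and should be confirmed.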
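Review bot: Removing the locally built `disabledConfig` in `authzOverrideDisabled` means the expected routes are now produced by `envoy_v3.DisabledExtAuthConfig()`, presumably the same helper the code under test calls, so the expectation no longer checks the helper's content. A regression inside it (a different filter key, or `Disabled` no longer true) would pass every feature test touched here. I would keep one independent expectation, or add a unit test beside the helper that unmarshals the `ExtAuthzFilterName` entry and asserts `Disabled: true`. The function body continues outside this hunk.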
@@ -287,7 +280,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 &envoy_config_route_v3.Route{
 Match: routePrefix("/default"),
 Action: routeCluster("default/app-server/80/da39a3ee5e"),
- TypedPerFilterConfig: disabledConfig,
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -297,7 +290,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 &envoy_config_route_v3.Route{
 Match: routePrefix("/disabled"),
 Action: routeCluster("default/app-server/80/da39a3ee5e"),
- TypedPerFilterConfig: disabledConfig,
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
 Match: routePrefix("/default"),
@@ -309,24 +302,26 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 "ingress_http",
 envoy_v3.VirtualHost(disabled,
 &envoy_config_route_v3.Route{
- Match: routePrefix("/enabled"),
- Action: withRedirect(),
+ Match: routePrefix("/enabled"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
 Match: routePrefix("/default"),
 Action: withRedirect(),
- TypedPerFilterConfig: disabledConfig,
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 envoy_v3.VirtualHost(enabled,
 &envoy_config_route_v3.Route{
 Match: routePrefix("/disabled"),
 Action: withRedirect(),
- TypedPerFilterConfig: disabledConfig,
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/default"),
- Action: withRedirect(),
+ Match: routePrefix("/default"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
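Review bot: After the hunk at -309 all four `ingress_http` routes in `authzOverrideDisabled` (`/enabled` and `/default` under `disabled`, `/disabled` and `/default` under `enabled`) expect `DisabledExtAuthConfig()`, so this expectation no longer distinguishes an overridden route from one that inherits the root setting. The comment earlier in the function still says one path should match the root proxy and the other should have the opposite enablement, which now reads as if it applied to these routes too. I would add a line above the block such as `// Redirect routes on ingress_http always disable ext auth; the per-route override is asserted on the secure virtual hosts only.` The function starts and ends outside this hunk, so it should be confirmed that the secure-listener expectations still cover both enablement cases.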
@@ -408,16 +403,9 @@ func authzMergeRouteContext(t *testing.T, rh ResourceEventHandlerWrapper, c *Con
 "ingress_http",
 envoy_v3.VirtualHost(fqdn,
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: withRedirect(),
- TypedPerFilterConfig: withFilterConfig(envoy_v3.ExtAuthzFilterName,
- &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
- Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
- CheckSettings: &envoy_filter_http_ext_authz_v3.CheckSettings{
- ContextExtensions: context,
- },
- },
- }),
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
diff --git a/internal/featuretests/v3/envoy.go b/internal/featuretests/v3/envoy.go
index b95c9074c0d..470f0814e6a 100644
--- a/internal/featuretests/v3/envoy.go
+++ b/internal/featuretests/v3/envoy.go
@@ -166,8 +166,9 @@ func routeHostRewriteHeader(cluster, hostnameHeader string) *envoy_config_route_
 func upgradeHTTPS(match *envoy_config_route_v3.RouteMatch) *envoy_config_route_v3.Route {
 return &envoy_config_route_v3.Route{
- Match: match,
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: match,
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 }
 }
diff --git a/internal/featuretests/v3/global_authorization_test.go b/internal/featuretests/v3/global_authorization_test.go
index d4d259bb800..92b77760f4a 100644
--- a/internal/featuretests/v3/global_authorization_test.go
+++ b/internal/featuretests/v3/global_authorization_test.go
@@ -382,7 +382,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
 &envoy_config_route_v3.Route{
 Match: routePrefix("/"),
 Action: withRedirect(),
- TypedPerFilterConfig: expectedAuthContext,
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
diff --git a/internal/featuretests/v3/headerpolicy_test.go b/internal/featuretests/v3/headerpolicy_test.go
index f47d32c4852..e3762e9aafc 100644
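Review bot: The `ingress_http` expectation in `authzMergeRouteContext` (hunk at -408) no longer references `context`, so the merged `ContextExtensions` that this test is named for are not asserted on this route any more. If no other expectation in the function uses `context`, the test stops checking context merging at all, and a local left without a use fails to compile; the body continues outside the hunk, so both need confirming. The same applies to `expectedAuthContext` in the `global_authorization_test.go` hunk at -382 and to the `header_1`..`header_3` map removed from `TestRouteVisit_GlobalExternalAuthorization`. I would keep the merged-context assertion on the secure virtual host and mark the change here with `// ext auth is disabled on the HTTPS redirect route, so no context extensions are expected.`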
--- a/internal/featuretests/v3/headerpolicy_test.go
+++ b/internal/featuretests/v3/headerpolicy_test.go
@@ -184,14 +184,9 @@ func TestHeaderPolicy_ReplaceHeader_HTTProxy(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("hello.world",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 }),
 ),
 envoy_v3.RouteConfiguration("https/hello.world",
@@ -297,14 +292,9 @@ func TestHeaderPolicy_ReplaceHostHeader_HTTProxy(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("hello.world",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 }),
 ),
 envoy_v3.RouteConfiguration("https/hello.world",
diff --git a/internal/featuretests/v3/route_test.go b/internal/featuretests/v3/route_test.go
index 719737dbae9..b62e1e82563 100644
--- a/internal/featuretests/v3/route_test.go
+++ b/internal/featuretests/v3/route_test.go
@@ -310,12 +310,14 @@ func TestEditIngressInPlace(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("hello.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/whoop"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/whoop"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -364,12 +366,14 @@ func TestEditIngressInPlace(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("hello.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/whoop"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/whoop"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -462,8 +466,9 @@ func TestSSLRedirectOverlay(t *testing.T) {
 Action: routecluster("nginx-ingress/challenge-service/8009/da39a3ee5e"),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"), // match all
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/"), // match all
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ), virtualhosts(
@@ -707,8 +712,9 @@ func TestRDSFilter(t *testing.T) {
 Action: routecluster("nginx-ingress/challenge-service/8009/da39a3ee5e"),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"), // match all
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/"), // match all
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1126,8 +1132,9 @@ func TestRouteWithTLS(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("test2.test.com",
 &envoy_config_route_v3.Route{
- Action: envoy_v3.UpgradeHTTPS(),
- Match: routePrefix("/a"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
+ Match: routePrefix("/a"),
 },
 ),
 ),
@@ -1203,8 +1210,9 @@ func TestRouteWithTLS_InsecurePaths(t *testing.T) {
 Action: routecluster("default/kuard/80/da39a3ee5e"),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/secure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/secure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1289,12 +1297,14 @@ func TestRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("test2.test.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/insecure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/insecure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/secure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/secure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1482,8 +1492,9 @@ func TestHTTPProxyRouteWithTLS(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("test2.test.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/a"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/a"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1555,8 +1566,9 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths(t *testing.T) {
 Action: routecluster("default/kuard/80/da39a3ee5e"),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/secure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/secure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1637,12 +1649,14 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testin
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("test2.test.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/insecure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/insecure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/secure"),
- Action: envoy_v3.UpgradeHTTPS(),
+ Match: routePrefix("/secure"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
diff --git a/internal/featuretests/v3/tcpproxy_test.go b/internal/featuretests/v3/tcpproxy_test.go
index 56c83cf3c10..cd556ee24be 100644
--- a/internal/featuretests/v3/tcpproxy_test.go
+++ b/internal/featuretests/v3/tcpproxy_test.go
@@ -103,14 +103,9 @@ func TestTCPProxy(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("kuard-tcp.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -276,14 +271,9 @@ func TestTCPProxyTLSPassthrough(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("kuard-tcp.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: envoy_v3.UpgradeHTTPS(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
diff --git a/internal/xdscache/v3/route_test.go b/internal/xdscache/v3/route_test.go
index 63cff3068b8..fa6498e6d33 100644
--- a/internal/xdscache/v3/route_test.go
+++ b/internal/xdscache/v3/route_test.go
@@ -451,14 +451,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -598,14 +593,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1627,14 +1617,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -1895,14 +1880,9 @@ func TestRouteVisit(t *testing.T) {
 AllowMethods: "GET, PUT, POST",
 },
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -2787,14 +2767,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -2943,14 +2918,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("projectcontour.io",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 envoy_v3.VirtualHost("www.example.com",
@@ -2963,6 +2933,7 @@ func TestRouteVisit(t *testing.T) {
 },
 },
 },
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -3137,18 +3108,14 @@ func TestRouteVisit(t *testing.T) {
 },
 },
 },
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -3382,14 +3349,9 @@ func TestRouteVisit(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -3654,27 +3616,9 @@ func TestRouteVisit_GlobalExternalAuthorization(t *testing.T) {
 envoy_v3.RouteConfiguration("ingress_http",
 envoy_v3.VirtualHost("www.example.com",
 &envoy_config_route_v3.Route{
- Match: routePrefix("/"),
- Action: &envoy_config_route_v3.Route_Redirect{
- Redirect: &envoy_config_route_v3.RedirectAction{
- SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
- HttpsRedirect: true,
- },
- },
- },
- TypedPerFilterConfig: map[string]*anypb.Any{
- envoy_v3.ExtAuthzFilterName: protobuf.MustMarshalAny(&envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
- Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
- CheckSettings: &envoy_filter_http_ext_authz_v3.CheckSettings{
- ContextExtensions: map[string]string{
- "header_1": "message_1",
- "header_2": "new_message_2",
- "header_3": "message_3",
- },
- },
- },
- }),
- },
+ Match: routePrefix("/"),
+ Action: withRedirect(),
+ TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 },
 ),
 ),
@@ -4109,6 +4053,16 @@ func withMirrorPolicy(route *envoy_config_route_v3.Route_Route, mirror string) *
 return route
 }
+func withRedirect() *envoy_config_route_v3.Route_Redirect {
+ return &envoy_config_route_v3.Route_Redirect{
+ Redirect: &envoy_config_route_v3.RedirectAction{
+ SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
+ HttpsRedirect: true,
+ },
+ },
+ }
+}
+
 // buildDAGGlobalExtAuth produces a dag.DAG from the supplied objects with global external authorization configured.
 func buildDAGGlobalExtAuth(t *testing.T, fallbackCertificate *types.NamespacedName, objs ...any) *dag.DAG {
 builder := dag.Builder{
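Review bot: `withRedirect` (hunk at -4109) is added without a doc comment, although the neighbouring `buildDAGGlobalExtAuth` has one. It builds the same `Route_Redirect` literal with `HttpsRedirect: true` that the featuretests hunks in this commit replace with `envoy_v3.UpgradeHTTPS()`, so the two test packages now express the same expectation in two different ways. Either call `envoy_v3.UpgradeHTTPS()` here as well, or keep the hand-built value and say why, e.g. `// withRedirect returns the expected HTTPS-upgrade redirect action, built independently of envoy_v3.UpgradeHTTPS so the expectation does not depend on the helper under test.`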