-
Notifications
You must be signed in to change notification settings - Fork 328
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api: recomputeRoute field in JWT #2612
Conversation
outlining a few other alternatives
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2612 +/- ##
=======================================
Coverage 63.33% 63.33%
=======================================
Files 119 119
Lines 19211 19211
=======================================
Hits 12168 12168
Misses 6244 6244
Partials 799 799 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
fc1593f
to
eaef9f8
Compare
ptal @guydc @zhaohuabing, I've limited the use of the field to only recalculate route, and not add a fallback/catch-all route, |
also looking at advice on API field naming, this is what ChatGPT said
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to updateRoute
// This field must be enabled if the headers generated from the claim are used for | ||
// route matching decisions. | ||
// | ||
// +optional |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to state something about the impact on other features? e.g. filters that fired prior to jwt (CORS, ExtAuth, Basic, ...) will only execute in the context of the initial match. Also, later filters (Fault, RL, ...) will only execute in the context of the new route.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added a comment around this
recomputeRoute sounds good to me, "updateRoute" is a bit ambiguous. |
Add a field called `useForRouting` that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisions Internally this field will be used to * insert a catch-all route with a 404 direct response identical to envoyproxy#2586 which makes sure the jwt filter with `claimToHeader` is applied before recomputing routing decision * enable `clear_route_cache` to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider Relates to envoyproxy#2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Signed-off-by: Arko Dasgupta <arko@tetrate.io>
eaef9f8
to
bc439f0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks!
Add a field called
useForRouting
that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisionsInternally this field will be used to
* insert a catch-all route with a 404 direct response identical to #2586 which makes sure the jwt filter withclaimToHeader
is applied before recomputing routing decisionclear_route_cache
to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtproviderRelates to #2452