From 14084c01d1bb5013bc3d9ec8dd1f9b2791add474 Mon Sep 17 00:00:00 2001
From: claytonig
Date: Wed, 8 Mar 2023 19:12:59 +0100
Subject: [PATCH] Address review comments

Signed-off-by: claytonig
---
 config.yaml | 136 ------------------
 .../main/guides/external-authorization.md | 2 +-
 2 files changed, 1 insertion(+), 137 deletions(-)
 delete mode 100644 config.yaml

diff --git a/config.yaml b/config.yaml
deleted file mode 100644
index 3a87a2e3779..00000000000
--- a/config.yaml
+++ /dev/null
@@ -1,136 +0,0 @@
-#
-# server:
-# determine which XDS Server implementation to utilize in Contour.
-# xds-server-type: contour
-#
-# Specify the Gateway API configuration.
-# gateway:
-# controllerName: projectcontour.io/projectcontour/contour
-#
-# should contour expect to be running inside a k8s cluster
-# incluster: true
-#
-# path to kubeconfig (if not running inside a k8s cluster)
-# kubeconfig: /path/to/.kube/config
-#
-# Disable RFC-compliant behavior to strip "Content-Length" header if
-# "Tranfer-Encoding: chunked" is also set.
-# disableAllowChunkedLength: false
-#
-# Disable Envoy's non-standard merge_slashes path transformation option
-# that strips duplicate slashes from request URLs.
-# disableMergeSlashes: false
-#
-# Disable HTTPProxy permitInsecure field
-disablePermitInsecure: false
-tls:
-# minimum TLS version that Contour will negotiate
-# minimum-protocol-version: "1.2"
-# TLS ciphers to be supported by Envoy TLS listeners when negotiating
-# TLS 1.2.
-# cipher-suites:
-# - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
-# - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
-# - 'ECDHE-ECDSA-AES256-GCM-SHA384'
-# - 'ECDHE-RSA-AES256-GCM-SHA384'
-# Defines the Kubernetes name/namespace matching a secret to use
-# as the fallback certificate when requests which don't match the
-# SNI defined for a vhost.
- fallback-certificate:
-# name: fallback-secret-name
-# namespace: projectcontour
- envoy-client-certificate:
-# name: envoy-client-cert-secret-name
-# namespace: projectcontour
-####
-# ExternalName Services are disabled by default due to CVE-2021-XXXXX
-# You can re-enable them by setting this setting to `true`.
-# This is not recommended without understanding the security implications.
-# Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
-# enableExternalNameService: false
-##
-# Address to be placed in status.loadbalancer field of Ingress objects.
-# May be either a literal IP address or a host name.
-# The value will be placed directly into the relevant field inside the status.loadBalancer struct.
-# ingress-status-address: local.projectcontour.io
-### Logging options
-# Default setting
-accesslog-format: envoy
-# The default access log format is defined by Envoy but it can be customized by setting following variable.
-# accesslog-format-string: "...\n"
-# To enable JSON logging in Envoy
-# accesslog-format: json
-# accesslog-level: info
-# The default fields that will be logged are specified below.
-# To customise this list, just add or remove entries.
-# The canonical list is available at
-# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
-# json-fields:
-# - "@timestamp"
-# - "authority"
-# - "bytes_received"
-# - "bytes_sent"
-# - "downstream_local_address"
-# - "downstream_remote_address"
-# - "duration"
-# - "method"
-# - "path"
-# - "protocol"
-# - "request_id"
-# - "requested_server_name"
-# - "response_code"
-# - "response_flags"
-# - "uber_trace_id"
-# - "upstream_cluster"
-# - "upstream_host"
-# - "upstream_local_address"
-# - "upstream_service_time"
-# - "user_agent"
-# - "x_forwarded_for"
-# - "grpc_status"
-# - "grpc_status_number"
-#
-# default-http-versions:
-# - "HTTP/2"
-# - "HTTP/1.1"
-#
-# The following shows the default proxy timeout settings.
-# timeouts:
-# request-timeout: infinity
-# connection-idle-timeout: 60s
-# stream-idle-timeout: 5m
-# max-connection-duration: infinity
-# delayed-close-timeout: 1s
-# connection-shutdown-grace-period: 5s
-# connect-timeout: 2s
-#
-# Envoy cluster settings.
-# cluster:
-# configure the cluster dns lookup family
-# valid options are: auto (default), v4, v6
-# dns-lookup-family: auto
-#
-# Envoy network settings.
-# network:
-# Configure the number of additional ingress proxy hops from the
-# right side of the x-forwarded-for HTTP header to trust.
-# num-trusted-hops: 0
-# Configure the port used to access the Envoy Admin interface.
-# admin-port: 9001
-#
-globalExtAuth:
- # extensionService is the /
- # of the ExtensionService we created in the
- # previous step.
- extensionService: projectcontour-auth/htpasswd
- # failOpen is whether to allow requests through
- # if there's an error.
- failOpen: false
- # Context is a set of key/value pairs that are sent to the authentication server in the check request.
- authPolicy:
- context:
- header1: value1
- header2: value2
- routq: global
- # ResponseTimeout configures maximum time to wait for a check response from the authorization server
- responseTimeout: 1s
\ No newline at end of file
diff --git a/site/content/docs/main/guides/external-authorization.md b/site/content/docs/main/guides/external-authorization.md
index 5a5b327ed06..9524a28fb0d 100644
--- a/site/content/docs/main/guides/external-authorization.md
+++ b/site/content/docs/main/guides/external-authorization.md
@@ -446,7 +446,7 @@ $ curl -k --user user1:password1 https://local.projectcontour.io/test/$((RANDOM)
 {"TestId":"","Path":"/test/13499","Host":"local.projectcontour.io","Method":"GET","Proto":"HTTP/1.1","Headers":{"Accept":["*/*"],"Auth-Context-Header1":["value1"],"Auth-Context-Header2":["value2"],"Auth-Context-Routq":["global"],"Auth-Handler":["htpasswd"],"Auth-Realm":["default"],"Auth-Username":["user1"],"Authorization":["Basic dXNlcjE6cGFzc3dvcmQx"],"User-Agent":["curl/7.86.0"],"X-Envoy-Expected-Rq-Timeout-Ms":["15000"],"X-Envoy-Internal":["true"],"X-Forwarded-For":["172.18.0.1"],"X-Forwarded-Proto":["https"],"X-Request-Id":["2b3edbed-3c68-44ef-a659-2e1245d7fe13"],"X-Request-Start":["t=1676901557.918"]}}
 ```
-### excluding a virtual host from global external authorization
+### Excluding a virtual host from global external authorization
 You can exclude a virtual host from the global external authorization policy by setting the `disabled` flag to true under `authPolicy`.