address review comments

Signed-off-by: claytonig <claytonivorgonsalves@gmail.com>

apis/projectcontour/v1/helpers.go

@@ -20,7 +20,7 @@ import (
 // AuthorizationConfigured returns whether authorization  is
 // configured on this virtual host.
 func (v *VirtualHost) AuthorizationConfigured() bool {
-	return v.TLS != nil && v.Authorization != nil
+	return v.Authorization != nil
 }
 
 // DisableAuthorization returns true if this virtual host disables

apis/projectcontour/v1/httpproxy.go

@@ -194,7 +194,7 @@ type ExtensionServiceReference struct {
 type AuthorizationServer struct {
 	// ExtensionServiceRef specifies the extension resource that will authorize client requests.
 	//
-	// +required
+	// +optional
 	ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,omitempty"`
 
 	// AuthPolicy sets a default authorization policy for client requests.

changelogs/unreleased/4994-clayton-gonsalves-minor.md

@@ -1 +1,17 @@
-Add support for Global External Authorization for HTTPProxy.
+## Add support for Global External Authorization for HTTPProxy.
+
+Contour now supports external authorization for all hosts by setting the config as part of the `contourConfig` like so: 
+
+```yaml
+globalExtAuth:
+  extensionService: projectcontour-auth/htpasswd
+  failOpen: false
+  authPolicy:
+    context:
+      header1: value1
+      header2: value2
+  responseTimeout: 1s
+```
+
+Individual hosts can also override or opt out of this global configuration. 
+You can read more about this feature in detail in the [guide](https://projectcontour.io/docs/v1.25.0/guides/external-authorization/#global-external-authorization). 

config.yaml

@@ -0,0 +1,136 @@
+#
+# server:
+#   determine which XDS Server implementation to utilize in Contour.
+#   xds-server-type: contour
+#
+# Specify the Gateway API configuration.
+# gateway:
+#   controllerName: projectcontour.io/projectcontour/contour
+#
+# should contour expect to be running inside a k8s cluster
+# incluster: true
+#
+# path to kubeconfig (if not running inside a k8s cluster)
+# kubeconfig: /path/to/.kube/config
+#
+# Disable RFC-compliant behavior to strip "Content-Length" header if
+# "Tranfer-Encoding: chunked" is also set.
+# disableAllowChunkedLength: false
+#
+# Disable Envoy's non-standard merge_slashes path transformation option
+# that strips duplicate slashes from request URLs.
+# disableMergeSlashes: false
+#
+# Disable HTTPProxy permitInsecure field
+disablePermitInsecure: false
+tls:
+# minimum TLS version that Contour will negotiate
+# minimum-protocol-version: "1.2"
+# TLS ciphers to be supported by Envoy TLS listeners when negotiating
+# TLS 1.2.
+# cipher-suites:
+# - '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]'
+# - '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]'
+# - 'ECDHE-ECDSA-AES256-GCM-SHA384'
+# - 'ECDHE-RSA-AES256-GCM-SHA384'
+# Defines the Kubernetes name/namespace matching a secret to use
+# as the fallback certificate when requests which don't match the
+# SNI defined for a vhost.
+  fallback-certificate:
+#   name: fallback-secret-name
+#   namespace: projectcontour
+  envoy-client-certificate:
+#   name: envoy-client-cert-secret-name
+#   namespace: projectcontour
+####
+# ExternalName Services are disabled by default due to CVE-2021-XXXXX
+# You can re-enable them by setting this setting to `true`.
+# This is not recommended without understanding the security implications.
+# Please see the advisory at https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc for the details.
+# enableExternalNameService: false
+##
+# Address to be placed in status.loadbalancer field of Ingress objects.
+# May be either a literal IP address or a host name.
+# The value will be placed directly into the relevant field inside the status.loadBalancer struct.
+# ingress-status-address: local.projectcontour.io
+### Logging options
+# Default setting
+accesslog-format: envoy
+# The default access log format is defined by Envoy but it can be customized by setting following variable.
+# accesslog-format-string: "...\n"
+# To enable JSON logging in Envoy
+# accesslog-format: json
+# accesslog-level: info
+# The default fields that will be logged are specified below.
+# To customise this list, just add or remove entries.
+# The canonical list is available at
+# https://godoc.org/github.com/projectcontour/contour/internal/envoy#JSONFields
+# json-fields:
+#   - "@timestamp"
+#   - "authority"
+#   - "bytes_received"
+#   - "bytes_sent"
+#   - "downstream_local_address"
+#   - "downstream_remote_address"
+#   - "duration"
+#   - "method"
+#   - "path"
+#   - "protocol"
+#   - "request_id"
+#   - "requested_server_name"
+#   - "response_code"
+#   - "response_flags"
+#   - "uber_trace_id"
+#   - "upstream_cluster"
+#   - "upstream_host"
+#   - "upstream_local_address"
+#   - "upstream_service_time"
+#   - "user_agent"
+#   - "x_forwarded_for"
+#   - "grpc_status"
+#   - "grpc_status_number"
+#
+# default-http-versions:
+# - "HTTP/2"
+# - "HTTP/1.1"
+#
+# The following shows the default proxy timeout settings.
+# timeouts:
+#   request-timeout: infinity
+#   connection-idle-timeout: 60s
+#   stream-idle-timeout: 5m
+#   max-connection-duration: infinity
+#   delayed-close-timeout: 1s
+#   connection-shutdown-grace-period: 5s
+#   connect-timeout: 2s
+#
+# Envoy cluster settings.
+# cluster:
+#   configure the cluster dns lookup family
+#   valid options are: auto (default), v4, v6
+#   dns-lookup-family: auto
+#
+# Envoy network settings.
+# network:
+#   Configure the number of additional ingress proxy hops from the
+#   right side of the x-forwarded-for HTTP header to trust.
+#   num-trusted-hops: 0
+#   Configure the port used to access the Envoy Admin interface.
+#   admin-port: 9001
+#
+globalExtAuth:
+  # extensionService is the <namespace>/<name>
+  # of the ExtensionService we created in the
+  # previous step.
+  extensionService: projectcontour-auth/htpasswd
+  # failOpen is whether to allow requests through
+  # if there's an error.
+  failOpen: false
+  # Context is a set of key/value pairs that are sent to the authentication server in the check request.
+  authPolicy:
+    context:
+      header1: value1
+      header2: value2
+      routq: global
+    # ResponseTimeout configures maximum time to wait for a check response from the authorization server
+  responseTimeout: 1s

examples/global-external-auth/01-authserver.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: testserver
+  namespace: projectcontour
   labels:
     app.kubernetes.io/name: testserver
 spec:
@@ -38,6 +39,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: testserver
+  namespace: projectcontour
   labels:
     app.kubernetes.io/name: testserver
 spec:

internal/dag/httpproxy_processor.go

@@ -1230,14 +1230,12 @@ func determineExternalAuthTimeout(responseTimeout string, validCond *contour_api
 
 func (p *HTTPProxyProcessor) computeSecureVirtualHostAuthorization(validCond *contour_api_v1.DetailedCondition, httpproxy *contour_api_v1.HTTPProxy, svhost *SecureVirtualHost) bool {
 	if httpproxy.Spec.VirtualHost.AuthorizationConfigured() && !httpproxy.Spec.VirtualHost.DisableAuthorization() {
-		if httpproxy.Spec.VirtualHost.AuthorizationConfigured() {
-			authorization := p.computeVirtualHostAuthorization(httpproxy.Spec.VirtualHost.Authorization, validCond, httpproxy)
-			if authorization == nil {
-				return false
-			}
-
-			svhost.ExternalAuthorization = authorization
+		authorization := p.computeVirtualHostAuthorization(httpproxy.Spec.VirtualHost.Authorization, validCond, httpproxy)
+		if authorization == nil {
+			return false
 		}
+
+		svhost.ExternalAuthorization = authorization
 	} else if p.GlobalExternalAuthorization != nil && !httpproxy.Spec.VirtualHost.DisableAuthorization() {
 		globalAuthorization := p.computeVirtualHostAuthorization(p.GlobalExternalAuthorization, validCond, httpproxy)
 		if globalAuthorization == nil {
@@ -1250,13 +1248,13 @@ func (p *HTTPProxyProcessor) computeSecureVirtualHostAuthorization(validCond *co
 	return true
 }
 
-func (p *HTTPProxyProcessor) GlobalAutorizationConfigured() bool {
+func (p *HTTPProxyProcessor) GlobalAuthorizationConfigured() bool {
 	return p.GlobalExternalAuthorization != nil
 }
 
 // AuthorizationContext returns the authorization policy context (if present).
 func (p *HTTPProxyProcessor) GlobalAuthorizationContext() map[string]string {
-	if p.GlobalAutorizationConfigured() && p.GlobalExternalAuthorization.AuthPolicy != nil {
+	if p.GlobalAuthorizationConfigured() && p.GlobalExternalAuthorization.AuthPolicy != nil {
 		return p.GlobalExternalAuthorization.AuthPolicy.Context
 	}
 	return nil

site/content/docs/main/config/api-reference.html

@@ -355,6 +355,7 @@ <h3 id="projectcontour.io/v1.AuthorizationServer">AuthorizationServer
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>ExtensionServiceRef specifies the extension resource that will authorize client requests.</p>
 </td>
 </tr>