more tests, changelog and site docs

Signed-off-by: claytonig <claytonivorgonsalves@gmail.com>

apis/projectcontour/v1/helpers.go

@@ -52,7 +52,7 @@ func (v *VirtualHost) AuthorizationContext() map[string]string {
 }
 
 // DisableGlobalAuthorization returns true if this virtual host disables
-// global authorization. If a global authorization config present, the default
+// global authorization. If a global authorization config is present, the default
 // policy is to not disable.
 func (v *VirtualHost) DisableGlobalAuthorization() bool {
 	return v.Authorization != nil && v.Authorization.GlobalExternalAuthorizationDisabled

apis/projectcontour/v1/httpproxy.go

@@ -193,9 +193,10 @@ type ExtensionServiceReference struct {
 // external authorization GRPC protocol (https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto).
 type AuthorizationServer struct {
 	// ExtensionServiceRef specifies the extension resource that will authorize client requests.
+	// One of globalExtAuthDisabled or extensionRef must be set.
 	//
-	// +required
-	ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,,omitempty"`
+	// +optional
+	ExtensionServiceRef ExtensionServiceReference `json:"extensionRef,omitempty"`
 
 	// AuthPolicy sets a default authorization policy for client requests.
 	// This policy will be used unless overridden by individual routes.
@@ -225,6 +226,9 @@ type AuthorizationServer struct {
 	WithRequestBody *AuthorizationServerBufferSettings `json:"withRequestBody,omitempty"`
 
 	// GlobalExternalAuthorizationDisabled optionally disables the global external authorization on the virtual host.
+	// One of globalExtAuthDisabled or extensionRef must be set.
+	//
+	// +optional
 	GlobalExternalAuthorizationDisabled bool `json:"globalExtAuthDisabled,omitempty"`
 }
 

apis/projectcontour/v1alpha1/contourconfig.go

@@ -63,7 +63,7 @@ type ContourConfigurationSpec struct {
 	EnableExternalNameService *bool `json:"enableExternalNameService,omitempty"`
 
 	// GlobalExternalAuthorization allows envoys external authorization filter
-	// to be enabled for all HTTP requests.
+	// to be enabled for all virtual hosts.
 	// +optional
 	GlobalExternalAuthorization *GlobalExternalAuthorizationConfig `json:"globalExtAuth,omitempty"`
 
@@ -628,7 +628,7 @@ type NetworkParameters struct {
 	EnvoyAdminPort *int `json:"adminPort,omitempty"`
 }
 
-// GlobalExternalAuthorizationConfig defines properties of global HTTP external authorization.
+// GlobalExternalAuthorizationConfig defines properties of global external authorization.
 type GlobalExternalAuthorizationConfig struct {
 	// ExtensionService identifies the extension service responsible for the authorization.
 	// formatted as <namespace>/<name>.

changelogs/unreleased/4994-clayton-gonsalves-minor.md

@@ -0,0 +1 @@
+Add support for Global External Authorization for HTTPProxy.

cmd/contour/servecontext.go

@@ -406,6 +406,7 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 
 		if ctx.Config.GlobalExternalAuthorization.WithRequestBody != nil {
 			globalExtAuth.WithRequestBody = &contour_api_v1alpha1.GlobalAuthorizationServerBufferSettings{
+				MaxRequestBytes:     ctx.Config.GlobalExternalAuthorization.WithRequestBody.MaxRequestBytes,
 				AllowPartialMessage: ref.To(ctx.Config.GlobalExternalAuthorization.WithRequestBody.AllowPartialMessage),
 				PackAsBytes:         ref.To(ctx.Config.GlobalExternalAuthorization.WithRequestBody.PackAsBytes),
 			}

cmd/contour/servecontext_test.go

@@ -481,8 +481,9 @@ func TestConvertServeContext(t *testing.T) {
 				DisablePermitInsecure: ref.To(false),
 				FallbackCertificate:   nil,
 			},
-			EnableExternalNameService: ref.To(false),
-			RateLimitService:          nil,
+			EnableExternalNameService:   ref.To(false),
+			RateLimitService:            nil,
+			GlobalExternalAuthorization: nil,
 			Policy: &contour_api_v1alpha1.PolicyConfig{
 				RequestHeadersPolicy:  &contour_api_v1alpha1.HeadersPolicy{},
 				ResponseHeadersPolicy: &contour_api_v1alpha1.HeadersPolicy{},
@@ -699,6 +700,43 @@ func TestConvertServeContext(t *testing.T) {
 				return cfg
 			},
 		},
+		"global external authorization": {
+			getServeContext: func(ctx *serveContext) *serveContext {
+				ctx.Config.GlobalExternalAuthorization = config.GlobalExternalAuthorization{
+					ExtensionService: "extauthns/extauthtext",
+					FailOpen:         true,
+					AuthPolicy: &config.GlobalAuthorizationPolicy{
+						Context: map[string]string{
+							"foo": "bar",
+						},
+					},
+					WithRequestBody: &config.GlobalAuthorizationServerBufferSettings{
+						MaxRequestBytes:     512,
+						PackAsBytes:         true,
+						AllowPartialMessage: true,
+					},
+				}
+				return ctx
+			},
+			getContourConfiguration: func(cfg contour_api_v1alpha1.ContourConfigurationSpec) contour_api_v1alpha1.ContourConfigurationSpec {
+				cfg.GlobalExternalAuthorization = &contour_api_v1alpha1.GlobalExternalAuthorizationConfig{
+					ExtensionService: "extauthns/extauthtext",
+					FailOpen:         ref.To(true),
+					AuthPolicy: &contour_api_v1alpha1.GlobalAuthorizationPolicy{
+						Context: map[string]string{
+							"foo": "bar",
+						},
+						Disabled: ref.To(false),
+					},
+					WithRequestBody: &contour_api_v1alpha1.GlobalAuthorizationServerBufferSettings{
+						MaxRequestBytes:     512,
+						PackAsBytes:         ref.To(true),
+						AllowPartialMessage: ref.To(true),
+					},
+				}
+				return cfg
+			},
+		},
 	}
 
 	for name, tc := range cases {

examples/contour/01-crds.yaml

@@ -413,7 +413,7 @@ spec:
                 type: object
               globalExtAuth:
                 description: GlobalExternalAuthorization allows envoys external authorization
-                  filter to be enabled for all HTTP requests.
+                  filter to be enabled for all virtual hosts.
                 properties:
                   extensionService:
                     description: ExtensionService identifies the extension service
@@ -3498,7 +3498,7 @@ spec:
                     type: object
                   globalExtAuth:
                     description: GlobalExternalAuthorization allows envoys external
-                      authorization filter to be enabled for all HTTP requests.
+                      authorization filter to be enabled for all virtual hosts.
                     properties:
                       extensionService:
                         description: ExtensionService identifies the extension service
@@ -5864,7 +5864,8 @@ spec:
                         type: object
                       extensionRef:
                         description: ExtensionServiceRef specifies the extension resource
-                          that will authorize client requests.
+                          that will authorize client requests. One of globalExtAuthDisabled
+                          or extensionRef must be set.
                         properties:
                           apiVersion:
                             description: API version of the referent. If this field
@@ -5893,7 +5894,8 @@ spec:
                       globalExtAuthDisabled:
                         description: GlobalExternalAuthorizationDisabled optionally
                           disables the global external authorization on the virtual
-                          host.
+                          host. One of globalExtAuthDisabled or extensionRef must
+                          be set.
                         type: boolean
                       responseTimeout:
                         description: ResponseTimeout configures maximum time to wait

examples/render/contour-deployment.yaml

@@ -626,7 +626,7 @@ spec:
                 type: object
               globalExtAuth:
                 description: GlobalExternalAuthorization allows envoys external authorization
-                  filter to be enabled for all HTTP requests.
+                  filter to be enabled for all virtual hosts.
                 properties:
                   extensionService:
                     description: ExtensionService identifies the extension service
@@ -3711,7 +3711,7 @@ spec:
                     type: object
                   globalExtAuth:
                     description: GlobalExternalAuthorization allows envoys external
-                      authorization filter to be enabled for all HTTP requests.
+                      authorization filter to be enabled for all virtual hosts.
                     properties:
                       extensionService:
                         description: ExtensionService identifies the extension service
@@ -6077,7 +6077,8 @@ spec:
                         type: object
                       extensionRef:
                         description: ExtensionServiceRef specifies the extension resource
-                          that will authorize client requests.
+                          that will authorize client requests. One of globalExtAuthDisabled
+                          or extensionRef must be set.
                         properties:
                           apiVersion:
                             description: API version of the referent. If this field
@@ -6106,7 +6107,8 @@ spec:
                       globalExtAuthDisabled:
                         description: GlobalExternalAuthorizationDisabled optionally
                           disables the global external authorization on the virtual
-                          host.
+                          host. One of globalExtAuthDisabled or extensionRef must
+                          be set.
                         type: boolean
                       responseTimeout:
                         description: ResponseTimeout configures maximum time to wait

examples/render/contour-gateway-provisioner.yaml

@@ -427,7 +427,7 @@ spec:
                 type: object
               globalExtAuth:
                 description: GlobalExternalAuthorization allows envoys external authorization
-                  filter to be enabled for all HTTP requests.
+                  filter to be enabled for all virtual hosts.
                 properties:
                   extensionService:
                     description: ExtensionService identifies the extension service
@@ -3512,7 +3512,7 @@ spec:
                     type: object
                   globalExtAuth:
                     description: GlobalExternalAuthorization allows envoys external
-                      authorization filter to be enabled for all HTTP requests.
+                      authorization filter to be enabled for all virtual hosts.
                     properties:
                       extensionService:
                         description: ExtensionService identifies the extension service
@@ -5878,7 +5878,8 @@ spec:
                         type: object
                       extensionRef:
                         description: ExtensionServiceRef specifies the extension resource
-                          that will authorize client requests.
+                          that will authorize client requests. One of globalExtAuthDisabled
+                          or extensionRef must be set.
                         properties:
                           apiVersion:
                             description: API version of the referent. If this field
@@ -5907,7 +5908,8 @@ spec:
                       globalExtAuthDisabled:
                         description: GlobalExternalAuthorizationDisabled optionally
                           disables the global external authorization on the virtual
-                          host.
+                          host. One of globalExtAuthDisabled or extensionRef must
+                          be set.
                         type: boolean
                       responseTimeout:
                         description: ResponseTimeout configures maximum time to wait