
HTTP support for External Auth is not working #5237

Closed
kahirokunn opened this issue Mar 31, 2023 · 2 comments · Fixed by #5260
Labels
kind/bug Categorizes issue or PR as related to a bug.
Comments


kahirokunn commented Mar 31, 2023

What steps did you take and what happened:

I have set up authorization, but the backend service is accessible without querying authorization.
Of course, we monitored the authentication server packets, but none were received.

virtualhost:
  authorization:
    extensionRef:
      name: htpasswd
      namespace: projectcontour-auth
  fqdn: xxxx.xxxxx.com

What did you expect to happen:

Authorization must work over HTTP.

#4994

What I tried:

Specifying a nonexistent ExtensionService in extensionRef passes without generating any error.
Of course, all requests are granted as if authentication does not exist.

virtualhost:
  authorization:
    extensionRef:
      name: does-not-exists
      namespace: default
  fqdn: xxxx.xxxxx.com

There is a difference between the test code here and my run results, and I am not sure what is causing it.

https://github.com/projectcontour/contour/pull/4994/files#diff-5c8caa7e2f07cab15315ea619d08ac64babb067f3aeafad2c4663fc2d30578ce

Anything else you would like to add:

Here's the YAML I tried.

apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:projectcontour.io/ExtensionService:projectcontour-auth/htpasswd
  creationTimestamp: "2023-03-31T13:54:20Z"
  generation: 1
  labels:
    argocd.argoproj.io/instance: contour-htpasswd
  name: htpasswd
  namespace: projectcontour-auth
  resourceVersion: "16048965"
  uid: c968b0a8-08c7-458a-97f5-076f52234e20
spec:
  protocol: h2c
  services:
  - name: htpasswd
    port: 9443
  timeoutPolicy:
    response: 100ms
status:
  conditions:
  - lastTransitionTime: "2023-03-31T13:54:20Z"
    message: Valid ExtensionService
    observedGeneration: 1
    reason: Valid
    status: "True"
    type: Valid
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:apps/Deployment:projectcontour-auth/htpasswd
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2023-03-31T13:54:20Z"
  generation: 1
  labels:
    app.kubernetes.io/name: htpasswd
    argocd.argoproj.io/instance: contour-htpasswd
  name: htpasswd
  namespace: projectcontour-auth
  resourceVersion: "16049058"
  uid: 8cc9891a-69c3-4335-bf0e-24fbfd854df1
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: htpasswd
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: htpasswd
    spec:
      containers:
      - args:
        - htpasswd
        - --address=:9443
        command:
        - /contour-authserver
        image: projectcontour/contour-authserver:v2
        imagePullPolicy: IfNotPresent
        name: htpasswd
        ports:
        - containerPort: 9443
          name: auth
          protocol: TCP
        resources:
          limits:
            cpu: 100m
            memory: 90Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: htpasswd
      serviceAccountName: htpasswd
      terminationGracePeriodSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:/Service:projectcontour-auth/htpasswd
    service.kubernetes.io/topology-aware-hints: auto
  creationTimestamp: "2023-03-31T13:54:20Z"
  labels:
    app.kubernetes.io/name: htpasswd
    argocd.argoproj.io/instance: contour-htpasswd
  name: htpasswd
  namespace: projectcontour-auth
  resourceVersion: "16048951"
  uid: c6baae10-15b3-4f31-8dca-9a34e49390ed
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: auth
    port: 9443
    protocol: TCP
    targetPort: 9443
  selector:
    app.kubernetes.io/name: htpasswd
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:/ServiceAccount:projectcontour-auth/htpasswd
  creationTimestamp: "2023-03-31T13:54:19Z"
  labels:
    argocd.argoproj.io/instance: contour-htpasswd
  name: htpasswd
  namespace: projectcontour-auth
  resourceVersion: "16048944"
  uid: 8cea7285-c429-4268-8f5f-941de3c988e7
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:rbac.authorization.k8s.io/ClusterRole:projectcontour-auth/contour:authserver:htpasswd
  creationTimestamp: "2023-03-31T10:12:54Z"
  labels:
    argocd.argoproj.io/instance: contour-htpasswd
  name: contour:authserver:htpasswd
  resourceVersion: "16048947"
  uid: 35628f52-f994-49f3-af51-443ccbbf9f59
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: contour-htpasswd:rbac.authorization.k8s.io/ClusterRoleBinding:projectcontour-auth/contour:authserver:htpasswd
  creationTimestamp: "2023-03-31T10:18:57Z"
  labels:
    argocd.argoproj.io/instance: contour-htpasswd
  name: contour:authserver:htpasswd
  resourceVersion: "16048948"
  uid: 5f78d4f8-88fe-46d6-b16f-33189e13421f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: contour:authserver:htpasswd
subjects:
- kind: ServiceAccount
  name: htpasswd
  namespace: projectcontour-auth
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  annotations:
    argocd.argoproj.io/tracking-id: argocd-expose:projectcontour.io/HTTPProxy:argocd/xxxxx.xxxxxx.com
    projectcontour.io/ingress.class: contour-clustermesh
  creationTimestamp: "2023-03-31T13:34:13Z"
  generation: 3
  labels:
    argocd.argoproj.io/instance: argocd-expose
  name: xxxxx.xxxxxx.com
  namespace: argocd
  resourceVersion: "16048941"
  uid: cbc342f5-2620-4f3f-afe0-8f713019e06b
spec:
  routes:
  - conditions:
    - prefix: /
    services:
    - name: argocd-server
      port: 80
  virtualhost:
    authorization:
      extensionRef:
        name: htpasswd
        namespace: projectcontour-auth
    fqdn: xxxxx.xxxxxx.com
status:
  conditions:
  - lastTransitionTime: "2023-03-31T13:54:19Z"
    message: Valid HTTPProxy
    observedGeneration: 3
    reason: Valid
    status: "True"
    type: Valid
  currentStatus: valid
  description: Valid HTTPProxy
  loadBalancer:
    ingress:
    - hostname: xxxxxx.xxxx.elb.amazonaws.com

Environment:

  • Contour version: docker.io/kahiro/contour:3a85420d (I built this commit.)
  • Kubernetes version: (use kubectl version): Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.6-eks-48e63af", GitCommit:"9f22d4ae876173884749c0701f01340879ab3f95", GitTreeState:"clean", BuildDate:"2023-01-24T19:19:02Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
  • Kubernetes installer & version: EKS
  • Cloud provider or hardware configuration: EKS 1.25
  • OS (e.g. from /etc/os-release): Bottlerocket OS 1.12.0 (aws-k8s-1.25)
  • Envoy version: v1.25.2
@kahirokunn kahirokunn added kind/bug Categorizes issue or PR as related to a bug. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Mar 31, 2023
sunjayBhatia (Member) commented:

HTTPProxies with HTTP (no tls setting) virtualhosts do not support configuring external auth servers in-line; you must configure a global external auth server, see: https://projectcontour.io/docs/main/guides/external-authorization/#global-external-authorization (there is a note that "You can only override the global external configuration on a HTTPS virtual host.")

sunjayBhatia (Member) commented:

We may want to decide to add an error condition to HTTPProxies with no TLS configuration that attempt to also configure the external auth server, so that this confusion does not arise. cc @clayton-gonsalves
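The two failure modes in this thread (an inline `extensionRef` on an HTTP-only virtualhost that Contour silently ignores, so the backend is reached without any authorization call, and an `extensionRef` naming an ExtensionService that does not exist) are both easy to catch offline before they fail open in a cluster. The following Go program is an added example written for this page, not Contour's own code or the validation added in #5260: it audits HTTPProxy manifests (JSON as printed by `kubectl get httpproxy -o json`) against an inventory of known ExtensionServices. The `HTTPProxy` struct is an assumed minimal projection of the real API type, the inventory and manifests are constructed sample data, and the check honours `authPolicy.disabled` so that an explicit opt-out on an HTTP vhost (still valid per the fix) is not reported.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is one misconfiguration detected on an HTTPProxy.
type Finding struct {
	Proxy  string // namespace/name of the HTTPProxy
	Reason string
}

// HTTPProxy is a minimal projection of the projectcontour.io/v1 HTTPProxy
// fields the audit needs. It is an illustrative type assumed here, not
// Contour's own API struct; the JSON keys follow the manifests in the issue.
type HTTPProxy struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Spec struct {
		VirtualHost *struct {
			Fqdn          string          `json:"fqdn"`
			TLS           json.RawMessage `json:"tls,omitempty"`
			Authorization *struct {
				ExtensionRef *struct {
					Name      string `json:"name"`
					Namespace string `json:"namespace"`
				} `json:"extensionRef,omitempty"`
				AuthPolicy *struct {
					Disabled bool `json:"disabled"`
				} `json:"authPolicy,omitempty"`
			} `json:"authorization,omitempty"`
		} `json:"virtualhost,omitempty"`
	} `json:"spec"`
}

// Audit parses HTTPProxy manifests (one JSON document each) and reports the
// two failure modes from the issue: an inline extensionRef on an HTTP-only
// virtualhost (ignored by Contour, so traffic reaches the backend without an
// authorization check) and an extensionRef naming an ExtensionService that is
// not in the supplied inventory. Explicitly disabling auth via
// authPolicy.disabled on an HTTP vhost is not reported, matching #5260.
func Audit(manifests [][]byte, knownExtensionServices map[string]bool) ([]Finding, error) {
	var findings []Finding
	for _, raw := range manifests {
		var p HTTPProxy
		if err := json.Unmarshal(raw, &p); err != nil {
			return nil, fmt.Errorf("parsing HTTPProxy: %w", err)
		}
		id := p.Metadata.Namespace + "/" + p.Metadata.Name
		vh := p.Spec.VirtualHost
		if vh == nil || vh.Authorization == nil {
			continue // no inline authorization: nothing to check here
		}
		auth := vh.Authorization
		hasTLS := len(vh.TLS) > 0 && string(vh.TLS) != "null"
		disabled := auth.AuthPolicy != nil && auth.AuthPolicy.Disabled
		if !hasTLS && auth.ExtensionRef != nil && !disabled {
			findings = append(findings, Finding{id, fmt.Sprintf(
				"fqdn %s has no tls block but sets authorization.extensionRef; inline external auth is ignored on HTTP virtualhosts, so requests are not authenticated", vh.Fqdn)})
		}
		if ref := auth.ExtensionRef; ref != nil {
			ns := ref.Namespace
			if ns == "" {
				ns = p.Metadata.Namespace // an unset namespace refers to the proxy's own namespace
			}
			if key := ns + "/" + ref.Name; !knownExtensionServices[key] {
				findings = append(findings, Finding{id, "extensionRef " + key + " matches no known ExtensionService"})
			}
		}
	}
	return findings, nil
}

// SampleKnownExtensionServices is a constructed inventory; in practice build it
// from `kubectl get extensionservice -A`.
var SampleKnownExtensionServices = map[string]bool{"projectcontour-auth/htpasswd": true}

// SampleManifests are constructed inputs: the issue's HTTP-only proxy, the
// nonexistent-ExtensionService variant, a correct HTTPS proxy and an explicit opt-out.
var SampleManifests = [][]byte{
	[]byte(`{"metadata":{"name":"xxxxx.xxxxxx.com","namespace":"argocd"},"spec":{"virtualhost":{"fqdn":"xxxxx.xxxxxx.com","authorization":{"extensionRef":{"name":"htpasswd","namespace":"projectcontour-auth"}}}}}`),
	[]byte(`{"metadata":{"name":"broken","namespace":"default"},"spec":{"virtualhost":{"fqdn":"broken.example.test","authorization":{"extensionRef":{"name":"does-not-exists","namespace":"default"}}}}}`),
	[]byte(`{"metadata":{"name":"secure","namespace":"default"},"spec":{"virtualhost":{"fqdn":"secure.example.test","tls":{"secretName":"secure-cert"},"authorization":{"extensionRef":{"name":"htpasswd","namespace":"projectcontour-auth"}}}}}`),
	[]byte(`{"metadata":{"name":"opt-out","namespace":"default"},"spec":{"virtualhost":{"fqdn":"public.example.test","authorization":{"authPolicy":{"disabled":true}}}}}`),
}

func main() {
	findings, err := Audit(SampleManifests, SampleKnownExtensionServices)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Proxy, f.Reason)
	}
}
```

Run against the sample data this reports three findings: the argocd proxy (HTTP-only with an inline ref), and the `default/broken` proxy twice (HTTP-only, and a ref to `default/does-not-exists`); the HTTPS proxy and the explicit opt-out are clean. Until a Contour release containing #5260 marks such proxies `Valid=false`, a check like this in CI or an admission hook is the practical way to stop an HTTPProxy from shipping with authorization that never runs.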

@sunjayBhatia sunjayBhatia added kind/question Categorizes an issue as a user question. and removed kind/bug Categorizes issue or PR as related to a bug. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Mar 31, 2023
@skriss skriss self-assigned this Apr 7, 2023
@skriss skriss added this to the 1.25.0 milestone Apr 7, 2023
@skriss skriss added this to Contour Apr 7, 2023
@skriss skriss added kind/bug Categorizes issue or PR as related to a bug. and removed kind/question Categorizes an issue as a user question. labels Apr 7, 2023
@skriss skriss moved this to In Progress in Contour Apr 7, 2023
skriss added a commit to skriss/contour that referenced this issue Apr 7, 2023
Sets Valid=false on an HTTP vhost with
External Auth configured. Note that it
is still valid to explicitly disable
ExtAuth for an HTTP vhost.

Closes projectcontour#5237.

Signed-off-by: Steve Kriss <krisss@vmware.com>
skriss added a commit that referenced this issue Apr 7, 2023
…5260)

Sets Valid=false on an HTTP vhost with
External Auth configured. Note that it
is still valid to explicitly disable
ExtAuth for an HTTP vhost.

Closes #5237.

Signed-off-by: Steve Kriss <krisss@vmware.com>
@github-project-automation github-project-automation bot moved this from In Progress to Done in Contour Apr 7, 2023
padlar pushed a commit to padlar/contour that referenced this issue Apr 20, 2023
…rojectcontour#5260)

Sets Valid=false on an HTTP vhost with
External Auth configured. Note that it
is still valid to explicitly disable
ExtAuth for an HTTP vhost.

Closes projectcontour#5237.

Signed-off-by: Steve Kriss <krisss@vmware.com>