feat: ext auth headers on match #7792
Conversation
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
…-auth-headers-on-match Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Codecov Report❌ Patch coverage is
❌ Your patch check has failed because the patch coverage (43.47%) is below the target coverage (60.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #7792 +/- ##
==========================================
- Coverage 72.83% 72.77% -0.06%
==========================================
Files 236 236
Lines 35190 35228 +38
==========================================
+ Hits 25629 25638 +9
- Misses 7742 7774 +32
+ Partials 1819 1816 -3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
internal/ir/xds.go
Outdated
| // HeadersToExtAuthOnMatch defines the patterns of the client request headers | ||
| // that will be included in the request to the external authorization service. | ||
| // +optional | ||
| HeadersToExtAuthOnMatch []egv1a1.StringMatch `json:"headersToExtAuthOnMatch,omitempty"` |
There was a problem hiding this comment.
Nit: can we use ir.StringMatch here?
There was a problem hiding this comment.
those two structs are indeed quite different and using ir.StringMatch by going over the hassle for the data structure conversion does not really serve any real purpose.
There was a problem hiding this comment.
Ideally, we should avoid using external APIs directly in the IR layer when possible, since the IR is meant to be an intermediate representation that’s independent of Envoy Gateway and the Gateway API.
That said, this isn’t blocking, as we’re already using some external APIs in the IR today.
There was a problem hiding this comment.
Pushed new changes, please review again!
|
/retest |
…ealt/gateway into feat/ext-auth-headers-on-match
…th-headers-on-match Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
…th-headers-on-match
Signed-off-by: Shreemaan Abhishek <shreemaanabhishek@apache.org>
…ealt/gateway into feat/ext-auth-headers-on-match
2 participants
What type of PR is this?
Enhancement 😎
What this PR does / why we need it:
When using ext auth, it is a common scenario that users might need some specific headers (other then the default) to be sent to the auth service. The envoy go control plane supports matching headers based on
StringMatch, we leverage this feature to assign headers to outgoing ext auth API call based on following matching types:Which issue(s) this PR fixes:
Fixes #7703
Release Notes: Yes/No