Merge pull request #5 from ssttehrani/snappcloud

refactor: add http auth support to contour

Makefile

@@ -156,7 +156,6 @@ container: ## Build the Contour container image
 		--build-arg "BUILD_GOEXPERIMENT=$(BUILD_GOEXPERIMENT)" \
 		$(DOCKER_BUILD_LABELS) \
 		$(shell pwd) \
-		--platform linux/amd64 \
 		--tag $(IMAGE):$(VERSION)
 
 push: ## Push the Contour container image to the Docker registry

apis/projectcontour/v1/httpproxy.go

@@ -254,10 +254,10 @@ type AuthorizationServer struct {
 	// +kubebuilder:default=grpc
 	ServiceAPIType AuthorizationServiceAPIType `json:"serviceAPIType,omitempty"`
 
-	// HttpAuthorizationServerSettings defines configurations for interacting with an external HTTP authorization server.
+	// HTTPServerSettings defines configurations for interacting with an external HTTP authorization server.
 	//
 	// +optional
-	HttpServerSettings *HttpAuthorizationServerSettings `json:"httpSettings,omitempty"`
+	HTTPServerSettings *HTTPAuthorizationServerSettings `json:"httpSettings,omitempty"`
 
 	// AuthPolicy sets a default authorization policy for client requests.
 	// This policy will be used unless overridden by individual routes.
@@ -287,8 +287,8 @@ type AuthorizationServer struct {
 	WithRequestBody *AuthorizationServerBufferSettings `json:"withRequestBody,omitempty"`
 }
 
-// HttpAuthorizationServerSettings defines configurations for interacting with an external HTTP authorization server.
-type HttpAuthorizationServerSettings struct {
+// HTTPAuthorizationServerSettings defines configurations for interacting with an external HTTP authorization server.
+type HTTPAuthorizationServerSettings struct {
 	// PathPrefix Sets a prefix to the value of authorization request header Path.
 	//
 	// +optional
@@ -307,21 +307,21 @@ type HttpAuthorizationServerSettings struct {
 	// Note that in addition to the the user’s supplied matchers, Host, Method, Path, Content-Length, and Authorization are additionally included in the list.
 	//
 	// +optional
-	AllowedAuthorizationHeaders []HttpAuthorizationServerAllowedHeaders `json:"allowedAuthorizationHeaders,omitempty"`
+	AllowedAuthorizationHeaders []HTTPAuthorizationServerAllowedHeaders `json:"allowedAuthorizationHeaders,omitempty"`
 
 	// AllowedUpstreamHeaders specifies authorization response headers that will be added to the original client request.
 	// Note that coexistent headers will be overridden.
 	//
 	// +optional
-	AllowedUpstreamHeaders []HttpAuthorizationServerAllowedHeaders `json:"allowedUpstreamHeaders,omitempty"`
+	AllowedUpstreamHeaders []HTTPAuthorizationServerAllowedHeaders `json:"allowedUpstreamHeaders,omitempty"`
 }
 
-// HttpAuthorizationServerAllowedHeaders specifies how to conditionally match against allowed headers
+// HTTPAuthorizationServerAllowedHeaders specifies how to conditionally match against allowed headers
 // in the context of HTTP authorization. It includes options such as Exact, Prefix, Suffix,
 // Contains, and IgnoreCase to customize header matching criteria. However, regex support
 // is intentionally excluded to simplify the user experience and prevent potential issues.
 // One of Prefix, Exact, Suffix or Contains must be provided.
-type HttpAuthorizationServerAllowedHeaders struct {
+type HTTPAuthorizationServerAllowedHeaders struct {
 	// Exact specifies a string that the header name must be equal to.
 	//
 	// +optional

apis/projectcontour/v1alpha1/extensionservice.go

@@ -61,7 +61,7 @@ type ExtensionServiceTarget struct {
 // ExtensionServiceSpec defines the desired state of an ExtensionService resource.
 type ExtensionServiceSpec struct {
 	// Services specifies the set of Kubernetes Service resources that
-	// receive GRPC extension API requests.
+	// receive extension API requests.
 	// If no weights are specified for any of the entries in
 	// this array, traffic will be spread evenly across all the
 	// services.
@@ -77,15 +77,15 @@ type ExtensionServiceSpec struct {
 	UpstreamValidation *contour_api_v1.UpstreamValidation `json:"validation,omitempty"`
 
 	// Protocol may be used to specify (or override) the protocol used to reach this Service.
-	// Values may be h2 or h2c. If omitted, protocol-selection falls back on Service annotations.
+	// Values may be h2, h2c or http/1.1. If omitted, protocol-selection falls back on Service annotations.
 	//
 	// +optional
-	// +kubebuilder:validation:Enum=h1;h2;h2c
+	// +kubebuilder:validation:Enum=http/1.1;h2;h2c
 	Protocol *string `json:"protocol,omitempty"`
 
-	// The policy for load balancing GRPC service requests. Note that the
+	// The policy for load balancing service requests. Note that the
 	// `Cookie` and `RequestHash` load balancing strategies cannot be used
-	// here.
+	// here for GRPC service requests.
 	//
 	// +optional
 	LoadBalancerPolicy *contour_api_v1.LoadBalancerPolicy `json:"loadBalancerPolicy,omitempty"`

cmd/contour/serve.go

@@ -861,10 +861,6 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_
 		context = contourConfiguration.GlobalExternalAuthorization.AuthPolicy.Context
 	}
 
-	if contourConfiguration.GlobalExternalAuthorization.ServiceAPIType == contour_api_v1.AuthorizationHTTPService && contourConfiguration.GlobalExternalAuthorization.HttpServerSettings == nil {
-		return nil, fmt.Errorf("Spec.globalExtAuth.HttpServerSettings is not set and it is required for http type")
-	}
-
 	// Not required due to Kubernetes API server validation.
 	//
 	// if auth.ServiceAPIType == contour_api_v1.AuthorizationHTTPService && auth.HttpServerSettings.ServerURI == "" {
@@ -885,24 +881,28 @@ func (s *Server) setupGlobalExternalAuthentication(contourConfiguration contour_
 		globalExternalAuthConfig.ServiceAPIType = contour_api_v1.AuthorizationGRPCService
 	case contour_api_v1.AuthorizationHTTPService:
 		globalExternalAuthConfig.ServiceAPIType = contour_api_v1.AuthorizationHTTPService
-		globalExternalAuthConfig.HttpPathPrefix = contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.PathPrefix
-		// globalExternalAuthConfig.HttpServerURI = contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.ServerURI
 
-		if contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedAuthorizationHeaders != nil {
-			if err := dag.ExternalAuthAllowedHeadersValid(contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedAuthorizationHeaders); err != nil {
-				return nil, err
-			}
+		if contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings != nil {
+			globalExternalAuthConfig.HTTPPathPrefix = contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.PathPrefix
 
-			globalExternalAuthConfig.HttpAllowedAuthorizationHeaders = contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedAuthorizationHeaders
-		}
+			// globalExternalAuthConfig.HttpServerURI = contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.ServerURI
 
-		if contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedUpstreamHeaders != nil {
-			if err := dag.ExternalAuthAllowedHeadersValid(contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedUpstreamHeaders); err != nil {
+			if len(contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedAuthorizationHeaders) > 0 {
+				if err := dag.ExternalAuthAllowedHeadersValid(contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedAuthorizationHeaders); err != nil {
+					return nil, err
+				}
 
-				return nil, err
+				globalExternalAuthConfig.HTTPAllowedAuthorizationHeaders = contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedAuthorizationHeaders
 			}
 
-			globalExternalAuthConfig.HttpAllowedUpstreamHeaders = contourConfiguration.GlobalExternalAuthorization.HttpServerSettings.AllowedUpstreamHeaders
+			if len(contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedUpstreamHeaders) > 0 {
+				if err := dag.ExternalAuthAllowedHeadersValid(contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedUpstreamHeaders); err != nil {
+
+					return nil, err
+				}
+
+				globalExternalAuthConfig.HTTPAllowedUpstreamHeaders = contourConfiguration.GlobalExternalAuthorization.HTTPServerSettings.AllowedUpstreamHeaders
+			}
 		}
 	}
 

cmd/contour/servecontext.go

@@ -440,10 +440,15 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_api_v1alpha
 				Name:      nsedName.Name,
 				Namespace: nsedName.Namespace,
 			},
+			ServiceAPIType:  ctx.Config.GlobalExternalAuthorization.ServiceAPIType,
 			ResponseTimeout: ctx.Config.GlobalExternalAuthorization.ResponseTimeout,
 			FailOpen:        ctx.Config.GlobalExternalAuthorization.FailOpen,
 		}
 
+		if ctx.Config.GlobalExternalAuthorization.HTTPServerSettings != nil {
+			globalExtAuth.HTTPServerSettings = ctx.Config.GlobalExternalAuthorization.HTTPServerSettings
+		}
+
 		if ctx.Config.GlobalExternalAuthorization.AuthPolicy != nil {
 			globalExtAuth.AuthPolicy = &contour_api_v1.AuthorizationPolicy{
 				Disabled: ctx.Config.GlobalExternalAuthorization.AuthPolicy.Disabled,

examples/contour/01-crds.yaml

@@ -632,8 +632,8 @@ spec:
                       authorization to Contour external authorization.
                     type: boolean
                   httpSettings:
-                    description: HttpAuthorizationServerSettings defines configurations
-                      for interacting with an external HTTP authorization server.
+                    description: HTTPServerSettings defines configurations for interacting
+                      with an external HTTP authorization server.
                     properties:
                       allowedAuthorizationHeaders:
                         description: AllowedAuthorizationHeaders specifies client
@@ -642,7 +642,7 @@ spec:
                           Host, Method, Path, Content-Length, and Authorization are
                           additionally included in the list.
                         items:
-                          description: HttpAuthorizationServerAllowedHeaders specifies
+                          description: HTTPAuthorizationServerAllowedHeaders specifies
                             how to conditionally match against allowed headers in
                             the context of HTTP authorization. It includes options
                             such as Exact, Prefix, Suffix, Contains, and IgnoreCase
@@ -679,7 +679,7 @@ spec:
                           response headers that will be added to the original client
                           request. Note that coexistent headers will be overridden.
                         items:
-                          description: HttpAuthorizationServerAllowedHeaders specifies
+                          description: HTTPAuthorizationServerAllowedHeaders specifies
                             how to conditionally match against allowed headers in
                             the context of HTTP authorization. It includes options
                             such as Exact, Prefix, Suffix, Contains, and IgnoreCase
@@ -4387,8 +4387,8 @@ spec:
                           from internal authorization to Contour external authorization.
                         type: boolean
                       httpSettings:
-                        description: HttpAuthorizationServerSettings defines configurations
-                          for interacting with an external HTTP authorization server.
+                        description: HTTPServerSettings defines configurations for
+                          interacting with an external HTTP authorization server.
                         properties:
                           allowedAuthorizationHeaders:
                             description: AllowedAuthorizationHeaders specifies client
@@ -4397,7 +4397,7 @@ spec:
                               matchers, Host, Method, Path, Content-Length, and Authorization
                               are additionally included in the list.
                             items:
-                              description: HttpAuthorizationServerAllowedHeaders specifies
+                              description: HTTPAuthorizationServerAllowedHeaders specifies
                                 how to conditionally match against allowed headers
                                 in the context of HTTP authorization. It includes
                                 options such as Exact, Prefix, Suffix, Contains, and
@@ -4436,7 +4436,7 @@ spec:
                               client request. Note that coexistent headers will be
                               overridden.
                             items:
-                              description: HttpAuthorizationServerAllowedHeaders specifies
+                              description: HTTPAuthorizationServerAllowedHeaders specifies
                                 how to conditionally match against allowed headers
                                 in the context of HTTP authorization. It includes
                                 options such as Exact, Prefix, Suffix, Contains, and
@@ -5083,9 +5083,9 @@ spec:
               resource.
             properties:
               loadBalancerPolicy:
-                description: The policy for load balancing GRPC service requests.
-                  Note that the `Cookie` and `RequestHash` load balancing strategies
-                  cannot be used here.
+                description: The policy for load balancing service requests. Note
+                  that the `Cookie` and `RequestHash` load balancing strategies cannot
+                  be used here for GRPC service requests.
                 properties:
                   requestHashPolicies:
                     description: RequestHashPolicies contains a list of hash policies
@@ -5151,10 +5151,10 @@ spec:
                 type: object
               protocol:
                 description: Protocol may be used to specify (or override) the protocol
-                  used to reach this Service. Values may be h2 or h2c. If omitted,
-                  protocol-selection falls back on Service annotations.
+                  used to reach this Service. Values may be h2, h2c or http/1.1. If
+                  omitted, protocol-selection falls back on Service annotations.
                 enum:
-                - h1
+                - http/1.1
                 - h2
                 - h2c
                 type: string
@@ -5168,7 +5168,7 @@ spec:
                 type: string
               services:
                 description: Services specifies the set of Kubernetes Service resources
-                  that receive GRPC extension API requests. If no weights are specified
+                  that receive extension API requests. If no weights are specified
                   for any of the entries in this array, traffic will be spread evenly
                   across all the services. Otherwise, traffic is balanced proportionally
                   to the Weight field in each entry.
@@ -7410,8 +7410,8 @@ spec:
                           from internal authorization to Contour external authorization.
                         type: boolean
                       httpSettings:
-                        description: HttpAuthorizationServerSettings defines configurations
-                          for interacting with an external HTTP authorization server.
+                        description: HTTPServerSettings defines configurations for
+                          interacting with an external HTTP authorization server.
                         properties:
                           allowedAuthorizationHeaders:
                             description: AllowedAuthorizationHeaders specifies client
@@ -7420,7 +7420,7 @@ spec:
                               matchers, Host, Method, Path, Content-Length, and Authorization
                               are additionally included in the list.
                             items:
-                              description: HttpAuthorizationServerAllowedHeaders specifies
+                              description: HTTPAuthorizationServerAllowedHeaders specifies
                                 how to conditionally match against allowed headers
                                 in the context of HTTP authorization. It includes
                                 options such as Exact, Prefix, Suffix, Contains, and
@@ -7459,7 +7459,7 @@ spec:
                               client request. Note that coexistent headers will be
                               overridden.
                             items:
-                              description: HttpAuthorizationServerAllowedHeaders specifies
+                              description: HTTPAuthorizationServerAllowedHeaders specifies
                                 how to conditionally match against allowed headers
                                 in the context of HTTP authorization. It includes
                                 options such as Exact, Prefix, Suffix, Contains, and