OIDC xds translation #2191
OIDC xds translation #2191
Conversation
zhaohuabing
force-pushed
the
oidc-xds
branch
2 times, most recently
from
b581775 to
d8780ea
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #2191 +/- ##
==========================================
- Coverage 64.19% 64.16% -0.03%
==========================================
Files 107 109 +2
Lines 14924 15266 +342
==========================================
+ Hits 9580 9796 +216
- Misses 4768 4855 +87
- Partials 576 615 +39 ☔ View full report in Codecov by Sentry. |
zhaohuabing
force-pushed
the
oidc-xds
branch
3 times, most recently
from
34612dd to
c606a93
Compare
zhaohuabing
force-pushed
the
oidc-xds
branch
from
c606a93 to
3f8f557
Compare
|
/retest |
1 similar comment
|
/retest |
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
…o check the oauth2 tokens Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
… have non-native per-route support Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
zhaohuabing
force-pushed
the
oidc-xds
branch
from
3c1be45 to
1afd0b7
Compare
zhaohuabing
force-pushed
the
oidc-xds
branch
from
d875f39 to
d72ed07
Compare
|
/retest |
| initialStreamWindowSize: 65536 | ||
| maxConcurrentStreams: 100 | ||
| httpFilters: | ||
| - name: envoy.filters.http.oauth2_first-route |
There was a problem hiding this comment.
do we need to do anything here that disables processing these at the listener level ?
There was a problem hiding this comment.
// patchRouteCfgWithPerRouteConfig appends per-route filter configurations to the
// route config.
// This is a generic way to add per-route filter configurations for all filters
// that has none-native per-route configuration support.
// - For the filter type that without native per-route configuration support, EG
// adds a filter for each route in the HCM filter chain.
// - patchRouteCfgWithPerRouteConfig disables all the filters in the
// typedFilterConfig of the route config.
// - PatchRouteWithPerRouteConfig enables the corresponding oauth2 filter for each
// route in the typedFilterConfig of the route.
//
// The filter types that have non-native per-route support: oauth2, basic authn
// Note: The filter types that have native per-route configuration support should
// use their own native per-route configuration.
There was a problem hiding this comment.
its not clear from the docs https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager
http_filters
(repeated [extensions.filters.network.http_connection_manager.v3.HttpFilter](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-msg-extensions-filters-network-http-connection-manager-v3-httpfilter)) A list of individual HTTP filters that make up the filter chain for requests made to the connection manager. [Order matters](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_filters#arch-overview-http-filters-ordering) as the filters are processed sequentially as request events happen.
so although its part of http_filters, it is disabled at per route level, which is interpreted by envoy ? should we also update envoy hcm http_filters docs to explain this ?
There was a problem hiding this comment.
so although its part of http_filters, it is disabled at per route level, which is interpreted by envoy ? should we also update envoy hcm http_filters docs to explain this ?
They're disabled in the filter chain and only enabled at the route level by an explicit configuration in that route's typedFilterConfig.
This generic per-route filter config feature is quite new. The Envoy docs actually don't mention it yet.
A workable example can be found here: https://github.com/zhaohuabing/playground/blob/main/envoy/per-route-oauth2-oidc/envoy.yaml
Related Envoy PR: envoyproxy/envoy#30141
| @@ -132,7 +132,7 @@ func processClusterForTracing(tCtx *types.ResourceVersionTable, tracing *ir.Trac | |||
| name: clusterName, | |||
| settings: []*ir.DestinationSetting{ds}, | |||
| tSocket: nil, | |||
| endpointType: DefaultEndpointType, | |||
| endpointType: EndpointTypeDNS, | |||
There was a problem hiding this comment.
The previous default one was actually DNS, but the name was unclear, so I changed the name.
There was a problem hiding this comment.
cc @zirain who may have more context
What this PR does:
docs and e2e test will be in a follow-up PRs.
OIDC will be done per-route. The final xds output will look like this example yaml file: https://github.com/zhaohuabing/playground/blob/main/envoy/per-route-oauth2-oidc/envoy.yaml
Related: