feat(extauth): add support for context extensions #7383
Conversation
maxbrunet
force-pushed
the
feat/extauth/context-extensions
branch
5 times, most recently
from
e1d8c4c to
d485d82
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #7383 +/- ##
==========================================
- Coverage 72.30% 71.27% -1.04%
==========================================
Files 231 274 +43
Lines 33939 34990 +1051
==========================================
+ Hits 24539 24938 +399
- Misses 7632 8257 +625
- Partials 1768 1795 +27 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Signed-off-by: Maxime Brunet <[email protected]>
maxbrunet
force-pushed
the
feat/extauth/context-extensions
branch
from
d485d82 to
0939490
Compare
api/v1alpha1/ext_auth_types.go
Outdated
| // | ||
| // +optional | ||
| // +unionMember | ||
| Inline string `json:"inline"` |
There was a problem hiding this comment.
should be ptr with a omitempty tag since its optional
There was a problem hiding this comment.
Good catch, fixed!
btw, I named it Inline for consistency with Lua, but it does sound a little odd to me, maybe just Value would be more appropriate? It'd be consistent with gatewayv1.HTTPHeader
There was a problem hiding this comment.
we've used Inline and ValueRef in Lua and Custom Response and Direct Response APIs
I'm not sure which one is better - Value and ValueRef or Inline and ValueRef
ptal @envoyproxy/gateway-maintainers @envoyproxy/gateway-reviewers
| // without modifying the proto definition. It maps to the internal opaque | ||
| // context in the filter chain. | ||
| // +optional | ||
| ContextExtensions map[string]PrivateBytes `json:"contextExtensions,omitempty"` |
There was a problem hiding this comment.
this needs to be a struct slice to retain deterministic order
we lose order with map and the same content will trigger further translation which can be avoided
There was a problem hiding this comment.
I would like to understand the problem better, where does that lost of order triggering translation happen?
FYI The final data structure is a map: extauthv3.CheckSettings.ContextExtensions
I see APIKeyAuth.Credentials is map and translates to a list, is this one a problem?
Lines 1219 to 1221 in 75f42e5
I could understand map to map to list would cause problems with ordering, but I am not clean about why that would be the case with list to map to map
There was a problem hiding this comment.
ah, I'll raise a GH issue to fix Credentials
this is a pub sub system where, if the message is equal, the system avoids sending the message to the subcriber saving on cpu and mem and a redundant translation https://github.com/telepresenceio/watchable/blob/9bb86f92afa73d51a5e3e97aaf2959282d21818f/map.go#L23
There was a problem hiding this comment.
Thank you for that 1st bread crumb. This doc helped me on the high level as well: https://gateway.envoyproxy.io/contributions/design/watching/
I guess this is important here for the object refs from ValueRef, this is a list, so it should be all good:
A sort of Gateway resources by creationTimestamp/Namespace/Name happen here
After that I don't see any indication that order matters, especially at the field level.
DeepEqual would always be performed on the entire resource, no? (with reflect.DeepEqual for maps and slices)
When received, it translates everything (entire API SecurityPolicy) to IR
gateway/internal/gatewayapi/runner/runner.go
Line 176 in c10dcf2
The order is lost here when translating to IR:
gateway/internal/gatewayapi/securitypolicy.go
Line 1846 in c10dcf2
But updates still seem to be triggered at the resource level, translation of everything (entire IR SecurityPolicy) to Envoy resources:
gateway/internal/xds/runner/runner.go
Line 300 in c10dcf2
And in the final translation, it is map to map, so order does not matter:
gateway/internal/xds/translator/extauth.go
Line 300 in c10dcf2
Similar when building the indexes from ValueRef, it is a list, the order is still stable
Am I still missing something?
There was a problem hiding this comment.
the issue is the IR map, I dont think watchable will be able to detect that the map is same if the content ( key, value) pairs haven't changed , you can try to confirm that with a test in https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/runner/runner_test.go
also any YAML tests added in https://github.com/envoyproxy/gateway/tree/main/internal/gatewayapi/testdata will break because map order cannot be garunteed
api/v1alpha1/ext_auth_types.go
Outdated
| // | ||
| // +optional | ||
| // +unionMember | ||
| Inline string `json:"inline"` |
There was a problem hiding this comment.
Good catch, fixed!
btw, I named it Inline for consistency with Lua, but it does sound a little odd to me, maybe just Value would be more appropriate? It'd be consistent with gatewayv1.HTTPHeader
| // without modifying the proto definition. It maps to the internal opaque | ||
| // context in the filter chain. | ||
| // +optional | ||
| ContextExtensions map[string]PrivateBytes `json:"contextExtensions,omitempty"` |
There was a problem hiding this comment.
I would like to understand the problem better, where does that lost of order triggering translation happen?
FYI The final data structure is a map: extauthv3.CheckSettings.ContextExtensions
I see APIKeyAuth.Credentials is map and translates to a list, is this one a problem?
Lines 1219 to 1221 in 75f42e5
I could understand map to map to list would cause problems with ordering, but I am not clean about why that would be the case with list to map to map
Signed-off-by: Maxime Brunet <[email protected]>
maxbrunet
force-pushed
the
feat/extauth/context-extensions
branch
from
75f42e5 to
c10dcf2
Compare
2 participants
What type of PR is this?
Feature
What this PR does / why we need it:
Add support for ExtAuth context extensions in
SecurityPolicy:Which issue(s) this PR fixes:
Closes #6592
Release Notes: Yes