Add support for HTTP External Authorization Services

[therealak12]

Envoy external authorization filter supports HTTP and GRPC servers. Contour only supports configuring gRPC services at the moment. The PR adds support for HTTP ext-authz services.

We've been using this in production for >1 year.

1. feat: add http support to authz filter snapp-incubator/contour#4
2. refactor: add http auth support to contour snapp-incubator/contour#5

Closes #6509

[codecov]

Codecov Report

❌ Patch coverage is 72.66187% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.78%. Comparing base (9477aaf) to head (e0bce55).
⚠️ Report is 70 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/contour/serve.go	0.00%	18 Missing ⚠️
internal/envoy/v3/listener.go	77.41%	14 Missing ⚠️
internal/dag/conditions.go	75.00%	2 Missing and 2 partials ⚠️
cmd/contour/servecontext.go	33.33%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7418      +/-   ##
==========================================
- Coverage   81.85%   81.78%   -0.07%     
==========================================
  Files         130      130              
  Lines       15747    15895     +148     
==========================================
+ Hits        12889    13000     +111     
- Misses       2574     2608      +34     
- Partials      284      287       +3     

Files with missing lines	Coverage Δ
internal/dag/dag.go	98.44% <ø> (ø)
internal/dag/httpproxy_processor.go	91.57% <100.00%> (+0.13%)	⬆️
internal/envoy/v3/cluster.go	96.24% <100.00%> (+0.03%)	⬆️
internal/featuretests/v3/envoy.go	99.36% <100.00%> (+0.01%)	⬆️
internal/xdscache/v3/listener.go	92.09% <100.00%> (+0.16%)	⬆️
pkg/config/parameters.go	87.10% <ø> (ø)
cmd/contour/servecontext.go	86.29% <33.33%> (-0.34%)	⬇️
internal/dag/conditions.go	96.29% <75.00%> (-1.35%)	⬇️
internal/envoy/v3/listener.go	96.03% <77.41%> (-2.14%)	⬇️
cmd/contour/serve.go	23.80% <0.00%> (+0.19%)	⬆️

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[tsaarni]

Thank you @therealak12 for the contribution!

The changes look good overall but I would like to discuss some of the API aspects and potential error scenarios.

[tsaarni]

Config file is parsed as YAML

Suggested change

	ServiceAPIType contour_v1.AuthorizationServiceAPIType `json:"serviceAPIType,omitempty"`
	ServiceAPIType contour_v1.AuthorizationServiceAPIType `yaml:"serviceAPIType,omitempty"`

[tsaarni]

Config file is parsed as YAML

Suggested change

	HTTPServerSettings *contour_v1.HTTPAuthorizationServerSettings `json:"httpSettings,omitempty"`
	HTTPServerSettings *contour_v1.HTTPAuthorizationServerSettings `yaml:"httpSettings,omitempty"`

[tsaarni]

AuthzTypeHTTPWithContext is not called anywhere. Forgot to call it from TestAuthorization?

[tsaarni]

Is the Uri field mandatory, or can it be left empty? If it is required, we should add an explanation for not to cause confusion for reader.

[tsaarni]

Add a comment stating that httpSettings is used only for HTTP based authorization service.

To enforce this and prevent confusion, we can add a CEL validation rule to the AuthorizationServer struct. Something like below but note that I did not test this yet

// +kubebuilder:validation:XValidation:message="httpSettings can only be set when serviceAPIType is 'http'",rule="!has(self.httpSettings) || self.serviceAPIType == 'http'"

[tsaarni]

Should we have fall back to the gRPC authorization server type here if type is not set?

[tsaarni]

We should refactor the switch-case logic in cmd/contour/serve.go within setupGlobalExternalAuthentication() and the corresponding logic in internal/dag/httpproxy_processor.go within computeVirtualHostAuthorization() into one.

[tsaarni]

We should refactor the switch-case logic in internal/dag/httpproxy_processor.go within computeVirtualHostAuthorization() and the corresponding logic in cmd/contour/serve.go within setupGlobalExternalAuthentication() into one.

[tsaarni]

Minor nit: these test functions do not need to be exported. All of them can start with a lowercase letter.

[tsaarni]

I recommend using serviceType (without API) to align with how Envoy seems to call it.

[tsaarni]

The httpproxy.spec.virtualhost.authorization.responseTimeout parameter is optional in our configuration, and envoy.Timeout() returns nil if the value is not set. However, HttpUri requires a defined value.

For gRPC, the default value is documented as infinite. We should apply the same setting by using 0, as leaving the field empty causes an error.

[tsaarni]

@therealak12 I did some experiments related to my previous comments. You are free to use any of this work: snapp-incubator/contour@http-ext-authz...Nordix:contour:http-based-ext-authz

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 30d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Ensure your PR is passing all CI checks. PRs that are fully green are more likely to be reviewed. If you are having trouble with CI checks, reach out to the #contour channel in the Kubernetes Slack workspace.
• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[therealak12]

Hi, thank you for your review and the helpful suggestions.

Apologies for the delay. Due to the recent war affecting my country, I was unable to continue working on this PR for some time. Now that the situation has stabilized, I applied the requested changes.

Please take another look when you have a chance.