Adds AuthenticationFilter Support to Kubernetes Provider #791

Merged: danehans merged 1 commit into envoyproxy:main from danehans:authen_api_kube on Dec 19, 2022

@danehans danehans commented Dec 9, 2022

Adds AuthenticationFilter API support to the Kubernetes provider:

  • api/v1alpha1/authenticationfilter_types.go: Adds missing Authentication -> AuthenticationFilter changes from Adds Request Authentication API #733.
  • api/v1alpha1/zz_generated.deepcopy.go: Regenerates DeepCopy methods due to AuthenticationFilter API changes.
  • internal/envoygateway/scheme.go: Adds the v1alpha1, e.g. AuthenticationFilter, group to the scheme.
  • internal/gatewayapi/helpers.go: Adds ValidateAuthenticationFilterRef() helper function to validate AuthenticationFilter references from an HTTPRoute.
  • internal/gatewayapi/helpers_test.go: Adds ValidateAuthenticationFilterRef() unit tests.
  • internal/gatewayapi/translator.go: Adds AuthenticationFilter to the gatewayapi Resources type. Adds NewResources() helper function.
  • internal/gatewayapi/zz_generated.deepcopy.go: Regenerates DeepCopy methods due to API changes.
  • internal/provider/kubernetes/config/crd/kustomization.yaml: Adds AuthenticationFilter CRD to the list of installed CRDs.
  • internal/provider/kubernetes/config/rbac/role.yaml: Generated by make manifests, updating EG RBAC for AuthenticationFilter.
  • internal/provider/kubernetes/controller.go: Add a watch for instances of AuthenticationFilter. Updates the resourceMappings type to map HTTPRoutes<>AuthenticationFilters. Adds AuthenticationFilters referenced by managed HTTPRoutes to the resourceTree.
  • internal/provider/kubernetes/rbac.go: Updates EG RBAC kubebuilder tags for managing instances of AuthenticationFilter.
  • internal/provider/kubernetes/helpers.go: Removes namespace check from validateBackendRef(). Now that [provider] refactoring kubernetes provider to single reconciler #702 adds full ReferenceGrant support, an HTTPRoute backend should be allowed to reference a Service in a different namespace if the necessary ReferenceGrant exists (xref).
  • internal/provider/kubernetes/kubernetes_test.go: Adds AuthenticationFilter test case to Kube provider integration tests.
  • internal/provider/kubernetes/predicates.go: Adds predicate to filter AuthenticationFilter instances from the controller's watch.
  • internal/provider/kubernetes/routes.go: Updates processHTTPRoutes() to process AuthenticationFilters referenced by managed HTTPRoutes.
  • internal/provider/kubernetes/routes_test.go: Renamed from route_test.go to match routes.go. Adds a unit test for processHTTPRoutes().

xref: #790

Signed-off-by: danehans <daneyonhansen@gmail.com>

@danehans danehans requested a review from a team as a code owner December 9, 2022 18:11
danehans commented Dec 9, 2022

Marking as Draft while I resolve the conformance test failure.

@danehans danehans marked this pull request as draft December 9, 2022 18:57
@danehans danehans marked this pull request as ready for review December 9, 2022 19:31
danehans commented Dec 9, 2022

Commit 2f01f4d removes the following changes from the initial commit:

`internal/provider/kubernetes/helpers.go`: Removes namespace check from `validateBackendRef()`. Now that #702 adds full ReferenceGrant support, an HTTPRoute backend should be allowed to reference a Service in a different namespace if the necessary ReferenceGrant exists ([xref](https://github.com/envoyproxy/gateway/blob/main/internal/provider/kubernetes/routes.go#L101-L111)).

Due to failed conformance test:

```
...
helpers.go:301: Route gateway-conformance-infra/invalid-nonexistent-backend-ref expected 1 Parents got 0
    httproute-invalid-backendref-nonexistent.go:44: 
        	Error Trace:	/home/runner/work/gateway/gateway/test/conformance/helpers.go:303
        	            				/home/runner/work/gateway/gateway/test/conformance/helpers.go:174
        	            				/home/runner/work/gateway/gateway/test/conformance/httproute-invalid-backendref-nonexistent.go:44
        	            				/home/runner/work/gateway/gateway/test/conformance/suite.go:206
        	            				/home/runner/work/gateway/gateway/test/conformance/suite.go:170
        	Error:      	Received unexpected error:
        	            	timed out waiting for the condition
        	Test:       	TestGatewayAPIConformance/HTTPRouteInvalidNonExistentBackendRef
        	Messages:   	error waiting for HTTPRoute to have parents matching expectations
```

xref: #792
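
The cross-namespace rule this comment refers to, as an added Go example that is not part of the PR or of Envoy Gateway's code: a backendRef into another namespace is accepted only when a ReferenceGrant in the target namespace lists both the referencing HTTPRoute and the referenced Service. The `From`, `To`, `ReferenceGrant` and `Ref` types and `RefPermitted` are simplified, hypothetical stand-ins for the Gateway API types, and the namespaces and names are constructed.

```go
package main

import "fmt"

// Simplified, hypothetical stand-ins for the Gateway API ReferenceGrant types
// (assumption: the real ones live in sigs.k8s.io/gateway-api with more fields).
type From struct{ Group, Kind, Namespace string }
type To struct{ Group, Kind, Name string } // empty Name matches any name
type ReferenceGrant struct {
	Namespace string // a grant only covers targets in its own namespace
	From      []From
	To        []To
}

// Ref is one reference: the referencing object and the referenced target.
type Ref struct {
	FromGroup, FromKind, FromNamespace   string
	ToGroup, ToKind, ToNamespace, ToName string
}

// RefPermitted allows same-namespace refs; a cross-namespace ref needs a grant
// in the target namespace listing both the source (From) and the target (To).
func RefPermitted(ref Ref, grants []ReferenceGrant) bool {
	if ref.FromNamespace == ref.ToNamespace {
		return true
	}
	for _, g := range grants {
		if g.Namespace != ref.ToNamespace {
			continue
		}
		fromOK, toOK := false, false
		for _, f := range g.From {
			fromOK = fromOK || f == From{ref.FromGroup, ref.FromKind, ref.FromNamespace}
		}
		for _, t := range g.To {
			toOK = toOK || (t.Group == ref.ToGroup && t.Kind == ref.ToKind && (t.Name == "" || t.Name == ref.ToName))
		}
		if fromOK && toOK {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: HTTPRoute in "apps" references Service "db" in "data".
	ref := Ref{"gateway.networking.k8s.io", "HTTPRoute", "apps", "", "Service", "data", "db"}
	grant := ReferenceGrant{"data", []From{{"gateway.networking.k8s.io", "HTTPRoute", "apps"}}, []To{{"", "Service", "db"}}}
	fmt.Println(RefPermitted(ref, nil), RefPermitted(ref, []ReferenceGrant{grant})) // false true
}
```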

Comment thread internal/envoygateway/scheme.go Outdated
Contributor

Can we combine these two into one?

Contributor Author

@danehans danehans Dec 12, 2022

Shouldn't we keep them separate to simplify moving the Gateway API extensions, e.g. AuthenticationFilter, out of EG into a separate repo in the future? If we decide to remove the config API group, I think that should be done in a separate PR.

Contributor

Trying to highlight the fact that the current dir structure is confusing - either we have api/extensions/v1alpha1 or just api/v1alpha1.

Contributor Author

Agreed. Per your request, I removed the security group from the Request Authentication design. I'll add this to the community meeting agenda to get input from other maintainers.

Contributor Author

xref #809 to make a decision on API type grouping. IMO a separate PR should be submitted to resolve this issue.

Comment thread internal/provider/kubernetes/controller.go Outdated
@danehans danehans force-pushed the authen_api_kube branch 2 times, most recently from 4086819 to 8039e92 December 12, 2022 18:50
codecov-commenter commented Dec 12, 2022

Codecov Report

❌ Patch coverage is 54.78261% with 52 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.95%. Comparing base (d56ea6a) to head (16b425d).
⚠️ Report is 4034 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/provider/kubernetes/controller.go | 64.58% | 14 Missing and 3 partials ⚠️ |
| internal/gatewayapi/translator.go | 0.00% | 11 Missing ⚠️ |
| internal/gatewayapi/zz_generated.deepcopy.go | 0.00% | 9 Missing ⚠️ |
| internal/provider/kubernetes/predicates.go | 46.66% | 6 Missing and 2 partials ⚠️ |
| internal/provider/kubernetes/routes.go | 73.33% | 3 Missing and 1 partial ⚠️ |
| internal/gatewayapi/helpers.go | 82.35% | 3 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #791      +/-   ##
==========================================
- Coverage   63.31%   62.95%   -0.36%     
==========================================
  Files          46       46              
  Lines        6157     6257     +100     
==========================================
+ Hits         3898     3939      +41     
- Misses       2019     2070      +51     
- Partials      240      248       +8     

Comment thread .gitignore Outdated
Comment thread internal/provider/kubernetes/controller.go Outdated
Signed-off-by: danehans <daneyonhansen@gmail.com>
Comment thread internal/provider/kubernetes/predicates.go
Contributor

@arkodg arkodg left a comment

LGTM, thanks!

@danehans danehans merged commit f420fe1 into envoyproxy:main Dec 19, 2022
@danehans danehans deleted the authen_api_kube branch December 19, 2022 20:08
arkodg pushed a commit to arkodg/gateway that referenced this pull request Dec 19, 2022
Caused by merging envoyproxy#791
without rebasing envoyproxy#816

Signed-off-by: Arko Dasgupta <arko@tetrate.io>
danehans pushed a commit that referenced this pull request Dec 19, 2022
* Fix package import for HTTPRouteFilterExtensionRef

Caused by merging #791
without rebasing #816

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

* fix test

was failing with below error
```
    --- FAIL: TestProcessHTTPRoutes/httproute_with_one_authenticationfilter (0.00s)
        routes_test.go:221:
            	Error Trace:	/Users/arkodebdasgupta/go-workspace/src/github.com/envoyproxy/gateway/internal/provider/kubernetes/routes_test.go:221
            	Error:      	Received unexpected error:
            	            	List on GroupVersionKind gateway.networking.k8s.io/v1beta1, Kind=HTTPRoute specifies selector on field gatewayHTTPRouteIndex, but no index with name gatewayHTTPRouteIndex has been registered for GroupVersionKind gateway.networking.k8s.io/v1beta1, Kind=HTTPRoute
            	Test:       	TestProcessHTTPRoutes/httproute_with_one_authenticationfilter
```

Signed-off-by: Arko Dasgupta <arko@tetrate.io>

Signed-off-by: Arko Dasgupta <arko@tetrate.io>