update bool to struct for bodyToExtAuth field

Signed-off-by: Aurélien Pillevesse <[email protected]>
envoyproxy · Nov 19, 2024 · 1b6eb87 · 1b6eb87
1 parent 336be74
commit 1b6eb87
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 9 deletions.
diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
@@ -33,7 +33,7 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
-	BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
+	BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
@@ -89,3 +89,6 @@ type HTTPExtAuthService struct {
 	// +optional
 	HeadersToBackend []string `json:"headersToBackend,omitempty"`
 }
+
+// BodyToExtAuth defines the Body to Ext Auth configuration
+type BodyToExtAuth struct{}
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -888,7 +888,6 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 	extAuth := &ir.ExtAuth{
 		Name:             irConfigName(policy),
 		HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
-		BodyToExtAuth:    policy.Spec.ExtAuth.BodyToExtAuth,
 		FailOpen:         policy.Spec.ExtAuth.FailOpen,
 		Traffic:          traffic,
 		RecomputeRoute:   policy.Spec.ExtAuth.RecomputeRoute,
@@ -907,6 +906,11 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 			Authority:   authority,
 		}
 	}
+
+	if policy.Spec.ExtAuth.BodyToExtAuth != nil {
+		extAuth.BodyToExtAuth = &ir.BodyToExtAuth{}
+	}
+
 	return extAuth, nil
 }
 

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -99,7 +99,7 @@ securityPolicies:
         headersToExtAuth:
           - header1
           - header2
-        bodyToExtAuth: true
+        bodyToExtAuth: {}
         grpc:
           backendRefs:
             - name: service-2

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
@@ -179,7 +179,7 @@ securityPolicies:
       headersToExtAuth:
       - header1
       - header2
-      bodyToExtAuth: true
+      bodyToExtAuth: {}
     targetRef:
       group: gateway.networking.k8s.io
       kind: HTTPRoute
@@ -263,7 +263,7 @@ xdsIR:
             headersToExtAuth:
             - header1
             - header2
-            bodyToExtAuth: true
+            bodyToExtAuth: {}
             name: securitypolicy/default/policy-for-http-route-1
       - destination:
           name: httproute/default/httproute-1/rule/1
@@ -308,7 +308,7 @@ xdsIR:
             headersToExtAuth:
             - header1
             - header2
-            bodyToExtAuth: true
+            bodyToExtAuth: {}
             name: securitypolicy/default/policy-for-http-route-1
       - destination:
           name: httproute/default/httproute-2/rule/0

diff --git a/internal/ir/xds.go b/internal/ir/xds.go
@@ -994,7 +994,7 @@ type ExtAuth struct {
 	// +optional
 	HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
 
-	BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
+	BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 
 	// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 	// If FailOpen is set to true, the system allows the traffic to pass through.
@@ -1012,6 +1012,10 @@ type ExtAuth struct {
 	RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
 }
 
+// BodyToExtAuth defines the Body to Ext Auth configuration
+// +k8s:deepcopy-gen=true
+type BodyToExtAuth struct{}
+
 // HTTPExtAuthService defines the HTTP External Authorization service
 // +k8s:deepcopy-gen=true
 type HTTPExtAuthService struct {

diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
@@ -117,8 +117,9 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 		})
 	}
 
-	if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth {
+	if extAuth.BodyToExtAuth != nil {
 		config.WithRequestBody = &extauthv3.BufferSettings{
+			MaxRequestBytes:     1024,
 			AllowPartialMessage: false,
 			PackAsBytes:         false,
 		}

diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
@@ -106,7 +106,7 @@ http:
           extAuth:
             name: securitypolicy/default/policy-for-gateway-1
             failOpen: true
-            bodyToExtAuth: true
+            bodyToExtAuth: {}
             http:
               authority: primary.foo.com
               destination:

diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
@@ -35,6 +35,7 @@
           typedConfig:
             '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
             withRequestBody:
+              maxRequestBytes: 1024
               allowPartialMessage: false
               packAsBytes: false
             failureModeAllow: true