feat: add dynamic metadata support in http ext authz

api/v1alpha1/ext_auth_types.go

@@ -86,4 +86,11 @@ type HTTPExtAuthService struct {
 	// original client request.
 	// +optional
 	HeadersToBackend []string `json:"headersToBackend,omitempty"`
+
+	// HeadersToMetadata are the authorization response headers that will be emitted
+	// as dynamic metadata to be consumed by next filter.
+	// Note: this metadata lives in envoy.filters.http.ext_authz and can only be consumed
+	// by the next filter if explicitly specified.
+	// +optional
+	HeadersToMetadata []string `json:"headersToMetadata,omitempty"`
 }

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -2083,6 +2083,15 @@ spec:
                         items:
                           type: string
                         type: array
+                      headersToMetadata:
+                        description: |-
+                          HeadersToMetadata are the authorization response headers that will be emitted
+                          as dynamic metadata to be consumed by next filter.
+                          Note: this metadata lives in envoy.filters.http.ext_authz and can only be consumed
+                          by the next filter if explicitly specified.
+                        items:
+                          type: string
+                        type: array
                       path:
                         description: |-
                           Path is the path of the HTTP External Authorization service.

internal/gatewayapi/securitypolicy.go

@@ -878,10 +878,11 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 
 	if http != nil {
 		extAuth.HTTP = &ir.HTTPExtAuthService{
-			Destination:      rd,
-			Authority:        authority,
-			Path:             ptr.Deref(http.Path, ""),
-			HeadersToBackend: http.HeadersToBackend,
+			Destination:       rd,
+			Authority:         authority,
+			Path:              ptr.Deref(http.Path, ""),
+			HeadersToBackend:  http.HeadersToBackend,
+			HeadersToMetadata: http.HeadersToMetadata,
 		}
 	} else {
 		extAuth.GRPC = &ir.GRPCExtAuthService{

internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml

@@ -170,3 +170,6 @@ securityPolicies:
           headersToBackend:
             - header1
             - header2
+          headersToMetadata:
+            - metadata1
+            - metadata2

internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml

@@ -191,6 +191,9 @@ securityPolicies:
         headersToBackend:
         - header1
         - header2
+        headersToMetadata:
+        - metadata1
+        - metadata2
         path: /auth
     targetRef:
       group: gateway.networking.k8s.io
@@ -350,5 +353,8 @@ xdsIR:
               headersToBackend:
               - header1
               - header2
+              headersToMetadata:
+              - metadata1
+              - metadata2
               path: /auth
             name: securitypolicy/default/policy-for-gateway-1

internal/ir/xds.go

@@ -932,6 +932,13 @@ type HTTPExtAuthService struct {
 	// original client request.
 	// +optional
 	HeadersToBackend []string `json:"headersToBackend,omitempty"`
+
+	// HeadersToMetadata are the authorization response headers that will be emitted
+	// as dynamic metadata to be consumed by next filter.
+	// Note: this metadata lives in envoy.filters.http.ext_authz and can only be consumed
+	// by the next filter if explicitly specified.
+	// +optional
+	HeadersToMetadata []string `json:"headersToMetadata,omitempty"`
 }
 
 // GRPCExtAuthService defines the gRPC External Authorization service

internal/xds/translator/extauth.go

@@ -145,9 +145,10 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 
 func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
 	var (
-		uri              string
-		headersToBackend []*matcherv3.StringMatcher
-		service          *extauthv3.HttpService
+		uri               string
+		headersToBackend  []*matcherv3.StringMatcher
+		headersToMetadata []*matcherv3.StringMatcher
+		service           *extauthv3.HttpService
 	)
 
 	service = &extauthv3.HttpService{
@@ -191,6 +192,25 @@ func httpService(http *ir.HTTPExtAuthService) *extauthv3.HttpService {
 		}
 	}
 
+	for _, metadata := range http.HeadersToMetadata {
+		headersToMetadata = append(headersToMetadata, &matcherv3.StringMatcher{
+			MatchPattern: &matcherv3.StringMatcher_Exact{
+				Exact: metadata,
+			},
+			IgnoreCase: true,
+		})
+	}
+
+	if len(headersToMetadata) > 0 {
+		if service.AuthorizationResponse == nil {
+			service.AuthorizationResponse = &extauthv3.AuthorizationResponse{}
+		}
+
+		service.AuthorizationResponse.DynamicMetadataFromHeaders = &matcherv3.ListStringMatcher{
+			Patterns: headersToMetadata,
+		}
+	}
+
 	return service
 }
 

internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml

@@ -126,4 +126,7 @@ http:
               headersToBackend:
                 - header1
                 - header2
+              headersToMetadata:
+                - metadata1
+                - metadata2
               path: /auth

internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml

@@ -43,6 +43,12 @@
                     ignoreCase: true
                   - exact: header2
                     ignoreCase: true
+                dynamicMetadataFromHeaders:
+                  patterns:
+                  - exact: metadata1
+                    ignoreCase: true
+                  - exact: metadata2
+                    ignoreCase: true
               pathPrefix: /auth
               serverUri:
                 cluster: securitypolicy/default/policy-for-gateway-1/envoy-gateway/http-backend

site/content/en/latest/api/extension_types.md

@@ -1936,6 +1936,7 @@ _Appears in:_
 | `backendSettings` | _[ClusterSettings](#clustersettings)_ |  false  | BackendSettings holds configuration for managing the connection<br />to the backend. |
 | `path` | _string_ |  true  | Path is the path of the HTTP External Authorization service.<br />If path is specified, the authorization request will be sent to that path,<br />or else the authorization request will be sent to the root path. |
 | `headersToBackend` | _string array_ |  false  | HeadersToBackend are the authorization response headers that will be added<br />to the original client request before sending it to the backend server.<br />Note that coexisting headers will be overridden.<br />If not specified, no authorization response headers will be added to the<br />original client request. |
+| `headersToMetadata` | _string array_ |  false  | HeadersToMetadata are the authorization response headers that will be emitted<br />as dynamic metadata to be consumed by next filter.<br />Note: this metadata lives in envoy.filters.http.ext_authz and can only be consumed<br />by the next filter if explicitly specified. |
 
 
 #### HTTPPathModifier

site/content/zh/latest/api/extension_types.md

@@ -1936,6 +1936,7 @@ _Appears in:_
 | `backendSettings` | _[ClusterSettings](#clustersettings)_ |  false  | BackendSettings holds configuration for managing the connection<br />to the backend. |
 | `path` | _string_ |  true  | Path is the path of the HTTP External Authorization service.<br />If path is specified, the authorization request will be sent to that path,<br />or else the authorization request will be sent to the root path. |
 | `headersToBackend` | _string array_ |  false  | HeadersToBackend are the authorization response headers that will be added<br />to the original client request before sending it to the backend server.<br />Note that coexisting headers will be overridden.<br />If not specified, no authorization response headers will be added to the<br />original client request. |
+| `headersToMetadata` | _string array_ |  false  | HeadersToMetadata are the authorization response headers that will be emitted<br />as dynamic metadata to be consumed by next filter.<br />Note: this metadata lives in envoy.filters.http.ext_authz and can only be consumed<br />by the next filter if explicitly specified. |
 
 
 #### HTTPPathModifier