Implement gRPC service for envoy ExtAuthz #4990

Merged: 7 commits, Jul 2, 2024

Contributor

@Warashi Warashi commented Jun 24, 2024

What this PR does / why we need it:

This PR implements envoy external authorization service with gRPC, as RFC.

After merging this PR, I'll send another PR to add routing to the envoy configuration.

Which issue(s) this PR fixes:

Part of #4977

Does this PR introduce a user-facing change?: No

  • How are users affected by this change:
  • Is this breaking change:
  • How to migrate (if breaking change):

codecov bot commented Jun 24, 2024

Codecov Report

Attention: Patch coverage is 0% with 68 lines in your changes missing coverage. Please review.

Project coverage is 22.45%. Comparing base (ead2798) to head (0093830).
Report is 18 commits behind head on master.

| Files | Patch % | Lines |
|---|---|---|
| cmd/pipecd/server.go | 0.00% | 42 Missing ⚠️ |
| pkg/app/server/grpcapi/envoy_ext_authz_api.go | 0.00% | 24 Missing ⚠️ |
| pkg/rpc/rpcauth/auth.go | 0.00% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #4990      +/-   ##
==========================================
+ Coverage   22.04%   22.45%   +0.40%     
==========================================
  Files         519      520       +1     
  Lines       57247    56852     -395     
==========================================
+ Hits        12621    12766     +145     
+ Misses      43604    43060     -544     
- Partials     1022     1026       +4     

@@ -0,0 +1,68 @@
package grpcapi
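
Review bot: the file added by this hunk (`@@ -0,0 +1,68 @@`, package grpcapi) arrives without tests; the Codecov report on this PR shows 0% patch coverage, with 24 lines missing in pkg/app/server/grpcapi/envoy_ext_authz_api.go. Since this code makes the allow/deny decision for Envoy, add table-driven tests for the deny paths (missing header, wrong scheme, malformed token) before the follow-up PR routes traffic to it.
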
Member

Please add the pipecd license header (refer other files)

Contributor Author

Thanks. I added this commit: 6ed9c7a.

Signed-off-by: Shinnosuke Sawada <[email protected]>
@khanhtc1202
Member

Overall LGTM, just left a nit about licensing

@Warashi Warashi requested a review from khanhtc1202 June 24, 2024 06:58
khanhtc1202 previously approved these changes Jun 24, 2024
Member

@khanhtc1202 khanhtc1202 left a comment

Here you go 👍

@Warashi Warashi enabled auto-merge (squash) July 2, 2024 01:15
@Warashi Warashi disabled auto-merge July 2, 2024 01:16
@Warashi Warashi enabled auto-merge (squash) July 2, 2024 01:16
Comment on lines 72 to 82
func (e *EnvoyAuthorizationServer) parsePipedToken(a string) (string, string, string, error) {
if !strings.HasPrefix(a, "Bearer ") {
return "", "", "", errors.New("invalid authorization header")
}

parts := strings.Split(strings.TrimPrefix(a, "Bearer "), ",")
if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
return "", "", "", errors.New("malformed piped token")
}
return parts[0], parts[1], parts[2], nil
}
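
Review bot: in parsePipedToken, `strings.HasPrefix(a, "Bearer ")` matches the scheme case-sensitively and the split fields are never trimmed, so `bearer a,b,c` is rejected while `Bearer a, b,c` is accepted and returns a second field with a leading space; either reject surrounding whitespace explicitly or normalise it here so the failure is visible at the parsing step. The receiver `e` is not used, so this can be a package-level function, and because `len(parts) != 3` follows a plain `strings.Split`, any token whose third field contains a comma is rejected, which is worth stating in a doc comment on the function.
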
Member

Contributor Author

Thank you!
That sounds nice! I'll change the code.

Contributor Author

@Warashi Warashi Jul 2, 2024

I fixed the code.

@khanhtc1202
Member

@Warashi DCO does not pass 👀

Member

@ffjlabo ffjlabo left a comment

LGTM!

@Warashi
Contributor Author

Warashi commented Jul 2, 2024

@khanhtc1202
Sorry.
I signed off with rebase and force-pushed.

Member

@khanhtc1202 khanhtc1202 left a comment

LGTM

@Warashi Warashi merged commit fe8f0d3 into master Jul 2, 2024
17 of 18 checks passed
@Warashi Warashi deleted the envoy-ext-authz-service branch July 2, 2024 04:19
@github-actions github-actions bot mentioned this pull request Jul 4, 2024
khanhtc1202 pushed a commit that referenced this pull request Jul 12, 2024
* Implement gRPC service for envoy ExtAuthz

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Run gRPC server for envoy ExtAuthz

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Add words to make document clear

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Change dependency versions to match the ones we currently use as much as possible

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Add License header

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Expose parsePipedToken to use at envoy grpc auth service

Signed-off-by: Shinnosuke Sawada <[email protected]>

* Use rpcauth.ParsePipedToken instead of implementing in package

Signed-off-by: Shinnosuke Sawada <[email protected]>

---------

Signed-off-by: Shinnosuke Sawada <[email protected]>
Signed-off-by: khanhtc1202 <[email protected]>