Feature suggestion: support forward auth for Ingress resource #767

Closed
GhangZh opened this issue Nov 24, 2021 · 16 comments · Fixed by #937

@GhangZh
Contributor

GhangZh commented Nov 24, 2021

Issue description

Does apisix-ingress-controller support these annotations? Using them directly has no effect. I mainly want to use these annotations for external authentication services.
image

Environment

  • your apisix-ingress-controller version (output of apisix-ingress-controller version --long);
  • your Kubernetes cluster version (output of kubectl version);
  • if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a).
@GhangZh GhangZh changed the title request help: request help: ingress forward auth Nov 24, 2021
@tokers
Contributor

tokers commented Nov 24, 2021

Hi,

These annotations are not parsed by APISIX Ingress Controller, and what's more, the underlying APISIX doesn't support the forward auth feature.

It seems that we have some issues in APISIX repo with the related topic apache/apisix#5475.

@GhangZh
Contributor Author

GhangZh commented Nov 24, 2021

> Hi,
>
> These annotations are not parsed by APISIX Ingress Controller, and what's more, the underlying APISIX doesn't support the forward auth feature.
>
> It seems that we have some issues in APISIX repo with the related topic apache/apisix#5475.

Thanks. So if I do HTTP request forwarding to my forward auth service by customizing a plugin, it will be fine, right?

@tokers
Contributor

tokers commented Nov 24, 2021

> > Hi,
> >
> > These annotations are not parsed by APISIX Ingress Controller, and what's more, the underlying APISIX doesn't support the forward auth feature.
> >
> > It seems that we have some issues in APISIX repo with the related topic apache/apisix#5475.
>
> Thanks. So if I do HTTP request forwarding to my forward auth service by customizing a plugin, it will be fine, right?

That's right, you can implement a custom plugin to support it, but it would be better if you'd design a generic solution and send a proposal to the mailing list (dev@apisix.apache.org); then others can also use it if they desire.

@GhangZh
Contributor Author

GhangZh commented Nov 29, 2021

> > > Hi,
> > >
> > > These annotations are not parsed by APISIX Ingress Controller, and what's more, the underlying APISIX doesn't support the forward auth feature.
> > >
> > > It seems that we have some issues in APISIX repo with the related topic apache/apisix#5475.
> >
> > Thanks. So if I do HTTP request forwarding to my forward auth service by customizing a plugin, it will be fine, right?
>
> That's right, you can implement a custom plugin to support it, but it would be better if you'd design a generic solution and send a proposal to the mailing list (dev@apisix.apache.org); then others can also use it if they desire.

I would like to implement a custom plugin to support it, but I found that I can use the serverless plugin for custom authentication. However, I see the serverless plugin documentation is only written as a function. I want to write an HTTP proxy in it; can this plugin support that?

@tokers
Contributor

tokers commented Nov 29, 2021

> > > > Hi,
> > > >
> > > > These annotations are not parsed by APISIX Ingress Controller, and what's more, the underlying APISIX doesn't support the forward auth feature.
> > > >
> > > > It seems that we have some issues in APISIX repo with the related topic apache/apisix#5475.
> > >
> > > Thanks. So if I do HTTP request forwarding to my forward auth service by customizing a plugin, it will be fine, right?
> >
> > That's right, you can implement a custom plugin to support it, but it would be better if you'd design a generic solution and send a proposal to the mailing list (dev@apisix.apache.org); then others can also use it if they desire.
>
> I would like to implement a custom plugin to support it, but I found that I can use the serverless plugin for custom authentication. However, I see the serverless plugin documentation is only written as a function. I want to write an HTTP proxy in it; can this plugin support that?

Sure, you can do anything in the server-less functions.

@tao12345666333 tao12345666333 added the question Further information is requested label Dec 8, 2021
@tao12345666333 tao12345666333 added enhancement New feature or request and removed question Further information is requested labels Jan 5, 2022
@tao12345666333
Member

We need to wait for APISIX to implement this feature before we can start

@tao12345666333
Member

APISIX has implemented the forward-auth plugin.

We can consider adding support for this feature. But before we start we need a design proposal.

apache/apisix#6037

@tao12345666333 tao12345666333 added area/controller triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Feb 15, 2022
@tao12345666333 tao12345666333 added the help wanted Extra attention is needed label Mar 4, 2022
@tao12345666333 tao12345666333 changed the title request help: ingress forward auth Feature suggestion: support forward auth for Ingress resource Mar 4, 2022
@tao12345666333
Member

I edited the title to make it more clear. Maybe we just need to add some annotations to support it.

@nayihz
Contributor

nayihz commented Mar 16, 2022

> Maybe we just need to add some annotations to support it.

I want to try to implement this. Plz assign to me.

@tao12345666333
Member

thanks @cmssczy

@tao12345666333 tao12345666333 linked a pull request Mar 26, 2022 that will close this issue
@mhh12121

So how's the thing going about this plugin?

@tao12345666333
Member

@mhh12121 This feature has been implemented in #937

@mhh12121

@tao12345666333 Terrrrrific! Thank all of you!
But what if I wanna apply apisixRoute with forward-auth plugin? Could u plz offer some examples?

@tao12345666333
Member

> @tao12345666333 Terrrrrific! Thank all of you!
>
> But what if I wanna apply apisixRoute with forward-auth plugin? Could u plz offer some examples?

@mhh12121 you can see the example here https://github.com/apache/apisix-ingress-controller/blob/master/test/e2e/suite-annotations/forward_auth.go

@mhh12121

@tao12345666333 Thank you! I've already tried it, not only the ApiRoute way but also the Ingress way.

As a result, the Ingress way does not seem to work at all with the forward-auth plugin:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: apisix
    k8s.apisix.apache.org/auth-uri: "http://auth-svc.default.svc.cluster.local:1234/auth"
    k8s.apisix.apache.org/auth-request-headers: Authorization
    k8s.apisix.apache.org/auth-upstream-headers: user-id
    k8s.apisix.apache.org/auth-client-headers: Location
  name: test-ingress
spec:
  rules:
  - http:
      paths:
      - path: /test
        pathType: Exact
        backend:
          service:
            name: auth-svc
            port:
              number: 8084

Instead, I succeeded the ApiRoute way:

apiVersion: apisix.apache.org/v2beta3
kind: ApisixRoute
metadata:
  name: httpserver-route
spec:
  http:
  - name: rule1
    match:
      paths:
      - /test
    backends: 
    - serviceName: auth-svc
      servicePort: 1234
      resolveGranularity: service
    plugins:
    - enable: true
      name: forward-auth
      config:
        uri: "http://auth-svc.default.svc.cluster.local:1234/auth"
        request_headers: ["Authorization"]
        upstream_headers: ["user-id"]
        client_headers: ["Location"]

Could you please have a check?
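
Added example (not part of the thread and not the project's code): a minimal Go auth service matching the forward-auth settings in the two manifests above. It reads the forwarded `Authorization` header (`request_headers`), returns `user-id` on success (`upstream_headers`) and `Location` on failure (`client_headers`). The token table, user id and `/login` target are constructed for illustration.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Constructed token table; a real service would validate a signed token
// or ask an identity provider.
var tokens = map[string]string{"demo-token-1": "u-1001"}

// decide maps the forwarded Authorization value to a status code and the
// response headers the gateway is allowed to copy onward.
func decide(authorization string) (int, map[string]string) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authorization, prefix) || len(authorization) == len(prefix) {
		// No credentials: Location is listed in client_headers, so it is
		// relayed to the client together with the non-2xx status.
		return http.StatusFound, map[string]string{"Location": "/login"}
	}
	uid, ok := tokens[authorization[len(prefix):]]
	if !ok {
		// Unknown token: reject and hand nothing back.
		return http.StatusForbidden, map[string]string{}
	}
	// Success: user-id is listed in upstream_headers, so the gateway adds
	// it to the request it proxies to the backend.
	return http.StatusOK, map[string]string{"user-id": uid}
}

// authHandler serves /auth, the path in the auth uri of both manifests.
func authHandler(w http.ResponseWriter, r *http.Request) {
	status, headers := decide(r.Header.Get("Authorization"))
	for name, value := range headers {
		w.Header().Set(name, value)
	}
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/auth", authHandler)
	// Port 1234 matches the auth uri in the manifests above.
	log.Fatal(http.ListenAndServe(":1234", nil))
}
```

Because the backend trusts `user-id`, it should be reachable only through the gateway.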

@tao12345666333
Member

@mhh12121 In the above e2e we already have test cases for coverage.
If you encounter a problem, please file a new issue describing it in detail, do not discuss it in this issue. thanks

@tao12345666333 tao12345666333 added this to Done in roadmap Nov 25, 2022