Question/documentation: GRPC-JSON transcoder and grpc ext_authz filter (envoy control plane ext_authz ) integration #33713
Comments
cc @nareddyt
gRPC transcoder with ext_authz should work well, I believe I personally ran a similar configuration in the past. Your config LGTM. I noticed the following:
To help further debug, please provide the following details:
FYI gRPC transcoder will automatically clear the route cache once it translates the HTTP request unless
@nareddyt Thanks for looking out; we have been stuck on this for a long time.
which is able to match the envoy grpc service and without envoy ext_auth and it gives response.
2 envoy debug log and screenshot, where we are able to get the details: it's making a POST API call from inside of ext_auth_filter,
Thanks for providing the logs and configuration files, that gave me everything I needed to debug the issue. I'll walk you through it. Logs show the request is following the request path correctly:
In fact, the HTTP 501 is from your own backend. Notice the response has header
Obviously I don't have your backend to verify this. But you can try making the same request Envoy makes directly to your backend (
I do have a guess for why your backend is sending back HTTP 501. Take a look at the HTTP path that envoy sends to your backend:
IIUC the query parameter Why is Envoy sending this query parameter to the backend? It is because of the ext_authz response from your ext_authz server:
The following part should be removed, as it is not compliant with gRPC over HTTP2:
In general, I don't recommend you rewrite the entire request via the ext_authz response. Just add on the headers you need, like
TLDR - there is no issue with gRPC JSON transcoder or ext_authz filter integration. It is due to malformed ext_authz response causing the user's backend to respond with 501.
I have removed query_parameters_to_set and made the path gRPC compliant, and it's working fine. Thanks a lot for the detailed insight and suggestion. We have used query params to use this feature of grpc-gateway: https://github.com/googleapis/googleapis/blob/master/google/api/http.proto#L223
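The diagnosis in this thread, as an added example that is not from the issue or the Envoy project: a small Python lint for an ext_authz OK response, represented as a dict keyed by the `OkHttpResponse` proto field names, that flags `query_parameters_to_set` and any `:path` rewrite that is not a gRPC-compliant path. The sample responses and the names `helloworld.Greeter/SayHello` and `x-auth-user` are constructed for illustration.

```python
import re

# gRPC over HTTP/2 request path: "/" Service-Name "/" method-name, no query string.
GRPC_PATH = re.compile(r"/[A-Za-z_][\w.]*/[A-Za-z_]\w*", re.ASCII)


def lint_ok_response(ok_response: dict) -> list[str]:
    """Return findings for mutations in an ext_authz OK response that change
    the request line the upstream gRPC service will receive."""
    findings = []
    params = ok_response.get("query_parameters_to_set", [])
    if params:
        keys = ", ".join(p.get("key", "") for p in params)
        findings.append(f"query_parameters_to_set adds a query string ({keys})")
    for option in ok_response.get("headers", []):
        header = option.get("header", {})
        key = header.get("key", "").lower()
        value = header.get("value", "")
        if key == ":path":
            if not GRPC_PATH.fullmatch(value):
                findings.append(f":path rewritten to non-gRPC path {value!r}")
        elif key.startswith(":"):
            findings.append(f"pseudo-header {key} rewritten by ext_authz")
    return findings


# Constructed samples (not taken from the issue's logs or config).
REWRITING = {
    "headers": [
        {"header": {"key": ":path", "value": "/v1/hello?name=x"}},
        {"header": {"key": "x-auth-user", "value": "alice"}},
    ],
    "query_parameters_to_set": [{"key": "name", "value": "x"}],
}
HEADERS_ONLY = {
    "headers": [{"header": {"key": "x-auth-user", "value": "alice"}}],
}
GRPC_PATH_REWRITE = {
    "headers": [{"header": {"key": ":path", "value": "/helloworld.Greeter/SayHello"}}],
}

if __name__ == "__main__":
    for name in ("REWRITING", "HEADERS_ONLY", "GRPC_PATH_REWRITE"):
        print(name, lint_ok_response(globals()[name]))
```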
Title: GRPC-JSON transcoder is ignoring ext_authz filter, can we have documentation/example updates in which both filters are working together
Description:
**Expectation:** the envoy ext_authz control plane authenticates and passes the CheckResponse to the upstream grpc-service.
How to apply the missing envoy-config, or how can we resolve the 501 error code (as auth is passing the request to grpc but not at the correct URL)?
Based on suggestion, tried solution/steps:
Listener envoy config: