Envoy external auth and UDS example tutorial doesn't work #6757
Comments
Thanks for reporting this @Sanskarzz. If you'd like to contribute a fix, that would be great! Thanks.
Hey @ashutosh-narkar, yes, I would like to contribute. However, I have tried debugging and checking the Envoy logs to identify the problem, but I couldn't find a solution. It would be great if you could guide me or provide me with the steps to follow to resolve this issue. Here are the Envoy logs from when I made the curl request:
Hey @ashutosh-narkar, are you sure

```yaml
- name: envoy.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    with_request_body:
      max_request_bytes: 8192
      allow_partial_message: true
      pack_as_bytes: true
    failure_mode_allow: false
    grpc_service:
      google_grpc:
        stat_prefix: ext_authz
        target_uri: unix:///run/opa/sockets/auth.sock
      timeout: 0.5s
```
It was working before so I would imagine the
Thank you, @ashutosh-narkar, for your response. If there is an opportunity for me to contribute, please let me know where the issue lies, and I would be happy to assist. Actually, I'm an LFX mentee currently working on the kyverno-envoy-plugin, and I have learned a great deal from your work on the opa-envoy-plugin. I appreciate your contributions to open source; they have been incredibly helpful and inspiring. Thanks for doing open source.
If you control the envoy CLI args, try adding
@srenatus @ashutosh-narkar

```
sanskar@sanskar-HP-Laptop-15s-du1xxx:~$ kubectl logs "$(kubectl get pod -l app=example-app -o jsonpath={.items..metadata.name})" -c envoy -f
[2024-05-29 12:26:19.095][23][trace][ext_authz] [source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc:42] Sending CheckRequest: attributes {
  source {
    address {
      socket_address {
        address: "10.244.0.1"
        port_value: 31005
      }
    }
  }
  destination {
    address {
      socket_address {
        address: "10.244.0.5"
        port_value: 8000
      }
    }
  }
  request {
    time {
      seconds: 1716985579
      nanos: 93830000
    }
    http {
      id: "6536821954363734"
      method: "GET"
      headers {
        key: ":authority"
        value: "192.168.49.2:31814"
      }
      headers {
        key: ":method"
        value: "GET"
      }
      headers {
        key: ":path"
        value: "/people"
      }
      headers {
        key: ":scheme"
        value: "http"
      }
      headers {
        key: "accept"
        value: "*/*"
      }
      headers {
        key: "authorization"
        value: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiZ3Vlc3QiLCJzdWIiOiJZV3hwWTJVPSIsIm5iZiI6MTUxNDg1MTEzOSwiZXhwIjoxNjQxMDgxNTM5fQ.K5DnnbbIOspRbpCr2IKXE9cPVatGOCBrBQobQmBmaeU"
      }
      headers {
        key: "user-agent"
        value: "curl/7.81.0"
      }
      headers {
        key: "x-forwarded-proto"
        value: "http"
      }
      headers {
        key: "x-request-id"
        value: "65f25374-f403-4fbf-8840-008f5e490844"
      }
      path: "/people"
      host: "192.168.49.2:31814"
      scheme: "http"
      protocol: "HTTP/1.1"
    }
  }
  metadata_context {
  }
}
[2024-05-29 12:26:19.102][23][trace][ext_authz] [source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc:48] Received CheckResponse: status {
  code: 7
}
dynamic_metadata {
  fields {
    key: "decision_id"
    value {
      string_value: "ac1824e9-6d1f-43f2-931f-69aa8f106e40"
    }
  }
}
```

curl request:

```
sanskar@sanskar-HP-Laptop-15s-du1xxx:~/opa-envoy-plugin/examples/envoy-uds$ curl -i -H "Authorization: Bearer "$ALICE_TOKEN"" http://$SERVICE_URL/people
HTTP/1.1 403 Forbidden
date: Wed, 29 May 2024 12:26:19 GMT
server: envoy
content-length: 0
```
So that's definitely a response from opa-envoy-plugin, meaning the UDS communication works. The problem thus has something to do with your config and policy. Can you share them?
I don't think so; this doesn't prove the response is from opa-envoy-plugin, it can be sent by the Envoy filter also.
Are you sure? That decision ID in dynamic metadata is generated by opa-envoy-plugin and sent as part of the response. Envoy doesn't make this up.
Not fully sure, leave it. I found where the error was: the ALICE_TOKEN that was provided was already expired. I will PR this soon.
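The trace posted above already contains everything needed to confirm that diagnosis without touching the cluster. The script below is an added example written for this page, not code from opa-envoy-plugin or the tutorial: it takes the bearer token, the request timestamp and the CheckResponse copied from that trace, decodes the JWT payload without verifying it, and compares `exp` against Envoy's own request time rather than the wall clock. It also names the gRPC status code (7 is PERMISSION_DENIED, which the ext_authz filter turns into the 403 in the curl output) and uses the presence of `decision_id` to tell an OPA decision from an Envoy-side failure. The `GRPC_STATUS` table, the function names and the trimmed `TRACE` excerpt are mine; the token, timestamps and decision ID are the ones in the log.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Excerpt of the Envoy ext_authz trace from the comment above: the bearer token,
# the request timestamp and the CheckResponse are copied verbatim; the other
# CheckRequest attributes are omitted.
TRACE = r'''
[2024-05-29 12:26:19.095][23][trace][ext_authz] [source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc:42] Sending CheckRequest: attributes {
  request {
    time {
      seconds: 1716985579
      nanos: 93830000
    }
    http {
      headers {
        key: "authorization"
        value: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiZ3Vlc3QiLCJzdWIiOiJZV3hwWTJVPSIsIm5iZiI6MTUxNDg1MTEzOSwiZXhwIjoxNjQxMDgxNTM5fQ.K5DnnbbIOspRbpCr2IKXE9cPVatGOCBrBQobQmBmaeU"
      }
    }
  }
}
[2024-05-29 12:26:19.102][23][trace][ext_authz] [source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc:48] Received CheckResponse: status {
  code: 7
}
dynamic_metadata {
  fields {
    key: "decision_id"
    value {
      string_value: "ac1824e9-6d1f-43f2-931f-69aa8f106e40"
    }
  }
}
'''

# gRPC status codes an ext_authz server returns; Envoy maps PERMISSION_DENIED
# to the 403 seen in the curl output above.
GRPC_STATUS = {0: "OK", 7: "PERMISSION_DENIED", 16: "UNAUTHENTICATED"}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Return a JWT's header and claims WITHOUT verifying the signature.
    Fine for reading a log; never a basis for an authorization decision."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "claims": json.loads(b64url_decode(payload))}


def parse_trace(trace: str) -> dict:
    """Pull the bearer token, request time, gRPC status code and decision_id
    out of Envoy's textproto-style ext_authz trace lines."""
    token = re.search(r'value: "Bearer ([^"]+)"', trace).group(1)
    seconds = int(re.search(r"time \{\s*seconds: (\d+)", trace).group(1))
    code = int(re.search(r"CheckResponse: status \{\s*code: (\d+)", trace).group(1))
    decision = re.search(
        r'key: "decision_id"\s*value \{\s*string_value: "([^"]+)"', trace)
    return {"token": token, "request_time": seconds, "status_code": code,
            "decision_id": decision.group(1) if decision else None}


def diagnose(trace: str) -> dict:
    """Explain a denied CheckResponse: who answered, and was the token in time?"""
    info = parse_trace(trace)
    claims = decode_jwt_unverified(info["token"])["claims"]
    now = info["request_time"]  # Envoy's clock at the time of the request
    exp, nbf = claims["exp"], claims.get("nbf")
    return {
        "status": GRPC_STATUS.get(info["status_code"], str(info["status_code"])),
        # opa-envoy-plugin attaches decision_id; a bare Envoy failure would not.
        "answered_by_opa": info["decision_id"] is not None,
        # In the tutorial's tokens the sub claim is itself base64 ("YWxpY2U=").
        "subject": base64.b64decode(claims["sub"]).decode(),
        "expires_at": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
        "expired": now >= exp,
        "expired_for_seconds": now - exp,
        "not_yet_valid": nbf is not None and now < nbf,
    }


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print(f"{key}: {value}")
```

Run against the excerpt, it reports `PERMISSION_DENIED`, `answered_by_opa: True`, subject `alice`, and an `exp` of 2022-01-01T23:58:59Z, more than two years before the request time in the trace, which is exactly the expired-token finding above. The same script works on a full `kubectl logs ... -c envoy` capture as long as the trace level is enabled for `ext_authz`.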
Now it looks like a problem calling opa-envoy-plugin. Or rather, opa-envoy-plugin seems to have hit some error. Can you check and share its logs, too? Also, it might help to enable decision logs with

```yaml
decision_logs:
  console: true
```
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
Short description
This example tutorial on opa-envoy-plugin with UDS doesn't work.
cc @ashutosh-narkar
It returns 403 Forbidden on both GET and POST curl requests.
Steps To Reproduce
Expected behavior
Additional context