How to add multiple headers with the same name from extauth response to upstream #2983

Closed
Jingru opened this issue May 11, 2020 · 2 comments · Fixed by #5726

Comments


Jingru commented May 11, 2020

As mentioned in gloo's documentation: https://docs.solo.io/gloo/1.2.0/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk/#response, I can set allowedUpstreamHeaders to ask gloo to add headers sent from the extauth response and then send them to upstream. But I can't add multiple headers with the same name because "Note that coexistent headers will be overridden."

However, in the Kubernetes authenticating proxy: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authenticating-proxy, I have to add multiple headers with the same --requestheader-group-headers name if this user belongs to multiple groups.

Is there any chance that I can use gloo as a Kubernetes authenticating proxy?

Member

yuval-k commented May 11, 2020

Unfortunately, the way the envoy ext_authz filter is written today, it only allows setting a header, or appending (the value will be added to the existing header, separated by a comma).

This is the relevant code:

https://github.com/envoyproxy/envoy/blob/0f5dd5b45b5e17eb316c1502ac11aa4d1cd39d55/source/extensions/filters/http/ext_authz/ext_authz.cc#L164-L170

To enable this use-case, an envoy PR will be needed to support addCopy in addition to setCopy and appendCopy.

Author

Jingru commented May 12, 2020

Thanks for the reply!
It seems like kubernetes api server won't split group string concatenated by comma. It just takes the group header as a whole.
I guess an envoy PR is necessary.
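The three merge behaviours named in the comments above (set, comma-append, add), shown as an added Go example that is not code from Envoy, Gloo or Kubernetes. The header name `X-Remote-Group`, the sample groups and all function names are assumptions; the receiver models an upstream that takes each header line as one whole group, as described in this thread.

```go
package main

import (
	"fmt"
	"net/http"
)

// Assumed header name; the real one is whatever the API server's
// --requestheader-group-headers flag is set to.
const groupHeader = "X-Remote-Group"

type mergeMode int

const (
	setCopy    mergeMode = iota // overwrite any existing value
	appendCopy                  // comma-join onto the existing value
	addCopy                     // add a separate header line with the same name
)

// merge copies auth-response values into the upstream request headers.
func merge(h http.Header, mode mergeMode, name string, values ...string) {
	for _, v := range values {
		cur := h.Get(name)
		switch {
		case mode == addCopy:
			h.Add(name, v)
		case mode == appendCopy && cur != "":
			h.Set(name, cur+","+v)
		default: // setCopy, or first value in appendCopy mode
			h.Set(name, v)
		}
	}
}

// groupsFor returns what an upstream sees when it treats every header
// line as one group name and does not split on commas.
func groupsFor(mode mergeMode) []string {
	h := http.Header{}
	merge(h, mode, groupHeader, "dev", "ops") // constructed sample groups
	return h.Values(groupHeader)
}

func main() {
	fmt.Printf("setCopy:    %q\n", groupsFor(setCopy))
	fmt.Printf("appendCopy: %q\n", groupsFor(appendCopy))
	fmt.Printf("addCopy:    %q\n", groupsFor(addCopy))
}
```

Only the add mode yields two separate groups; set keeps the last value and append produces a single group literally named `dev,ops`.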

htuch pushed a commit to envoyproxy/envoy that referenced this issue Jun 22, 2020
…tream (#11158)

This patch adds allowed_upstream_headers_to_append to allow sending multiple headers with the same name to upstream.

Relevant issue: solo-io/gloo#2983.

Risk Level: Low
Testing: Unit tests.
Docs Changes: Added.
Release Notes: Added.
Fixes #11156

Signed-off-by: weixiao-huang <hwx.simle@gmail.com>
mattklein123 pushed a commit to envoyproxy/data-plane-api that referenced this issue Jun 22, 2020

Mirrored from https://github.com/envoyproxy/envoy @ dcf34972d1bc15324835c40dfd7a780e8fc69d72
songhu pushed a commit to songhu/envoy that referenced this issue Jun 25, 2020
yashwant121 pushed a commit to yashwant121/envoy that referenced this issue Jul 24, 2020
Signed-off-by: yashwant121 <yadavyashwant36@gmail.com>
soloio-bulldozer bot pushed a commit that referenced this issue Dec 21, 2021
…2983 (#5726)

* feat: add allowed_upstream_headers_to_append in extauth.proto due to #2983

* add changelog

* add unit test

* move changelog dir to prepare RC

Co-authored-by: Sam Heilbron <samheilbron@gmail.com>