fix ext-auth api: remove listener level fields (#11119)

Signed-off-by: Yuval Kohavi <[email protected]>

Author: yuval-k

api/applyconfiguration/api/v1alpha1/extauthpolicy.go

@@ -13,11 +13,6 @@ type ExtProcPolicy struct {
 	// ProcessingMode defines how the filter should interact with the request/response streams
 	// +optional
 	ProcessingMode *ProcessingMode `json:"processingMode,omitempty"`
-
-	// FailureModeAllow defines the behavior of the filter when the external processing fails.
-	// Defaults to false.
-	// +optional
-	FailureModeAllow *bool `json:"failureModeAllow,omitempty"`
 }
 
 // ProcessingMode defines how the filter should interact with the request/response streams

api/applyconfiguration/api/v1alpha1/extprocpolicy.go

@@ -184,48 +184,14 @@ type ExtAuthPolicy struct {
 	// +optional
 	Enablement ExtAuthEnabled `json:"enablement,omitempty"`
 
-	// FailureModeAllow determines the behavior on authorization service errors.
-	// When true, requests will be allowed even if the authorization service fails or returns HTTP 5xx errors.
-	// When unset, the default behavior is false.
-	// +optional
-	FailureModeAllow *bool `json:"failureModeAllow,omitempty"`
-
 	// WithRequestBody allows the request body to be buffered and sent to the authorization service.
 	// Warning buffering has implications for streaming and therefore performance.
 	// +optional
 	WithRequestBody *BufferSettings `json:"withRequestBody,omitempty"`
 
-	// ClearRouteCache allows the authorization service to affect routing decisions.
-	// When unset, the default behavior is false.
-	// +optional
-	ClearRouteCache *bool `json:"clearRouteCache,omitempty"`
-
-	// MetadataContextNamespaces specifies metadata namespaces to pass to the authorization service.
-	// Default to allowing jwt info if processing for jwt is configured.
-	// +optional
-	// +listType=set
-	// +kubebuilder:default={"jwt"}
-	MetadataContextNamespaces []string `json:"metadataContextNamespaces,omitempty"`
-
-	// IncludePeerCertificate determines if the client's X.509 certificate should be sent to the authorization service.
-	// When true, the certificate will be included if available.
-	// When unset, the default behavior is false.
-	// +optional
-	IncludePeerCertificate *bool `json:"includePeerCertificate,omitempty"`
-
-	// IncludeTLSSession determines if TLS session details should be sent to the authorization service.
-	// When true, the SNI name from TLSClientHello will be included if available.
-	// When unset, the default behavior is false.
-	// +optional
-	IncludeTLSSession *bool `json:"includeTLSSession,omitempty"`
-
-	// EmitFilterStateStats determines if per-stream stats should be emitted for access logging.
-	// When true and using Envoy gRPC, emits latency, bytes sent/received, and upstream info.
-	// When true and not using Envoy gRPC, emits only latency.
-	// Stats are only added if a check request is made to the ext_authz service.
-	// When unset, the default behavior is false.
+	// Additional context for the authorization service.
 	// +optional
-	EmitFilterStateStats *bool `json:"emitFilterStateStats,omitempty"`
+	ContextExtensions map[string]string `json:"contextExtensions,omitempty"`
 }
 
 // BufferSettings configures how the request body should be buffered.

api/applyconfiguration/internal/internal.go

@@ -275,10 +275,10 @@ spec:
                 type: object
               extAuth:
                 properties:
-                  clearRouteCache:
-                    type: boolean
-                  emitFilterStateStats:
-                    type: boolean
+                  contextExtensions:
+                    additionalProperties:
+                      type: string
+                    type: object
                   enablement:
                     enum:
                     - DisableAll
@@ -290,19 +290,6 @@ spec:
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
-                  failureModeAllow:
-                    type: boolean
-                  includePeerCertificate:
-                    type: boolean
-                  includeTLSSession:
-                    type: boolean
-                  metadataContextNamespaces:
-                    default:
-                    - jwt
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: set
                   withRequestBody:
                     properties:
                       allowPartialMessage:
@@ -330,8 +317,6 @@ spec:
                         type: string
                     type: object
                     x-kubernetes-map-type: atomic
-                  failureModeAllow:
-                    type: boolean
                   processingMode:
                     properties:
                       requestBodyMode:

api/v1alpha1/ext_proc_types.go

@@ -2,6 +2,7 @@ package extensionsplug
 
 import (
 	"context"
+	"encoding/json"
 
 	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
@@ -105,6 +106,19 @@ type (
 	ProcessPolicyStatus func(ctx context.Context, gkString string, polReport PolicyReport)
 )
 
+// marshal json for krt debugging
+func (p PolicyReport) MarshalJSON() ([]byte, error) {
+	m := map[string]map[string][]error{}
+	for key, pol := range p {
+		objErrMap := map[string][]error{}
+		for objKey, errs := range pol {
+			objErrMap[objKey.ResourceName()] = errs
+		}
+		m[key.ID()] = objErrMap
+	}
+	return json.Marshal(m)
+}
+
 func (p PolicyPlugin) AttachmentPoints() AttachmentPoints {
 	var ret AttachmentPoints
 	if p.ProcessBackend != nil {

api/v1alpha1/traffic_policy_types.go

@@ -38,7 +38,7 @@ type AIPolicyIR struct {
 }
 
 func (p *trafficPolicyPluginGwPass) processAITrafficPolicy(
-	configMap ir.TypedFilterConfigMap,
+	configMap *ir.TypedFilterConfigMap,
 	inIr *AIPolicyIR,
 ) error {
 	if inIr.Transformation != nil {

api/v1alpha1/zz_generated.deepcopy.go

@@ -46,7 +46,7 @@ func TestProcessAITrafficPolicy(t *testing.T) {
 		// Execute
 		err := preProcessAITrafficPolicy(aiConfig, aiIR)
 		require.NoError(t, err)
-		err = plugin.processAITrafficPolicy(typedFilterConfig, aiIR)
+		err = plugin.processAITrafficPolicy(&typedFilterConfig, aiIR)
 		require.NoError(t, err)
 
 		// Verify streaming header was added
@@ -85,7 +85,7 @@ func TestProcessAITrafficPolicy(t *testing.T) {
 		err := preProcessAITrafficPolicy(aiConfig, aiIR)
 		require.NoError(t, err)
 
-		err = plugin.processAITrafficPolicy(typedFilterConfig, aiIR)
+		err = plugin.processAITrafficPolicy(&typedFilterConfig, aiIR)
 		require.NoError(t, err)
 
 		// Verify
@@ -124,7 +124,7 @@ func TestProcessAITrafficPolicy(t *testing.T) {
 		err := preProcessAITrafficPolicy(aiConfig, aiIR)
 		require.NoError(t, err)
 
-		err = plugin.processAITrafficPolicy(typedFilterConfig, aiIR)
+		err = plugin.processAITrafficPolicy(&typedFilterConfig, aiIR)
 		require.NoError(t, err)
 
 		// Verify
@@ -177,7 +177,7 @@ func TestProcessAITrafficPolicy(t *testing.T) {
 		err := preProcessAITrafficPolicy(aiConfig, aiIR)
 		require.NoError(t, err)
 
-		err = plugin.processAITrafficPolicy(typedFilterConfig, aiIR)
+		err = plugin.processAITrafficPolicy(&typedFilterConfig, aiIR)
 		require.NoError(t, err)
 
 		// Verify