enhancement: support setting the timeout of ext_auth and ext_proc

[MayorFaj]

Description

Change Type

/kind new_feature

Changelog

None

This pull request introduces support for configuring timeouts for external authorization and processing services in the Gateway API. The changes include updates to the API types, Helm chart templates, and internal translation logic to handle the new Timeout field.

This pull request introduces support for configuring timeouts for external services in the Gateway API, including external authorization, processing, and rate-limiting providers. The changes add timeout fields with validation rules, default values, and corresponding tests to ensure proper behavior.

Timeout Configuration for External Services

API Updates

• Added a Timeout field of type metav1.Duration to ExtAuthProvider, ExtProcProvider, and RateLimitProvider structs, with default values and validation rules ensuring a minimum of 1 millisecond. (api/v1alpha1/gateway_extensions_types.go) [1] [2]
• Updated the apply configuration structs (ExtAuthProviderApplyConfiguration, ExtProcProviderApplyConfiguration) to include the Timeout field and corresponding WithTimeout chaining methods. (api/applyconfiguration/api/v1alpha1/extauthprovider.go, api/applyconfiguration/api/v1alpha1/extprocprovider.go) [1] [2] [3] [4]

Schema and Validation

• Updated the CRD Helm templates to include the timeout field with validation rules and default values for external services. (install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml) [1] [2] [3]
• Updated internal schema definitions to reflect the Timeout field as a metav1.Duration. (api/applyconfiguration/internal/internal.go) [1] [2] [3]

DeepCopy and Tests

• Updated autogenerated DeepCopy functions to handle the new Timeout field. (api/v1alpha1/zz_generated.deepcopy.go) [1] [2] [3]
• Added unit tests for ensuring correct behavior of the Timeout field, including default values and explicit configurations. (internal/kgateway/extensions2/plugins/trafficpolicy/extauth_policy_test.go, internal/kgateway/extensions2/plugins/trafficpolicy/extproc_policy_test.go, internal/kgateway/extensions2/plugins/trafficpolicy/global_rate_limit_plugin_test.go) [1] [2] [3]

Traffic Policy Integration

• Integrated the Timeout field into traffic policy plugins for external authorization, processing, and rate-limiting services, ensuring that the timeout is correctly propagated to Envoy configurations. (internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go)

closes #11291

[Copilot]

Pull Request Overview

This PR adds support for configurable timeouts for external authorization and processing by introducing a new Timeout field in API types, Helm chart templates, and internal translation logic.

• Adds a new Timeout field and corresponding WithTimeout methods to ExtAuthProviderApplyConfiguration and ExtProcProviderApplyConfiguration.
• Updates the Helm chart to include timeout defaults and validation patterns.
• Modifies internal translation logic to apply timeout values for ExtAuth and ExtProc services.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
internal/kgateway/extensions2/plugins/trafficpolicy/traffic_policy_plugin.go	Adds timeout parsing and logging logic for ExtAuth and ExtProc services
install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml	Introduces timeout field in the CRD schema with default value and pattern
api/v1alpha1/gateway_extensions_types.go	Adds Timeout field to ExtAuthProvider and ExtProcProvider API types
api/applyconfiguration/internal/internal.go	Updates internal schema to include timeout as a scalar string
api/applyconfiguration/api/v1alpha1/extprocprovider.go	Adds Timeout field and WithTimeout method for ExtProcProviderApplyConfiguration
api/applyconfiguration/api/v1alpha1/extauthprovider.go	Adds Timeout field and WithTimeout method for ExtAuthProviderApplyConfiguration

[timflannagan]

Thanks -- took a quick peek at the changes and had a question/comment. For testing, I think we can get away with adding some simple setup test cases and don't need e2e coverage.

[timflannagan]

Does a timeout field belong on the shared ExtGrpcService type?

[MayorFaj]

yea it does, however, diff service types needs diff default timeouts.
(rate limiting: 20ms, ext_auth and proc : 200ms). won't give room for flexibility

[timflannagan]

Bumping branch due to ubuntu outage.

[lgadban]

in line with this comment from @timflannagan

I'm a bit confused as to why we wouldn't the shared ExtGrpcService type to have Timeout as a field?
That way all extensions which can reference an ExtGrpcService can configure the timeout if needed.

[MayorFaj]

Hi @lgadban what should we then set the default value to ?200ms or 20ms, since the rate limit has a diff default and it is referencing same service

[lgadban]

Hi @MayorFaj thanks for the reminder, this fell off my radar, apologies for the delay!

My suggestion here is actually to treat this field as completely optional and not provide a default, relying on the default envoy behavior. If a user needs to opt-in and set a timeout, they can do so contextually based on the usage of the ExtGrpService i.e. if it's rate limit or extauth.

That being said, it's actually not obvious to me if timeout is a required field or not.

[MayorFaj]

it is optional, not required.