Add Authentication using `ExtensionRef` to Gateway API

[joda01]

As a user of contour I want to configure external authentication backend using Gateway API similar to the HTTProxy API as described in external-authorization . As described in Gateway API specification extensionRef filters should be used to implement such mechanisms like authentication.

I want to keep the implementation as similar to HTTProxy API as possible.

• One proposal would be to use the existing ExtensionService CRD and select the custom filter function using the specified group field of the ExtensionRef object of the Gateway API specification.
  • Disadvantage is that there is no way in the actual CRD to specify additional settings needed by the auth server like context fields, FailOpen option, timeout field, and requested body.
  • Advantage easy to switch from HTTProxy to API Gateway since the ExtensionService deployment keeps the same. Fast to implement.
• An other way could be to define a new CRD ExtensionRefAuth to handle this extension.
  • Disadvantage A new processor and CRD definition is needed. Not backward compatible to HTTProxy API.
  • Advantage: All configurations needed for auth can be added to the newly defined CRD.

I created a working example implementation using proposal 1 just to keep it simple. You can have a look at branch https://github.com/fronius-sed/contour/tree/add-custom-filter-to-gateway

---

Service of the auth backend

apiVersion: v1
kind: Service
metadata:
  name: contourauthservice
spec:
  ports:
  - name: h2c
    port: 9443

Extension Reference

apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: contourauth
spec:
  protocol: h2
  services:
  - name: contourauthservice
    port: 9443

HTTPRoute example

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: nginx-web-server
spec:
  parentRefs:
  - name: parent-gateway
  rules:
  - matches:
    - path:
        value: /
        type: PathPrefix
    filters:
    - type: ExtensionRef
      extensionRef:
       kind: ExtensionService
       group: authorization
       name: contourauth
    backendRefs:
    - name: nginx-web-server-service
      port: 8080

[joda01]

@scalpel4k and @ka0o0 FYI

[sunjayBhatia]

@joda01 thank you for your interest in Contour and Gateway API!

I think this is an opportunity to go through the design proposal process if you are willing to contribute to this feature so we can get a chance to more formally discuss how we want to handle the Contour-specific filter extension implementation.

Personally I think it is appropriate to first start with a proposal for how Contour will implement the extensionRef mechanism (because as you mention above there are a few options with tradeoffs for each) using external authentication to help form some examples. We can follow on with a specific implementation for adding external auth support once we have nailed this down.

If you're willing/able to turn this into a design proposal that would be super great! @projectcontour/maintainers are here to help and offer guidance about the process and details

[sunjayBhatia]

xref: https://github.com/projectcontour/contour/issues/4530

[sunjayBhatia]

An important detail to also consider here is that configuration for the external auth server parameters is not currently configurable per-route, only the authorization context is, the auth server to use etc. is configurable per root HTTPProxy, which is a difference from how the Gateway API is structured

[joda01]

@sunjayBhatia Thank's a lot for your response. I'm very interesting in contributing the contour and go through the design process for defining the extensionRef API. I'm not an expert in contour yet, just have added some peace of code :D but where I can help, I like to help and can share my ideas and helping with some lines of code. Looking forward to contributing!

[charandas]

@sunjayBhatia i am willing to spend some time on this too, if that helps absorb @joda01 ‘s effort into the mainline. Do you think it’s possible to make this a reality or are there impediments like this piece touching too many important parts, that only core contributors can take this up.

[charandas]

I am currently using Ambassador Edge Stack enterprise version but would much rather use Contour. Only thing missing for me is a standard way to enforce authorization using CRDs.

[sunjayBhatia]

forgot to update this issue, but on this topic:

I've got a WIP design to start laying out guidelines on how the project will deal with Gateway API extension points: https://github.com/projectcontour/contour/pull/4749

The goal is to have some guidelines on how something like External Auth etc. will fit in, via custom Policy attachment CRD, route Filter, etc. and how things will be modeled in the project

This design is not finished but any comments or feedback on the context and content would be appreciated

Hopefully we can get things in a place where it is not a huge burden/change for contributors to pick up adding new features

[github-actions[bot]]

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

• Mark this Issue as fresh by commenting
• Close this Issue
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[github-actions[bot]]

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

• Mark this Issue as fresh by commenting
• Close this Issue
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack