Help Needed With External Authorization

Hello,

I have configured Consul to run in my k8s cluster with the following config:

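global:
  name: consul
  # debug is very noisy; drop back to info once the ext_authz path works
  logLevel: debug
  # NOTE(review): with tls.enabled=false Consul's own server/client/API
  # traffic is plaintext and unverified. Acceptable for a disposable lab
  # cluster only -- enable TLS before anything else shares this network.
  tls:
    enabled: false
    verify: false
    httpsOnly: false

syncCatalog:
  enabled: true
  toConsul: true
  toK8S: true

server:
  # use 1 server (no quorum; a single-server cluster is for testing only)
  replicas: 1

client:
  enabled: true

connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: true
  # inject an envoy sidecar into every new pod,
  # except for those with annotations that prevent injection
  default: true
  # Literal block scalar holding a YAML label selector: only namespaces that
  # carry the label connect-inject=enabled are considered for injection at
  # all. Verify the demoapp namespace has this label -- without it the demo
  # pods never get a sidecar, so no request can reach the ext_authz filter.
  namespaceSelector: |
    matchLabels:
      connect-inject: enabled

# enable CRDs
controller:
  enabled: true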

With this config, I see all services being discovered in Consul’s UI.

My goal is to configure Envoy via the escape hatch to perform external authorization against FluxNinja Aperture, which runs in the aperture-agent namespace. Here is my ProxyDefaults file:

# Consul ProxyDefaults named "global": the escape-hatch Envoy settings under
# spec.config below are applied to every sidecar in the mesh, not only to the
# demo application.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global
spec:
  config:
    # Service protocol announced to Consul; the L7 (HTTP) filter chains below
    # only make sense with http rather than tcp.
    protocol: "http"
    # Static clusters appended to the sidecar bootstrap (mesh-wide, since this
    # ProxyDefaults is "global"):
    #   service           -> the local application on 127.0.0.1:8099 (no "type"
    #                        given, so Envoy's default cluster type applies)
    #   blackhole_service -> STATIC with no load_assignment, i.e. no endpoints;
    #                        anything routed to it has nowhere to go
    envoy_extra_static_clusters_json: |
      [
        {
          "name": "service",
          "connect_timeout": "5s",
          "load_assignment": {
            "cluster_name": "service",
            "endpoints": [
              {
                "lb_endpoints": [
                  { "endpoint": { "address": { "socket_address": { "address": "127.0.0.1", "port_value": 8099 } } } }
                ]
              }
            ]
          }
        },
        { "name": "blackhole_service", "type": "STATIC", "connect_timeout": "5s" }
      ]
    # Two extra static listeners, 0.0.0.0:15005 (OUTBOUND -> blackhole_service)
    # and 0.0.0.0:15006 (INBOUND -> service). Each runs an HTTP connection
    # manager whose http_filters chain calls envoy.filters.http.ext_authz
    # against the Aperture agent over gRPC (control-point egress/ingress)
    # before the router, and an OpenTelemetry access logger that ships the
    # request attributes to the same agent endpoint.
    # NOTE(review): "failure_mode_allow": true is fail-open -- if the authz
    # call errors or exceeds the 10s timeout the request is still allowed.
    # Keep it only while debugging; set it to false once the agent is reachable.
    # NOTE(review): google_grpc is configured without channel_credentials, so
    # as far as this manifest shows the authz and access-log traffic to
    # aperture-agent.aperture-agent.svc.cluster.local:8080 is plaintext.
    # NOTE(review): these listeners sit alongside the ones Consul generates
    # rather than patching them; presumably nothing is redirected to
    # 15005/15006 unless the transparent-proxy iptables rules send traffic
    # there. Check the sidecar's config_dump to see which listener the demo
    # app's traffic actually hits -- that would explain why nothing reaches
    # the agent.
    envoy_extra_static_listeners_json: |
      [
        {
          "name": "outbound_handle",
          "address": { "socket_address": { "address": "0.0.0.0", "port_value": 15005 } },
          "traffic_direction": "OUTBOUND",
          "filter_chains": [
            {
              "filters": [
                {
                  "name": "envoy.filters.network.http_connection_manager",
                  "typed_config": {
                    "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                    "stat_prefix": "egress",
                    "route_config": {
                      "name": "local_route",
                      "virtual_hosts": [
                        {
                          "name": "backend",
                          "domains": [ "*" ],
                          "routes": [
                            { "match": { "prefix": "/" }, "route": { "cluster": "blackhole_service" } }
                          ]
                        }
                      ]
                    },
                    "access_log": [
                      {
                        "name": "envoy.access_loggers.open_telemetry",
                        "typed_config": {
                          "@type": "type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig",
                          "common_config": {
                            "log_name": "egress",
                            "grpc_service": {
                              "google_grpc": {
                                "target_uri": "aperture-agent.aperture-agent.svc.cluster.local:8080",
                                "stat_prefix": "aperture_access_log"
                              }
                            },
                            "transport_api_version": "V3"
                          },
                          "body": { "string_value": "%REQ(:METHOD)%" },
                          "attributes": {
                            "values": [
                              { "key": "aperture.source", "value": { "string_value": "envoy" } },
                              { "key": "aperture.check_response", "value": { "string_value": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:aperture.check_response)%" } },
                              { "key": "http.status_code", "value": { "string_value": "%RESPONSE_CODE%" } },
                              { "key": "authz_duration", "value": { "string_value": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:ext_authz_duration)%" } },
                              { "key": "BYTES_RECEIVED", "value": { "string_value": "%BYTES_RECEIVED%" } },
                              { "key": "BYTES_SENT", "value": { "string_value": "%BYTES_SENT%" } },
                              { "key": "DURATION", "value": { "string_value": "%DURATION%" } },
                              { "key": "REQUEST_DURATION", "value": { "string_value": "%REQUEST_DURATION%" } },
                              { "key": "REQUEST_TX_DURATION", "value": { "string_value": "%REQUEST_TX_DURATION%" } },
                              { "key": "RESPONSE_DURATION", "value": { "string_value": "%RESPONSE_DURATION%" } },
                              { "key": "RESPONSE_TX_DURATION", "value": { "string_value": "%RESPONSE_TX_DURATION%" } }
                            ]
                          }
                        }
                      }
                    ],
                    "http_filters": [
                      {
                        "name": "envoy.filters.http.ext_authz",
                        "typed_config": {
                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
                          "grpc_service": {
                            "google_grpc": {
                              "target_uri": "aperture-agent.aperture-agent.svc.cluster.local:8080",
                              "stat_prefix": "ext_authz"
                            },
                            "timeout": "10s",
                            "initial_metadata": [
                              { "key": "control-point", "value": "egress" }
                            ]
                          },
                          "failure_mode_allow": true,
                          "transport_api_version": "V3"
                        }
                      },
                      {
                        "name": "envoy.filters.http.router",
                        "typed_config": { "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" }
                      }
                    ]
                  }
                }
              ]
            }
          ]
        },
        {
          "name": "inbound_handle",
          "address": { "socket_address": { "address": "0.0.0.0", "port_value": 15006 } },
          "traffic_direction": "INBOUND",
          "filter_chains": [
            {
              "filters": [
                {
                  "name": "envoy.filters.network.http_connection_manager",
                  "typed_config": {
                    "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
                    "stat_prefix": "ingress",
                    "route_config": {
                      "name": "local_route",
                      "virtual_hosts": [
                        {
                          "name": "backend",
                          "domains": [ "*" ],
                          "routes": [
                            { "match": { "prefix": "/" }, "route": { "cluster": "service" } }
                          ]
                        }
                      ]
                    },
                    "access_log": [
                      {
                        "name": "envoy.access_loggers.open_telemetry",
                        "typed_config": {
                          "@type": "type.googleapis.com/envoy.extensions.access_loggers.open_telemetry.v3.OpenTelemetryAccessLogConfig",
                          "common_config": {
                            "log_name": "ingress",
                            "grpc_service": {
                              "google_grpc": {
                                "target_uri": "aperture-agent.aperture-agent.svc.cluster.local:8080",
                                "stat_prefix": "aperture_access_log"
                              }
                            },
                            "transport_api_version": "V3"
                          },
                          "body": { "string_value": "%REQ(:METHOD)%" },
                          "attributes": {
                            "values": [
                              { "key": "aperture.source", "value": { "string_value": "envoy" } },
                              { "key": "aperture.check_response", "value": { "string_value": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:aperture.check_response)%" } },
                              { "key": "http.status_code", "value": { "string_value": "%RESPONSE_CODE%" } },
                              { "key": "authz_duration", "value": { "string_value": "%DYNAMIC_METADATA(envoy.filters.http.ext_authz:ext_authz_duration)%" } },
                              { "key": "BYTES_RECEIVED", "value": { "string_value": "%BYTES_RECEIVED%" } },
                              { "key": "BYTES_SENT", "value": { "string_value": "%BYTES_SENT%" } },
                              { "key": "DURATION", "value": { "string_value": "%DURATION%" } },
                              { "key": "REQUEST_DURATION", "value": { "string_value": "%REQUEST_DURATION%" } },
                              { "key": "REQUEST_TX_DURATION", "value": { "string_value": "%REQUEST_TX_DURATION%" } },
                              { "key": "RESPONSE_DURATION", "value": { "string_value": "%RESPONSE_DURATION%" } },
                              { "key": "RESPONSE_TX_DURATION", "value": { "string_value": "%RESPONSE_TX_DURATION%" } }
                            ]
                          }
                        }
                      }
                    ],
                    "http_filters": [
                      {
                        "name": "envoy.filters.http.ext_authz",
                        "typed_config": {
                          "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
                          "grpc_service": {
                            "google_grpc": {
                              "target_uri": "aperture-agent.aperture-agent.svc.cluster.local:8080",
                              "stat_prefix": "ext_authz"
                            },
                            "timeout": "10s",
                            "initial_metadata": [
                              { "key": "control-point", "value": "ingress" }
                            ]
                          },
                          "failure_mode_allow": true,
                          "transport_api_version": "V3"
                        }
                      },
                      {
                        "name": "envoy.filters.http.router",
                        "typed_config": { "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" }
                      }
                    ]
                  }
                }
              ]
            }
          ]
        }
      ]

I do not see any requests from the demo applications running in the demoapp namespace reaching the Aperture Agent. Am I missing something?

Hi @hasit,

Consul 1.16 now supports configuring ext_authz via an Envoy extension. I recommend configuring the filter using that extension instead of the escape hatch, and letting us know if you’re still running into issues.

https://developer.hashicorp.com/consul/docs/connect/proxies/envoy-extensions/usage/ext-authz