Unable to inject Linkerd into Ambassador pod when custom Auth module is used #1578

Closed
bourquep opened this issue May 29, 2019 · 1 comment

@bourquep

Describe the bug

In order to allow the Linkerd proxy to be injected into the Ambassador pod and have the requests properly routed by Linkerd, we must add a custom l5d-dst-override header to our requests, as documented here.

This works well as long as Ambassador Auth module is not involved.

With an Auth module configured, Ambassador injects the l5d-dst-override header into the requests that are destined for the auth service, which tricks the Linkerd proxy into routing the auth request to the final upstream service, making all auth requests fail.

To Reproduce

  • Install Ambassador
  • Configure a custom Auth module
  • Configure a mapping
  • Test to make sure that calls made to Ambassador are properly authenticated (via auth service) then routed to the upstream service (via mapping).
  • Install Linkerd with automatic proxy injection enabled
  • Inject the Linkerd proxy into everything (either add the linkerd.io/inject: enabled annotation to all namespaces, or to all deployments (service, auth, ambassador)).
  • Add this to the Ambassador mapping:
     add_request_headers:
        l5d-dst-override: fully-qualified-service:port
  • Observe that calls made to Ambassador don't work anymore - the authentication requests are routed to the upstream service, not the auth module.
  • Disable the auth module
  • Observe that calls work, they are properly routed to the upstream service

Expected behavior

One of:

  • The headers configured via add_request_headers are not added to the auth request
  • The headers configured via add_request_headers can be configured to be added to the auth request or not
  • The l5d-dst-override header is automatically added by Ambassador to all requests, setting the appropriate fully-qualified service address for each request (auth or otherwise)

Versions (please complete the following information):

  • Ambassador: 0.70.1
  • Kubernetes environment Azure AKS
  • Version 1.11.9

Additional context

This issue may or may not be related to #921
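
A configuration check for the condition reported above, as an added example that is not part of the original issue or of Ambassador's code: it scans Ambassador resources for Mappings that set l5d-dst-override through add_request_headers while an AuthService is configured, since on the affected version that header also lands on the auth request. It assumes the resources are available as parsed JSON in CRD shape (kind/metadata/spec); the resource names and service addresses in the sample are constructed.

```python
import json

OVERRIDE = "l5d-dst-override"

# Constructed sample, shaped like the items of `kubectl get ... -o json` (assumption).
SAMPLE = json.loads("""
[
 {"kind": "AuthService", "metadata": {"name": "authentication"},
  "spec": {"auth_service": "example-auth.default.svc.cluster.local:3000"}},
 {"kind": "Mapping", "metadata": {"name": "orders"},
  "spec": {"prefix": "/orders/", "service": "orders.default:8080",
           "add_request_headers":
             {"L5D-Dst-Override": "orders.default.svc.cluster.local:8080"}}},
 {"kind": "Mapping", "metadata": {"name": "status"},
  "spec": {"prefix": "/status/", "service": "status.default:8080"}}
]
""")


def normalize(addr):
    """Lower-case an address and drop any scheme so host:port values compare."""
    return str(addr).lower().split("://", 1)[-1].rstrip("/")


def find_auth_misroutes(resources):
    """Return (mapping, override, auth_service) for each Mapping whose
    l5d-dst-override would steer the auth request away from the auth service."""
    auth_targets = [r["spec"]["auth_service"] for r in resources
                    if r.get("kind") == "AuthService"]
    findings = []
    for r in resources:
        if r.get("kind") != "Mapping":
            continue
        headers = r["spec"].get("add_request_headers") or {}
        # HTTP header names are case-insensitive, so match on the lowered key.
        override = next((v for k, v in headers.items()
                         if k.lower() == OVERRIDE), None)
        if override is None:
            continue
        for auth in auth_targets:
            if normalize(override) != normalize(auth):
                findings.append((r["metadata"]["name"], override, auth))
    return findings


if __name__ == "__main__":
    for name, override, auth in find_auth_misroutes(SAMPLE):
        print(f"Mapping {name}: auth call to {auth} would carry "
              f"{OVERRIDE}={override}")
```
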

@gsagula
Contributor

gsagula commented Jun 19, 2019

I'm currently working on #1594. I believe that we could use Envoy headers_to_add for this one.
https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#config-filter-http-ext-authz-v2-authorizationrequest
