Provide support for integrating with an external auth service. #432
Comments
|
I wanted to raise a similar issue then managed to convince myself that although this feature would be useful it's not aligned with this project's goals (note that I'm just somebody from the Internet who found this project some days ago.). My reasoning is that different teams can have different authentication requirements. Contour is to have one Ingress that delegates the traffic to team-managed services. Those services can be simple services or API gateways that hides other services and those API gateways would be a better place for authentication. Just my two cents. |
|
I can certainly see where you're coming from @ihrwein. I just opened this issue to track the feature request (I figured I should at least make the ask). Will totally understand if the Contour folks decide this is not a feature they want to support (because it's not handled by the Ingress spec). |
|
Hi @ihrwein and @larkinkevin - thanks for opening this issue. I think this is an interesting feature request and something that could be a useful addition to the new IngressRoute CRD we're heads down on at the moment. We haven't taken a close look at the APIs exposed via envoyproxy/envoy#2828, but once it lands in an Envoy release, we'll take another peak. |
rosskukulinski
added
kind/feature
|
+1 for this feature. I'd love to have some Contour backends protected by the Envoy docs for the feature, since it doesn't look like those have been linked here yet: |
|
I’d be happy to contribute a PoC for ext_authz filter configuration if the contour team still believes it's a valuable feature to add. Are you dead set on having this only available through the new IngressRoute custom CRD or should I also consider how to integrate it with the native ingress definition? |
|
I think this may also be related to adding similar functionality as to #68 |
davecheney
added
priority/important-soon
|
Removing the 0.11 milestone as external auth support is not available in a shipping envoy 1.9 |
|
@davecheney Envoy 1.9.0 released on Dec 20, 2018 has support for ext_authz. Am I missing something? |
|
I’m sorry, that was my mistake. I confused this with another feature.
… On 12 Mar 2019, at 10:18, Tim Bart ***@***.***> wrote:
@davecheney Envoy 1.9.0 released on Dec 20, 2018 has support for ext_authz.
https://github.com/envoyproxy/envoy/blob/v1.9.0/docs/root/configuration/http_filters/ext_authz_filter.rst
Am I missing something?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Any chance this goes back to |
|
I've readded the 0.11 milestone, but no promises, as usual, we're resource constrained and once we decide on a release date for 0.11, there may not be time to implement it. |
davecheney
added
priority/important-longterm
|
Adding what customer shared in the ticket they have open for this issue. |
|
Due to the need to ship Contour 0.11 to address a security issue in Envoy 1.9.0 this issus has been bumped to 0.12. @shabx this issue has been reassigned to 0.12, however I feel that its likely that when we rationalise the backlog for 0.12 (there is far too much in there for our team) this feature will be removed from the milestone until there is a design document for it. |
jpeach
added
area/deployment
This updates projectcontour#432. This updates projectcontour#2459. This updates projectcontour#2325. Signed-off-by: James Peach <[email protected]>
This updates #432. This updates #2459. This updates #2325. Signed-off-by: James Peach <[email protected]>
That seems like a different feature, or if you like a refinement that can be implemented later. As for now, the external authorization even if not optimal in all cases would help in solving many use cases that are kind of impossible to achieve today. |
|
Closing this issue as we have linked more granular issues open |
and others
The text was updated successfully, but these errors were encountered: