github.com/projectcontour/contour@v1.28.2/site/content/docs/1.26/config/client-authorization.md (about)

     1  # Client Authorization
     2  
     3  Contour supports integrating external servers to authorize client requests.
     4  
     5  Envoy implements external authorization in the [ext_authz][1] filter.
     6  This filter intercepts client requests and holds them while it sends a check
     7  request to an external server.
     8  The filter uses the check result to either allow the request to proceed, or to
     9  deny or redirect the request.
    10  
    11  The diagram below shows the sequence of requests involved in the successful
    12  authorization of a HTTP request:
    13  
    14  <p align="center">
    15  <img src="/img/uml/client-auth-sequence.png" alt="client authorization sequence diagram"/>
    16  </p>
    17  
    18  The [external authorization][7] guides demonstrates how to deploy HTTP basic
    19  authentication using Contour and [contour-authserver](https://github.com/projectcontour/contour-authserver).
    20  
    21  ## Extension Services
    22  
    23  The starting point for external authorization in Contour is the
    24  [ExtensionService][2] API.
    25  This API creates a cluster which Envoy can use to send requests to an external server.
    26  In principle, the Envoy cluster can be used for any purpose, but in this
    27  document we are concerned only with how to use it as an authorization service.
    28  
    29  An authorization service is a gRPC service that implements the Envoy [CheckRequest][3] protocol.
    30  Note that Contour requires the extension to implement the "v3" version of the protocol.
    31  Contour is compatible with any authorization server that implements this protocol.
    32  
    33  The primary field of interest in the `ExtensionService` CRD is the
    34  `.spec.services` field.
    35  This field lists the Kubernetes Services that will receive the check requests.
    36  The `.spec.services[].name` field contains the name of the Service, which must
    37  exist in the same namespace as the `ExtensionService` object.
    38  The `ExtensionService` object must exist in the same namespace as the
    39  Services they target to ensure that both objects are under the same
    40  administrative control.
    41  
    42  ### Load Balancing for Extension Services
    43  
    44  An `ExtensionService` can be configured to send traffic to multiple Kubernetes Services.
    45  In this case, requests are divided proportionally across the Services according
    46  to the weight in the `.spec.services[].weight` field.
    47  The service weight can be used to flexibly shift traffic between Services for
    48  reasons like implementing blue-green deployments.
    49  The `.spec.loadBalancerPolicy` field configures how Envoy will load balance
    50  requests to the endpoints within each Service.
    51  
    52  ### TLS Validation for Extension Services
    53  
    54  Since authorizing a client request may involve passing sensitive credentials
    55  from a HTTP request to the authorization service, the connection to the
    56  authorization server should be as secure as possible.
    57  Contour defaults the `.spec.protocol` field to "h2", which configures
    58  Envoy to use HTTP/2 over TLS for the authorization service connection.
    59  
    60  The [.spec.validation][4] field configures how Envoy should verify the TLS
    61  identity of the authorization server.
    62  This is a critical protection against accidentally sending credentials to an
    63  imposter service and should be enabled for all production deployments.
    64  The `.spec.validation` field should specify the expected server name
    65  from the authorization server's TLS certificate, and the trusted CA bundle
    66  that can be used to validate the TLS chain of trust.
    67  
    68  ## Authorizing Virtual Hosts
    69  
    70  The [.spec.virtualhost.authorization][5] field in the Contour `HTTPProxy`
    71  API connects a virtual host to an authorization server that is bound by an
    72  `ExtensionService` object.
    73  Each virtual host can use a different `ExtensionService`, but only one
    74  `ExtensionService` can be used by a single virtual host.
    75  Authorization servers can only be attached to `HTTPProxy` objects that have TLS
    76  termination enabled.
    77  
    78  ### Migrating from Application Authorization
    79  
    80  When applications perform their own authorization, migrating to centralized
    81  authorization may need some planning.
    82  The `.spec.virtualhost.authorization.failOpen` field controls how client
    83  requests should be handled when the authorization server fails.
    84  During a migration process, this can be set to `true`, so that if the
    85  authorization server becomes unavailable, clients can gracefully fall back to
    86  the existing application authorization mechanism.
    87  
    88  ### Scoping Authorization Policy Settings
    89  
    90  It is common for services to contain some HTTP request paths that require
    91  authorization and some that do not.
    92  The HTTPProxy [authorization policy][6] allows authorization to be
    93  disabled for both an entire virtual host and for specific routes.
    94  
    95  The initial authorization policy is set on the HTTPProxy virtual host
    96  in the `.spec.virtualhost.authorization.authPolicy` field. 
    97  This configures whether authorization is enabled, and the default authorization policy context.
    98  If authorization is disabled on the virtual host, it is also disabled by
    99  default on all the routes for that virtual host that do not specify an authorization policy.
   100  However, a route can configure its own authorization policy (in the
   101  `.spec.routes[].authPolicy` field) that can configure whether authorization
   102  is enabled, irrespective of the virtual host setting.
   103  
   104  The authorization policy context is a way to configure a set of key/value
   105  pairs that will be sent to the authorization server with each request check
   106  request.
   107  The keys and values that should be specified here depend on which authorization
   108  server has been configured.
   109  This facility is intended for configuring authorization-specific information, such as
   110  the basic authentication realm, or OIDC parameters.
   111  
   112  The initial context map can be set on the virtual host.
   113  This sets the context keys that will be sent on every check request.
   114  A route can overwrite the value for a context key by setting it in the
   115  context field of authorization policy for the route.
   116  
   117  [1]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
   118  [2]: api/#projectcontour.io/v1alpha1.ExtensionService
   119  [3]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto
   120  [4]: api/#projectcontour.io/v1.UpstreamValidation
   121  [5]: api/#projectcontour.io/v1.AuthorizationServer
   122  [6]: api/#projectcontour.io/v1.AuthorizationPolicy
   123  [7]: guides/external-authorization.md