Update Auth GEP with Implementable details

This commit adds the design rationale and API design
for phase 1 of the Auth GEP, adding a Filter to HTTPRoute.

Signed-off-by: Nick Young <[email protected]>

Author: youngnick

geps/gep-1494/index.md

@@ -1,7 +1,7 @@
 # GEP-1494: HTTP Auth in Gateway API
 
 * Issue: [#1494](https://github.com/kubernetes-sigs/gateway-api/issues/1494)
-* Status: Provisional
+* Status: Implementable
 
 (See [status definitions](../overview.md#gep-states).)
 
@@ -130,20 +130,343 @@ From @ongy, some additional goals to keep in mind:
 
 ## API
 
-(... details, can point to PR with changes)
+This GEP proposes a two-part solution to this problem:
+
+* We introduce a new HTTPRoute Filter, `ExternalAuth`, that allows the
+  specification of an external source to connect to using Envoy's `ext_auth` protocol.
+* We introduce a new Policy object that can be targeted at either the
+  Gateway or HTTPRoute levels. In either of these cases, it _defaults_ the settings
+  for the HTTPRoute Filter across all HTTPRoute matches that roll up to the object.
+
+These two parts will be done in two separate changes - Filter first, then
+Policy after.
+
+Both of these additions use the same underlying struct for the config, so that
+changes or additions in one place add them in the other as well.
+
+This plan has some big things that need explaining before we get to the API details:
+
+* Why a Filter plus Policy approach?
+* Why two changes?
+* Why Envoy's `ext_auth`?
+
+### Why a Filter plus Policy approach?
+
+We have two main requirements: Ana needs to be able to configure auth at least at
+the smallest possible scope, and Ana, Ian and Chihiro need to be able to configure
+defaults at larger scopes.
+
+The smallest possible scope for this config is the HTTPRoute Rule level, where
+you can match a single set of matchers - like a path, or a path and header
+combination.
+
+At this level, the inline tool we have available to perform changes is the HTTPRoute
+Filter, which also has the property that it's designed to _filter_ requests. This
+matches the overall pattern here, which is to _filter_ some requests, allowing
+or denying them based on the presence of Authentication and the passing of
+Authorization checks.
+
+A Policy _can_ be targeted at this level, using the Route rule as a `sectionName`,
+but that leaves aside that Filters are exactly designed to handle this use case.
+
+Policy attachment includes defaulting fields like Filters in its scope already,
+so we are allowed to use a combination in this way. 
+
+Using a Filter also has the advantage that, at the tightest possible scope (the
+object being defaulted) you can _explicitly_ override any configured defaults.
+
+Using a Filter also includes ordering (because Filters are an ordered list),
+although this exact behavior is currently underspecified. This change will also
+need to clarify. Ordering is particularly important for Auth use cases, because
+sometimes Auth will expect certain properties that may need to be introduced
+by things like header modification.
+
+Lastly, using a Filter means that, for the simplest possible case, where Ana
+wants to enable Auth* for a single path, then there is only a single object to
+edit, and a single place to configure.
+
+Using a Policy for the simplest case immediately brings in all the discovery
+problems that Policy entails.
+
+There are two important caveats here that must be addressed, however:
+* Firstly, whatever is in the filter either must be accepted, or the rule
+  is not accepted. Overrides can't make explicit config not work - that would
+  violate one of the key declarative principles, that what is requested in the
+  spec is either what ends up in the state, or that config is rejected.
+* Secondly, filter ordering is particularly important for Auth use cases, so we
+  must ensure that when we add Policy defaulting we have a way to indicate at
+  what position in a filter list the Auth policy should fit.
+
+### Why two phases?
+
+In short: In the interest of getting something, even if incomplete, into our
+user's hands as quickly as possible.
+
+Policy design is complex, and needs to be done carefully. Doing a first
+pass using only a Filter to get the basic config correct while we discuss
+how to make the Policy handling work means that we can get some work out to the
+community without needing to complete the whole design.
+
+In particular, the design for the Filter plus Policy will need to answer at
+least the following questions:
+
+* How to set where in a list of Filters a defaulted Auth filter sits;
+  and what happens if no Filters are specified in a HTTPRoute? Does it go first,
+  last, or should there be a way to specify the order?
+* What Policy types are possible? Defaults? (Definitely useful for setting a
+  baseline expectation for a cluster, which is desirable for security constructs
+  like Auth) Overrides? (Also very useful for ensuring that exceptions meet
+  certain requirements - like only allowing the disabling of Auth on `/healthz`
+  endpoints or similar use cases.)
+* Should Policy have a way to describe rules around when it should take effect?
+  That's in addition to the usual hierarchical rules, should the Policy have ways
+  to include or exclude specific matches? This would require agreement in the
+  Policy Attachment spec as well.
+
+All of these changes have costs in complexity and troubleshooting difficulty, so
+it's important to ensure that the design consciously makes these tradeoffs.
+
+In particular, the last two items in the above list seem likely to require a fair
+amount of discussion, and including a Policy in the initial release of this
+seems likely to make this change miss its current release window.
+
+
+### Why Envoy's ext_auth?
+
+#### What is ext_auth?
+
+Envoy's External Authorization filter is a filter that calls out to an authorization
+service to check if the incoming request is authorized or not. Note that, in
+order to check _authorization_, it must also be able to determine _authentication_ - 
+this is one of the reasons why we've chosen this approach.
+
+Envoy's implementation of this filter allows both a
+[gRPC, protobuf API](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto)
+and configuration of a HTTP based API (which, as it's not defined using a
+specification like protobuf, requires more configuration).
+
+The important thing to remember here is that the actual authentication and
+authorization processed are delegated to the authorization service - which is
+why the ext_auth approach allows handling many Auth methods - most of the
+work is performed by external services which implement various methods (like
+Basic Auth, OAuth, JWT validation, etc)
+
+#### Why use it over other options?
+
+The community discussed Auth extensively in-person at Kubecon London in early 2025,
+and got broad agreement from multiple dataplanes that:
+
+* something like ext_auth was a good idea, because it's flexible and allows the
+  implementation of many types of Auth without specific protocol implementation
+  in upstream
+* Envoy's ext_auth protocol has no major problems that would stop us using it
+* Envoy-based implementations mostly already have support for it
+
+At that meeting, those present agreed that ext_auth was a good place to start.
+
+Most non-Envoy dataplanes also already have similar methods, so the maintainers
+of projects using other dataplanes were okay with this idea.
+
+The alternative here would be to add a Filter type _per auth method_, which, given
+the large number of options, could quickly become very complex.
+
+This GEP is, however, explicitly _not_ ruling out the possibility of adding
+specific Filters for specific Auth methods in the future, if users of this API
+find the overhead of running a compatible implementation to be too much.
+
+### API Design
+
+#### Phase 1: Adding a Filter
+
+This config mainly takes inspiration from Envoy's ext_auth filter config, while
+also trying to maintain compatibility with other HTTP methods.
+
+This design is also trying to start with a minimum feature set, and add things
+as required, rather than adding everything configurable in all implementations
+immediately.
+
+There is some difference between data planes, based on the links above, but
+these fields should be broadly supportable across all the listed implementations.
+
+Some design comments are included inline.
+
+##### Go Structs
+
+```go
+// HTTPExtAuthFilter defines a filter that modifies requests by sending
+// request details to an external authorization server.
+//
+// Support: Extended
+// Feature Name: HTTPRouteExtAuth
+type HTTPExtAuthFilter struct {
+
+	// ExtAuthProtocol describes which protocol to use when communicating with an
+	// ext_auth authorization server.
+	//
+	// When this is set to GRPC, each backend must use the Envoy ext_auth protocol
+	// on the port specified in `backendRefs`. Requests and responses are defined
+	// in the protobufs: <link>
+	//
+	// When this is set to HTTP, each backend must respond with a status code in
+	// the `2xx` range on a successful authorization. Any other code is considered
+	// an authorization failure.
+	//
+	// +unionDiscriminator
+	// +kubebuilder:validation:Enum=HTTP;GRPC
+	ExtAuthProtocol string `json:"protocol"`
+
+	// BackendRefs is a list of references to backends to send authorization
+	// requests to.
+	//
+	// If this list contains more than one entry, authorization requests must
+	// be load-balanced across all the backends equally.
+	//
+	// The backends must speak the selected protocol (GRPC or HTTP) on the
+	// referenced port.
+	//
+	// If the backend service requires TLS, use BackendTLSPolicy to tell the
+	// implementation to supply the TLS details to be used to connect to that
+	// backend.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=8
+	BackendRefs []BackendObjectReference `json:"backendRefs"`
+
+	// GRPCAuthConfig contains configuration for communication with ext_auth
+	// protocol-speaking backends.
+	//
+	// If unset, implementations must assume the default behavior for each
+	// included field is intended.
+	//
+	// +optional
+	GRPCAuthConfig *GRPCAuthConfig `json:"grpc,omitempty"`
+
+	// HTTPAuthConfig contains configuration for communication with HTTP-speaking
+	// backends.
+	//
+	// If unset, implementations must assume the default behavior for each
+	// included field is intended.
+	//
+	// +optional
+	HTTPAuthConfig *HTTPAuthConfig `json:"http,omitempty"`
+
+	// ForwardBody controls if requests to the authorization server should include
+	// the body of the client request; and if so, how big that body is allowed
+	// to be.
+	//
+	// Feature Name: HTTPRouteExtAuthForwardBody
+	//
+	// GEP Review Notes:
+	// Both Envoy and Traefik show support for this feature, but HAProxy and
+	// ingress-nginx do not. So this has a separate feature flag for it.
+	//
+	// +optional
+	ForwardBody *ForwardBodyConfig `json:"body,omitempty"`
+}
+
+// GRPCAuthConfig contains configuration for communication with ext_auth
+// protocol-speaking backends.
+type GRPCAuthConfig struct {
+
+	// AllowedRequestHeaders specifies what headers from the client request
+	// will be sent to the authorization server.
+	//
+	// If this list is empty, then all headers must be sent.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=64
+	AllowedRequestHeaders []string `json:"allowedHeaders,omitempty"`
+}
+
+// HTTPAuthConfig contains configuration for communication with HTTP-speaking
+// backends.
+type HTTPAuthConfig struct {
+	// Path sets the prefix that paths from the client request will have added
+	// when forwarrded to the authorization server.
+	//
+	// When empty or unspecified, no prefix is added.
+	// +optional
+	Path string `json:"path,omitempty"`
+
+	// AllowedRequestHeaders specifies what additional headers from the client request
+	// will be sent to the authorization server.
+	//
+  // The following headers must always be sent to the authorization server,
+  // regardless of this setting:
+  // 
+  // * `Host`
+  // * `Method`
+  // * `Path`
+  // * `Content-Length`
+  // * `Authorization`
+  //
+  // If this list is empty, then only those headers must be sent.
+	//
+  // Nick's GEP Review Notes:
+  // Envoy actually does not allow sending all headers to HTTP authorization
+  // servers. If the equivalent Envoy field is unspecified, then only
+  // `Host`, `Method`, `Path`, `Content-Length` and `Authorization` are included.
+  // This is kept for backwards compatibility in Envoy.
+  //
+  // Traefik includes _all_ headers when the equivalent setting is empty.
+  //
+  // This definition is the only compromise I can see between the two; Envoy
+  // can set this to empty, and Traefik can always explicitly specify those headers
+  // at a minimum.
+  //
+	// +optional
+	// +kubebuilder:validation:MaxLength=64
+	AllowedRequestHeaders []string `json:"allowedHeaders,omitempty"`
+
+	// AllowedResponseHeaders specifies what headers from the authorization response
+	// will be copied into the request to the backend.
+	//
+	// If this list is empty, then all headers from the authorization server
+	// except Authority or Host must be copied.
+	//
+	// +optional
+	// +kubebuilder:validation:MaxLength=64
+	AllowedResponseHeaders []string `json:"allowedResponseHeaders,omitempty"`
+
+}
+
+// ForwardBody configures if requests to the authorization server should include
+// the body of the client request; and if so, how big that body is allowed
+// to be.
+type ForwardBodyConfig struct {
+
+	// ForwardBody specifies if the body should be forwarded to the authorization
+	// server. If not specified, the body will not be forwarded.
+	ForwardBody bool `json:"forward,omitempty"`
+	// MaxSize specifies how large the largest body that will be buffered and
+	// sent to the authorization
+	MaxSize uint16 `json:"maxSize,omitempty"`
+}
+
+```
+#### YAML Examples
+
+Coming soon.
+
+#### Phase 2: Adding more complex configuration with Policy
+
+This phase is currently undefined until we reach agreement on the Filter + Policy
+approach.
 
 ## Conformance Details
 
 (from https://github.com/kubernetes-sigs/gateway-api/blob/main/geps/gep-2162/index.md#standardize-features-and-conformance-tests-names)
 
 #### Feature Names
 
-Every feature should:
+For this feature as a base:
+
+`HTTPRouteExtAuth`
+
+For forwarding the body of the client request to the authorization server
+
+`HTTPRouteExtAuthForwardBody`
 
-1. Start with the resource name. i.e HTTPRouteXXX
-2. Follow the PascalCase convention. Note that the resource name in the string should come as is and not be converted to PascalCase, i.e HTTPRoutePortRedirect and not HttpRoutePortRedirect.
-3. Not exceed 128 characters.
-4. Contain only letters and numbers
 
 ### Conformance tests 
 

geps/gep-1494/metadata.yaml

@@ -2,7 +2,7 @@ apiVersion: internal.gateway.networking.k8s.io/v1alpha1
 kind: GEPDetails
 number: 1494
 name: HTTP Auth in Gateway API
-status: Provisional
+status: Implementable
 # Any authors who contribute to the GEP in any way should be listed here using
 # their GitHub handle.
 authors:
@@ -16,4 +16,6 @@ references: {}
 featureNames: {}
 # changelog is a list of hyperlinks to PRs that make changes to the GEP, in
 # ascending date order.
-changelog: {}
+changelog:
+  - https://github.com/kubernetes-sigs/gateway-api/pull/3500
+  - https://github.com/kubernetes-sigs/gateway-api/pull/3884