External Authorisation grpc_service envoy_grpc not working. google_grpc is.

Bernard Bussy

Nov 3, 2023, 6:58:41 AM11/3/23
to envoy-users
Hi everyone,

I am struggling with trying to get external authorisation working using envoy.

When I use the google_grpc grpc client for communicating with my external grpc auth service it succeeds, but when I use envoy_grpc it is failing. I receive http 404 errors from the upstream system when I use envoy_grpc.

Full Context:
- Envoy and my external auth service are deployed in google cloud run
- I have dropped all network and IAM controls so the services are publicly accessible
- my external auth grpc google cloud run service deployment is configured for http2.
- the external auth service has a default https url assigned to it by google cloud run

Failure

Notes:
- When I deploy the stack locally and the external auth service is accessible on plain text http the envoy_grpc client works - which leads me to believe that there may be an issue with my tls upstream settings.

This is the working config file that uses the google_grpc plugin:
# Indentation restored from the flattened copy. The "@type" lines are the standard
# Envoy v3 type URLs for each filter/transport socket (assumed; they are not visible
# in the post as rendered, but Envoy will not load a typed_config without them).
static_resources:
  listeners:
  - address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: my-backend-service
              domains: ["*"]
              typed_per_filter_config:
                envoy.filters.http.cors:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
                  allow_origin_string_match:
                  - safe_regex:
                      regex: \*
                  allow_methods: "GET, PUT, DELETE, POST, OPTIONS"
                  allow_headers: "authorization,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout"
                  expose_headers: "grpc-status,grpc-message"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: my-backend-service
                  auto_host_rewrite: true
                  max_stream_duration:
                    grpc_timeout_header_max: 0s
          http_filters:
          - name: envoy.filters.http.grpc_web
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
          - name: envoy.filters.http.cors
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              grpc_service:
                # google_grpc: Envoy's built-in gRPC library dials the target directly;
                # the :authority of each check request is the host part of target_uri.
                google_grpc:
                  target_uri: my-external-auth-service-address:443
                  stat_prefix: ext_authz
                  credentials_factory_name: envoy.grpc_credentials.default_credentials
                  channel_credentials:
                    ssl_credentials:
                      root_certs:
                        filename: /etc/ssl/certs/ca-certificates.crt
                timeout: 5s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: my-backend-service
    type: logical_dns
    connect_timeout: 20s
    http2_protocol_options: {}
    lb_policy: round_robin
    load_assignment:
      cluster_name: my-backend-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: my-backend-service-address
                port_value: 443
    dns_lookup_family: V4_ONLY
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          alpn_protocols: h2
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt
        sni: my-backend-service-address


and this is the version that fails with http 404 errors coming from the upstream service:
# Indentation restored from the flattened copy; "@type" lines assumed as in the
# working config above. The only differences are the ext_authz grpc_service block
# and the extra my-external-auth-service cluster at the end.
static_resources:
  listeners:
  - address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: my-backend-service
              domains: ["*"]
              typed_per_filter_config:
                envoy.filters.http.cors:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
                  allow_origin_string_match:
                  - safe_regex:
                      regex: \*
                  allow_methods: "GET, PUT, DELETE, POST, OPTIONS"
                  allow_headers: "authorization,keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout"
                  expose_headers: "grpc-status,grpc-message"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: my-backend-service
                  auto_host_rewrite: true
                  max_stream_duration:
                    grpc_timeout_header_max: 0s
          http_filters:
          - name: envoy.filters.http.grpc_web
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb
          - name: envoy.filters.http.cors
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              grpc_service:
                # envoy_grpc: check requests go through a regular Envoy cluster,
                # so TLS, SNI and ALPN come from that cluster's transport_socket.
                envoy_grpc:
                  cluster_name: my-external-auth-service
                timeout: 5s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: my-backend-service
    type: logical_dns
    connect_timeout: 20s
    http2_protocol_options: {}
    lb_policy: round_robin
    load_assignment:
      cluster_name: my-backend-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: my-backend-service-address
                port_value: 443
    dns_lookup_family: V4_ONLY
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          alpn_protocols: h2
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt
        sni: my-backend-service-address

  - name: my-external-auth-service
    type: logical_dns
    connect_timeout: 20s
    http2_protocol_options: {}
    lb_policy: round_robin
    load_assignment:
      cluster_name: my-external-auth-service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: my-external-auth-service-address
                port_value: 443
    dns_lookup_family: V4_ONLY
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          alpn_protocols: h2
          validation_context:
            trusted_ca:
              filename: /etc/ssl/certs/ca-certificates.crt
        sni: my-external-auth-service-address
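
One difference between the two clients that is worth checking before touching the TLS settings, added here as an editor's example and not part of the post above. A 404 is an HTTP-level answer, so the TLS handshake to the auth service completed and a frontend received the request; the failing config already pins `sni` to the service host, so the transport side is unlikely to be the problem. With `google_grpc` the `:authority` of every check request is the host part of `target_uri`; with `envoy_grpc` Envoy fills `:authority` with the cluster name unless the `authority` field of the `envoy_grpc` block is set. A hosted frontend that routes on the Host/authority header (Google Cloud Run does) answers an unknown name with 404, and a local plaintext server that ignores the authority does not care, which matches both observations in the post. The fragment below shows only the ext_authz filter entry; it reuses the post's placeholder names (`my-external-auth-service`, `my-external-auth-service-address`) and assumes an Envoy release whose `envoy_grpc` message has the `authority` field. Everything else in the failing config stays as it is.

```yaml
# Added example (not from the post): ext_authz over envoy_grpc with an explicit
# :authority. Replace the ext_authz entry in the http_filters list with this one.
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: my-external-auth-service
        # Without this line Envoy sends ":authority: my-external-auth-service"
        # (the cluster name). Set it to the same host that google_grpc used in
        # target_uri, so the request carries the name the service is published
        # under and the cluster's sni and this header agree.
        authority: my-external-auth-service-address
      timeout: 5s
    # Fail closed when the auth service is unreachable or answers with an error,
    # rather than letting the request through. false is the default; it is spelled
    # out here so a later edit cannot silently turn the check into allow-by-default.
    failure_mode_allow: false
```

To confirm the diagnosis before changing anything, look at the auth service's request log for the rejected calls (the request URL recorded there carries the host Envoy sent), or watch `cluster.my-external-auth-service.upstream_rq_4xx` in Envoy's stats while a client request is in flight: check requests sent through `envoy_grpc` are counted on that cluster, whereas `google_grpc` traffic bypasses it.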
