Merge branch 'main' into revert-4979-revert-4960-feat-set-default-mem…

…ory-limits
envoyproxy · Jan 13, 2025 · d348bea · d348bea
2 parents aff1c2d + 271a697
commit d348bea
Show file tree

Hide file tree

Showing 26 changed files with 1,397 additions and 51 deletions.
diff --git a/api/v1alpha1/api_key_auth_types.go b/api/v1alpha1/api_key_auth_types.go
@@ -0,0 +1,48 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+)
+
+const APIKeysSecretKey = "credentials"
+
+// APIKeyAuth defines the configuration for the API Key Authentication.
+type APIKeyAuth struct {
+	// CredentialRefs is the Kubernetes secret which contains the API keys.
+	// This is an Opaque secret.
+	// Each API key is stored in the key representing the client id.
+	// If the secrets have a key for a duplicated client, the first one will be used.
+	CredentialRefs []gwapiv1.SecretObjectReference `json:"credentialRefs"`
+
+	// ExtractFrom is where to fetch the key from the coming request.
+	// The value from the first source that has a key will be used.
+	ExtractFrom []*ExtractFrom `json:"extractFrom"`
+}
+
+// ExtractFrom is where to fetch the key from the coming request.
+// Only one of header, param or cookie is supposed to be specified.
+type ExtractFrom struct {
+	// Headers is the names of the header to fetch the key from.
+	// If multiple headers are specified, envoy will look for the api key in the order of the list.
+	// This field is optional, but only one of headers, params or cookies is supposed to be specified.
+	//
+	// +optional
+	Headers []string `json:"headers,omitempty"`
+	// Params is the names of the query parameter to fetch the key from.
+	// If multiple params are specified, envoy will look for the api key in the order of the list.
+	// This field is optional, but only one of headers, params or cookies is supposed to be specified.
+	//
+	// +optional
+	Params []string `json:"params,omitempty"`
+	// Cookies is the names of the cookie to fetch the key from.
+	// If multiple cookies are specified, envoy will look for the api key in the order of the list.
+	// This field is optional, but only one of headers, params or cookies is supposed to be specified.
+	//
+	// +optional
+	Cookies []string `json:"cookies,omitempty"`
+}
diff --git a/api/v1alpha1/envoyproxy_types.go b/api/v1alpha1/envoyproxy_types.go
@@ -211,6 +211,10 @@ const (
 	// EnvoyFilterExtAuthz defines the Envoy HTTP external authorization filter.
 	EnvoyFilterExtAuthz EnvoyFilter = "envoy.filters.http.ext_authz"
 
+	// EnvoyFilterAPIKeyAuth defines the Envoy HTTP api key authentication filter.
+	//nolint:gosec // this is not an API key credential.
+	EnvoyFilterAPIKeyAuth EnvoyFilter = "envoy.filters.http.api_key_auth"
+
 	// EnvoyFilterBasicAuth defines the Envoy HTTP basic authentication filter.
 	EnvoyFilterBasicAuth EnvoyFilter = "envoy.filters.http.basic_auth"
 

diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
@@ -47,6 +47,11 @@ type SecurityPolicy struct {
 type SecurityPolicySpec struct {
 	PolicyTargetReferences `json:",inline"`
 
+	// APIKeyAuth defines the configuration for the API Key Authentication.
+	//
+	// +optional
+	APIKeyAuth *APIKeyAuth `json:"apiKeyAuth,omitempty"`
+
 	// CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
 	//
 	// +optional

diff --git a/api/v1alpha1/validation/securitypolicy_validate.go b/api/v1alpha1/validation/securitypolicy_validate.go
@@ -48,6 +48,8 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		}
 	case spec.Authorization != nil:
 		sum++
+	case spec.APIKeyAuth != nil:
+		sum++
 	case spec.BasicAuth != nil:
 		sum++
 	case spec.ExtAuth != nil:
@@ -64,9 +66,28 @@ func validateSecurityPolicySpec(spec *egv1a1.SecurityPolicySpec) error {
 		return utilerrors.NewAggregate(errs)
 	}
 
+	if err := ValidateAPIKeyAuth(spec.APIKeyAuth); err != nil {
+		errs = append(errs, err)
+	}
 	return utilerrors.NewAggregate(errs)
 }
 
+func ValidateAPIKeyAuth(p *egv1a1.APIKeyAuth) error {
+	if p == nil {
+		return nil
+	}
+
+	for _, keySource := range p.ExtractFrom {
+		// only one of headers, params or cookies is supposed to be specified.
+		if len(keySource.Headers) > 0 && len(keySource.Params) > 0 ||
+			len(keySource.Headers) > 0 && len(keySource.Cookies) > 0 ||
+			len(keySource.Params) > 0 && len(keySource.Cookies) > 0 {
+			return errors.New("only one of headers, params or cookies must be specified")
+		}
+	}
+	return nil
+}
+
 // ValidateJWTProvider validates the provided JWT authentication configuration.
 func ValidateJWTProvider(providers []egv1a1.JWTProvider) error {
 	var errs []error

diff --git a/api/v1alpha1/validation/securitypolicy_validate_test.go b/api/v1alpha1/validation/securitypolicy_validate_test.go
@@ -491,6 +491,29 @@ func TestValidateSecurityPolicy(t *testing.T) {
 			},
 			expected: true,
 		},
+		{
+			name: "only one of header, query or cookie is supposed to be specified",
+			policy: &egv1a1.SecurityPolicy{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       egv1a1.KindSecurityPolicy,
+					APIVersion: egv1a1.GroupVersion.String(),
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: "test",
+					Name:      "test",
+				},
+				Spec: egv1a1.SecurityPolicySpec{
+					APIKeyAuth: &egv1a1.APIKeyAuth{
+						ExtractFrom: []*egv1a1.ExtractFrom{
+							{
+								Headers: []string{"header"},
+								Params:  []string{"param"},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	for i := range testCases {