projectcontour / contour

Contour is a Kubernetes ingress controller using Envoy proxy.
https://projectcontour.io
Apache License 2.0

Allow external authorization for non-tls virtual hosts #6657

Open kncesarini opened 1 week ago

kncesarini commented 1 week ago

Currently, external authorization (via HTTPProxy) is only possible when using TLS, and, even more restrictively, it is only possible when clients send SNI headers, as using a fallback certificate is also not allowed. I understand there are technical reasons for this from reading the design doc (https://github.com/projectcontour/contour/blob/main/design/external-authorization-design.md), but I strongly hope this is something that can be added to the roadmap, as it is a blocker for many common architectures.

For us specifically this causes an issue when we use Contour together with an AWS ALB. Our original hope was to do TLS offloading on the ALB and then forward HTTP to Contour (running in k8s). We figured that we could take the additional step and encrypt traffic between the ALB and Contour as well to allow external authorization, but then discovered that the ALB doesn't forward SNI headers, which means it will only ever be able to hit a fallback certificate in Envoy, which, as said, doesn't allow external auth servers. ALB is unfortunately a non-negotiable necessary component for us and surely many others, primarily as a place to plug in a WAF and public certificates, so just going with an NLB instead, for example, loses important functionality.

Because of this we're forced to go with a different ingress controller (unless there's some magic solution we're overlooking) solely so that we can have a functional external auth, which is very unfortunate as we really like how it has been implemented in contour apart from this snag.

github-actions[bot] commented 1 week ago

Hey @kncesarini! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

kristiankco commented 1 week ago

I discovered that this already seems to be a thing with the globalExtAuth configuration: https://github.com/projectcontour/contour/blob/main/design/global-external-authorization-design.md

What still seems to be missing (?) is being able to toggle this off for specific vhosts or routes, as I don't see the configs suggested in the design present in the HTTPProxy CRD. This is of course an issue, as not all requests necessarily require authentication, but there's already another issue on this topic so this one can be closed. Please also add globalExtAuth to the docs!
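For readers landing on this issue, here is an added example (not from this thread or the Contour project) of the two configuration forms discussed above: the per-virtual-host `authorization` block on an HTTPProxy, which the issue author notes is only programmed for a TLS virtual host with its own certificate, and the `globalExtAuth` setting in the Contour configuration file that the comment above refers to. The names `echo.example.com`, `echo-tls`, the `authz` ExtensionService, the `projectcontour-auth` namespace and the `realm` context value are assumptions for illustration.

```yaml
# Added example, not from this issue or the Contour docs. Resource names
# (authz, echo-tls, echo.example.com, projectcontour-auth) are assumptions.

# 1. Per-virtual-host external authorization on an HTTPProxy. The `tls`
#    block is required: Contour attaches the auth filter only to a TLS
#    virtual host that matches the client's SNI, not to the fallback cert.
---
apiVersion: projectcontour.io/v1alpha1
kind: ExtensionService
metadata:
  name: authz
  namespace: projectcontour-auth
spec:
  protocol: h2             # gRPC to the external auth server
  services:
    - name: authz          # Kubernetes Service fronting the auth server
      port: 9443
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: echo
  namespace: default
spec:
  virtualhost:
    fqdn: echo.example.com
    tls:
      secretName: echo-tls   # served only when the client sends this SNI
    authorization:
      extensionRef:
        name: authz
        namespace: projectcontour-auth
      responseTimeout: 500ms
      failOpen: false        # deny requests if the auth server errors or times out
  routes:
    - conditions:
        - prefix: /
      services:
        - name: echo
          port: 80
    - conditions:
        - prefix: /healthz   # health checks skip the auth check on this route
      authPolicy:
        disabled: true
      services:
        - name: echo
          port: 80

# 2. Global external authorization, set in the Contour configuration file
#    (the contour ConfigMap). This applies the same auth server across
#    virtual hosts, including the non-TLS case the issue is about.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: contour
  namespace: projectcontour
data:
  contour.yaml: |
    globalExtAuth:
      extensionService: projectcontour-auth/authz   # <namespace>/<name>
      failOpen: false
      responseTimeout: 500ms
      authPolicy:
        context:
          realm: example
```

Keep `failOpen: false` in both forms unless availability is explicitly preferred over enforcement: with `failOpen: true`, an unreachable or slow auth server lets requests through unauthenticated, which is easy to miss in monitoring. Changes to `contour.yaml` take effect after the Contour pods are restarted.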