search

solo-io / gloo

The Cloud-Native API Gateway and AI Gateway
https://docs.solo.io/
Apache License 2.0
4.09k stars 446 forks source link

Tracing headers are not part of httpPassthrough auth requests #7913

Open huzlak opened 1 year ago

huzlak commented 1 year ago

Gloo Edge Version

1.13.x (latest stable)

Kubernetes Version

1.24.x

Describe the bug

With tracing enabled in httpConnectionManagerSettings, the tracing headers that are added to the request by gateway-proxy are not part of auth requests to httpPassthrough auth.

Steps to reproduce the bug

  1. Enable tracing and have http passthrough auth setup. helm-values.yaml: 
    global:
extensions:
extAuth:
  deployment:
    customEnv:
      - name: LOG_LEVEL
        value: debug
gloo:
gatewayProxies:
gatewayProxy:
  envoyLogLevel: debug
  gatewaySettings:
    accessLoggingService:
      accessLog:
        - fileSink:
            stringFormat: >
              [%START_TIME%] %DOWNSTREAM_REMOTE_ADDRESS% %REQ(X-AUTHORIZED)% %DYNAMIC_METADATA(envoy.filters.http.ext_authz)% %DYNAMIC_METADATA(io.solo.filters.http.transformation_ee)% %DYNAMIC_METADATA(io.solo.transformation)% %DYNAMIC_METADATA(io.solo.api_gateway.api_gateway_request_transformer)% %DYNAMIC_METADATA(io.solo.api_gateway.api_gateway_transformer)% %DYNAMIC_METADATA(io.solo)% "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% "%UPSTREAM_HOST%" "%UPSTREAM_CLUSTER%"  
            path: /dev/stdout
  tracing:
    provider:
      zipkinConfig:
        clusterName: zipkin
        collectorEndpoint: "/api/v1/spans"
    cluster:
       - name: zipkin
         connect_timeout: 1s
         type: STRICT_DNS
         load_assignment:
           cluster_name: zipkin
           endpoints:
           - lb_endpoints:
             - endpoint:
                 address:
                   socket_address:
                     address: 172.18.0.18
                     port_value: 9411

    authconfig.yaml:

    apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
name: http-passthrough-auth
namespace: gloo-system
spec:
configs:
- passThroughAuth:
  http:
    connectionTimeout: 3s
    request:
      allowedHeaders:
      - authorization
      - x-b3-spanid
      - x-b3-traceid
      - x-b3-sampled
    url: http://http-passthrough.default:9001/auth
  2. Do a request. The upstream receives the tracing headers added by envoy, but they are not part of the request to http passthrough server.

Request:

$ curl $(glooctl proxy url)/get -H "Host: httpbin.test" -H "Authorization: authorize me" -H "test: test"
{
  "args": {}, 
  "headers": {
    "Accept": "*/*", 
    "Authorization": "authorize me", 
    "Host": "httpbin.test", 
    "Test": "test", 
    "User-Agent": "curl/7.81.0", 
    "X-B3-Sampled": "1", 
    "X-B3-Spanid": "4fe43cbd63c3ba4e", 
    "X-B3-Traceid": "4fe43cbd63c3ba4e", 
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000"
  }, 
  "origin": "10.108.1.128", 
  "url": "http://httpbin.test/get"
}

Request log from http passthrough server:

$ kubectl logs http-passthrough |tail
received request with url: /auth, with headers map[Accept-Encoding:[gzip] Authorization:[authorize me] Content-Length:[0] User-Agent:[Go-http-client/1.1]]
REQUEST:
POST /auth HTTP/1.1
Host: http-passthrough.default:9001
Accept-Encoding: gzip
Authorization: authorize me
Content-Length: 0
User-Agent: Go-http-client/1.1

Expected Behavior

X-B3-* headers available as headers on the requests to http passthrough

Additional Context

No response

github-actions[bot] commented 4 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.