Sync APIs. @tag-name=gloo-v1.18.0-beta30 (#1359)
Co-authored-by: soloio-bot <[email protected]>
soloio-bot and soloio-bot authored Oct 29, 2024
1 parent 0f15058 commit 8f7b22c
Showing 19 changed files with 4,616 additions and 3,225 deletions.
172 changes: 109 additions & 63 deletions api/gloo/enterprise.gloo/v1/auth_config.proto
Expand Up @@ -620,6 +620,29 @@ message ClaimToHeader {
bool append = 3;
}

// For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider.
// This way, you can enable distributed claims and caching for when users are members of more than 200 groups.
message Azure {
// The client ID for the ExtAuthService app that is registered in MS Entra,
// to access the Microsoft Graph API to retrieve distributed claims.
// This app is NOT the app that you want to configure external auth for.
string client_id = 1;

// The tenant ID represents the MS Entra organization ID where the ExtAuthService app is registered.
// This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`,
// depending on how your Azure account is provisioned.
string tenant_id = 2;

// The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API.
// The client secret data must be placed in a k8s secret under a key called 'client-secret'.
core.solo.io.ResourceRef client_secret = 3;

// Redis connection details to cache MS Entera claims.
// This way, you avoid performance issues of accessing the Microsoft Graph API too many times.
// Note that this setting does NOT turn on Redis caching for the user session.
// To turn on Redis user session caching, use the `userSessionConfig` field.
RedisOptions claims_caching_options = 4;
}

message OidcAuthorizationCode {
// your client id as registered with the issuer
Expand Down Expand Up @@ -826,29 +849,6 @@ message OidcAuthorizationCode {
// No-op, represents default OIDC behavior
message Default {}

// For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider.
// This way, you can enable distributed claims and caching for when users are members of more than 200 groups.
message Azure {
// The client ID for the ExtAuthService app that is registered in MS Entra,
// to access the Microsoft Graph API to retrieve distributed claims.
// This app is NOT the app that you want to configure external auth for.
string client_id = 1;

// The tenant ID represents the MS Entra organization ID where the ExtAuthService app is registered.
// This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`,
// depending on how your Azure account is provisioned.
string tenant_id = 2;

// The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API.
core.solo.io.ResourceRef client_secret = 3;

// Redis connection details to cache MS Entera claims.
// This way, you avoid performance issues of accessing the Microsoft Graph API too many times.
// Note that this setting does NOT turn on Redis caching for the user session.
// To turn on Redis user session caching, use the `userSessionConfig` field.
RedisOptions claims_caching_options = 4;
}

// For the moment this is just path, but we may want to configure things like iss/sid validation
message FrontChannelLogout {
// Path to use for front channel logout. Should not be the same as logout or callback paths.
Expand Down Expand Up @@ -1082,6 +1082,17 @@ message AccessTokenValidation {
// and the structure of the claim value will be preserved in the metadata struct.
map<string, string> dynamic_metadata_from_claims = 7;

// A list of claims to be mapped from the JWT token received by ext-auth-service to an upstream destination
repeated ClaimToHeader claims_to_headers = 8;

oneof Provider {
Default default = 9;
Azure azure = 10;
}

// No-op, represents default OIDC distributed claims behavior
message Default {}

message ScopeList {
repeated string scope = 1;
}
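Review bot: The oneof introduced at `oneof Provider {` is named in PascalCase, while protobuf style (and buf lint) expects oneof names in lower_snake_case, and the name is baked into generated accessors (`provider_case()`, `WhichOneof`, the Go interface type) as soon as the API is published; the same spelling appears in the ExtAuthConfig counterpart at `oneof Provider { Default default = 26; Azure azure = 27; }`. Renaming it to `oneof provider {` is wire-neutral now but becomes source-breaking once generated code is consumed. The member `Default default = 9;` also uses a keyword in several target languages, which is legal but yields awkward accessors; a name such as `default_provider` avoids that. The enclosing message AccessTokenValidation starts outside the hunk.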
Expand Down Expand Up @@ -1260,6 +1271,9 @@ message AerospikeApiKeyStorage {
map<string, string> label_selector = 17;
}

// When no storage backend is specified, the default storage backend defined in the extauth server is used.
message ServerDefaultApiKeyStorage{}

message ApiKey {
// The string value of the API key.
string api_key = 2;
Expand Down Expand Up @@ -1598,6 +1612,40 @@ This is an internal API used to share configuration between gloo-ee and extauth.
rules about breaking changes still apply to ensure we do not get errors during upgrade and downgrade.
*/
message ExtAuthConfig {
// For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider.
// This way, you can enable distributed claims and caching for when users are members of more than 200 groups.
message Azure {
// The client ID for the ExtAuthService app that is registered in MS Entra,
// to access the Microsoft Graph API to retrieve distributed claims.
// This app is NOT the app that you want to configure external auth for.
string client_id = 1;

// The tenant ID represents the MS Entra organization ID where the ExtAuthService app is registered.
// This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`,
// depending on how your Azure account is provisioned.
string tenant_id = 2;

// The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API.
string client_secret = 3 [(extproto.sensitive) = true];

// Redis connection details to cache MS Entera claims.
// This way, you avoid performance issues of accessing the Microsoft Graph API too many times.
// Note that this setting does NOT turn on Redis caching for the user session.
// To turn on Redis user session caching, use the `userSessionConfig` field.
RedisOptions claims_caching_options = 4;
}

// Map a single claim from an OAuth2 or OIDC token to a header in the request to the upstream destination.
message ClaimToHeader {
// The claim name from the token, such as `sub`.
string claim = 1;

// The header to copy the claim to, such as `x-sub`.
string header = 2;

// If the header exists, append the claim value to the header (true), or overwrite any existing value (false). The default behavior is to overwrite any existing value (false).
bool append = 3;
}

// @solo-kit:resource.name
// This is the identifier of the AuthConfig resource that this configuration is associated with.
Expand Down Expand Up @@ -1814,18 +1862,6 @@ message ExtAuthConfig {
// Only one of client_secret or pk_jwt_client_authentication_config should be set. pk_jwt_client_authentication_config takes precedence.
PkJwtClientAuthenticationConfig pk_jwt_client_authentication_config = 21;

// Map a single claim from an OAuth2 or OIDC token to a header in the request to the upstream destination.
message ClaimToHeader {
// The claim name from the token, such as `sub`.
string claim = 1;

// The header to copy the claim to, such as `x-sub`.
string header = 2;

// If the header exists, append the claim value to the header (true), or overwrite any existing value (false). The default behavior is to overwrite any existing value (false).
bool append = 3;
}

// Optional: Configuration specific to the OAuth2 access token received and processed by the ext-auth-service.
AccessToken access_token = 22;

Expand All @@ -1852,38 +1888,26 @@ message ExtAuthConfig {
// No-op, represents default OIDC behavior
message Default {}

// For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider.
// This way, you can enable distributed claims and caching for when users are members of more than 200 groups.
message Azure {
// The client ID for the ExtAuthService app that is registered in MS Entra,
// to access the Microsoft Graph API to retrieve distributed claims.
// This app is NOT the app that you want to configure external auth for.
string client_id = 1;

// The tenant ID represents the MS Entra organization ID where the ExtAuthService app is registered.
// This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`,
// depending on how your Azure account is provisioned.
string tenant_id = 2;

// The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API.
string client_secret = 3 [(extproto.sensitive) = true];

// Redis connection details to cache MS Entera claims.
// This way, you avoid performance issues of accessing the Microsoft Graph API too many times.
// Note that this setting does NOT turn on Redis caching for the user session.
// To turn on Redis user session caching, use the `userSessionConfig` field.
RedisOptions claims_caching_options = 4;
}

// For the moment this is just path, but we may want to configure things like iss/sid validation
message FrontChannelLogout {
// Path to use for front channel logout. Should not be the same as logout or callback paths.
string path=1;
}

// Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
// The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
// Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
// The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
FrontChannelLogout front_channel_logout = 28;


// Map of metadata key to claim. Ie:
// dynamic_metadata_from_claims:
// issuer: iss
// email: email
// When specified, the matching claims from the ID token will be emitted as dynamic metadata.
// Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
// The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
// and the structure of the claim value will be preserved in the metadata struct.
map<string, string> dynamic_metadata_from_claims = 29;
}

message AccessTokenValidationConfig {
Expand Down Expand Up @@ -2012,6 +2036,27 @@ message ExtAuthConfig {
message ScopeList {
repeated string scope = 1;
}

// Map of metadata key to claim. Ie:
// dynamic_metadata_from_claims:
// issuer: iss
// email: email
// When specified, the matching claims from the access token will be emitted as dynamic metadata.
// Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
// Works when the access token is a JWT or when the access token is opaque, in which case the claims will refer to field in the response from the token introspection endpoint.
// The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
// and the structure of the claim value will be preserved in the metadata struct.
map<string, string> dynamic_metadata_from_claims = 7;

repeated ClaimToHeader claims_to_headers = 8;

oneof Provider {
Default default = 26;
Azure azure = 27;
}

// No-op, represents default OIDC behavior
message Default {}
}

message PlainOAuth2Config {
Expand Down Expand Up @@ -2120,11 +2165,12 @@ message ExtAuthConfig {
oneof storage_backend {
K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
AerospikeApiKeyStorage aerospike_apikey_storage = 5;
ServerDefaultApiKeyStorage server_default_apikey_storage = 7;
}

// API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
// in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
// This validation comes with a performance cost, and can be disabled by setting this field to `true`.
// API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
// in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
// This validation comes with a performance cost, and can be disabled by setting this field to `true`.
bool skip_metadata_validation = 6;
}

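--- a/api/gloo/gateway/v1/route_table.proto
+++ b/api/gloo/gateway/v1/route_table.proto
@@ -169,10 +169,11 @@ message RouteTableSpec {
 // The list of routes for the route table
 repeated Route routes = 1;
 
-// When a delegated route defines a `RouteTableSelector` that matches multiple route tables, Gloo will inspect this
-// field to determine the order in which the route tables are to be evaluated. This determines the order in which
+// When a delegated route in a VirtualService or RouteTable defines a `RouteTableSelector` that matches
+// multiple route tables, Gloo will inspect this field to determine the order in which
+// the route tables are to be evaluated. This determines the order in which
 // the routes will appear on the final `Proxy` resource. The field is optional; if no value is specified, the weight
-// defaults to 0 (zero).
+// defaults to 0 (zero). Note that this field is ignored if it is not used in a route delegation scenario.
 //
 // Gloo will process the route tables matched by a selector in ascending order by weight and collect the routes of
 // each route table in the order they are defined. If multiple route tables define the same weight, Gloo will sort the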
29 changes: 24 additions & 5 deletions api/gloo/gloo/v1/enterprise/options/ai/ai.proto
Expand Up @@ -3,10 +3,7 @@ package ai.options.gloo.solo.io;
option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/v1/enterprise/options/ai";

import "github.com/solo-io/solo-kit/api/v1/ref.proto";
import "google/protobuf/wrappers.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "extproto/ext.proto";
option (extproto.equal_all) = true;
option (extproto.hash_all) = true;
Expand Down Expand Up @@ -553,14 +550,36 @@ message AIPromptGuard {
SSN = 0;
// Default REGEX for Credit Card Numbers
CREDIT_CARD = 1;
// Default REGEX for Phone Numbers
PHONE_NUMBER = 2;
// Default REGEX for Email Addresses
EMAIL = 3;
}

message RegexMatch {
// The regex pattern to match against the response.
string pattern = 1;
// An optional name for this match which can be used for debugging purposes.
string name = 2;
}
// A list of Regex patterns to match against the response.
// All matches will be masked before being sent back to the client.
// matches and builtins are additive.
repeated string matches = 1;
repeated RegexMatch matches = 1;
// A list of built-in regexes to mask in the response.
// matches and builtins are additive.
repeated BuiltIn builtins = 2;

enum Action {
// Mask the response if the regex matches
MASK = 0;
// Reject the request if the regex matches
REJECT = 1;
}

// The action to take if the regex matches
// NOTE: This will only apply to request matches, response matches will always mask
Action action = 3;
}

// Webhook settings for prompt guard
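Review bot: `repeated RegexMatch matches = 1;` changes field 1 from `repeated string` to a message type while keeping the number; both are length-delimited on the wire, so a previously stored config carrying plain pattern strings would likely be decoded as the bytes of a `RegexMatch` rather than rejected cleanly, and existing YAML listing strings under `matches` needs migration either way. Giving the message-typed list a fresh number and adding `reserved 1; reserved "matches";` would keep upgrade and downgrade paths unambiguous. The new enum values `PHONE_NUMBER`, `EMAIL`, `MASK` and `REJECT` are unprefixed like `SSN` and `CREDIT_CARD`, so they share the enclosing message scope and will collide if a later enum in the same message reuses one of those names. The rename to `repeated HeaderMatch forwardHeaders = 3;` in the next hunk is wire-safe but changes the JSON/YAML key from `headers` and breaks the lower_snake_case field convention; `forward_headers` yields the same JSON name (`forwardHeaders`) while matching style.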
Expand Down Expand Up @@ -588,7 +607,7 @@ message AIPromptGuard {
MatchType match_type = 2;
}
// Headers to forward with the request
repeated HeaderMatch headers = 3;
repeated HeaderMatch forwardHeaders = 3;
}


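--- a/api/gloo/gloo/v1/load_balancer.proto
+++ b/api/gloo/gloo/v1/load_balancer.proto
@@ -107,4 +107,16 @@ message LoadBalancerConfig {
 // If not specified, the default is 10%.
 google.protobuf.DoubleValue min_weight_percent = 3;
 }
+
+// If set to true, the load balancer will drain connections when the host set changes.
+//
+// Ring Hash or Maglev can be used to ensure that clients with the same key
+// are routed to the same upstream host.
+// Distruptions can cause new connections with the same key as existing connections
+// to be routed to different hosts.
+// Enabling this feature will cause the load balancer to drain existing connections
+// when the host set changes, ensuring that new connections with the same key are
+// consistently routed to the same host.
+// Connections are not immediately closed, but are allowed to drain.
+bool close_connections_on_host_set_change = 10;
 }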
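Review bot: The comment on `bool close_connections_on_host_set_change = 10;` has a typo, `Distruptions` → `Disruptions`, and it leaves open which load balancer types honor the field; the text only implies Ring Hash and Maglev. A sentence such as `// Only meaningful for hash-based policies (Ring Hash, Maglev); ignored otherwise.` would settle that, if that matches the actual behavior. Field number 10 is used while 4–9 are not visible in this hunk, which reads as intentional but is worth confirming against the rest of LoadBalancerConfig, whose body starts outside the hunk.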
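--- a/api/gloo/gloo/v1/settings.proto
+++ b/api/gloo/gloo/v1/settings.proto
@@ -908,7 +908,8 @@ message GatewayOptions {
 // validation mode. This has an negative impact on the total translation throughput, but it
 // helps ensure the configuration will not be nacked when served to Envoy.
 //
-// This feature is not yet implemented.
+// This feature is disabled by default and is not recommended for production deployments unless
+// the performance implications are well understood and acceptable.
 google.protobuf.BoolValue full_envoy_validation = 14;
 }
 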