From cdf267ba5fdb60014df154db1550e8de1b5407b2 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Tue, 20 Jul 2021 19:53:36 -0700 Subject: [PATCH 1/9] add initial_metadata Signed-off-by: Ryan Burn --- python/ambassador/envoy/v2/v2httpfilter.py | 11 ++++++++++- python/ambassador/envoy/v3/v3httpfilter.py | 11 ++++++++++- python/ambassador/ir/irauth.py | 1 + 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/python/ambassador/envoy/v2/v2httpfilter.py b/python/ambassador/envoy/v2/v2httpfilter.py index 88d15533d1..8cb0c6742d 100644 --- a/python/ambassador/envoy/v2/v2httpfilter.py +++ b/python/ambassador/envoy/v2/v2httpfilter.py @@ -319,7 +319,15 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'): } if auth.proto == "grpc": + metadata_to_add = [] protocol_version = auth.get('protocol_version', 'v2') + + for k, v in auth.get('initial_metadata', {}).items(): + metadata_to_add.append({ + 'key': k, + 'value': v, + }) + auth_info = { 'name': 'envoy.filters.http.ext_authz', 'typed_config': { @@ -328,7 +336,8 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'): 'envoy_grpc': { 'cluster_name': cluster.envoy_name }, - 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0) + 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0), + 'initial_metadata': metadata_to_add } } } diff --git a/python/ambassador/envoy/v3/v3httpfilter.py b/python/ambassador/envoy/v3/v3httpfilter.py index a1892e55f7..35867f6995 100644 --- a/python/ambassador/envoy/v3/v3httpfilter.py +++ b/python/ambassador/envoy/v3/v3httpfilter.py @@ -325,7 +325,15 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'): } if auth.proto == "grpc": + metadata_to_add = [] protocol_version = auth.get('protocol_version', 'v2') + + for k, v in auth.get('initial_metadata', {}).items(): + metadata_to_add.append({ + 'key': k, + 'value': v, + }) + auth_info = { 'name': 'envoy.filters.http.ext_authz', 'typed_config': { 
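Review bot: The loop `for k, v in auth.get('initial_metadata', {}).items():` in the V2HTTPFilter_authv1 hunk raises AttributeError when the key is present but empty. irauth.py in this patch stores `module.get("initial_metadata", {})`, which yields None for an `initial_metadata:` entry with no value, so the `{}` default here never applies. Unless schema validation is guaranteed to reject that input first, `for k, v in (auth.get('initial_metadata') or {}).items():` keeps one malformed AuthService from raising during config generation. Keys and values are also handed to Envoy exactly as written, so it is worth confirming that a non-string value or an invalid header name is rejected at validation time rather than when Envoy loads the config. The same loop is in the V3HTTPFilter_authv1 hunk; both functions extend outside the hunks.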
@@ -334,7 +342,8 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'): 'envoy_grpc': { 'cluster_name': cluster.envoy_name }, - 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0) + 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0), + 'initial_metadata': metadata_to_add }, 'transport_api_version': protocol_version.replace("alpha", "").upper(), } diff --git a/python/ambassador/ir/irauth.py b/python/ambassador/ir/irauth.py index aecf94b40e..b941536f94 100644 --- a/python/ambassador/ir/irauth.py +++ b/python/ambassador/ir/irauth.py @@ -133,6 +133,7 @@ def _load_auth(self, module: Resource, ir: 'IR'): self["connect_timeout_ms"] = module.get("connect_timeout_ms", 3000) self["cluster_idle_timeout_ms"] = module.get("cluster_idle_timeout_ms", None) self["cluster_max_connection_lifetime_ms"] = module.get("cluster_max_connection_lifetime_ms", None) + self["initial_metadata"] = module.get("initial_metadata", {}) self["add_auth_headers"] = module.get("add_auth_headers", {}) self["protocol_version"] = module.get("protocol_version", "v2") self.__to_header_list('allowed_headers', module) From 68e4ef851fb06fd60b6590c4116c0519f965e9d5 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Wed, 21 Jul 2021 15:59:41 -0700 Subject: [PATCH 2/9] rename Signed-off-by: Ryan Burn --- python/ambassador/envoy/v2/v2httpfilter.py | 6 +++--- python/ambassador/envoy/v3/v3httpfilter.py | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/python/ambassador/envoy/v2/v2httpfilter.py b/python/ambassador/envoy/v2/v2httpfilter.py index 8cb0c6742d..1b9fc19a83 100644 --- a/python/ambassador/envoy/v2/v2httpfilter.py +++ b/python/ambassador/envoy/v2/v2httpfilter.py 
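Review bot: `self["initial_metadata"]` is stored in `_load_auth` (python/ambassador/ir/irauth.py) for every AuthService, but the v2 and v3 filter builders in this patch read it only inside `if auth.proto == "grpc":`. For an `http` auth service the setting therefore appears to be dropped silently (the http branch is outside the hunks, so this is inferred), which matters if an operator relies on the metadata to carry something the auth service checks. A comment on the new line would make that explicit, `# only used when proto is grpc; ignored for http auth services`, and a warning when it is set with another proto would be better still. `_load_auth` continues outside the hunk.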
@@ -319,11 +319,11 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'): } if auth.proto == "grpc": - metadata_to_add = [] + initial_metadata = [] protocol_version = auth.get('protocol_version', 'v2') for k, v in auth.get('initial_metadata', {}).items(): - metadata_to_add.append({ + initial_metadata.append({ 'key': k, 'value': v, }) @@ -337,7 +337,7 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'): 'cluster_name': cluster.envoy_name }, 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0), - 'initial_metadata': metadata_to_add + 'initial_metadata': initial_metadata } } } diff --git a/python/ambassador/envoy/v3/v3httpfilter.py b/python/ambassador/envoy/v3/v3httpfilter.py index 35867f6995..8ed96da5e8 100644 --- a/python/ambassador/envoy/v3/v3httpfilter.py +++ b/python/ambassador/envoy/v3/v3httpfilter.py @@ -325,11 +325,11 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'): } if auth.proto == "grpc": - metadata_to_add = [] + initial_metadata = [] protocol_version = auth.get('protocol_version', 'v2') for k, v in auth.get('initial_metadata', {}).items(): - metadata_to_add.append({ + initial_metadata.append({ 'key': k, 'value': v, }) @@ -343,7 +343,7 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'): 'cluster_name': cluster.envoy_name }, 'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0), - 'initial_metadata': metadata_to_add + 'initial_metadata': initial_metadata }, 'transport_api_version': protocol_version.replace("alpha", "").upper(), } From 86ce925a6d40d40d1a59ee3fb168624f37b6af75 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Fri, 23 Jul 2021 19:28:06 -0700 Subject: [PATCH 3/9] add initial_metadata to schemas 
Signed-off-by: Ryan Burn --- .../crds/getambassador.io_authservices.yaml | 7 +++++++ manifests/emissary/ambassador-crds.yaml | 7 +++++++ manifests/emissary/emissary-crds.yaml | 14 ++++++++++++++ pkg/api/getambassador.io/v2/authservice_types.go | 1 + .../getambassador.io/v2/zz_generated.deepcopy.go | 7 +++++++ python/schemas/v2/AuthService.schema | 4 ++++ 6 files changed, 40 insertions(+) diff --git a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml index 7b197f8a3b..daa87cf109 100644 --- a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml +++ b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml @@ -42,6 +42,13 @@ spec: - type: string - type: boolean type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object add_linkerd_headers: type: boolean allow_request_body: diff --git a/manifests/emissary/ambassador-crds.yaml b/manifests/emissary/ambassador-crds.yaml index 2f36983567..0ff23072ac 100644 --- a/manifests/emissary/ambassador-crds.yaml +++ b/manifests/emissary/ambassador-crds.yaml @@ -41,6 +41,13 @@ spec: - type: string - type: boolean type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object add_linkerd_headers: type: boolean allow_request_body: diff --git a/manifests/emissary/emissary-crds.yaml b/manifests/emissary/emissary-crds.yaml index 2f36983567..2371b2b888 100644 --- a/manifests/emissary/emissary-crds.yaml +++ b/manifests/emissary/emissary-crds.yaml 
@@ -41,6 +41,20 @@ spec: - type: string - type: boolean type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object add_linkerd_headers: type: boolean allow_request_body: diff --git a/pkg/api/getambassador.io/v2/authservice_types.go b/pkg/api/getambassador.io/v2/authservice_types.go index 3413d2a8a2..5ffffec60c 100644 --- a/pkg/api/getambassador.io/v2/authservice_types.go +++ b/pkg/api/getambassador.io/v2/authservice_types.go @@ -51,6 +51,7 @@ type AuthServiceSpec struct { AllowedRequestHeaders []string `json:"allowed_request_headers,omitempty"` AllowedAuthorizationHeaders []string `json:"allowed_authorization_headers,omitempty"` AddAuthHeaders map[string]BoolOrString `json:"add_auth_headers,omitempty"` + InitialMetadata map[string]BoolOrString `json:"initial_metadata,omitempty"` AllowRequestBody *bool `json:"allow_request_body,omitempty"` AddLinkerdHeaders *bool `json:"add_linkerd_headers,omitempty"` FailureModeAllow *bool `json:"failure_mode_allow,omitempty"` diff --git a/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go b/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go index c64a1e596a..6bc6f9613a 100644 --- a/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go +++ b/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go @@ -290,6 +290,13 @@ func (in *AuthServiceSpec) DeepCopyInto(out *AuthServiceSpec) { (*out)[key] = *val.DeepCopy() } } + if in.InitialMetadata != nil { + in, out := &in.InitialMetadata, &out.InitialMetadata + *out = make(map[string]BoolOrString, len(*in)) + for key, val := range *in { + (*out)[key] = *val.DeepCopy() + } + } if in.AllowRequestBody != nil { in, out := &in.AllowRequestBody, &out.AllowRequestBody *out = new(bool) 
diff --git a/python/schemas/v2/AuthService.schema b/python/schemas/v2/AuthService.schema index 3bcca9c433..ed6d85a0e6 100644 --- a/python/schemas/v2/AuthService.schema +++ b/python/schemas/v2/AuthService.schema @@ -40,6 +40,10 @@ "type": "object", "additionalProperties": { "type": [ "string", "boolean" ] } }, + "initial_metadata": { + "type": "object", + "additionalProperties": { "type": [ "string", "boolean" ] } + }, "allow_request_body": { "type": "boolean" }, "add_linkerd_headers": { "type": "boolean" }, "include_body": { From 68252971c4b6c77eb0ba22934e2a6ed27e756181 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Mon, 26 Jul 2021 18:20:27 -0700 Subject: [PATCH 4/9] add initial_metadata test Signed-off-by: Ryan Burn --- cmd/kat-server/services/grpc-auth-v3.go | 6 ++++++ cmd/kat-server/services/grpc-auth.go | 5 +++++ python/kat/harness.py | 4 ++++ python/tests/kat/t_extauth.py | 3 +++ 4 files changed, 18 insertions(+) diff --git a/cmd/kat-server/services/grpc-auth-v3.go b/cmd/kat-server/services/grpc-auth-v3.go index e25dc58d69..e2c93cd8af 100644 --- a/cmd/kat-server/services/grpc-auth-v3.go +++ b/cmd/kat-server/services/grpc-auth-v3.go @@ -21,6 +21,7 @@ import ( "google.golang.org/genproto/googleapis/rpc/code" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc" + "google.golang.org/grpc/metadata" ) // GRPCAUTHV3 server object (all fields are required). @@ -164,6 +165,11 @@ func (g *GRPCAUTHV3) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckRe if rs.GetHTTPHeaderMap() != nil { results["headers"] = *rs.GetHTTPHeaderMap() } + md, ok := metadata.FromIncomingContext(ctx) + if ok { + results["metadata"] = md + } + results["animal"] = "turtle" body, err := json.MarshalIndent(results, "", " ") if err != nil { body = []byte(fmt.Sprintf("Error: %v", err)) diff --git a/cmd/kat-server/services/grpc-auth.go b/cmd/kat-server/services/grpc-auth.go index 629709efc0..5bdef3448e 100644 --- a/cmd/kat-server/services/grpc-auth.go 
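Review bot: `results["metadata"] = md` in the Check hunk of cmd/kat-server/services/grpc-auth-v3.go copies every incoming metadata pair into the JSON body, not only the configured `initial_metadata` keys. The t_extauth.py assertion later in this patch reads it back from the 401 result, so the values reach the downstream caller. That is what the test needs from kat-server, but it deserves a comment so the pattern is not copied into a real auth service, where initial metadata may carry a shared credential: `// test-only: echoes all incoming gRPC metadata back to the caller`. The same applies to the Check hunk in grpc-auth.go; Check's body starts and ends outside both hunks.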
+++ b/cmd/kat-server/services/grpc-auth.go @@ -16,6 +16,7 @@ import ( "google.golang.org/genproto/googleapis/rpc/code" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc" + "google.golang.org/grpc/metadata" // first party (protobuf) core "github.com/datawire/ambassador/v2/pkg/api/envoy/api/v2/core" @@ -164,6 +165,10 @@ func (g *GRPCAUTH) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckResp if rs.GetHTTPHeaderMap() != nil { results["headers"] = *rs.GetHTTPHeaderMap() } + md, ok := metadata.FromIncomingContext(ctx) + if ok { + results["metadata"] = md + } body, err := json.MarshalIndent(results, "", " ") if err != nil { body = []byte(fmt.Sprintf("Error: %v", err)) diff --git a/python/kat/harness.py b/python/kat/harness.py index ca0e2060f5..785deae96d 100755 --- a/python/kat/harness.py +++ b/python/kat/harness.py @@ -1008,6 +1008,7 @@ def __init__(self, bres): if isinstance(bres, dict): self.name = bres.get("backend") + self.metadata = bres.get("metadata") self.request = BackendRequest(bres["request"]) if "request" in bres else None self.response = BackendResponse(bres["response"]) if "response" in bres else None @@ -1016,6 +1017,9 @@ def as_dict(self) -> Dict[str, Any]: 'name': self.name } + if self.metadata: + od['metadata'] = self.metadata + if self.request: od['request'] = dictify(self.request) diff --git a/python/tests/kat/t_extauth.py b/python/tests/kat/t_extauth.py index 9d8c413e5a..42067ffcd4 100644 --- a/python/tests/kat/t_extauth.py +++ b/python/tests/kat/t_extauth.py @@ -45,6 +45,8 @@ def config(self): auth_service: "{self.auth.path.fqdn}" timeout_ms: 5000 proto: grpc +initial_metadata: + abc: xyz """) yield self, self.format(""" --- 
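Review bot: `self.metadata` is assigned only inside the `if isinstance(bres, dict):` branch of `__init__` in python/kat/harness.py, while the second hunk makes `as_dict` read `self.metadata` unconditionally. `as_dict` also reads `self.name` unconditionally, which suggests the other attributes get defaults before that branch (not visible in the hunk). If so, `metadata` needs the same default, `self.metadata = None`, otherwise `as_dict` raises AttributeError for a non-dict `bres`. Both function bodies extend outside the hunks.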
@@ -104,6 +106,7 @@ def check(self): assert self.results[0].backend.request.headers["x-forwarded-proto"]== ["http"] assert "user-agent" in self.results[0].backend.request.headers assert "baz" in self.results[0].backend.request.headers + assert self.results[0].backend.metadata["abc"]== ["xyz"] assert self.results[0].status == 401 assert self.results[0].headers["Server"] == ["envoy"] assert self.results[0].headers['X-Grpc-Service-Protocol-Version'] == ['v2'] From a661e6f2a016fa637307c9777eb2b395b8abb0e0 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Mon, 26 Jul 2021 18:28:19 -0700 Subject: [PATCH 5/9] expand metadata testing Signed-off-by: Ryan Burn --- python/tests/kat/t_extauth.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/python/tests/kat/t_extauth.py b/python/tests/kat/t_extauth.py index 42067ffcd4..7dd6ec678a 100644 --- a/python/tests/kat/t_extauth.py +++ b/python/tests/kat/t_extauth.py @@ -46,7 +46,7 @@ def config(self): timeout_ms: 5000 proto: grpc initial_metadata: - abc: xyz + X-Init-Meta: init-meta """) yield self, self.format(""" --- @@ -106,7 +106,7 @@ def check(self): assert self.results[0].backend.request.headers["x-forwarded-proto"]== ["http"] assert "user-agent" in self.results[0].backend.request.headers assert "baz" in self.results[0].backend.request.headers - assert self.results[0].backend.metadata["abc"]== ["xyz"] + assert self.results[0].backend.metadata["x-init-meta"]== ["init-meta"] assert self.results[0].status == 401 assert self.results[0].headers["Server"] == ["envoy"] assert self.results[0].headers['X-Grpc-Service-Protocol-Version'] == ['v2'] @@ -981,6 +981,8 @@ def config(self): timeout_ms: 5000 protocol_version: "v3" proto: grpc +initial_metadata: + X-Init-Meta: init-meta """) yield self, self.format(""" --- 
@@ -1024,6 +1026,7 @@ def check(self): assert self.results[0].status == 401 assert self.results[0].headers["Server"] == ["envoy"] assert self.results[0].headers['X-Grpc-Service-Protocol-Version'] == ['v3'] + assert self.results[0].backend.metadata["x-init-meta"]== ["init-meta"] # [1] Verifies that Location header is returned from Envoy. assert self.results[1].backend.name == self.auth.path.k8s From 92cb682d592010ca2cb32234e8f806a675d1a217 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Mon, 26 Jul 2021 18:31:27 -0700 Subject: [PATCH 6/9] reformat Signed-off-by: Ryan Burn --- cmd/kat-server/services/grpc-auth-v3.go | 11 +++++------ cmd/kat-server/services/grpc-auth.go | 10 +++++----- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/cmd/kat-server/services/grpc-auth-v3.go b/cmd/kat-server/services/grpc-auth-v3.go index e2c93cd8af..33250bdbd2 100644 --- a/cmd/kat-server/services/grpc-auth-v3.go +++ b/cmd/kat-server/services/grpc-auth-v3.go @@ -21,7 +21,7 @@ import ( "google.golang.org/genproto/googleapis/rpc/code" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc" - "google.golang.org/grpc/metadata" + "google.golang.org/grpc/metadata" ) // GRPCAUTHV3 server object (all fields are required). @@ -165,11 +165,10 @@ func (g *GRPCAUTHV3) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckRe if rs.GetHTTPHeaderMap() != nil { results["headers"] = *rs.GetHTTPHeaderMap() } - md, ok := metadata.FromIncomingContext(ctx) - if ok { - results["metadata"] = md - } - results["animal"] = "turtle" + md, ok := metadata.FromIncomingContext(ctx) + if ok { + results["metadata"] = md + } body, err := json.MarshalIndent(results, "", " ") if err != nil { body = []byte(fmt.Sprintf("Error: %v", err)) diff --git a/cmd/kat-server/services/grpc-auth.go b/cmd/kat-server/services/grpc-auth.go index 5bdef3448e..efd46611c4 100644 --- a/cmd/kat-server/services/grpc-auth.go +++ b/cmd/kat-server/services/grpc-auth.go 
@@ -16,7 +16,7 @@ import ( "google.golang.org/genproto/googleapis/rpc/code" "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc" - "google.golang.org/grpc/metadata" + "google.golang.org/grpc/metadata" // first party (protobuf) core "github.com/datawire/ambassador/v2/pkg/api/envoy/api/v2/core" @@ -165,10 +165,10 @@ func (g *GRPCAUTH) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckResp if rs.GetHTTPHeaderMap() != nil { results["headers"] = *rs.GetHTTPHeaderMap() } - md, ok := metadata.FromIncomingContext(ctx) - if ok { - results["metadata"] = md - } + md, ok := metadata.FromIncomingContext(ctx) + if ok { + results["metadata"] = md + } body, err := json.MarshalIndent(results, "", " ") if err != nil { body = []byte(fmt.Sprintf("Error: %v", err)) From eafe7eb00923c03f691dbc74779b9f33a7912cb7 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Mon, 26 Jul 2021 19:01:39 -0700 Subject: [PATCH 7/9] update generated files Signed-off-by: Ryan Burn --- .../crds/getambassador.io_authservices.yaml | 14 ++++++------- manifests/emissary/ambassador-crds.yaml | 14 ++++++------- manifests/emissary/emissary-crds.yaml | 21 +++++++------------ 3 files changed, 21 insertions(+), 28 deletions(-) diff --git a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml index daa87cf109..7b9ba3200d 100644 --- a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml +++ b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml @@ -42,13 +42,6 @@ spec: - type: string - type: boolean type: object - initial_metadata: - additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean - type: object add_linkerd_headers: type: boolean allow_request_body: 
@@ -83,6 +76,13 @@ spec: - allow_partial - max_bytes type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object path_prefix: type: string proto: diff --git a/manifests/emissary/ambassador-crds.yaml b/manifests/emissary/ambassador-crds.yaml index 0ff23072ac..0328e005dc 100644 --- a/manifests/emissary/ambassador-crds.yaml +++ b/manifests/emissary/ambassador-crds.yaml @@ -41,13 +41,6 @@ spec: - type: string - type: boolean type: object - initial_metadata: - additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean - type: object add_linkerd_headers: type: boolean allow_request_body: @@ -82,6 +75,13 @@ spec: - allow_partial - max_bytes type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object path_prefix: type: string proto: diff --git a/manifests/emissary/emissary-crds.yaml b/manifests/emissary/emissary-crds.yaml index 2371b2b888..0328e005dc 100644 --- a/manifests/emissary/emissary-crds.yaml +++ b/manifests/emissary/emissary-crds.yaml @@ -41,20 +41,6 @@ spec: - type: string - type: boolean type: object - initial_metadata: - additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean - type: object - initial_metadata: - additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean - type: object add_linkerd_headers: type: boolean allow_request_body: 
@@ -89,6 +75,13 @@ spec: - allow_partial - max_bytes type: object + initial_metadata: + additionalProperties: + description: BoolOrString is a type that can hold a Boolean or a string. + oneOf: + - type: string + - type: boolean + type: object path_prefix: type: string proto: From 6d22280bc92b15b29110b196b04ed5cf08336d70 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Mon, 26 Jul 2021 19:06:40 -0700 Subject: [PATCH 8/9] update changelog Signed-off-by: Ryan Burn --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8566d3316..49716308d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -75,7 +75,7 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest ### Emissary Ingress -(no changes yet) +- Feature: Support passing metadata to external authentication services. ## [2.0.0-ea] June 24, 2021 [2.0.0-ea]: https://github.com/emissary-ingress/emissary/compare/v1.13.8...v2.0.0-ea From c0c61cd1d9d0efb8f3ff3e111cafdc774ebd3560 Mon Sep 17 00:00:00 2001 From: Ryan Burn Date: Tue, 3 Aug 2021 16:53:20 -0700 Subject: [PATCH 9/9] change initial_metadata type Signed-off-by: Ryan Burn --- .../emissary-ingress/crds/getambassador.io_authservices.yaml | 5 +---- manifests/emissary/ambassador-crds.yaml | 5 +---- manifests/emissary/emissary-crds.yaml | 5 +---- pkg/api/getambassador.io/v2/authservice_types.go | 2 +- pkg/api/getambassador.io/v2/zz_generated.deepcopy.go | 4 ++-- python/schemas/v2/AuthService.schema | 2 +- 6 files changed, 7 insertions(+), 16 deletions(-) diff --git a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml index 7b9ba3200d..eb4c7ef1e8 100644 --- a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml +++ b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml 
@@ -78,10 +78,7 @@ spec: type: object initial_metadata: additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean + type: string type: object path_prefix: type: string diff --git a/manifests/emissary/ambassador-crds.yaml b/manifests/emissary/ambassador-crds.yaml index 9418f5ffde..344f6fe689 100644 --- a/manifests/emissary/ambassador-crds.yaml +++ b/manifests/emissary/ambassador-crds.yaml @@ -77,10 +77,7 @@ spec: type: object initial_metadata: additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean + type: string type: object path_prefix: type: string diff --git a/manifests/emissary/emissary-crds.yaml b/manifests/emissary/emissary-crds.yaml index 9418f5ffde..344f6fe689 100644 --- a/manifests/emissary/emissary-crds.yaml +++ b/manifests/emissary/emissary-crds.yaml @@ -77,10 +77,7 @@ spec: type: object initial_metadata: additionalProperties: - description: BoolOrString is a type that can hold a Boolean or a string. - oneOf: - - type: string - - type: boolean + type: string type: object path_prefix: type: string diff --git a/pkg/api/getambassador.io/v2/authservice_types.go b/pkg/api/getambassador.io/v2/authservice_types.go index 5ffffec60c..817e01e460 100644 --- a/pkg/api/getambassador.io/v2/authservice_types.go +++ b/pkg/api/getambassador.io/v2/authservice_types.go 
@@ -51,7 +51,7 @@ type AuthServiceSpec struct { AllowedRequestHeaders []string `json:"allowed_request_headers,omitempty"` AllowedAuthorizationHeaders []string `json:"allowed_authorization_headers,omitempty"` AddAuthHeaders map[string]BoolOrString `json:"add_auth_headers,omitempty"` - InitialMetadata map[string]BoolOrString `json:"initial_metadata,omitempty"` + InitialMetadata map[string]string `json:"initial_metadata,omitempty"` AllowRequestBody *bool `json:"allow_request_body,omitempty"` AddLinkerdHeaders *bool `json:"add_linkerd_headers,omitempty"` FailureModeAllow *bool `json:"failure_mode_allow,omitempty"` diff --git a/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go b/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go index 6bc6f9613a..3bc57f53df 100644 --- a/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go +++ b/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go @@ -292,9 +292,9 @@ func (in *AuthServiceSpec) DeepCopyInto(out *AuthServiceSpec) { } if in.InitialMetadata != nil { in, out := &in.InitialMetadata, &out.InitialMetadata - *out = make(map[string]BoolOrString, len(*in)) + *out = make(map[string]string, len(*in)) for key, val := range *in { - (*out)[key] = *val.DeepCopy() + (*out)[key] = val } } if in.AllowRequestBody != nil { diff --git a/python/schemas/v2/AuthService.schema b/python/schemas/v2/AuthService.schema index ed6d85a0e6..45e7efdb10 100644 --- a/python/schemas/v2/AuthService.schema +++ b/python/schemas/v2/AuthService.schema @@ -42,7 +42,7 @@ }, "initial_metadata": { "type": "object", - "additionalProperties": { "type": [ "string", "boolean" ] } + "additionalProperties": { "type": "string" } }, "allow_request_body": { "type": "boolean" }, "add_linkerd_headers": { "type": "boolean" },
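Review bot: `InitialMetadata` in AuthServiceSpec (pkg/api/getambassador.io/v2/authservice_types.go) has no doc comment, and its behaviour is not obvious from the name. Going by the filter code earlier in this series it is only emitted for `proto: grpc`, and as a `map[string]string` in the spec its values sit in plain text in the AuthService resource and in the generated Envoy config. I would add `// InitialMetadata is sent as gRPC initial metadata on each request to the auth service (proto: grpc only). Values are stored in plain text in this resource.` above the field. The struct continues outside the hunk.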