emissary-ingress · rnburn · Jul 21, 2021 · Jul 21, 2021 · Jul 24, 2021 · Jul 27, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -77,6 +77,7 @@ Please see the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest
 
 We're pleased to introduce Emissary 2.0.1 as a developer preview. The 2.X family introduces a number of changes to allow Emissary to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
 
+- Feature: Support passing metadata to external authentication services.
 - Feature: The optional `statsPrefix` element of the `AmbassadorListener` CRD now determines the prefix of HTTP statistics emitted for a specific `AmbassadorListener`.
 - Feature: Ambassador Agent reports sidecar process information and Mapping OpenAPI documentation to Ambassador Cloud to provide more visibility into services and clusters.
 

diff --git a/charts/emissary-ingress/crds/getambassador.io_authservices.yaml b/charts/emissary-ingress/crds/getambassador.io_authservices.yaml
@@ -76,6 +76,10 @@ spec:
               - allow_partial
               - max_bytes
               type: object
+            initial_metadata:
+              additionalProperties:
+                type: string
+              type: object
             path_prefix:
               type: string
             proto:

diff --git a/cmd/kat-server/services/grpc-auth-v3.go b/cmd/kat-server/services/grpc-auth-v3.go
@@ -21,6 +21,7 @@ import (
 	"google.golang.org/genproto/googleapis/rpc/code"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
 )
 
 // GRPCAUTHV3 server object (all fields are required).
@@ -164,6 +165,10 @@ func (g *GRPCAUTHV3) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckRe
 	if rs.GetHTTPHeaderMap() != nil {
 		results["headers"] = *rs.GetHTTPHeaderMap()
 	}
+	md, ok := metadata.FromIncomingContext(ctx)
+	if ok {
+		results["metadata"] = md
+	}
 	body, err := json.MarshalIndent(results, "", "  ")
 	if err != nil {
 		body = []byte(fmt.Sprintf("Error: %v", err))

diff --git a/cmd/kat-server/services/grpc-auth.go b/cmd/kat-server/services/grpc-auth.go
@@ -16,6 +16,7 @@ import (
 	"google.golang.org/genproto/googleapis/rpc/code"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
 
 	// first party (protobuf)
 	core "github.com/datawire/ambassador/v2/pkg/api/envoy/api/v2/core"
@@ -164,6 +165,10 @@ func (g *GRPCAUTH) Check(ctx context.Context, r *pb.CheckRequest) (*pb.CheckResp
 	if rs.GetHTTPHeaderMap() != nil {
 		results["headers"] = *rs.GetHTTPHeaderMap()
 	}
+	md, ok := metadata.FromIncomingContext(ctx)
+	if ok {
+		results["metadata"] = md
+	}
 	body, err := json.MarshalIndent(results, "", "  ")
 	if err != nil {
 		body = []byte(fmt.Sprintf("Error: %v", err))

diff --git a/manifests/emissary/ambassador-crds.yaml b/manifests/emissary/ambassador-crds.yaml
@@ -75,6 +75,10 @@ spec:
               - allow_partial
               - max_bytes
               type: object
+            initial_metadata:
+              additionalProperties:
+                type: string
+              type: object
             path_prefix:
               type: string
             proto:

diff --git a/manifests/emissary/emissary-crds.yaml b/manifests/emissary/emissary-crds.yaml
@@ -75,6 +75,10 @@ spec:
               - allow_partial
               - max_bytes
               type: object
+            initial_metadata:
+              additionalProperties:
+                type: string
+              type: object
             path_prefix:
               type: string
             proto:

diff --git a/pkg/api/getambassador.io/v2/authservice_types.go b/pkg/api/getambassador.io/v2/authservice_types.go
@@ -51,6 +51,7 @@ type AuthServiceSpec struct {
 	AllowedRequestHeaders       []string                  `json:"allowed_request_headers,omitempty"`
 	AllowedAuthorizationHeaders []string                  `json:"allowed_authorization_headers,omitempty"`
 	AddAuthHeaders              map[string]BoolOrString   `json:"add_auth_headers,omitempty"`
+	InitialMetadata             map[string]string         `json:"initial_metadata,omitempty"`
 	AllowRequestBody            *bool                     `json:"allow_request_body,omitempty"`
 	AddLinkerdHeaders           *bool                     `json:"add_linkerd_headers,omitempty"`
 	FailureModeAllow            *bool                     `json:"failure_mode_allow,omitempty"`

diff --git a/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go b/pkg/api/getambassador.io/v2/zz_generated.deepcopy.go
diff --git a/python/ambassador/envoy/v2/v2httpfilter.py b/python/ambassador/envoy/v2/v2httpfilter.py
@@ -319,7 +319,15 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'):
         }
 
     if auth.proto == "grpc":
+        initial_metadata = []
         protocol_version = auth.get('protocol_version', 'v2')
+
+        for k, v in auth.get('initial_metadata', {}).items():
+            initial_metadata.append({
+                'key': k,
+                'value': v,
+            })
+
         auth_info = {
             'name': 'envoy.filters.http.ext_authz',
             'typed_config': {
@@ -328,7 +336,8 @@ def V2HTTPFilter_authv1(auth: IRAuth, v2config: 'V2Config'):
                     'envoy_grpc': {
                         'cluster_name': cluster.envoy_name
                     },
-                    'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0)
+                    'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0),
+                    'initial_metadata': initial_metadata
                 }
             }
         }

diff --git a/python/ambassador/envoy/v3/v3httpfilter.py b/python/ambassador/envoy/v3/v3httpfilter.py
@@ -325,7 +325,15 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'):
         }
 
     if auth.proto == "grpc":
+        initial_metadata = []
         protocol_version = auth.get('protocol_version', 'v2')
+
+        for k, v in auth.get('initial_metadata', {}).items():
+            initial_metadata.append({
+                'key': k,
+                'value': v,
+            })
+
         auth_info = {
             'name': 'envoy.filters.http.ext_authz',
             'typed_config': {
@@ -334,7 +342,8 @@ def V3HTTPFilter_authv1(auth: IRAuth, v3config: 'V3Config'):
                     'envoy_grpc': {
                         'cluster_name': cluster.envoy_name
                     },
-                    'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0)
+                    'timeout': "%0.3fs" % (float(auth.timeout_ms) / 1000.0),
+                    'initial_metadata': initial_metadata
                 },
                 'transport_api_version': protocol_version.replace("alpha", "").upper(),
             }

diff --git a/python/ambassador/ir/irauth.py b/python/ambassador/ir/irauth.py
@@ -133,6 +133,7 @@ def _load_auth(self, module: Resource, ir: 'IR'):
         self["connect_timeout_ms"] = module.get("connect_timeout_ms", 3000)
         self["cluster_idle_timeout_ms"] = module.get("cluster_idle_timeout_ms", None)
         self["cluster_max_connection_lifetime_ms"] = module.get("cluster_max_connection_lifetime_ms", None)
+        self["initial_metadata"] = module.get("initial_metadata", {})
         self["add_auth_headers"] = module.get("add_auth_headers", {})
         self["protocol_version"] = module.get("protocol_version", "v2")
         self.__to_header_list('allowed_headers', module)

diff --git a/python/kat/harness.py b/python/kat/harness.py
@@ -1008,6 +1008,7 @@ def __init__(self, bres):
 
         if isinstance(bres, dict):
             self.name = bres.get("backend")
+            self.metadata = bres.get("metadata")
             self.request = BackendRequest(bres["request"]) if "request" in bres else None
             self.response = BackendResponse(bres["response"]) if "response" in bres else None
 
@@ -1016,6 +1017,9 @@ def as_dict(self) -> Dict[str, Any]:
             'name': self.name
         }
 
+        if self.metadata:
+            od['metadata'] = self.metadata
+
         if self.request:
             od['request'] = dictify(self.request)
 

diff --git a/python/schemas/v2/AuthService.schema b/python/schemas/v2/AuthService.schema
@@ -40,6 +40,10 @@
             "type": "object",
             "additionalProperties": { "type": [ "string", "boolean" ] }
         },
+        "initial_metadata": {
+            "type": "object",
+            "additionalProperties": { "type": "string" }
+        },
         "allow_request_body": { "type": "boolean" },
         "add_linkerd_headers": { "type": "boolean" },
         "include_body": {

diff --git a/python/tests/kat/t_extauth.py b/python/tests/kat/t_extauth.py
@@ -45,6 +45,8 @@ def config(self):
 auth_service: "{self.auth.path.fqdn}"
 timeout_ms: 5000
 proto: grpc
+initial_metadata:
+  X-Init-Meta: init-meta
 """)
         yield self, self.format("""
 ---
@@ -104,6 +106,7 @@ def check(self):
         assert self.results[0].backend.request.headers["x-forwarded-proto"]== ["http"]
         assert "user-agent" in self.results[0].backend.request.headers
         assert "baz" in self.results[0].backend.request.headers
+        assert self.results[0].backend.metadata["x-init-meta"]== ["init-meta"]
         assert self.results[0].status == 401
         assert self.results[0].headers["Server"] == ["envoy"]
         assert self.results[0].headers['X-Grpc-Service-Protocol-Version'] == ['v2']
@@ -978,6 +981,8 @@ def config(self):
 timeout_ms: 5000
 protocol_version: "v3"
 proto: grpc
+initial_metadata:
+  X-Init-Meta: init-meta
 """)
         yield self, self.format("""
 ---
@@ -1021,6 +1026,7 @@ def check(self):
         assert self.results[0].status == 401
         assert self.results[0].headers["Server"] == ["envoy"]
         assert self.results[0].headers['X-Grpc-Service-Protocol-Version'] == ['v3']
+        assert self.results[0].backend.metadata["x-init-meta"]== ["init-meta"]
 
         # [1] Verifies that Location header is returned from Envoy.
         assert self.results[1].backend.name == self.auth.path.k8s