Update AuthenticationFilter proposal #4424
Conversation
github-actions
bot
added
the
documentation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4424 +/- ##
=======================================
Coverage 86.09% 86.09%
=======================================
Files 132 132
Lines 14381 14381
Branches 35 35
=======================================
Hits 12382 12382
+ Misses 1788 1787 -1
- Partials 211 212 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| // LocalObjectReference specifies a local Kubernetes object. | ||
| type LocalObjectReference struct { | ||
| // Name is the referenced object. | ||
| Name string `json:"name"` |
There was a problem hiding this comment.
This object is for the SecretRef for storing the name of the secret.
It used to be here in the API. It just got moved up.
|
|
||
| - Resolved filter referenced by a single route rule within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced by multiple route rules within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced by multiple HTTP/GRPCRoutes |
There was a problem hiding this comment.
The 2nd test in this list is intended to capture that test case.
There was a problem hiding this comment.
maybe we have different dictionary. for me second i see like: one route with two rules, that is not valid
There was a problem hiding this comment.
Ah right, I see what you mean. My scenario is multiple separate route rules. This is the same as what you mean.
But, we don't have a test case for multiple routes in one rule. I'll add a case for that as well 😄
| Invalid reference scenarios: | ||
|
|
||
| - Resolved filter referenced multiple times in a single route rule within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced multiple times in a single route rule within a single HTTP/GRPCRoute |
|
|
||
| - Resolved filter referenced multiple times in a single route rule within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced multiple times in a single route rule within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced multiple times by multiple route rules within a single HTTP/GRPCRoute |
There was a problem hiding this comment.
actually. What is expected behaviour here and above? i cannot understand the scenario as a functional test and not a unit
There was a problem hiding this comment.
These are intended to be invalid testing cases.
But you make a good point, I don't list the expected outcome. I'll add those here as well
There was a problem hiding this comment.
i see invalid functional tests for authentication as: Authentication failed or Authentication passed - for valid, means we get a response from the route behind auth filter
Resolved/Unresolved more sound like a unit test
| - Resolved filter referenced multiple times in a single route rule within a single HTTP/GRPCRoute | ||
| - Resolved filter referenced multiple times by multiple route rules within a single HTTP/GRPCRoute | ||
| - Unresolved filter referenced by a single route rule within a single HTTP/GRPCRoute | ||
| - Unresolved filter referenced by multiple route rules within a single HTTP/GRPCRoute |
There was a problem hiding this comment.
Pull request overview
This PR updates the AuthenticationFilter proposal by refining the API design, removing the OnFailure configuration from the main spec, and enhancing documentation quality. The changes move AuthFailure customization to stretch goals while improving clarity throughout the proposal.
Key Changes:
- Removed OnFailure configuration from BasicAuth and JWTAuth specs, relocating it to stretch goals
- Enhanced functional testing section with detailed test case scenarios
- Fixed numerous spelling and grammatical errors throughout the document
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| type LocalObjectReference struct { | ||
| // Name is the referenced object. | ||
| Name string `json:"name"` | ||
| } |
There was a problem hiding this comment.
The LocalObjectReference struct definition has been moved to after BasicAuth, but the comment on line 154 still refers to it. Consider adding a comment explaining that this is a simplified version compared to the Kubernetes core LocalObjectReference, which includes a key field.
|
|
||
| ### Functional Test Cases | ||
|
|
||
| Note: The keyword "resolved" is used to refer to a filter that the controller has found, and matches the reference of the route rule. |
There was a problem hiding this comment.
i see invalid functional tests for authentication as Authentication failed, and Authentication passed - for valid, means we get a response from the route behind auth filter.
Don't we do this full check in functional tests?
| - Expected outcome: Requests to all route rules referencing the filter successfully process authentication requests | ||
| - Resolved filter referenced by rules in multiple HTTP/GRPCRoutes | ||
| - Expected outcome: Requests to all route rules across each HTTP/GRPCRoute successfully process authentication requests | ||
|
|
There was a problem hiding this comment.
With our other functional tests, we also verify that the nginx configuration is correct.
| ```text | ||
| The realm value is a free-form string | ||
| that can only be compared for equality with other realms on that | ||
| server. The server will service the request only if it can validate |
There was a problem hiding this comment.
| server. The server will service the request only if it can validate |
| // +kubebuilder:object:root=true | ||
| // +kubebuilder:storageversion | ||
| // +kubebuilder:subresource:status | ||
| // +kubebuilder:resource:categories=nginx-gateway-fabric,shortName=authfilter;authenticationfilter |
There was a problem hiding this comment.
is the short name only descriptive? or it can be used in the spec to specify fields?
| statusCode: 401 | ||
| scheme: Basic |
There was a problem hiding this comment.
nit: use any other code to show case custom option, 401 is the default.
| ### Additional Fields for JWT | ||
| `require`, `tokenSource` and `propagation` are some additional fields that may be incldued in future updates to the API. | ||
| `require`, `tokenSource` and `propagation` are some additional fields that may be included in future updates to the API. |
There was a problem hiding this comment.
it would be nice to just put the future updates in another section, i saw some spread out and got a little confused on what's part of this feature work and what could get added in the future.
Proposed changes
This change updates the AuthenticationFilter proposal.
Changes made:
Details related to AuthFailure are captured in the Stretch Goals section
Closes #4423
Checklist
Before creating a PR, run through this checklist and mark each as complete.
Release notes
If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.