TEST: Service updater 2020 12 04 2332.612 #9

Open
wants to merge 17 commits into
base: master

ashutosh-narkar
Owner

No description provided.

ashutosh-narkar and others added 17 commits October 28, 2020 10:36
Earlier we used only the OPA version to create a GH release and
build the release binaries. We did not create a new GH release when
changes were made to the plugin itself.

This change updates the release target to use the plugin version
instead of only the OPA version to checkout and build binaries.
This will allow us to create releases for the plugin revisions.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Notable bumps:

- google.golang.org/grpc v1.23.0 ⏩ v1.33.1
- github.com/envoyproxy/go-control-plane v0.9.0 ⏩ v0.9.7
- github.com/sirupsen/logrus v1.4.2 ⏩ v1.7.0

Signed-off-by: Stephan Renatus <srenatus@chef.io>
Earlier the checkout step of the post-tag workflow
used the default fetch-depth=1 which would only fetch a
single commit. This would result in an incorrect calculation
of the number of commits from the last OPA revendoring.

This change sets fetch-depth=0 to fetch all history to correct
this issue.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
When the context is cancelled or deadline is reached
during query evaluation, the error message returned is
"caller cancelled query execution". This message is
not very informative from the pov of the plugin user.
This change updates the plugin to handle eval cancellation
errors and returns a more helpful error message.

This change also checks if the context is cancelled or
deadline is reached even before policy eval has started
which may happen in scenarios where the server is overloaded and
has pending requests in its queue and returns an appropriate
error message in such cases.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
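
Added example, not code from this pull request or from opa-envoy-plugin: a Go illustration of the handling the commit message above describes, checking the context before evaluation starts and replacing the opaque "caller cancelled query execution" error with one that names the cause. The names `check`, `evalFunc`, `describeCtxErr` and `slowEval`, and the wording of the returned messages, are assumptions made for this example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// evalFunc stands in for policy evaluation (hypothetical, not the plugin's API).
type evalFunc func(ctx context.Context) (bool, error)

// describeCtxErr names the cause and the stage; the wording is an assumption.
func describeCtxErr(err error, stage string) error {
	switch {
	case errors.Is(err, context.DeadlineExceeded):
		return fmt.Errorf("check request timed out %s policy evaluation: %w", stage, err)
	case errors.Is(err, context.Canceled):
		return fmt.Errorf("check request cancelled %s policy evaluation: %w", stage, err)
	}
	return err
}

// check fails closed: any error results in a deny decision.
func check(ctx context.Context, eval evalFunc) (bool, error) {
	// The request may already have expired while queued on an overloaded server.
	if err := ctx.Err(); err != nil {
		return false, describeCtxErr(err, "before")
	}
	allowed, err := eval(ctx)
	if err != nil && ctx.Err() != nil {
		// Prefer the context's own error over the evaluator's opaque message.
		return false, describeCtxErr(ctx.Err(), "during")
	}
	return allowed && err == nil, err
}

// slowEval simulates an evaluation interrupted by the context (constructed).
func slowEval(ctx context.Context) (bool, error) {
	<-ctx.Done() // blocks until the deadline passes or the caller cancels
	return false, errors.New("caller cancelled query execution")
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Millisecond)
	defer cancel()
	fmt.Println(check(ctx, slowEval))
}
```
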
This commit includes changes to migrate from Travis to
GitHub Actions. A couple of workflows are added that will
trigger when a pull request is created and when changes
are merged into master.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
The post tag workflow used the `set-env` command to
set the TAG_NAME env variable. The `set-env` command is
now disabled. This change updates the workflow to remove
usage of the `set-env` command to use environment files
instead.

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Some day, we've updated our vendored protobuf files by updating go-control-plane,
and it has pulled in a change to the "well-known" type google.protobuf.Struct that
made it play nice with encoding/json from the stdlib.

This is a recent decision log entry (abbreviated) that shows that dynamic metadata
no longer looks like it did in Oct 2019.

    {
      "decision_id": "0824f36e-8e1e-41e4-a692-b71fd72ee3db",
      "input": {
        "attributes": {
          "destination": {
            "address": {
              "Address": {
                "SocketAddress": {
                  "PortSpecifier": {
                    "PortValue": 51051
                  },
                  "address": "127.0.0.1"
                }
              }
            }
          },
          "metadata_context": {
            "filter_metadata": {
              "envoy.filters.http.jwt_authn": {
                "verified_jwt": {
                  "at_hash": "upgSTpYk9xI07B4MXcJwcg",
                  "aud": "example-app",
                  "email": "kilgore@kilgore.trout",
                  "email_verified": true,
                  "exp": 1605957182,
                  "groups": [
                    "authors"
                  ],
                  "iat": 1605870782,
                  "iss": "http://127.0.0.1:5556/dex",
                  "name": "Kilgore Trout",
                  "sub": "Cg0wLTM4NS0yODA4OS0wEgRtb2Nr"
                }
              }
            }
          },
          "request": {
            "http": {
              "headers": {
                ":authority": "127.0.0.1:51051",
                ":method": "GET",
                ":path": "/foobar",
                "accept": "*/*",

Signed-off-by: Stephan Renatus <stephan@styra.com>
Signed-off-by: keyolk <chanhun.jeong@navercorp.com>
Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
This change makes opa-envoy-plugin expose two gRPC services:
envoy.service.auth.v2.Authorization and envoy.service.auth.v3.Authorization.

Since switching to v3 requires user action already, we've taken this chance
to migrate the representation of the v3 CheckRequest to the specified JSON
mapping. See the README.md for details.

That aside, if you're using the v2 API, no changes to your policies are
required, and you can keep using the v2 API for some time. It's TBD when we
are going to drop support for it.

This change also brings another input value that lets you determine the
request version (v2/v3) and its encoding (protojson for the official mapping,
"encoding/json" for the one used with v2).

With respect to the software we're integrating with here, note

- Envoy 1.13 is the first version to support the v3 API.
- Istio 1.7.0 is the first version that lets you configure the v3 filters
  required to use the v3 API with Envoy.
  Support for the 1.6 series of Istio ended on Nov 21 2020.
- The first version of Envoy released in 2021, presumably 1.18, will drop
  support for the v2 API.

The `examples/istio/quick_start.yaml` file has been adapted:

1. it's using the v3 API
2. its hardcoded TLS certs (generated with `build/gen-tls-certs.sh`) work
   with a service that's built with Go 1.15 (which refuses CN in favour of
   SNI records)

Signed-off-by: Stephan Renatus <stephan@styra.com>
Signed-off-by: Stephan Renatus <stephan@styra.com>
Also updates kind to 0.9.0, required for Istio 1.7.0.
(Oversight of open-policy-agent#217)

Signed-off-by: Stephan Renatus <stephan@styra.com>
Signed-off-by: opa-updater-automation <opa-updater-automation@openpolicyagent.org>
Signed-off-by: opa-updater-automation <opa-updater-automation@openpolicyagent.org>
Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
3 participants