Websockets do not work with AuthService in 0.50.0-ea7

[dgaffuri]

Describe the bug
Configuring AuthService in 0.50.0-ea7 cause losing all web socket traffic after connection.

To Reproduce
Steps to reproduce the behavior:

1. Deploy an authentication service returning 200 on every request
2. Configure a service pointing to a WebSocket echo server (e.g wss://echo.websocket.org)
3. Connect to the socket, connection is successful
4. Send a text message
5. No message is echoed back

Expected behavior
Websocket traffic should be forwarded to destination.

Versions (please complete the following information):

• Ambassador: 0.50.0-ea7
• Kubernetes environment: Docker Desktop Community 2.0.0.0-mac81 (29211)
• Version: 1.10.3

Additional context
Same configuration works in 0.50.0-ea6. Attached configurations (with and without authentication service) and local websocket/auth service node application (require npm install websocket) allow to reproduce the problem.

Following is behaviour without authorisation

$ kubectl apply -f ambassador.yaml
clusterrole.rbac.authorization.k8s.io/ambassador created
serviceaccount/ambassador created
clusterrolebinding.rbac.authorization.k8s.io/ambassador created
service/ambassador created
deployment.extensions/ambassador created
$ ./server.js
Mon Dec 10 2018 14:54:01 GMT+0100 (CET) Server is listening on port 9080
# connect from client
Mon Dec 10 2018 14:54:35 GMT+0100 (CET) Connection accepted.
# send "echo" text message
Received Message: echo
# echoed message is received by client
# disconnect from client
Mon Dec 10 2018 14:54:46 GMT+0100 (CET) Peer 192.168.65.3 disconnected.

and with authorisation

$ kubectl apply -f ambassador-auth.yaml
  ...
$ ./server.js
Mon Dec 10 2018 14:57:18 GMT+0100 (CET) Server is listening on port 9080
# connect from client
Mon Dec 10 2018 14:57:22 GMT+0100 (CET) Received request for /websocket/
Mon Dec 10 2018 14:57:22 GMT+0100 (CET) Connection accepted.
# send "echo" text message
# no message is logged by server and echoed to client
# disconnect from client
# after about 15 seconds
Mon Dec 10 2018 14:57:52 GMT+0100 (CET) Peer 192.168.65.3 disconnected.

websockets.zip

[iNoahNothing]

I can confirm the behavior. Interestingly enough, the AuthService I am using is returning a 401 for both 0.50.0-ea7 and 0.40.2. The access logs are showing this 401 response returned with 0.50.0-ea7`

ACCESS [2018-12-10T20:29:32.488Z] "GET /echo/ HTTP/1.1" 401 UAEX 0 0 3 - "65.217.185.138" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" "d0838215-dcc9-4049-82e0-f7ba334854fe" "domain1.nkrause.k736.net" "-"

but a http response code of 0 with 0.40.2.

ACCESS [2018-12-10T20:33:09.946Z] "GET /echo/ HTTP/1.1" 0 - 6 571 992 - "65.217.185.138" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36" "32a7cc84-cfbc-40c2-99fa-6fc035afd5a3" "echo.websocket.org" "174.129.224.73:80"

Marking this for resolution for 0.50.0-ga

[iNoahNothing]

Not sure what I was looking at last week. Websockets and AuthService is well supported in 0.50.0-ea7. Head on over to our slack channel and I'd be happy to answer any configuration questions https://d6e.co/slack

[iNoahNothing]

Reopening since I have been able to replicate the behavior with a similar AuthService that just issues a 200.

The web sockets app goes through the AuthService fine but seems to drop connection after connecting.

It is not an issue with headers not being included in the v1 AuthService definition from v0 so I do not think a configuration change is the solution.

Tagging for GA

[iNoahNothing]

Related: #670