Fix #1202. Note that you can't mix and match HTTP auth services and H…

…TTPS auth services. Hmmmm.
emissary-ingress · Feb 13, 2019 · cbe55ec · cbe55ec
1 parent 2f96503
commit cbe55ec
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 5 deletions.
diff --git a/ambassador/ambassador/ir/irauth.py b/ambassador/ambassador/ir/irauth.py
@@ -65,6 +65,9 @@ def add_mappings(self, ir: 'IR', aconf: Config):
         for service, params in cluster_hosts.items():
             weight, grpc, ctx_name, location = params
 
+            self.logger.debug("IRAuth: svc %s, weight %s, grpc %s, ctx_name %s, location %s" %
+                              (service, weight, grpc, ctx_name, location))
+
             cluster = IRCluster(
                 ir=ir, aconf=aconf, location=location,
                 service=service,

diff --git a/ambassador/ambassador/ir/ircluster.py b/ambassador/ambassador/ir/ircluster.py
@@ -104,12 +104,17 @@ def __init__(self, ir: 'IR', aconf: Config,
         # If we have a ctx_name, does it match a real context?
         if ctx_name:
             if ctx_name is True:
+                ir.logger.debug("using null context")
                 ctx = IRTLSContext.null_context(ir=ir)
             else:
+                ir.logger.debug("seeking named context %s" % ctx_name)
                 ctx = ir.get_tls_context(typecast(str, ctx_name))
 
             if not ctx:
+                ir.logger.debug("no named context %s" % ctx_name)
                 errors.append("Originate-TLS context %s is not defined" % ctx_name)
+            else:
+                ir.logger.debug("found context %s" % ctx)
 
         # TODO: lots of duplication of here, need to replace with broken down functions
 
@@ -155,7 +160,7 @@ def __init__(self, ir: 'IR', aconf: Config,
         # Parse the service as a URL. Note that we have to supply a scheme to urllib's
         # parser, because it's kind of stupid.
 
-        ir.logger.debug("cluster %s service %s" % (name, service))
+        ir.logger.debug("cluster %s service %s otls %s ctx %s" % (name, service, originate_tls, ctx))
         p = urllib.parse.urlparse('random://' + service)
 
         # Is there any junk after the host?

diff --git a/ambassador/schemas/v1/AuthService.schema b/ambassador/schemas/v1/AuthService.schema
@@ -12,16 +12,19 @@
                 { "type": "array", "items": { "type": "string" } }
             ]
         },
-        "proto": { 
+
+        "auth_service": { "type": "string" },
+        "path_prefix": { "type": "string" },
+        "tls": { "type": [ "string", "boolean" ] },
+
+        "proto": {
             "oneOf" : [
                 { "enum": [ "http" ] },
                 { "enum": [ "grpc" ] }
             ]
         },
         "allow_request_body": { "type": "boolean" },
-        "auth_service": { "type": "string" },
         "timeout_ms": { "type": "integer" },
-        "path_prefix": { "type": "string" },  
         "allowed_request_headers": {
             "type": "array",
             "items": { "type": "string" }

diff --git a/ambassador/tests/kat/t_extauth.py b/ambassador/tests/kat/t_extauth.py
@@ -105,13 +105,21 @@ def config(self):
   buffer:
     max_request_bytes: 16384
     max_request_time: 5000
+
+---
+apiVersion: ambassador/v1
+kind: TLSContext
+name: {self.name}-same-context-1
+secret: same-secret-1.secret-namespace
+
 ---
 apiVersion: ambassador/v1
 kind: AuthService
 name:  {self.auth.path.k8s}
 auth_service: "{self.auth.path.k8s}"
 path_prefix: "/extauth"
 timeout_ms: 5000
+tls: {self.name}-same-context-1
 
 allowed_request_headers:
 - X-Foo
@@ -265,7 +273,7 @@ def config(self):
 prefix: /target/
 service: {self.target.path.k8s}
 ---
-apiVersion: ambassador/v0
+apiVersion: ambassador/v1
 kind:  Mapping
 name:  {self.target.path.k8s}-unauthed
 prefix: /target/unauthed/