
Add ability to define the authority for a cluster. #10024

Open
pszeto opened this issue Sep 12, 2024 · 5 comments
Labels: Prioritized (Indicating issue prioritized to be worked on in RFE stream), Type: Enhancement (New feature or request), zendesk

Comments

@pszeto

pszeto commented Sep 12, 2024

Gloo Edge Product

Enterprise

Gloo Edge Version

1.17.0

Is your feature request related to a problem? Please describe.

When configuring various grpc services, extauth, ratelimit, or otel, it's referenced using the upstream name:

Example Extauth

  extauth:
    extauthzServerRef:
      name: extauth
      namespace: gloo-system

Example RateLimit:

  ratelimitServer:
    rateLimitBeforeAuth: false
    ratelimitServerRef:
      name: rate-limit
      namespace: gloo-system

Example Otel:

          openTelemetryConfig:
            collectorUpstreamRef:
              namespace: "gloo-system"
              name: "opentelemetry-collector"

These get configured into the following Envoy configs:

Rate-limit

             {
              "name": "envoy.filters.http.ratelimit",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit",
               "domain": "ingress",
               "request_type": "both",
               "timeout": "0.100s",
               "rate_limit_service": {
                "grpc_service": {
                 "envoy_grpc": {
                  "cluster_name": "rate-limit_gloo-system"
                 }
                },
                "transport_api_version": "V3"
               }
              }
             }

extauth

             {
              "name": "envoy.filters.http.ext_authz",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
               "grpc_service": {
                "envoy_grpc": {
                 "cluster_name": "extauth_gloo-system"
                },
                "timeout": "0.200s"
               },
               "metadata_context_namespaces": [
                "envoy.filters.http.jwt_authn"
               ],
               "transport_api_version": "V3"
              }
             },

otel:

            "tracing": {
             "client_sampling": {
              "value": 100
             },
             "random_sampling": {
              "value": 100
             },
             "overall_sampling": {
              "value": 100
             },
             "provider": {
              "name": "envoy.tracers.opentelemetry",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig",
               "grpc_service": {
                "envoy_grpc": {
                 "cluster_name": "opentelemetry-collector_gloo-system"
                }
               },
               "service_name": "gateway-proxy"
              }
             }
            }

Sometimes the backend grpc service requires a different authority. Envoy supports passing a different authority in config.core.v3.GrpcService.EnvoyGrpc:

https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/grpc_service.proto#config-core-v3-grpcservice-envoygrpc

{
  "cluster_name": ...,
  "authority": ...,
  "retry_policy": {...},
  "max_receive_message_length": {...},
  "skip_envoy_headers": ...
}

Describe the solution you'd like

Expose an option in the upstream to specify the authority.

For example:

Extauth:

apiVersion: gloo.solo.io/v1
kind: Upstream
metadata:
  labels:
    app: gloo
    gloo: extauth
  name: extauth
  namespace: gloo-system
spec:
  healthChecks:
  - grpcHealthCheck:
      serviceName: ext-auth
    healthyThreshold: 3
    interval: 10s
    noTrafficInterval: 10s
    timeout: 5s
    unhealthyThreshold: 3
  kube:
    serviceName: extauth
    serviceNamespace: gloo-system
    servicePort: 8083
    serviceSpec:
      grpc: {}
  useHttp2: true
  grpcAuthority: extauth.gloo-system.svc.cluster.local

and the resulting extauth will have

extauth

             {
              "name": "envoy.filters.http.ext_authz",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
               "grpc_service": {
                "envoy_grpc": {
                 "cluster_name": "extauth_gloo-system",
                 "authority": "extauth.gloo-system.svc.cluster.local"
                },
                "timeout": "0.200s"
               },
               "metadata_context_namespaces": [
                "envoy.filters.http.jwt_authn"
               ],
               "transport_api_version": "V3"
              }
             },

Describe alternatives you've considered

No response

Additional Context

No response

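As an added example (not code from this issue, from Gloo Edge, or from Envoy), the following Python builder produces the three Envoy grpc_service blocks shown above from an upstream reference, with an optional authority applied the same way to ext_authz, ratelimit and the OpenTelemetry tracer, which is the upstream-level behaviour the issue asks for. Assumptions: the `<name>_<namespace>` cluster naming convention is read off the Envoy dumps in this issue; the function names, the host[:port] validation and the sample values are constructed for this example. The validation is there because the authority value becomes the `:authority` pseudo-header on every call to the backend, so a config generator should accept only a well-formed host, optionally with a port, rather than an arbitrary string.

```python
"""Constructed example: build Envoy grpc_service config from a Gloo-style
upstream reference (name, namespace) plus an optional gRPC authority."""
import json
import re
from typing import Optional


def envoy_cluster_name(name: str, namespace: str) -> str:
    # Convention observed in the Envoy dumps in this issue: "<name>_<namespace>".
    return f"{name}_{namespace}"


# One DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def validate_authority(authority: str) -> str:
    """Accept only host[:port]; anything else (spaces, CR/LF, paths, userinfo)
    is rejected before it reaches the proxy config. IPv6 literals are not
    handled by this constructed check."""
    host, sep, port = authority.rpartition(":")
    if not sep:  # no port present
        host, port = authority, None
    if port is not None and (not port.isdigit() or not 1 <= int(port) <= 65535):
        raise ValueError(f"invalid port in authority {authority!r}")
    labels = host.split(".")
    if not host or len(host) > 253 or not all(_LABEL_RE.fullmatch(l) for l in labels):
        raise ValueError(f"invalid host in authority {authority!r}")
    return authority


def is_valid_authority(authority: str) -> bool:
    try:
        validate_authority(authority)
        return True
    except ValueError:
        return False


def envoy_grpc_service(name: str, namespace: str,
                       authority: Optional[str] = None,
                       timeout: Optional[str] = None) -> dict:
    """The config.core.v3.GrpcService block with an envoy_grpc target."""
    envoy_grpc = {"cluster_name": envoy_cluster_name(name, namespace)}
    if authority is not None:
        envoy_grpc["authority"] = validate_authority(authority)
    svc = {"envoy_grpc": envoy_grpc}
    if timeout is not None:
        svc["timeout"] = timeout
    return svc


def ext_authz_filter(name: str, namespace: str, authority: Optional[str] = None) -> dict:
    return {
        "name": "envoy.filters.http.ext_authz",
        "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
            "grpc_service": envoy_grpc_service(name, namespace, authority, timeout="0.200s"),
            "metadata_context_namespaces": ["envoy.filters.http.jwt_authn"],
            "transport_api_version": "V3",
        },
    }


def ratelimit_filter(name: str, namespace: str, authority: Optional[str] = None) -> dict:
    return {
        "name": "envoy.filters.http.ratelimit",
        "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit",
            "domain": "ingress",
            "request_type": "both",
            "timeout": "0.100s",
            "rate_limit_service": {
                "grpc_service": envoy_grpc_service(name, namespace, authority),
                "transport_api_version": "V3",
            },
        },
    }


def otel_tracing_provider(name: str, namespace: str, authority: Optional[str] = None,
                          service_name: str = "gateway-proxy") -> dict:
    return {
        "name": "envoy.tracers.opentelemetry",
        "typed_config": {
            "@type": "type.googleapis.com/envoy.config.trace.v3.OpenTelemetryConfig",
            "grpc_service": envoy_grpc_service(name, namespace, authority),
            "service_name": service_name,
        },
    }


if __name__ == "__main__":
    # Constructed sample: the extauth upstream from this issue with its proposed authority.
    print(json.dumps(ext_authz_filter("extauth", "gloo-system",
                                      "extauth.gloo-system.svc.cluster.local"), indent=1))
```

Running the module prints the ext_authz filter in the same shape as the dump in the issue, now carrying the `authority` field; the same `envoy_grpc_service` helper serves ratelimit and OTel, which is what makes the option generic rather than per-filter.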

@pszeto pszeto added the Type: Enhancement label Sep 12, 2024
@soloio-bot

Zendesk ticket #4482 has been linked to this issue.

@jenshu
Contributor

jenshu commented Sep 12, 2024

extauth and ratelimit currently support an authority field on the grpc service settings:

@pszeto
Author

pszeto commented Sep 12, 2024

@jenshu Thanks, I just found that right now as well. It seems when configuring oTel it doesn't have it:

openTelemetryConfig:
            collectorUpstreamRef:
              namespace: "gloo-system"
              name: "opentelemetry-collector"

would it be better at the upstream level, so it's more generic?

@jenshu
Contributor

jenshu commented Sep 12, 2024

> would it be better at the upstream level, so it's more generic?

I'm not sure what all the implications are of having it at the upstream vs extauth/ratelimit/otel options level.
Is it possible that the same upstream might be used with different authorities depending on the context?
Since extauth/ratelimit already have the field, maybe the easiest / non-breaking fix for now is to add a similar field for otel.

@pszeto
Author

pszeto commented Sep 12, 2024

@jenshu That makes sense

@BeauSelisker28 BeauSelisker28 added the Prioritized label Sep 20, 2024