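--- a/examples/external-authentication/README.md
+++ b/examples/external-authentication/README.md
@@ -0,0 +1,3 @@
+# External Authentication
+
+This directory contains the YAML files used in the [External Authentication](https://docs.nginx.com/nginx-gateway-fabric/traffic-security/external-authentication/) guide.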
52 changes: 52 additions & 0 deletions examples/external-authentication/cafe-routes.yaml
@@ -0,0 +1,52 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: coffee
spec:
parentRefs:
- name: gateway
sectionName: http
hostnames:
- "cafe.example.com"
rules:
- matches:
- path:
type: PathPrefix
value: /coffee
filters:
- type: ExternalAuth
externalAuth:
protocol: HTTP
backendRef:
name: ext-auth-server
port: 80
http:
path: /
allowedHeaders:
- X-Api-Key
allowedResponseHeaders:
- X-User-Id
forwardBody:
maxSize: 1024
backendRefs:
- name: coffee
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: tea
spec:
parentRefs:
- name: gateway
sectionName: http
hostnames:
- "cafe.example.com"
rules:
- matches:
- path:
type: Exact
value: /tea
backendRefs:
- name: tea
port: 80
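Review bot: The second HTTPRoute (`name: tea`) carries no ExternalAuth filter, so /tea is served without the auth subrequest while /coffee requires the X-Api-Key check, and nothing in the file says whether that contrast is intended. A comment above the tea document, `# No ExternalAuth filter: /tea is deliberately left unauthenticated to contrast with /coffee`, would stop readers copying the file as a fully protected example. On the coffee route, `allowedHeaders` limits what is forwarded to the auth server to X-Api-Key and `forwardBody.maxSize: 1024` presumably bounds the forwarded body; a one-line comment stating that only the listed header and a bounded body reach the auth server would make the data-minimisation intent explicit.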
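--- a/examples/external-authentication/cafe.yaml
+++ b/examples/external-authentication/cafe.yaml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: coffee
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: coffee
+template:
+metadata:
+labels:
+app: coffee
+spec:
+containers:
+- name: coffee
+image: nginxdemos/nginx-hello:plain-text
+ports:
+- containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: coffee
+spec:
+ports:
+- port: 80
+targetPort: 8080
+protocol: TCP
+name: http
+selector:
+app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: tea
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: tea
+template:
+metadata:
+labels:
+app: tea
+spec:
+containers:
+- name: tea
+image: nginxdemos/nginx-hello:plain-text
+ports:
+- containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: tea
+spec:
+ports:
+- port: 80
+targetPort: 8080
+protocol: TCP
+name: http
+selector:
+app: tea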
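--- a/examples/external-authentication/external-auth.yaml
+++ b/examples/external-authentication/external-auth.yaml
@@ -0,0 +1,57 @@
+# yamllint disable rule:indentation
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: ext-auth-config
+data:
+default.conf: |
+server {
+listen 8080;
+
+location / {
+if ($http_x_api_key != "my-custom-secret") {
+return 401 "unauthorized";
+}
+return 200 "ok";
+}
+}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: ext-auth-server
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: ext-auth-server
+template:
+metadata:
+labels:
+app: ext-auth-server
+spec:
+containers:
+- name: nginx
+image: nginx:latest
+ports:
+- containerPort: 8080
+volumeMounts:
+- name: config
+mountPath: /etc/nginx/conf.d
+volumes:
+- name: config
+configMap:
+name: ext-auth-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: ext-auth-server
+spec:
+ports:
+- port: 80
+targetPort: 8080
+protocol: TCP
+name: http
+selector:
+app: ext-auth-server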
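Review bot: The shared API key `my-custom-secret` lives in a ConfigMap (`default.conf`) and is compared inline in the nginx `if` block, so the credential is readable by anyone who can read the ConfigMap and cannot be rotated independently of the server config. For a guide example that is acceptable, but a comment at the top of the ConfigMap, `# Demo only: the API key below is a placeholder; real deployments should source it from a Secret, not a ConfigMap`, would make the intent clear to readers reusing the manifest. The Deployment also runs `image: nginx:latest`, a mutable tag (the nginx-hello image in cafe.yaml is likewise tag-pinned only); pinning to a specific version or digest would be a reasonable follow-up across the directory.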
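--- a/examples/external-authentication/gateway.yaml
+++ b/examples/external-authentication/gateway.yaml
@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+name: gateway
+spec:
+gatewayClassName: nginx
+listeners:
+- name: http
+port: 80
+protocol: HTTP
+hostname: "*.example.com"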
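Review bot: The Gateway's only listener is `protocol: HTTP` on port 80, so the X-Api-Key header that the companion cafe-routes.yaml routes through the ExternalAuth filter crosses the client-to-gateway hop unencrypted. That matches the guide's minimal setup, but a comment above `listeners:`, `# Demo only: add an HTTPS listener before sending real credentials through this gateway`, would flag it for anyone reusing the manifest. The `"*.example.com"` wildcard is consistent with the `cafe.example.com` hostnames used by the routes, so no change is needed there.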
Expand Up @@ -20,19 +20,20 @@ func TestFileWatcher_Watch(t *testing.T) {
ctx, cancel := context.WithCancel(t.Context())
defer cancel()

file := path.Join(os.TempDir(), "test-file")
file := path.Join(t.TempDir(), "test-file")
_, err := os.Create(file)
g.Expect(err).ToNot(HaveOccurred())
defer os.Remove(file)

w, err := NewFileWatcher(logr.Discard(), []string{file}, notifyCh)
g.Expect(err).ToNot(HaveOccurred())
w.interval = 300 * time.Millisecond

go w.Watch(ctx)

w.watcher.Events <- fsnotify.Event{Name: file, Op: fsnotify.Write}
g.Eventually(func() bool {
if err := os.WriteFile(file, []byte("data"), 0o600); err != nil {
return false
}
return w.filesChanged.Load()
}).Should(BeTrue())

46 changes: 36 additions & 10 deletions internal/controller/nginx/config/http/config.go
Expand Up @@ -62,12 +62,16 @@ type Location struct {
Return *Return
// ProxySSLVerify controls SSL verification for upstreams when proxying requests.
ProxySSLVerify *ProxySSLVerify
// ProxyPass is the upstream backend (URL or name) to which requests are proxied.
ProxyPass string
// CORSHeaders are the CORS headers to be added for this location.
CORSHeaders []Header
// HTTPMatchKey is the key for associating HTTP match rules, used for routing and NJS module logic.
HTTPMatchKey string
// AuthExternalRequest holds external auth (auth_request) configuration.
AuthExternalRequest *AuthExternalRequest
// AuthJWT contains the configuration for JWT authentication.
AuthJWT *AuthJWT
// AuthBasic contains the configuration for basic authentication.
AuthBasic *AuthBasic
// ProxyPassRequestBody renders proxy_pass_request_body ("on"/"off"); unset leaves the directive out.
ProxyPassRequestBody string
// ProxyPassRequestHeaders renders proxy_pass_request_headers ("on"/"off"); unset leaves the directive out.
ProxyPassRequestHeaders string
// MirrorSplitClientsVariableName is the variable name for split_clients, used in traffic mirroring scenarios.
MirrorSplitClientsVariableName string
// EPPInternalPath is the internal path for the inference NJS module to redirect to.
Expand All @@ -78,10 +82,10 @@ type Location struct {
Type LocationType
// Path is the NGINX location path.
Path string
// AuthBasic contains the configuration for basic authentication.
AuthBasic *AuthBasic
// AuthJWT contains the configuration for JWT authentication.
AuthJWT *AuthJWT
// HTTPMatchKey is the key for associating HTTP match rules, used for routing and NJS module logic.
HTTPMatchKey string
// ProxyPass is the upstream backend (URL or name) to which requests are proxied.
ProxyPass string
// AuthOIDCProviderName is the name of the oidc_provider to be referenced in this location.
AuthOIDCProviderName string
// ResponseHeaders are custom response headers to be sent.
Expand All @@ -94,12 +98,34 @@ type Location struct {
MirrorPaths []string
// Includes are additional NGINX config snippets or policies to include in this location.
Includes []shared.Include
// CORSHeaders are the CORS headers to be added for this location.
CORSHeaders []Header
// EPPPort is the port for the EndpointPicker, used for inference routing.
EPPPort int
// ClientMaxBodySize renders client_max_body_size in bytes; unset leaves the directive out.
ClientMaxBodySize uint16
// GRPC indicates if this location proxies gRPC traffic.
GRPC bool
}

// AuthExternalRequest holds the auth_request configuration for a location.
type AuthExternalRequest struct {
// ProxySSLVerify holds TLS verification config for the auth backend.
ProxySSLVerify *ProxySSLVerify
// InternalPath is the auth subrequest location path.
InternalPath string
// UpstreamName is the upstream to proxy_pass to in the internal location.
UpstreamName string
// PathPrefix is an optional path prefix forwarded to the auth server.
PathPrefix string
// AllowedRequestHeaders are extra headers to proxy_set_header to the auth server.
AllowedRequestHeaders []string
// AllowedResponseHeaders are headers to copy from auth response via auth_request_set.
AllowedResponseHeaders []string
// ForwardBody, if true, enables proxy_pass_request_body in the internal location.
ForwardBody bool
}

// Header defines an HTTP header to be passed to the proxied server.
type Header struct {
Name string
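Review bot: `ClientMaxBodySize uint16` caps the expressible `client_max_body_size` at 65535 bytes; if the ExternalAuth API's `forwardBody.maxSize` can exceed that, the conversion at the mapping site (outside this hunk) must be range-checked or the field widened, since a Go narrowing conversion truncates silently. The field comment should state the bound, e.g. `// ClientMaxBodySize renders client_max_body_size in bytes (at most 65535); unset leaves the directive out.`. In the new `AuthExternalRequest` struct, `AllowedRequestHeaders` and `AllowedResponseHeaders` are, per their comments, rendered into `proxy_set_header` and `auth_request_set` directives, so the header names must already have been validated as header-field tokens before they reach this struct; a sentence on each field such as `// Names must be validated header tokens before rendering.` would document where that check is expected to live. The `ProxyPassRequestBody`/`ProxyPassRequestHeaders` strings encode a tri-state ("on", "off", unset) via the empty string, which their comments cover; a `*bool` would express the same tri-state more type-safely, but that is a matter of style.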