CFP: Support basic-auth/oauth2/mTLS for north-south traffic (GatewayAPI/Ingress)

[chancez]

Cilium Feature Proposal

Describe the feature you'd like

I'd like to be able to expose my applications with various forms of authentication. For example, I want to expose hubble-relay outside of my cluster.

Various authentication mechanisms work better for various situations. Generally all 3 mentioned should be relatively standard APIs for configuration. One thing that would be really nice, is to be able to configure different authentication mechanisms based on different rules. For example, mTLS/client-certs if the request is coming from a certain IP range, and basic-auth/oauth2 if a specific user-agent is set.

(Optional) Describe your proposed solution

I would like these to be expose in GatewayAPI, but Ingress is fine too.

[artyom-p]

Planning to migrate from aws-cni + istio to cilium, we have external auth middleware on istios ingressgateway which redirects user to our keykloak instance, at the moment absence of this feature is one of the blockers for migration.

[youngnick]

@artyom-p, could you point me to any documentation about that middleware? The work to design something to do this for Gateway API is still pretty early, so the more concrete examples we have, the better.

I agree these should be exposed in Gateway API, currently Policy Attachment is the way to do this, because noone is sure of the right way to describe the config.

tl;dr Upstream Gateway API design work needs to happen before we can implement this for Gateway API. I'd prefer to wait for that than to add a whole bunch of annotations to Ingress (annotations are sticky and unstructured, which is a bad combination for supportability.)

[artyom-p]

Thats not related to Gateway API, its a feature of Istio/Envoy itself, just a middleware. You can check example here.

[chancez]

Yeah, that filter would be pretty useful. It's pretty common to avoid double proxying with an auth proxy, and using the auth proxy to act more as an authentication/authorization API. This is often used with oauth2-proxy/authelia. I agree adding support for that would be very useful for a lot of users.

[youngnick]

Ah, okay, that's using the ext_auth support, I agree that's very useful, thanks.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[github-actions]

This issue has not seen any activity since it was marked stale.
Closing.

[laibe]

would be very much interested in this feature as well!