envoyproxy · mattklein123 · Aug 2, 2021 · Jul 27, 2021 · Jul 29, 2021 · Jul 29, 2021
diff --git a/source/server/config_validation/server.cc b/source/server/config_validation/server.cc
@@ -78,22 +78,21 @@ void ValidationInstance::initialize(const Options& options,
   // If we get all the way through that stripped-down initialization flow, to the point where we'd
   // be ready to serve, then the config has passed validation.
   // Handle configuration that needs to take place prior to the main configuration load.
-  envoy::config::bootstrap::v3::Bootstrap bootstrap;
-  InstanceUtil::loadBootstrapConfig(bootstrap, options,
+  InstanceUtil::loadBootstrapConfig(bootstrap_, options,
                                     messageValidationContext().staticValidationVisitor(), *api_);
 
-  Config::Utility::createTagProducer(bootstrap);
-  bootstrap.mutable_node()->set_hidden_envoy_deprecated_build_version(VersionInfo::version());
+  Config::Utility::createTagProducer(bootstrap_);
+  bootstrap_.mutable_node()->set_hidden_envoy_deprecated_build_version(VersionInfo::version());
 
   local_info_ = std::make_unique<LocalInfo::LocalInfoImpl>(
-      stats().symbolTable(), bootstrap.node(), bootstrap.node_context_params(), local_address,
+      stats().symbolTable(), bootstrap_.node(), bootstrap_.node_context_params(), local_address,
       options.serviceZone(), options.serviceClusterName(), options.serviceNodeName());
 
   overload_manager_ = std::make_unique<OverloadManagerImpl>(
-      dispatcher(), stats(), threadLocal(), bootstrap.overload_manager(),
+      dispatcher(), stats(), threadLocal(), bootstrap_.overload_manager(),
       messageValidationContext().staticValidationVisitor(), *api_, options_);
-  Configuration::InitialImpl initial_config(bootstrap, options);
-  initial_config.initAdminAccessLog(bootstrap, *this);
+  Configuration::InitialImpl initial_config(bootstrap_, options);
+  initial_config.initAdminAccessLog(bootstrap_, *this);
   admin_ = std::make_unique<Server::ValidationAdmin>(initial_config.admin().address());
   listener_manager_ =
       std::make_unique<ListenerManagerImpl>(*this, *this, *this, false, quic_stat_names_);
@@ -107,7 +106,7 @@ void ValidationInstance::initialize(const Options& options,
       localInfo(), *secret_manager_, messageValidationContext(), *api_, http_context_,
       grpc_context_, router_context_, accessLogManager(), singletonManager(), options,
       quic_stat_names_);
-  config_.initialize(bootstrap, *this, *cluster_manager_factory_);
+  config_.initialize(bootstrap_, *this, *cluster_manager_factory_);
   runtime().initialize(clusterManager());
   clusterManager().setInitializedCb([this]() -> void { init_manager_.initialize(init_watcher_); });
 }

diff --git a/source/server/config_validation/server.h b/source/server/config_validation/server.h
@@ -112,7 +112,7 @@ class ValidationInstance final : Logger::Loggable<Logger::Id::main>,
   bool enableReusePortDefault() override { return true; }
 
   Configuration::StatsConfig& statsConfig() override { return config_.statsConfig(); }
-  envoy::config::bootstrap::v3::Bootstrap& bootstrap() override { NOT_IMPLEMENTED_GCOVR_EXCL_LINE; }
+  envoy::config::bootstrap::v3::Bootstrap& bootstrap() override { return bootstrap_; }
   Configuration::ServerFactoryContext& serverFactoryContext() override { return server_contexts_; }
   Configuration::TransportSocketFactoryContext& transportSocketFactoryContext() override {
     return server_contexts_;
@@ -199,6 +199,7 @@ class ValidationInstance final : Logger::Loggable<Logger::Id::main>,
   Event::DispatcherPtr dispatcher_;
   std::unique_ptr<Server::ValidationAdmin> admin_;
   Singleton::ManagerPtr singleton_manager_;
+  envoy::config::bootstrap::v3::Bootstrap bootstrap_;
   std::unique_ptr<Runtime::ScopedLoaderSingleton> runtime_singleton_;
   Random::RandomGeneratorImpl random_generator_;
   std::unique_ptr<Ssl::ContextManager> ssl_context_manager_;

@@ -56,10 +56,15 @@ envoy_extension_cc_test(
 envoy_extension_cc_test(
     name = "ext_authz_integration_test",
     srcs = ["ext_authz_integration_test.cc"],
+    data = [
+        "ext_authz.yaml",
+    ],
     extension_names = ["envoy.filters.http.ext_authz"],
     deps = [
         "//source/extensions/filters/http/ext_authz:config",
+        "//source/server/config_validation:server_lib",
         "//test/integration:http_integration_lib",
+        "//test/mocks/server:options_mocks",
         "//test/test_common:utility_lib",
         "@envoy_api//envoy/config/bootstrap/v3:pkg_cc_proto",
         "@envoy_api//envoy/config/listener/v3:pkg_cc_proto",

@@ -0,0 +1,77 @@
+# Regression test for https://github.com/envoyproxy/envoy/issues/17344
+static_resources:
+  listeners:
+    - address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 8080
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: local_service
+                      domains: ["*"]
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: local_service
+                http_filters:
+                  - name: envoy.ext_authz
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                      failure_mode_allow: false
+                      transport_api_version: V3
+                      status_on_error:
+                        code: 503
+                      grpc_service:
+                        envoy_grpc:
+                          cluster_name: ext_authz-service
+                        timeout: 0.5s
+                      with_request_body:
+                        max_request_bytes: 10240
+                        allow_partial_message: true
+                        pack_as_bytes: false
+                  - name: envoy.filters.http.router
+                    typed_config: {}
+  clusters:
+    - name: local_service
+      connect_timeout: 30s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: local_service
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: main
+                      port_value: 8080
+    - name: ext_authz-service
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      typed_extension_protocol_options:
+        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+          explicit_http_config:
+            http2_protocol_options: {}
+      load_assignment:
+        cluster_name: ext_authz-service
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: opa
+                      port_value: 80
+admin:
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8081
@@ -4,9 +4,11 @@
 #include "envoy/service/auth/v3/external_auth.pb.h"
 
 #include "source/common/common/macros.h"
+#include "source/server/config_validation/server.h"
 
 #include "test/common/grpc/grpc_client_integration.h"
 #include "test/integration/http_integration.h"
+#include "test/mocks/server/options.h"
 #include "test/test_common/utility.h"
 
 #include "absl/strings/str_format.h"
@@ -887,4 +889,13 @@ TEST_P(ExtAuthzGrpcIntegrationTest, GoogleAsyncClientCreation) {
   cleanup();
 }
 
+// Regression test for https://github.com/envoyproxy/envoy/issues/17344
+TEST(ExtConfigValidateTest, Validate) {
+  Server::TestComponentFactory component_factory;
+  EXPECT_TRUE(validateConfig(testing::NiceMock<Server::MockOptions>(TestEnvironment::runfilesPath(
+                                 "test/extensions/filters/http/ext_authz/ext_authz.yaml")),
+                             Network::Address::InstanceConstSharedPtr(), component_factory,
+                             Thread::threadFactoryForTest(), Filesystem::fileSystemForTest()));
+}
+
 } // namespace Envoy