ext_authz: Add ability to enable via a runtime fractional percent (#8763)

Signed-off-by: Gastón Kleiman <gkleiman@lyft.com>

Mirrored from https://github.com/envoyproxy/envoy @ 57748e72f79e14217980b09d20c17f865459231f

envoy/api/v2/core/base.proto

@@ -288,6 +288,14 @@ message SocketOption {
 
 // Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
 // specified via a runtime key.
+//
+// .. note::
+//
+//   Parsing of the runtime key's data is implemented such that it may be represented as a
+//   :ref:`FractionalPercent <envoy_api_msg_type.FractionalPercent>` proto represented as JSON/YAML
+//   and may also be represented as an integer with the assumption that the value is an integral
+//   percentage out of 100. For instance, a runtime key lookup returning the value "42" would parse
+//   as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
 message RuntimeFractionalPercent {
   // Default value if the runtime value's for the numerator/denominator keys are not available.
   type.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}];

envoy/api/v2/route/route.proto

@@ -475,7 +475,7 @@ message CorsPolicy {
   google.protobuf.BoolValue allow_credentials = 6;
 
   oneof enabled_specifier {
-    // Specifies if CORS is enabled. Defaults to true. Only effective on route.
+    // Specifies if the CORS filter is enabled. Defaults to true. Only effective on route.
     //
     // .. attention::
     //
@@ -483,28 +483,25 @@ message CorsPolicy {
     //   :ref:`filter_enabled<envoy_api_field_route.CorsPolicy.filter_enabled>` field instead.
     google.protobuf.BoolValue enabled = 7 [deprecated = true];
 
-    // Specifies if CORS is enabled.
+    // Specifies the % of requests for which the CORS filter is enabled.
     //
-    // More information on how this can be controlled via runtime can be found
-    // :ref:`here <cors-runtime>`.
+    // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS
+    // filter will be enabled for 100% of the requests.
     //
-    // .. note::
-    //
-    //   This field defaults to 100/:ref:`HUNDRED
-    //   <envoy_api_enum_type.FractionalPercent.DenominatorType>`.
+    // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is
+    // specified, Envoy will lookup the runtime key to get the percentage of requests to filter.
     core.RuntimeFractionalPercent filter_enabled = 9;
   }
 
-  // Specifies if CORS policies are evaluated and tracked when filter is off but
-  // does not enforce any policies.
-  //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <cors-runtime>`.
+  // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not
+  // enforced.
   //
-  // .. note::
+  // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those
+  // fields have to explicitly disable the filter in order for this setting to take effect.
   //
-  //   This field defaults to 100/:ref:`HUNDRED
-  //   <envoy_api_enum_type.FractionalPercent.DenominatorType>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's *Origin* to determine if it's valid but will not enforce any policies.
   core.RuntimeFractionalPercent shadow_enabled = 10;
 }
 
@@ -560,16 +557,6 @@ message RouteAction {
     // For some fraction N/D, a random number in the range [0,D) is selected. If the
     // number is <= the value of the numerator N, or if the key is not present, the default
     // value, the request will be mirrored.
-    //
-    // .. note::
-    //
-    //   Parsing this field is implemented such that the runtime key's data may be represented
-    //   as a :ref:`FractionalPercent <envoy_api_msg_type.FractionalPercent>` proto represented
-    //   as JSON/YAML and may also be represented as an integer with the assumption that the value
-    //   is an integral percentage out of 100. For instance, a runtime key lookup returning the
-    //   value "42" would parse as a `FractionalPercent` whose numerator is 42 and denominator is
-    //   HUNDRED. This is behaviour is different to that of the deprecated `runtime_key` field,
-    //   where the implicit denominator is 10000.
     core.RuntimeFractionalPercent runtime_fraction = 3;
   }
 

envoy/api/v3alpha/core/base.proto

@@ -291,6 +291,14 @@ message SocketOption {
 
 // Runtime derived FractionalPercent with defaults for when the numerator or denominator is not
 // specified via a runtime key.
+//
+// .. note::
+//
+//   Parsing of the runtime key's data is implemented such that it may be represented as a
+//   :ref:`FractionalPercent <envoy_api_msg_type.v3alpha.FractionalPercent>` proto represented as
+//   JSON/YAML and may also be represented as an integer with the assumption that the value is an
+//   integral percentage out of 100. For instance, a runtime key lookup returning the value "42"
+//   would parse as a `FractionalPercent` whose numerator is 42 and denominator is HUNDRED.
 message RuntimeFractionalPercent {
   // Default value if the runtime value's for the numerator/denominator keys are not available.
   type.v3alpha.FractionalPercent default_value = 1 [(validate.rules).message = {required: true}];

envoy/api/v3alpha/route/route.proto

@@ -431,28 +431,25 @@ message CorsPolicy {
   google.protobuf.BoolValue allow_credentials = 6;
 
   oneof enabled_specifier {
-    // Specifies if CORS is enabled.
+    // Specifies the % of requests for which the CORS filter is enabled.
     //
-    // More information on how this can be controlled via runtime can be found
-    // :ref:`here <cors-runtime>`.
+    // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS
+    // filter will be enabled for 100% of the requests.
     //
-    // .. note::
-    //
-    //   This field defaults to 100/:ref:`HUNDRED
-    //   <envoy_api_enum_type.v3alpha.FractionalPercent.DenominatorType>`.
+    // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is
+    // specified, Envoy will lookup the runtime key to get the percentage of requests to filter.
     core.RuntimeFractionalPercent filter_enabled = 9;
   }
 
-  // Specifies if CORS policies are evaluated and tracked when filter is off but
-  // does not enforce any policies.
-  //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <cors-runtime>`.
+  // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not
+  // enforced.
   //
-  // .. note::
+  // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those
+  // fields have to explicitly disable the filter in order for this setting to take effect.
   //
-  //   This field defaults to 100/:ref:`HUNDRED
-  //   <envoy_api_enum_type.v3alpha.FractionalPercent.DenominatorType>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's *Origin* to determine if it's valid but will not enforce any policies.
   core.RuntimeFractionalPercent shadow_enabled = 10;
 }
 
@@ -498,16 +495,6 @@ message RouteAction {
     // For some fraction N/D, a random number in the range [0,D) is selected. If the
     // number is <= the value of the numerator N, or if the key is not present, the default
     // value, the request will be mirrored.
-    //
-    // .. note::
-    //
-    //   Parsing this field is implemented such that the runtime key's data may be represented
-    //   as a :ref:`FractionalPercent <envoy_api_msg_type.v3alpha.FractionalPercent>` proto
-    //   represented as JSON/YAML and may also be represented as an integer with the assumption that
-    //   the value is an integral percentage out of 100. For instance, a runtime key lookup
-    //   returning the value "42" would parse as a `FractionalPercent` whose numerator is 42 and
-    //   denominator is HUNDRED. This is behaviour is different to that of the deprecated
-    //   `runtime_key` field, where the implicit denominator is 10000.
     core.RuntimeFractionalPercent runtime_fraction = 3;
   }
 

envoy/config/filter/http/csrf/v2/csrf.proto

@@ -16,10 +16,10 @@ import "validate/validate.proto";
 
 // CSRF filter config.
 message CsrfPolicy {
-  // Specifies if CSRF is enabled.
+  // Specifies the % of requests for which the CSRF filter is enabled.
   //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <csrf-runtime>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests to filter.
   //
   // .. note::
   //
@@ -29,15 +29,13 @@ message CsrfPolicy {
       [(validate.rules).message = {required: true}];
 
   // Specifies that CSRF policies will be evaluated and tracked, but not enforced.
-  // This is intended to be used when filter_enabled is off.
   //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <csrf-runtime>`.
+  // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise.
   //
-  // .. note::
-  //
-  //   This field defaults to 100/:ref:`HUNDRED
-  //   <envoy_api_enum_type.FractionalPercent.DenominatorType>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's *Origin* and *Destination* to determine if it's valid, but will not
+  // enforce any policies.
   api.v2.core.RuntimeFractionalPercent shadow_enabled = 2;
 
   // Specifies additional source origins that will be allowed in addition to

envoy/config/filter/http/csrf/v3alpha/csrf.proto

@@ -16,10 +16,10 @@ import "validate/validate.proto";
 
 // CSRF filter config.
 message CsrfPolicy {
-  // Specifies if CSRF is enabled.
+  // Specifies the % of requests for which the CSRF filter is enabled.
   //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <csrf-runtime>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests to filter.
   //
   // .. note::
   //
@@ -29,15 +29,13 @@ message CsrfPolicy {
       [(validate.rules).message = {required: true}];
 
   // Specifies that CSRF policies will be evaluated and tracked, but not enforced.
-  // This is intended to be used when filter_enabled is off.
   //
-  // More information on how this can be controlled via runtime can be found
-  // :ref:`here <csrf-runtime>`.
+  // This is intended to be used when ``filter_enabled`` is off and will be ignored otherwise.
   //
-  // .. note::
-  //
-  //   This field defaults to 100/:ref:`HUNDRED
-  //   <envoy_api_enum_type.v3alpha.FractionalPercent.DenominatorType>`.
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's *Origin* and *Destination* to determine if it's valid, but will not
+  // enforce any policies.
   api.v3alpha.core.RuntimeFractionalPercent shadow_enabled = 2;
 
   // Specifies additional source origins that will be allowed in addition to

envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -17,7 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message ExtAuthz {
   // External authorization service configuration.
   oneof services {
@@ -82,6 +82,14 @@ message ExtAuthz {
   //    - envoy.filters.http.jwt_authn
   //
   repeated string metadata_context_namespaces = 8;
+
+  // Specifies if the filter is enabled.
+  //
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests to filter.
+  //
+  // If this field is not specified, the filter will be enabled for all requests.
+  api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
 }
 
 // Configuration for buffering the request data.

envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto

@@ -17,7 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 
-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message ExtAuthz {
   reserved 4;
 
@@ -80,6 +80,14 @@ message ExtAuthz {
   //    - envoy.filters.http.jwt_authn
   //
   repeated string metadata_context_namespaces = 8;
+
+  // Specifies if the filter is enabled.
+  //
+  // If :ref:`runtime_key <envoy_api_field_core.runtimefractionalpercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests to filter.
+  //
+  // If this field is not specified, the filter will be enabled for all requests.
+  api.v3alpha.core.RuntimeFractionalPercent filter_enabled = 9;
 }
 
 // Configuration for buffering the request data.

envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto

@@ -124,13 +124,6 @@ message RedisProxy {
         //
         // If specified, Envoy will lookup the runtime key to get the percentage of requests to the
         // mirror.
-        //
-        // Parsing this field is implemented such that the runtime key's data may be represented
-        // as a :ref:`FractionalPercent <envoy_api_msg_type.FractionalPercent>` proto represented
-        // as JSON/YAML and may also be represented as an integer with the assumption that the value
-        // is an integral percentage out of 100. For instance, a runtime key lookup returning the
-        // value "42" would parse as a `FractionalPercent` whose numerator is 42 and denominator is
-        // HUNDRED.
         api.v2.core.RuntimeFractionalPercent runtime_fraction = 2;
 
         // Set this to TRUE to only mirror write commands, this is effectively replicating the

envoy/config/filter/network/redis_proxy/v3alpha/redis_proxy.proto

@@ -124,13 +124,6 @@ message RedisProxy {
         //
         // If specified, Envoy will lookup the runtime key to get the percentage of requests to the
         // mirror.
-        //
-        // Parsing this field is implemented such that the runtime key's data may be represented
-        // as a :ref:`FractionalPercent <envoy_api_msg_type.v3alpha.FractionalPercent>` proto
-        // represented as JSON/YAML and may also be represented as an integer with the assumption
-        // that the value is an integral percentage out of 100. For instance, a runtime key lookup
-        // returning the value "42" would parse as a `FractionalPercent` whose numerator is 42 and
-        // denominator is HUNDRED.
         api.v3alpha.core.RuntimeFractionalPercent runtime_fraction = 2;
 
         // Set this to TRUE to only mirror write commands, this is effectively replicating the