support for envoy ext_proc in OPA

[rshriram]

OPA currently supports Envoy's ext_authz protocol (unary gRPC). Envoy now has a more extensible and stream based protocol for extensibility (ext_proc) that provides a structured way to interpose on request headers/body etc. This feature request is to add support for the Envoy ext_proc protocol to OPA's envoy plugin. The main benefit of this feature is that as an end user, I will have to use only one extensibility protocol in Envoy that can be used for multiple purposes: authorization, body transformation or any kind of traffic mutation.

[ashutosh-narkar]

Thanks for filing this request.

The main benefit of this feature is that as an end user, I will have to use only one extensibility protocol in Envoy that can be used for multiple purposes: authorization, body transformation or any kind of traffic mutation.

Currently you would have to use the ext_authz filter plus other filters to make this work but ext_proc can do all this. Is this correct?

From the ext_proc docs this is a WIP but most functionality seems to be implemented.

[rshriram]

Currently, the user would have to do ext_authz filter (and implement ext_authz protocol on their side) for authz, and then ext_proc filter for body transformation etc (and implement ext_proc protocol on their side). This is going to lead to toil and a situation where they refuse to use one or other due to additional work involved.

ext_proc is marked as production ready. What part of it is WIP?

[ashutosh-narkar]

Thanks for the context.

ext_proc is marked as production ready. What part of it is WIP?

From https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter

This filter is a work in progress. Most of the major bits of functionality are complete. The updated list of supported features and implementation status may be found on the reference page.

From https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#envoy-v3-api-msg-extensions-filters-http-ext-proc-v3-externalprocessor

Current Implementation Status: All options and processing modes are implemented except for the following:
“async mode” is not implemented.

[rshriram]

Async mode is completely irrelevant for OPA. async is an enhancement for observability use cases. Could we get some estimate on how long it would take to support this?

[ashutosh-narkar]

This seems like a good addition. If you'd like to contribute the feature that would be great! We'd be happy to help with any questions, reviews etc. We could also leave this open for sometime for other folks in the community wanting this feature as well to chime in and perhaps submit a contribution.

[stale]

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.