envoy: add hash policy and routing key for hash-based load balancers (#2791)

* envoy: add hash policy and routing key for hash-based load balancers * fix integration test * fix nginx
2025-08-04 09:19:39 +02:00 · 2021-12-01 13:42:12 -07:00 · 2021-12-01 13:42:12 -07:00 · c97dcf7e0f
commit c97dcf7e0f
parent bd0a5389bf
56 changed files with 12935 additions and 182 deletions
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"

+	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	"github.com/open-policy-agent/opa/rego"

 	"github.com/pomerium/pomerium/authorize/evaluator/opa"
@ -16,6 +17,7 @@ import (
 // HeadersRequest is the input to the headers.rego script.
 type HeadersRequest struct {
 	EnableGoogleCloudServerlessAuthentication bool           `json:"enable_google_cloud_serverless_authentication"`
+	EnableRoutingKey                          bool           `json:"enable_routing_key"`
 	FromAudience                              string         `json:"from_audience"`
 	KubernetesServiceAccountToken             string         `json:"kubernetes_service_account_token"`
 	ToAudience                                string         `json:"to_audience"`
@ -26,6 +28,8 @@ type HeadersRequest struct {
 func NewHeadersRequestFromPolicy(policy *config.Policy) *HeadersRequest {
 	input := new(HeadersRequest)
 	input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
+	input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
+		policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_MAGLEV
 	if u, err := urlutil.ParseAndValidateURL(policy.From); err == nil {
 		input.FromAudience = u.Hostname()
 	}
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -2,6 +2,7 @@ package pomerium.headers

 # input:
 #   enable_google_cloud_serverless_authentication: boolean
+#   enable_routing_key: boolean
 #   from_audience: string
 #   kubernetes_service_account_token: string
 #   session:
@ -206,6 +207,15 @@ google_cloud_serverless_headers = h {
 	true
 }

+routing_key_headers = h {
+    input.enable_routing_key
+    h := [
+        ["x-pomerium-routing-key", crypto.sha256(input.session.id)]
+    ]
+} else = [] {
+    true
+}
+
 identity_headers := {key: values |
 	h1 := [["x-pomerium-jwt-assertion", signed_jwt]]
 	h2 := [[header_name, header_value] |
@ -223,8 +233,9 @@ identity_headers := {key: values |

 	h3 := kubernetes_headers
 	h4 := [[k, v] | v := google_cloud_serverless_headers[k]]
+	h5 := routing_key_headers

-	h := array.concat(array.concat(array.concat(h1, h2), h3), h4)
+	h := array.concat(array.concat(array.concat(array.concat(h1, h2), h3), h4), h5)

 	some i
 	[key, v1] := h[i]