🌿 GROVE ONLY
This section is only relevant to Grove's Portal authentication implementation.
If you are not using Grove's Portal authentication, you will likely not find anything of value here.
But feel free to take a look if you're curious.
Overview
GUARD contains configurations to implement authentication for PATH in a way that is compatible with Grove's Portal.
This Grove-specific implementation utilizes Envoy Gateway's External Authorization feature, which wraps Envoy Proxy's ext_authz gRPC interface.
🫛 PEAS - PATH External Auth Server
PEAS is the Grove-specific implementation of Envoy Gateway's External Authorization feature.
This is a gRPC server that is responsible for checking if a request is authorized to access a specific service.
It connects to the Grove Portal database to get the auth data and stores it in an in-memory cache.
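The pattern described above, as an added Go example that is not PEAS's code and not taken from the Grove repositories: authorization decisions are answered from an in-memory snapshot of database rows, and every path that is not an explicit match denies. The `AuthRecord` type, the endpoint IDs and the API keys are assumptions for illustration; this page does not describe the Portal schema or the request fields PEAS inspects.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
)

// AuthRecord is a hypothetical cached row; an empty APIKey means no key is required (assumption).
type AuthRecord struct{ APIKey string }

// Cache is an in-memory snapshot of auth data keyed by a hypothetical endpoint ID.
type Cache struct {
	mu   sync.RWMutex
	rows map[string]AuthRecord // nil until the first Refresh
}

// Refresh swaps in a private copy of the rows, as a periodic database reload would.
func (c *Cache) Refresh(rows map[string]AuthRecord) {
	cp := make(map[string]AuthRecord, len(rows))
	for k, v := range rows {
		cp[k] = v
	}
	c.mu.Lock()
	c.rows = cp
	c.mu.Unlock()
}

// Check denies unless the endpoint is known and the key matches (fail closed).
func (c *Cache) Check(endpointID, apiKey string) (bool, string) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	if c.rows == nil {
		return false, "auth data not loaded"
	}
	rec, ok := c.rows[endpointID]
	if !ok {
		return false, "unknown endpoint"
	}
	if rec.APIKey != "" && subtle.ConstantTimeCompare([]byte(rec.APIKey), []byte(apiKey)) != 1 {
		return false, "invalid API key"
	}
	return true, "ok"
}

func main() {
	c := &Cache{}
	c.Refresh(map[string]AuthRecord{"ep-1": {APIKey: "key-1"}}) // constructed sample row
	fmt.Println(c.Check("ep-1", "key-1"))
}
```
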
Architecture Diagram
graph TD
User[/"<big>PATH<br>User</big>"\]
Envoy[<big>Envoy Proxy</big>]
AUTH["PEAS (PATH External Auth Server)"]
AUTH_DECISION{Did<br>Authorize<br>Request?}
PATH[<big>PATH</big>]
Error[[Error Returned to User]]
Result[[Result Returned to User]]
GroveDB[("Grove Portal Database<br>(Postgres)")]
subgraph AUTH["PEAS<br/>PATH External Auth Server"]
end
User -->|1.Send Request| Envoy
Envoy -.->|2.Authorization Check<br>gRPC| AUTH
AUTH -.->|3.Authorization Result<br>gRPC| Envoy
Envoy --> AUTH_DECISION
AUTH_DECISION -->|4.No <br> Forward Request| Error
AUTH_DECISION -->|4.Yes <br> Forward Request| PATH
PATH -->|5.Response| Result
GroveDB <-->|Postgres Connection| AUTH
Enabling Grove Auth
To enable Grove Auth, you need to set the following values in the values.yaml file:
guard.auth.groveLegacy.enabled = true
guard.auth.groveLegacy.peas.enabled = true
PEAS Documentation
Grove Portal Database
README.md
Documentation References
Helm Charts
For the full GUARD Helm Chart documentation, see GUARD Helm Chart.
For the Grove Auth code in the Helm Charts repo, see:
Envoy External Docs
For an example walkthrough of implementing external authorization with Envoy Gateway, see:
For Envoy Proxy's ext_authz HTTP Filter documentation (how PEAS communicates with Envoy), see:
