From b65eb934804cfefef0785653f0b0f7a5622e3cad Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Tue, 7 Jan 2025 06:56:37 +0000
Subject: [PATCH] xds translation
Signed-off-by: Huabing Zhao
---
 internal/gatewayapi/securitypolicy.go | 6 +-
 internal/gatewayapi/securitypolicy_test.go | 3 +-
 ...ritypolicy-with-jwt-backendcluster.in.yaml | 44 +++++++++++
 ...itypolicy-with-jwt-backendcluster.out.yaml | 38 ++++++++++
 internal/ir/xds_test.go | 46 +-----------
 internal/xds/translator/jwt.go | 48 +++++++++---
 .../in/xds-ir/jwt-with-backend-tls-retry.yaml | 75 +++++++++++++++++++
 .../jwt-with-backend-tls-retry.clusters.yaml | 68 +++++++++++++++++
 .../jwt-with-backend-tls-retry.endpoints.yaml | 12 +++
 .../jwt-with-backend-tls-retry.listeners.yaml | 66 ++++++++++++++++
 .../jwt-with-backend-tls-retry.routes.yaml | 33 ++++++++
 .../jwt-with-backend-tls-retry.secrets.yaml | 4 +
 12 files changed, 386 insertions(+), 57 deletions(-)
 create mode 100644 internal/xds/translator/testdata/in/xds-ir/jwt-with-backend-tls-retry.yaml
 create mode 100644 internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.clusters.yaml
 create mode 100644 internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.endpoints.yaml
 create mode 100644 internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml
 create mode 100644 internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.routes.yaml
 create mode 100644 internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.secrets.yaml
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 684263118ed..6585f737e84 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -578,7 +578,8 @@ func wildcard2regex(wildcard string) string {
 func (t *Translator) buildJWT(
 policy *egv1a1.SecurityPolicy,
 resources *resource.Resources,
- envoyProxy *egv1a1.EnvoyProxy) (*ir.JWT, error) {
+ envoyProxy *egv1a1.EnvoyProxy,
+) (*ir.JWT, error) {
 if err := validateJWTProvider(policy.Spec.JWT.Providers); err != nil {
 return nil, err
 }
@@ -677,7 +678,8 @@ func (t *Translator) buildRemoteJWKS(
 remoteJWKS *egv1a1.RemoteJWKS,
 index int,
 resources *resource.Resources,
- envoyProxy *egv1a1.EnvoyProxy) (*ir.RemoteJWKS, error) {
+ envoyProxy *egv1a1.EnvoyProxy,
+) (*ir.RemoteJWKS, error) {
 var (
 protocol ir.AppProtocol
 rd *ir.RouteDestination
diff --git a/internal/gatewayapi/securitypolicy_test.go b/internal/gatewayapi/securitypolicy_test.go
index f9a326db538..8b32d0a2406 100644
--- a/internal/gatewayapi/securitypolicy_test.go
+++ b/internal/gatewayapi/securitypolicy_test.go
@@ -9,9 +9,10 @@ import (
 "regexp"
 "testing"
- egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
+
+ egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 )
 func Test_wildcard2regex(t *testing.T) {
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.in.yaml
index 70f2e4fb8ec..57cdd9c3840 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.in.yaml
@@ -44,6 +44,50 @@ backends:
 - fqdn:
 hostname: 'foo.bar.com'
 port: 443
+configMaps:
+- apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: default
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRefs:
+ - group: "gateway.envoyproxy.io"
+ kind: Backend
+ name: backend-fqdn
+ validation:
+ caCertificateRefs:
+ - name: ca-cmap
+ group: ""
+ kind: ConfigMap
+ hostname: foo.bar.com
 securityPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml
index e05aeea1877..bf6d4380286 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-backendcluster.out.yaml
@@ -1,3 +1,35 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls
+ namespace: default
+ spec:
+ targetRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-fqdn
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: foo.bar.com
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ name: policy-for-route
+ namespace: default
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
 backends:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
@@ -228,6 +260,12 @@ xdsIR:
 - host: foo.bar.com
 port: 443
 protocol: HTTPS
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ certificate: 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
+ name: policy-btls/default-ca
+ sni: foo.bar.com
 weight: 1
 traffic:
 retry:
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index c73faf7eb44..fc733b5727b 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -501,10 +501,10 @@ var (
 },
 Security: &SecurityFeatures{
 JWT: &JWT{
- Providers: []egv1a1.JWTProvider{
+ Providers: []JWTProvider{
 {
 Name: "test1",
- RemoteJWKS: egv1a1.RemoteJWKS{
+ RemoteJWKS: RemoteJWKS{
 URI: "https://test1.local",
 },
 },
@@ -1236,48 +1236,6 @@ func TestValidateStringMatch(t *testing.T) {
 }
 }
-func TestValidateJWT(t *testing.T) {
- tests := []struct {
- name string
- input JWT
- want error
- }{
- {
- name: "nil rules",
- input: JWT{
- Providers: nil,
- },
- want: nil,
- },
- {
- name: "provider with remote jwks uri",
- input: JWT{
- Providers: []egv1a1.JWTProvider{
- {
- Name: "test",
- Issuer: "https://test.local",
- Audiences: []string{"test1", "test2"},
- RemoteJWKS: egv1a1.RemoteJWKS{
- URI: "https://test.local",
- },
- },
- },
- },
- want: nil,
- },
- }
- for i := range tests {
- test := tests[i]
- t.Run(test.name, func(t *testing.T) {
- if test.want == nil {
- require.NoError(t, test.input.Validate())
- } else {
- require.EqualError(t, test.input.Validate(), test.want.Error())
- }
- })
- }
-}
-
 func TestValidateLoadBalancer(t *testing.T) {
 tests := []struct {
 name string
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index bc3e8d1b16e..2f93854b07c 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -102,11 +102,21 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 var reqs []*jwtauthnv3.JwtRequirement
 for i := range route.Security.JWT.Providers {
- irProvider := route.Security.JWT.Providers[i]
- // Create the cluster for the remote jwks, if it doesn't exist.
- jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
- if err != nil {
- return nil, err
+ var (
+ irProvider = route.Security.JWT.Providers[i]
+ jwks = irProvider.RemoteJWKS
+ jwksCluster string
+ err error
+ )
+
+ if jwks.Destination != nil && len(jwks.Destination.Settings) > 0 {
+ jwksCluster = jwks.Destination.Name
+ } else {
+ var cluster *urlCluster
+ if cluster, err = url2Cluster(jwks.URI); err != nil {
+ return nil, err
+ }
+ jwksCluster = cluster.name
 }
 remote := &jwtauthnv3.JwtProvider_RemoteJwks{
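Review bot: The new cluster selection in buildJWTAuthn silently falls back to a cluster derived from `jwks.URI` whenever `jwks.Destination` is nil or has an empty `Settings` slice, so a remoteJWKS whose backendRef produced a Destination with no endpoints would fetch signing keys from the URI host under whatever TLS trust `addClusterFromURL` applies, not under the BackendTLSPolicy-derived `tls` block the operator configured (the block visible in the new testdata). I cannot tell from this hunk whether the gatewayapi layer can emit that state, so either confirm it cannot or reject it explicitly before the `else`: `if jwks.Destination != nil && len(jwks.Destination.Settings) == 0 { return nil, errors.New("remote JWKS destination has no endpoints") }`. The same two-part predicate is repeated verbatim in patchResources; if the two copies ever diverge the filter will reference a cluster that was never added (or add one that is never referenced), so a shared helper such as `func remoteJWKSHasBackend(jwks ir.RemoteJWKS) bool` would keep them in lockstep. The enclosing `for i := range route.Security.JWT.Providers` loop and buildJWTAuthn itself continue outside the hunk.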
@@ -114,7 +124,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 HttpUri: &corev3.HttpUri{
 Uri: irProvider.RemoteJWKS.URI,
 HttpUpstreamType: &corev3.HttpUri_Cluster{
- Cluster: jwksCluster.name,
+ Cluster: jwksCluster,
 },
 Timeout: &durationpb.Duration{Seconds: defaultExtServiceRequestTimeout},
 },
@@ -123,6 +133,15 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 },
 }
+ // Set the retry policy if it exists.
+ if jwks.Traffic != nil && jwks.Traffic.Retry != nil {
+ var rp *corev3.RetryPolicy
+ if rp, err = buildNonRouteRetryPolicy(jwks.Traffic.Retry); err != nil {
+ return nil, err
+ }
+ remote.RemoteJwks.RetryPolicy = rp
+ }
+
 claimToHeaders := []*jwtauthnv3.JwtClaimToHeader{}
 for _, claimToHeader := range irProvider.ClaimToHeaders {
 claimToHeader := &jwtauthnv3.JwtClaimToHeader{
@@ -264,17 +283,26 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 return errors.New("xds resource table is nil")
 }
- var err, errs error
+ var errs error
 for _, route := range routes {
 if !routeContainsJWTAuthn(route) {
 continue
 }
 for i := range route.Security.JWT.Providers {
- provider := route.Security.JWT.Providers[i]
+ jwks := route.Security.JWT.Providers[i].RemoteJWKS
- if err = addClusterFromURL(provider.RemoteJWKS.URI, tCtx); err != nil {
- errs = errors.Join(errs, err)
+ // If the rmote JWKS has a destination, use it.
+ if jwks.Destination != nil && len(jwks.Destination.Settings) > 0 {
+ if err := createExtServiceXDSCluster(
+ jwks.Destination, jwks.Traffic, tCtx); err != nil {
+ errs = errors.Join(errs, err)
+ }
+ } else {
+ // Create a cluster with the token endpoint url.
+ if err := addClusterFromURL(jwks.URI, tCtx); err != nil {
+ errs = errors.Join(errs, err)
+ }
 }
 }
 }
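Review bot: The two new comments in the patchResources hunk mislead: `// If the rmote JWKS has a destination, use it.` has a typo (`remote`), and `// Create a cluster with the token endpoint url.` describes the OIDC token endpoint rather than the JWKS URI this loop handles, so it should read `// Otherwise derive a cluster from the JWKS URI (scheme, host and port).`. It would also help to state what the first branch relies on, since `createExtServiceXDSCluster(jwks.Destination, jwks.Traffic, tCtx)` is the only place the cluster gets its endpoints and TLS settings, e.g. `// Destination carries the BackendRef endpoints and any BackendTLSPolicy settings; Traffic carries the same retry settings buildJWTAuthn applies to the remote_jwks fetch.` — presumably, since only the call site is visible here. The opening of patchResources sits before the hunk.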
diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-with-backend-tls-retry.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-with-backend-tls-retry.yaml
new file mode 100644
index 00000000000..37a8c81468f
--- /dev/null
+++ b/internal/xds/translator/testdata/in/xds-ir/jwt-with-backend-tls-retry.yaml
@@ -0,0 +1,75 @@
+http:
+- address: 0.0.0.0
+ hostnames:
+ - '*'
+ isHTTP2: false
+ metadata:
+ kind: Gateway
+ name: gateway-1
+ namespace: default
+ sectionName: http
+ name: default/gateway-1/http
+ path:
+ escapedSlashesAction: UnescapeAndRedirect
+ mergeSlashes: true
+ port: 10080
+ routes:
+ - destination:
+ name: httproute/default/httproute-1/rule/0
+ settings:
+ - addressType: IP
+ endpoints:
+ - host: 7.7.7.7
+ port: 8080
+ protocol: HTTP
+ weight: 1
+ hostname: gateway.envoyproxy.io
+ isHTTP2: false
+ metadata:
+ kind: HTTPRoute
+ name: httproute-1
+ namespace: default
+ name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
+ pathMatch:
+ distinct: false
+ name: ""
+ prefix: /
+ security:
+ jwt:
+ providers:
+ - audiences:
+ - foo.bar.com
+ claimToHeaders:
+ - claim: claim
+ header: claim-header
+ issuer: https://foo.bar.com
+ name: foobar
+ remoteJWKS:
+ destination:
+ name: securitypolicy/default/policy-for-route/jwt/0
+ settings:
+ - addressType: FQDN
+ endpoints:
+ - host: foo.bar.com
+ port: 443
+ protocol: HTTPS
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ certificate: 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
+ name: policy-btls/default-ca
+ sni: foo.bar.com
+ weight: 1
+ traffic:
+ retry:
+ numRetries: 3
+ perRetry:
+ backOff:
+ baseInterval: 1s
+ maxInterval: 5s
+ retryOn:
+ triggers:
+ - 5xx
+ - gateway-error
+ - reset
+ uri: https://foo.bar.com/jwt/public-key/jwks.json
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.clusters.yaml
new file mode 100644
index 00000000000..edc7120e86c
--- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.clusters.yaml @@ -0,0 +1,68 @@ +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: httproute/default/httproute-1/rule/0 + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: httproute/default/httproute-1/rule/0 + perConnectionBufferLimitBytes: 32768 + type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_PREFERRED + dnsRefreshRate: 30s + lbPolicy: LEAST_REQUEST + loadAssignment: + clusterName: securitypolicy/default/policy-for-route/jwt/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: foo.bar.com + portValue: 443 + loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.transport_socket_match: + name: securitypolicy/default/policy-for-route/jwt/0/tls/0 + loadBalancingWeight: 1 + locality: + region: securitypolicy/default/policy-for-route/jwt/0/backend/0 + name: securitypolicy/default/policy-for-route/jwt/0 + perConnectionBufferLimitBytes: 32768 + respectDnsTtl: true + transportSocketMatches: + - match: + name: securitypolicy/default/policy-for-route/jwt/0/tls/0 + name: securitypolicy/default/policy-for-route/jwt/0/tls/0 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: foo.bar.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls/default-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: foo.bar.com + type: STRICT_DNS 
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.endpoints.yaml new file mode 100644 index 00000000000..29bb6b4e444 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.endpoints.yaml @@ -0,0 +1,12 @@ +- clusterName: httproute/default/httproute-1/rule/0 + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 7.7.7.7 + portValue: 8080 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: httproute/default/httproute-1/rule/0/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml new file mode 100644 index 00000000000..4c1b6b0fc23 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.listeners.yaml 
@@ -0,0 +1,66 @@ +- address: + socketAddress: + address: 0.0.0.0 + portValue: 10080 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.jwt_authn + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication + providers: + httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io/foobar: + audiences: + - foo.bar.com + claimToHeaders: + - claimName: claim + headerName: claim-header + forward: true + issuer: https://foo.bar.com + normalizePayloadInMetadata: + spaceDelimitedClaims: + - scope + payloadInMetadata: foobar + remoteJwks: + asyncFetch: {} + cacheDuration: 300s + httpUri: + cluster: securitypolicy/default/policy-for-route/jwt/0 + timeout: 10s + uri: https://foo.bar.com/jwt/public-key/jwks.json + retryPolicy: + numRetries: 3 + retryBackOff: + baseInterval: 1s + maxInterval: 5s + retryOn: 5xx,gateway-error,reset + requirementMap: + httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io: + providerName: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io/foobar + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + mergeSlashes: true + normalizePath: true + pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: default/gateway-1/http + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-10080 + useRemoteAddress: true + name: default/gateway-1/http + name: default/gateway-1/http + 
perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.routes.yaml new file mode 100644 index 00000000000..0eae8cd072d --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.routes.yaml @@ -0,0 +1,33 @@ +- ignorePortInHostMatching: true + name: default/gateway-1/http + virtualHosts: + - domains: + - gateway.envoyproxy.io + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: Gateway + name: gateway-1 + namespace: default + sectionName: http + name: default/gateway-1/http/gateway_envoyproxy_io + routes: + - match: + prefix: / + metadata: + filterMetadata: + envoy-gateway: + resources: + - kind: HTTPRoute + name: httproute-1 + namespace: default + name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io + route: + cluster: httproute/default/httproute-1/rule/0 + upgradeConfigs: + - upgradeType: websocket + typedPerFilterConfig: + envoy.filters.http.jwt_authn: + '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig + requirementName: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.secrets.yaml new file mode 100644 index 00000000000..da8f89db5d7 --- /dev/null +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-with-backend-tls-retry.secrets.yaml 
@@ -0,0 +1,4 @@ +- name: policy-btls/default-ca + validationContext: + trustedCa: + inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K