Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: support BackendCluster for Remote JWKS #5011

Merged
merged 18 commits into from
Jan 17, 2025
+2,545 −1,083
Merged

feat: support BackendCluster for Remote JWKS #5011

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
7a54634
api
zhaohuabing Jan 6, 2025
74ed5fe
impl
zhaohuabing Jan 7, 2025
d76a3d1
gateway api translation
zhaohuabing Jan 7, 2025
7a3f2ec
xds translation
zhaohuabing Jan 7, 2025
a9bfe43
e2e test
zhaohuabing Jan 7, 2025
9c6e27a
minor wording
zhaohuabing Jan 8, 2025
b423ce3
add CEL validation
zhaohuabing Jan 8, 2025
82a48aa
fix gen
zhaohuabing Jan 8, 2025
86413f0
Merge remote-tracking branch 'origin/main' into jwks-custom-ca
zhaohuabing Jan 13, 2025
122ee44
Merge remote-tracking branch 'origin/main' into jwks-custom-ca
zhaohuabing Jan 14, 2025
1547842
validate APIKeyAuth
zhaohuabing Jan 16, 2025
9ed8b03
Merge remote-tracking branch 'origin/main' into jwks-custom-ca
zhaohuabing Jan 16, 2025
666955c
fix gen
zhaohuabing Jan 16, 2025
830b67c
fix lint
zhaohuabing Jan 16, 2025
b33fc71
delete the test file for mepty sp validation
zhaohuabing Jan 16, 2025
33c0d63
add test for APIKeyAuth
zhaohuabing Jan 16, 2025
e77e8af
rename
zhaohuabing Jan 16, 2025
4cbf407
fix gen
zhaohuabing Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions api/v1alpha1/jwt_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,17 +75,28 @@ type JWTProvider struct {
ExtractFrom *JWTExtractor `json:"extractFrom,omitempty"`
}

// RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
// HTTP/HTTPS endpoint.
// RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
// +kubebuilder:validation:XValidation:rule="!has(self.backendRef)",message="BackendRefs must be used, backendRef is not supported."
// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? !has(self.backendSettings.retry.perRetry.timeout):true):true):true",message="Retry timeout is not supported."
// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true",message="HTTPStatusCodes is not supported."
type RemoteJWKS struct {
// URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
// validate the server certificate.
// BackendRefs is used to specify the address of the Remote JWKS. The BackendRefs are optional, if not specified,
// the backend service is extracted from the host and port of the URI field.
//
// TLS configuration can be specified in a BackendTLSConfig resource and target the BackendRefs.
//
// Other settings for the connection to remote JWKS can be specified in the BackendSettings resource.
// Currently, only the retry policy is supported.
//
// +optional
BackendCluster `json:",inline"`

// URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
// If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
URI string `json:"uri"`

// TODO: Add TBD remote JWKS fields based on defined use cases.
}

// ClaimToHeader defines a configuration to convert JWT claims into HTTP headers
Expand Down
1 change: 1 addition & 0 deletions api/v1alpha1/oidc_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@ type OIDCProvider struct {
// TLS configuration can be specified in a BackendTLSConfig resource and target the BackendRefs.
//
// Other settings for the connection to the OIDC Provider can be specified in the BackendSettings resource.
// Currently, only the retry policy is supported.
//
// +optional
BackendCluster `json:",inline"`
Expand Down
154 changes: 0 additions & 154 deletions api/v1alpha1/validation/securitypolicy_validate.go
View file
Open in desktop
Copy link
Member Author

@zhaohuabing zhaohuabing Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecuritcyPolicy validation has been moved from the xds translation to the API translation. This change allows validation errors to be caught earlier and reflected in the SecurityPolicy status.

This file was deleted.

Loading
Loading