Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support BackendCluster for Remote JWKS #5011

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

feat: support BackendCluster for Remote JWKS #5011

wants to merge 18 commits into from

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Jan 6, 2025
edited
Loading

This PR introduces support for representing JWT remote JWKS as Backend resources. With this enhancement, users can:

  • Specify a self-signed CA: use BackendTLSPolicy to define a self-signed CA for the remote JWKS
  • Configure retry policies: use rmoteJWKS.backendSettings.retry to sepecify the retry policy for the remote JWKS

Implements: #3536
Release Notes: Yes

@zhaohuabing zhaohuabing requested a review from a team as a code owner January 6, 2025 09:03
@zhaohuabing zhaohuabing marked this pull request as draft January 6, 2025 09:03
@codecov Codecov
Copy link

codecov bot commented Jan 6, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 76.33136% with 40 lines in your changes missing coverage. Please review.

Project coverage is 66.80%. Comparing base (8b89dad) to head (4cbf407).

Files with missing lines Patch % Lines
internal/gatewayapi/securitypolicy.go 78.94% 19 Missing and 9 partials ⚠️
internal/xds/translator/jwt.go 66.66% 8 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5011      +/-   ##
==========================================
- Coverage   66.84%   66.80%   -0.04%     
==========================================
  Files         211      210       -1     
  Lines       32916    32943      +27     
==========================================
+ Hits        22004    22009       +5     
- Misses       9586     9598      +12     
- Partials     1326     1336      +10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing changed the title api feat: support Backend for Remote JWKS Jan 7, 2025
@zhaohuabing zhaohuabing force-pushed the jwks-custom-ca branch 4 times, most recently from 00cf16b to 2a68252 Compare January 8, 2025 01:33
zhaohuabing
zhaohuabing commented Jan 8, 2025
View reviewed changes
api/v1alpha1/validation/securitypolicy_validate.go
Copy link
Member Author

@zhaohuabing zhaohuabing Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecuritcyPolicy validation has been moved from the xds translation to the API translation. This change allows validation errors to be caught earlier and reflected in the SecurityPolicy status.

@zhaohuabing
api
7a54634 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
impl
74ed5fe 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
gateway api translation
d76a3d1 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
xds translation
7a3f2ec 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
e2e test
a9bfe43 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
minor wording
9c6e27a 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as ready for review January 8, 2025 01:48
@zhaohuabing zhaohuabing changed the title feat: support Backend for Remote JWKS feat: support BackendCluster for Remote JWKS Jan 8, 2025
zhaohuabing
zhaohuabing commented Jan 16, 2025
View reviewed changes
api/v1alpha1/validation/securitypolicy_validate.go
case spec.ExtAuth != nil:
sum++
case spec.OIDC != nil:
sum++
Copy link
Member Author

@zhaohuabing zhaohuabing Jan 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove this empty spec check because other policy types don't do this check. We can apply the check to all the policy types through CEL in a follow-up PR if it's needed.

zhaohuabing
zhaohuabing commented Jan 16, 2025
View reviewed changes
api/v1alpha1/validation/securitypolicy_validate.go
@@ -1,154 +0,0 @@
// Copyright Envoy Gateway Authors
Copy link
Member Author

@zhaohuabing zhaohuabing Jan 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file was deleted from the API package and the validations have been moved into the gatewapi translator.

@zhaohuabing zhaohuabing requested a review from arkodg January 16, 2025 01:29
@zhaohuabing
fix gen
666955c 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix lint
830b67c 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
delete the test file for mepty sp validation
b33fc71 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
add test for APIKeyAuth
33c0d63 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
rename
e77e8af 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix gen
4cbf407 
Signed-off-by: Huabing Zhao <[email protected]>
@StephenRobin
Copy link

@zhaohuabing Thank you for working on this! It's been blocking us from adopting Envoy Gateway and I'm looking forward to seeing this merged.

I notice this PR doesn't update the documentation, it would be good to see an example added there. Also for using OIDC with an internal certificate, it took me a couple of hours to work out how to do that.

arkodg
arkodg approved these changes Jan 16, 2025
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !

@arkodg arkodg requested review from a team and removed request for sanposhiho January 16, 2025 22:30
@zhaohuabing
Copy link
Member Author

@StephenRobin

I notice this PR doesn't update the documentation, it would be good to see an example added there.

Will update the docs in a follow-up PR.

Also for using OIDC with an internal certificate, it took me a couple of hours to work out how to do that.

You can find an example for OIDC here: https://gateway.envoyproxy.io/docs/tasks/security/oidc/#connect-to-an-oidc-provider-with-self-signed-certificate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arkodg arkodg arkodg approved these changes

@sanposhiho sanposhiho Awaiting requested review from sanposhiho

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zhaohuabing @StephenRobin @arkodg @sanposhiho