feat: support BackendCluster for Remote JWKS (#5011)

* api Signed-off-by: Huabing Zhao <[email protected]> * impl Signed-off-by: Huabing Zhao <[email protected]> * gateway api translation Signed-off-by: Huabing Zhao <[email protected]> * xds translation Signed-off-by: Huabing Zhao <[email protected]> * e2e test Signed-off-by: Huabing Zhao <[email protected]> * minor wording Signed-off-by: Huabing Zhao <[email protected]> * add CEL validation Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> * validate APIKeyAuth Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> * fix lint Signed-off-by: Huabing Zhao <[email protected]> * delete the test file for mepty sp validation Signed-off-by: Huabing Zhao <[email protected]> * add test for APIKeyAuth Signed-off-by: Huabing Zhao <[email protected]> * rename Signed-off-by: Huabing Zhao <[email protected]> * fix gen Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]>
envoyproxy · Jan 17, 2025 · 75b2d84 · 75b2d84
1 parent c499b41
commit 75b2d84
Show file tree

Hide file tree

Showing 28 changed files with 2,545 additions and 1,083 deletions.
diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go
@@ -75,17 +75,28 @@ type JWTProvider struct {
 	ExtractFrom *JWTExtractor `json:"extractFrom,omitempty"`
 }
 
-// RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
-// HTTP/HTTPS endpoint.
+// RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
+// +kubebuilder:validation:XValidation:rule="!has(self.backendRef)",message="BackendRefs must be used, backendRef is not supported."
+// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.perRetry)? !has(self.backendSettings.retry.perRetry.timeout):true):true):true",message="Retry timeout is not supported."
+// +kubebuilder:validation:XValidation:rule="has(self.backendSettings)? (has(self.backendSettings.retry)?(has(self.backendSettings.retry.retryOn)? !has(self.backendSettings.retry.retryOn.httpStatusCodes):true):true):true",message="HTTPStatusCodes is not supported."
 type RemoteJWKS struct {
-	// URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to
-	// validate the server certificate.
+	// BackendRefs is used to specify the address of the Remote JWKS. The BackendRefs are optional, if not specified,
+	// the backend service is extracted from the host and port of the URI field.
+	//
+	// TLS configuration can be specified in a BackendTLSConfig resource and target the BackendRefs.
+	//
+	// Other settings for the connection to remote JWKS can be specified in the BackendSettings resource.
+	// Currently, only the retry policy is supported.
+	//
+	// +optional
+	BackendCluster `json:",inline"`
+
+	// URI is the HTTPS URI to fetch the JWKS. Envoy's system trust bundle is used to validate the server certificate.
+	// If a custom trust bundle is needed, it can be specified in a BackendTLSConfig resource and target the BackendRefs.
 	//
 	// +kubebuilder:validation:MinLength=1
 	// +kubebuilder:validation:MaxLength=253
 	URI string `json:"uri"`
-
-	// TODO: Add TBD remote JWKS fields based on defined use cases.
 }
 
 // ClaimToHeader defines a configuration to convert JWT claims into HTTP headers

diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -116,6 +116,7 @@ type OIDCProvider struct {
 	// TLS configuration can be specified in a BackendTLSConfig resource and target the BackendRefs.
 	//
 	// Other settings for the connection to the OIDC Provider can be specified in the BackendSettings resource.
+	// Currently, only the retry policy is supported.
 	//
 	// +optional
 	BackendCluster `json:",inline"`

diff --git a/api/v1alpha1/validation/securitypolicy_validate.go b/api/v1alpha1/validation/securitypolicy_validate.go