-
Notifications
You must be signed in to change notification settings - Fork 369
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft: feat(translation): expand sources of JWKS required to validate JWTs #4684
base: main
Are you sure you want to change the base?
Conversation
…required to validate JWTs Currently only HTTPS endpoints are supported via remoteJWKS field of the JWTProvider. This is deprecated in favor of a jwksSource field that expands the available locations JWKS content can be retireved from. Sources include an inline string in the source resource, a local file in the Gateway Container or from a Configmap/Secret. Signed-off-by: Steve Gargan <[email protected]>
64ac449
to
f7a8756
Compare
// Inline, URI and Configmap/Secret contents are supported. | ||
// | ||
// +optional | ||
JWKSSource *JWKSSource `json:"jwksSource"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the jwks.Type
idea !
we have been meaning to also add a backendRefs
field to remoteJwks
so upstream connection/traffic parameters can be controlled, relates to #3536
so the 2 options here are
- Represent backendRefs as a
Type
- Keep the
remoteJwks
field, and add a new onelocalJwks
to support the inline and valueRef cases
cc @envoyproxy/gateway-maintainers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for 2 as the structure is more straightfoward and less levels. It's a bit messy to add BackendCluster, URL, inline, and valueRef in a single structure.
remoteJWKS:
backendRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
port: 443
backendSettings:
retry:
numRetries: 3
perRetry:
backOff:
baseInterval: 1s
maxInterval: 5s
retryOn:
triggers: ["5xx", "gateway-error", "reset"]
localJWKS:
type: inline
vaule: xxxxxxx
jwksSource:
type: BackendCluster
backendCluster:
backendRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
port: 443
backendSettings:
retry:
numRetries: 3
perRetry:
backOff:
baseInterval: 1s
maxInterval: 5s
retryOn:
triggers: ["5xx", "gateway-error", "reset"]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for 2
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for sharing your thoughts folks, lets go with 2.
@sgargan link error: Error: ./api/v1alpha1/jwt_types.go:28: specfied ==> specified |
Hi @sgargan, I wanted to check in and see if you’re planning to continue working on this? |
I am, I've just been caught up with other deadlines, hoping to get back to
it next week.
…On Wed, Dec 11, 2024 at 4:52 AM Huabing Zhao ***@***.***> wrote:
Hi @sgargan <https://github.com/sgargan>, I wanted to check in and see if
you’re planning to continue working on this?
—
Reply to this email directly, view it on GitHub
<#4684 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAA7RYPNKRQTIVQVR5B2XUT2E7AHNAVCNFSM6AAAAABRNXKM3GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZTGYZDQMBVHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
hey @sgargan checking in to see if you'd be able to find time to work on this PR this month, will accordingly keep it/move it out of the v1.3 Milestone (aiming to release v1.3 by the end of this month) |
I'm back after vacation and hope to have some time to spend on this over the next couple of weeks. |
Currently only HTTPS endpoints are supported via remoteJWKS field of the JWTProvider. This is deprecated in favour of a jwksSource field that expands the available locations JWKS content can be retrieved from. Sources include an inline string in the source resource, a local file in the Gateway Container or from a Configmap/Secret.
This is a draft of the proposed JWKSource structure for discussion ahead of implentation.
Fixes #2419