Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion api/v1alpha1/jwt_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,15 @@ import (
// JWT defines the configuration for JSON Web Token (JWT) authentication.
type JWT struct {
// Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
// Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
// Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT
// is presented. See IgnoreFailure if this is necessary for your use case.
Optional *bool `json:"optional,omitempty"`

// IgnoreFailure allows a request to pass the JWT filter even when its JWT is
// missing or invalid. Supersedes Optional and maps to Envoy's `allow_missing_or_failed`.
// It does not enforce authentication on its own, so pair it with an Authorization policy.
IgnoreFailure *bool `json:"ignoreFailure,omitempty"`

// Providers defines the JSON Web Token (JWT) authentication provider type.
// When multiple JWT providers are specified, the JWT is considered valid if
// any of the providers successfully validate the JWT. For additional details,
Expand Down
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -3795,10 +3795,17 @@ spec:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
properties:
ignoreFailure:
description: |-
IgnoreFailure allows a request to pass the JWT filter even when its JWT is
missing or invalid. Supersedes Optional and maps to Envoy's `allow_missing_or_failed`.
It does not enforce authentication on its own, so pair it with an Authorization policy.
type: boolean
optional:
description: |-
Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT
is presented. See IgnoreFailure if this is necessary for your use case.
type: boolean
providers:
description: |-
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3794,10 +3794,17 @@ spec:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
properties:
ignoreFailure:
description: |-
IgnoreFailure allows a request to pass the JWT filter even when its JWT is
missing or invalid. Supersedes Optional and maps to Envoy's `allow_missing_or_failed`.
It does not enforce authentication on its own, so pair it with an Authorization policy.
type: boolean
optional:
description: |-
Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT
is presented. See IgnoreFailure if this is necessary for your use case.
type: boolean
providers:
description: |-
Expand Down
5 changes: 3 additions & 2 deletions internal/gatewayapi/securitypolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -1388,8 +1388,9 @@ func (t *Translator) buildJWT(
}

return &ir.JWT{
AllowMissing: ptr.Deref(policy.Spec.JWT.Optional, false),
Providers: providers,
AllowMissing: ptr.Deref(policy.Spec.JWT.Optional, false),
AllowMissingOrFailed: ptr.Deref(policy.Spec.JWT.IgnoreFailure, false),
Providers: providers,
}, nil
}

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- matches:
- path:
value: "/"
backendRefs:
- name: service-1
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-route
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
jwt:
ignoreFailure: true
providers:
- name: example
issuer: https://www.example.com
remoteJWKS:
uri: https://www.example.com/jwt/public-key/jwks.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: gateway-1
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: All
name: http
port: 80
protocol: HTTP
status:
listeners:
- attachedRoutes: 1
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: http
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: httproute-1
namespace: default
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- name: gateway-1
namespace: envoy-gateway
sectionName: http
rules:
- backendRefs:
- name: service-1
port: 8080
matches:
- path:
value: /
status:
parents:
- conditions:
- lastTransitionTime: null
message: Route is accepted
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Resolved all the Object references for the Route
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
controllerName: gateway.envoyproxy.io/gatewayclass-controller
parentRef:
name: gateway-1
namespace: envoy-gateway
sectionName: http
infraIR:
envoy-gateway/gateway-1:
proxy:
listeners:
- name: envoy-gateway/gateway-1/http
ports:
- containerPort: 10080
name: http-80
protocol: HTTP
servicePort: 80
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
ownerReference:
kind: GatewayClass
name: envoy-gateway-class
name: envoy-gateway/gateway-1
namespace: envoy-gateway-system
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
name: policy-for-route
namespace: default
spec:
jwt:
ignoreFailure: true
providers:
- issuer: https://www.example.com
name: example
remoteJWKS:
uri: https://www.example.com/jwt/public-key/jwks.json
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
status:
ancestors:
- ancestorRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
namespace: envoy-gateway
sectionName: http
conditions:
- lastTransitionTime: null
message: Policy has been accepted.
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: spec.targetRef is deprecated, use spec.targetRefs instead
reason: DeprecatedField
status: "True"
type: Warning
controllerName: gateway.envoyproxy.io/gatewayclass-controller
xdsIR:
envoy-gateway/gateway-1:
accessLog:
json:
- path: /dev/stdout
globalResources:
proxyServiceCluster:
metadata:
kind: Service
name: envoy-envoy-gateway-gateway-1-196ae069
namespace: envoy-gateway-system
sectionName: "8080"
name: envoy-gateway/gateway-1
settings:
- addressType: IP
endpoints:
- host: 7.6.5.4
port: 8080
zone: zone1
metadata:
kind: Service
name: envoy-envoy-gateway-gateway-1-196ae069
namespace: envoy-gateway-system
sectionName: "8080"
name: envoy-gateway/gateway-1
protocol: TCP
http:
- address: 0.0.0.0
externalPort: 80
hostnames:
- '*'
metadata:
kind: Gateway
name: gateway-1
namespace: envoy-gateway
sectionName: http
name: envoy-gateway/gateway-1/http
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 10080
routes:
- destination:
metadata:
kind: HTTPRoute
name: httproute-1
namespace: default
name: httproute/default/httproute-1/rule/0
settings:
- addressType: IP
endpoints:
- host: 7.7.7.7
port: 8080
metadata:
kind: Service
name: service-1
namespace: default
sectionName: "8080"
name: httproute/default/httproute-1/rule/0/backend/0
protocol: HTTP
weight: 1
hostname: gateway.envoyproxy.io
isHTTP2: false
metadata:
kind: HTTPRoute
name: httproute-1
namespace: default
name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
pathMatch:
distinct: false
name: ""
prefix: /
security:
jwt:
allowMissingOrFailed: true
providers:
- issuer: https://www.example.com
name: example
remoteJWKS:
uri: https://www.example.com/jwt/public-key/jwks.json
readyListener:
address: 0.0.0.0
ipFamily: IPv4
path: /ready
port: 19003
4 changes: 4 additions & 0 deletions internal/ir/xds.go
Original file line number Diff line number Diff line change
Expand Up @@ -1203,6 +1203,10 @@ type JWT struct {
// AllowMissing determines whether a missing JWT is acceptable.
AllowMissing bool `json:"allowMissing,omitempty" yaml:"allowMissing,omitempty"`

// AllowMissingOrFailed determines whether a missing or invalid JWT is tolerated.
// When true it supersedes AllowMissing and maps to Envoy's `allow_missing_or_failed`.
AllowMissingOrFailed bool `json:"allowMissingOrFailed,omitempty" yaml:"allowMissingOrFailed,omitempty"`

// Providers defines a list of JSON Web Token (JWT) authentication providers.
Providers []JWTProvider `json:"providers,omitempty" yaml:"providers,omitempty"`
}
Expand Down
11 changes: 10 additions & 1 deletion internal/xds/translator/jwt.go
Original file line number Diff line number Diff line change
Expand Up @@ -215,7 +215,16 @@ func buildJWTAuthn(irListener *ir.HTTPListener, jwtAuthn *jwtauthnv3.JwtAuthenti
})
}

if route.Security.JWT.AllowMissing {
// AllowMissingOrFailed supersedes AllowMissing: it tolerates a missing or
// invalid token, whereas AllowMissing still rejects an invalid one.
switch {
case route.Security.JWT.AllowMissingOrFailed:
reqs = append(reqs, &jwtauthnv3.JwtRequirement{
RequiresType: &jwtauthnv3.JwtRequirement_AllowMissingOrFailed{
AllowMissingOrFailed: &emptypb.Empty{},
},
})
case route.Security.JWT.AllowMissing:
reqs = append(reqs, &jwtauthnv3.JwtRequirement{
RequiresType: &jwtauthnv3.JwtRequirement_AllowMissing{
AllowMissing: &emptypb.Empty{},
Expand Down
Loading
Loading