relax https for jwks

Signed-off-by: huabing zhao <[email protected]>
envoyproxy · Dec 20, 2023 · 0b00588 · 0b00588
1 parent d13c329
commit 0b00588
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 11 deletions.
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml
@@ -86,11 +86,11 @@ securityPolicies:
         - header: one-route-example-key
           claim: claim1
       - name: example2
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         audiences:
         - two.foo.com
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
         claimToHeaders:
         - header: two-route-example-key
           claim: claim2

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml
@@ -235,10 +235,10 @@ securityPolicies:
         claimToHeaders:
         - claim: claim2
           header: two-route-example-key
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         name: example2
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway
@@ -293,10 +293,10 @@ xdsIR:
             claimToHeaders:
             - claim: claim2
               header: two-route-example-key
-            issuer: https://two.example.com
+            issuer: http://two.example.com
             name: example2
             remoteJWKS:
-              uri: https://two.example.com/jwt/public-key/jwks.json
+              uri: http://two.example.com/jwt/public-key/jwks.json
         name: grpcroute/default/grpcroute-1/rule/0/match/-1/*
   envoy-gateway/gateway-2:
     accessLog:

diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -109,7 +109,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 		for i := range route.JWT.Providers {
 			irProvider := route.JWT.Providers[i]
 			// Create the cluster for the remote jwks, if it doesn't exist.
-			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
+			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI, false)
 			if err != nil {
 				return nil, err
 			}

diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
@@ -109,7 +109,7 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
 }
 
 func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
-	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 	if err != nil {
 		return nil, err
 	}
@@ -218,7 +218,7 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
 			err     error
 		)
 
-		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint)
+		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 		if err != nil {
 			errs = multierror.Append(errs, err)
 			continue

diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
@@ -32,7 +32,7 @@ type urlCluster struct {
 }
 
 // url2Cluster returns a urlCluster from the provided url.
-func url2Cluster(strURL string) (*urlCluster, error) {
+func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 	epType := EndpointTypeDNS
 
 	// The URL should have already been validated in the gateway API translator.
@@ -41,7 +41,7 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 		return nil, err
 	}
 
-	if u.Scheme != "https" {
+	if secure && u.Scheme != "https" {
 		return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
 	}