Merge branch 'main' into image-pull-secrets

envoyproxy · Dec 23, 2023 · 6f9ad3b · 6f9ad3b
2 parents 061fa22 + c692458
commit 6f9ad3b
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 41 deletions.
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml
@@ -86,11 +86,11 @@ securityPolicies:
         - header: one-route-example-key
           claim: claim1
       - name: example2
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         audiences:
         - two.foo.com
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
         claimToHeaders:
         - header: two-route-example-key
           claim: claim2

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml
@@ -237,10 +237,10 @@ securityPolicies:
         claimToHeaders:
         - claim: claim2
           header: two-route-example-key
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         name: example2
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway
@@ -295,10 +295,10 @@ xdsIR:
             claimToHeaders:
             - claim: claim2
               header: two-route-example-key
-            issuer: https://two.example.com
+            issuer: http://two.example.com
             name: example2
             remoteJWKS:
-              uri: https://two.example.com/jwt/public-key/jwks.json
+              uri: http://two.example.com/jwt/public-key/jwks.json
         name: grpcroute/default/grpcroute-1/rule/0/match/-1/*
   envoy-gateway/gateway-2:
     accessLog:

diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -109,7 +109,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 		for i := range route.JWT.Providers {
 			irProvider := route.JWT.Providers[i]
 			// Create the cluster for the remote jwks, if it doesn't exist.
-			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
+			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI, false)
 			if err != nil {
 				return nil, err
 			}
@@ -262,7 +262,7 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 			)
 
 			provider := route.JWT.Providers[i]
-			jwks, err = url2Cluster(provider.RemoteJWKS.URI)
+			jwks, err = url2Cluster(provider.RemoteJWKS.URI, false)
 			if err != nil {
 				errs = multierror.Append(errs, err)
 				continue
@@ -273,18 +273,21 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 				Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(jwks.hostname, jwks.port)},
 			}
 
-			tSocket, err = buildXdsUpstreamTLSSocket()
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-
-			if err = addXdsCluster(tCtx, &xdsClusterArgs{
+			clusterArgs := &xdsClusterArgs{
 				name:         jwks.name,
 				settings:     []*ir.DestinationSetting{ds},
-				tSocket:      tSocket,
 				endpointType: jwks.endpointType,
-			}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+			}
+			if jwks.tls {
+				tSocket, err = buildXdsUpstreamTLSSocket()
+				if err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+				clusterArgs.tSocket = tSocket
+			}
+
+			if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 				errs = multierror.Append(errs, err)
 			}
 		}

diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
@@ -109,7 +109,7 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
 }
 
 func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
-	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 	if err != nil {
 		return nil, err
 	}
@@ -218,7 +218,7 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
 			err     error
 		)
 
-		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint)
+		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 		if err != nil {
 			errs = multierror.Append(errs, err)
 			continue

diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
@@ -16,7 +16,7 @@ http:
         audiences:
         - foo.com
         remoteJWKS:
-          uri: https://localhost/jwt/public-key/jwks.json
+          uri: http://localhost/jwt/public-key/jwks.json
         claimToHeaders:
         - header: one-route-example-key1
           claim: claim.neteased.key
@@ -49,7 +49,7 @@ http:
         audiences:
         - foo.com
         remoteJWKS:
-          uri: https://localhost/jwt/public-key/jwks.json
+          uri: http://localhost/jwt/public-key/jwks.json
         claimToHeaders:
         - header: second-route-example-key1
           claim: claim.neteased.key

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
@@ -33,30 +33,22 @@
   dnsRefreshRate: 30s
   lbPolicy: LEAST_REQUEST
   loadAssignment:
-    clusterName: localhost_443
+    clusterName: localhost_80
     endpoints:
     - lbEndpoints:
       - endpoint:
           address:
             socketAddress:
               address: localhost
-              portValue: 443
+              portValue: 80
         loadBalancingWeight: 1
       loadBalancingWeight: 1
       locality:
-        region: localhost_443/backend/0
-  name: localhost_443
+        region: localhost_80/backend/0
+  name: localhost_80
   outlierDetection: {}
   perConnectionBufferLimitBytes: 32768
   respectDnsTtl: true
-  transportSocket:
-    name: envoy.transport_sockets.tls
-    typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-      commonTlsContext:
-        validationContext:
-          trustedCa:
-            filename: /etc/ssl/certs/ca-certificates.crt
   type: STRICT_DNS
 - commonLbConfig:
     localityWeightedLbConfig: {}

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -31,9 +31,9 @@
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
-                    cluster: localhost_443
+                    cluster: localhost_80
                     timeout: 5s
-                    uri: https://localhost/jwt/public-key/jwks.json
+                    uri: http://localhost/jwt/public-key/jwks.json
                   retryPolicy: {}
               first-route-www.test.com/example2:
                 audiences:
@@ -68,9 +68,9 @@
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
-                    cluster: localhost_443
+                    cluster: localhost_80
                     timeout: 5s
-                    uri: https://localhost/jwt/public-key/jwks.json
+                    uri: http://localhost/jwt/public-key/jwks.json
                   retryPolicy: {}
               second-route-www.test.com/example2:
                 audiences:

diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
@@ -20,7 +20,8 @@ import (
 )
 
 const (
-	defaultPort = 443
+	defaultHTTPSPort = 443
+	defaultHTTPPort  = 80
 )
 
 // urlCluster is a cluster that is created from a URL.
@@ -29,10 +30,11 @@ type urlCluster struct {
 	hostname     string
 	port         uint32
 	endpointType EndpointType
+	tls          bool
 }
 
 // url2Cluster returns a urlCluster from the provided url.
-func url2Cluster(strURL string) (*urlCluster, error) {
+func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 	epType := EndpointTypeDNS
 
 	// The URL should have already been validated in the gateway API translator.
@@ -41,11 +43,17 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 		return nil, err
 	}
 
-	if u.Scheme != "https" {
+	if secure && u.Scheme != "https" {
 		return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
 	}
 
-	port := defaultPort
+	var port int
+	if u.Scheme == "https" {
+		port = defaultHTTPSPort
+	} else {
+		port = defaultHTTPPort
+	}
+
 	if u.Port() != "" {
 		port, err = strconv.Atoi(u.Port())
 		if err != nil {
@@ -66,6 +74,7 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 		hostname:     u.Hostname(),
 		port:         uint32(port),
 		endpointType: epType,
+		tls:          u.Scheme == "https",
 	}, nil
 }