address comments

Signed-off-by: huabing zhao <[email protected]>
envoyproxy · Dec 21, 2023 · bdd6ffe · bdd6ffe
1 parent fc36b2b
commit bdd6ffe
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 27 deletions.
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -273,18 +273,21 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 				Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(jwks.hostname, jwks.port)},
 			}
 
-			tSocket, err = buildXdsUpstreamTLSSocket()
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-
-			if err = addXdsCluster(tCtx, &xdsClusterArgs{
+			clusterArgs := &xdsClusterArgs{
 				name:         jwks.name,
 				settings:     []*ir.DestinationSetting{ds},
-				tSocket:      tSocket,
 				endpointType: jwks.endpointType,
-			}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+			}
+			if jwks.tls {
+				tSocket, err = buildXdsUpstreamTLSSocket()
+				if err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+				clusterArgs.tSocket = tSocket
+			}
+
+			if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 				errs = multierror.Append(errs, err)
 			}
 		}

diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
@@ -21,12 +21,12 @@ http:
         - header: one-route-example-key1
           claim: claim.neteased.key
       - name: example2
-        issuer: https://www.two.example.com
+        issuer: http://www.two.example.com
         audiences:
         - one.foo.com
         - two.foo.com
         remoteJWKS:
-          uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+          uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
         claimToHeaders:
         - header: one-route-example2-key1
           claim: claim.neteased.key
@@ -54,12 +54,12 @@ http:
         - header: second-route-example-key1
           claim: claim.neteased.key
       - name: example2
-        issuer: https://www.two.example.com
+        issuer: http://www.two.example.com
         audiences:
         - one.foo.com
         - two.foo.com
         remoteJWKS:
-          uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+          uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
     destination:
       name: "second-route-www.test.com-dest"
       settings:

diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
@@ -71,12 +71,4 @@
   name: "192_168_1_250_8080"
   outlierDetection: {}
   perConnectionBufferLimitBytes: 32768
-  transportSocket:
-    name: envoy.transport_sockets.tls
-    typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-      commonTlsContext:
-        validationContext:
-          trustedCa:
-            filename: /etc/ssl/certs/ca-certificates.crt
   type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -45,15 +45,15 @@
                 - claimName: name
                   headerName: one-route-example2-key2
                 forward: true
-                issuer: https://www.two.example.com
-                payloadInMetadata: https://www.two.example.com
+                issuer: http://www.two.example.com
+                payloadInMetadata: http://www.two.example.com
                 remoteJwks:
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
                     cluster: "192_168_1_250_8080"
                     timeout: 5s
-                    uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+                    uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
                   retryPolicy: {}
               second-route-www.test.com/example:
                 audiences:
@@ -77,15 +77,15 @@
                 - one.foo.com
                 - two.foo.com
                 forward: true
-                issuer: https://www.two.example.com
-                payloadInMetadata: https://www.two.example.com
+                issuer: http://www.two.example.com
+                payloadInMetadata: http://www.two.example.com
                 remoteJwks:
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
                     cluster: "192_168_1_250_8080"
                     timeout: 5s
-                    uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+                    uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
                   retryPolicy: {}
             requirementMap:
               first-route-www.test.com:

diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
@@ -29,6 +29,7 @@ type urlCluster struct {
 	hostname     string
 	port         uint32
 	endpointType EndpointType
+	tls          bool
 }
 
 // url2Cluster returns a urlCluster from the provided url.
@@ -66,6 +67,7 @@ func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 		hostname:     u.Hostname(),
 		port:         uint32(port),
 		endpointType: epType,
+		tls:          u.Scheme == "https",
 	}, nil
 }