diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index 608c73bde47..abb4f0b13f6 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -273,18 +273,21 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(jwks.hostname, jwks.port)},
 }
- tSocket, err = buildXdsUpstreamTLSSocket()
- if err != nil {
- errs = multierror.Append(errs, err)
- continue
- }
-
- if err = addXdsCluster(tCtx, &xdsClusterArgs{
+ clusterArgs := &xdsClusterArgs{
 name: jwks.name,
 settings: []*ir.DestinationSetting{ds},
- tSocket: tSocket,
 endpointType: jwks.endpointType,
- }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+ }
+ if jwks.tls {
+ tSocket, err = buildXdsUpstreamTLSSocket()
+ if err != nil {
+ errs = multierror.Append(errs, err)
+ continue
+ }
+ clusterArgs.tSocket = tSocket
+ }
+
+ if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 errs = multierror.Append(errs, err)
 }
 }
diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
index 6abee5f0575..7078616e87b 100644
--- a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
@@ -21,12 +21,12 @@ http:
 - header: one-route-example-key1
 claim: claim.neteased.key
 - name: example2
- issuer: https://www.two.example.com
+ issuer: http://www.two.example.com
 audiences:
 - one.foo.com
 - two.foo.com
 remoteJWKS:
- uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+ uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
 claimToHeaders:
 - header: one-route-example2-key1
 claim: claim.neteased.key
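Review bot: With the TLS socket now conditional on `jwks.tls`, the `ErrXdsClusterExists` path at the bottom of the hunk can silently reuse a cluster built with the opposite TLS setting: the cluster name appears to come from host and port only (the testdata cluster is named `192_168_1_250_8080`), so an https JWKS that shares host:port with an earlier http JWKS would be fetched through the cleartext cluster, and nothing here records or rejects the mismatch. I would make the scheme part of the cluster identity, or at least treat `ErrXdsClusterExists` as a real error when the existing cluster's transport socket differs from `clusterArgs.tSocket`; the name derivation lives in utils.go outside this hunk, so this is an inference to confirm. Independently of that, the `if jwks.tls {` branch drops the previous behaviour of always attaching TLS, and the trade-off deserves a comment above it such as `// Only https JWKS URIs get an upstream TLS socket; an http URI is fetched in cleartext, so the keys it returns are only as trustworthy as the network path.` patchResources starts and ends outside the hunk, and `tSocket`/`err` are assigned with `=`, so they are declared earlier in the function.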
@@ -54,12 +54,12 @@ http:
 - header: second-route-example-key1
 claim: claim.neteased.key
 - name: example2
- issuer: https://www.two.example.com
+ issuer: http://www.two.example.com
 audiences:
 - one.foo.com
 - two.foo.com
 remoteJWKS:
- uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+ uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
 destination:
 name: "second-route-www.test.com-dest"
 settings:
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
index fd188612f27..09b27391e18 100755
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
@@ -71,12 +71,4 @@
 name: "192_168_1_250_8080"
 outlierDetection: {}
 perConnectionBufferLimitBytes: 32768
- transportSocket:
- name: envoy.transport_sockets.tls
- typedConfig:
- '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- commonTlsContext:
- validationContext:
- trustedCa:
- filename: /etc/ssl/certs/ca-certificates.crt
 type: EDS
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
index 23990992ee7..6f5414e4f5a 100755
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -45,15 +45,15 @@
 - claimName: name
 headerName: one-route-example2-key2
 forward: true
- issuer: https://www.two.example.com
- payloadInMetadata: https://www.two.example.com
+ issuer: http://www.two.example.com
+ payloadInMetadata: http://www.two.example.com
 remoteJwks:
 asyncFetch: {}
 cacheDuration: 300s
 httpUri:
 cluster: "192_168_1_250_8080"
 timeout: 5s
- uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+ uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
 retryPolicy: {}
 second-route-www.test.com/example:
 audiences:
@@ -77,15 +77,15 @@
 - one.foo.com
 - two.foo.com
 forward: true
- issuer: https://www.two.example.com
- payloadInMetadata: https://www.two.example.com
+ issuer: http://www.two.example.com
+ payloadInMetadata: http://www.two.example.com
 remoteJwks:
 asyncFetch: {}
 cacheDuration: 300s
 httpUri:
 cluster: "192_168_1_250_8080"
 timeout: 5s
- uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+ uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
 retryPolicy: {}
 requirementMap:
 first-route-www.test.com:
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index 5bf08c6066d..2b2e661122d 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -29,6 +29,7 @@ type urlCluster struct {
 hostname string
 port uint32
 endpointType EndpointType
+ tls bool
 }
 // url2Cluster returns a urlCluster from the provided url.
@@ -66,6 +67,7 @@ func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 hostname: u.Hostname(),
 port: uint32(port),
 endpointType: epType,
+ tls: u.Scheme == "https",
 }, nil
 }
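Review bot: The new `tls bool` field in `urlCluster` carries no comment, and the second utils.go hunk sets it from `u.Scheme == "https"` while `url2Cluster` still takes a separate `secure bool` parameter whose relation to the new field is not visible here, so a reader cannot tell whether the two can disagree for the same URL. I would document the field as `tls bool // true when the parsed URL scheme is https` and, at the returned literal, either derive `tls` from the same source as `secure` or add a one-line comment saying why the scheme rather than the argument decides it. Since this field ends up deciding whether a JWKS fetch gets a TLS transport socket, leaving that relationship implicit is the kind of ambiguity that later turns into a silent downgrade. The body of url2Cluster before the returned literal is outside the hunk, so how `secure` and `port` are used there is not reviewable from this view.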