
Support insecure Remote JWKS endpoint #2327

Closed
ardikabs opened this issue Dec 20, 2023 · 1 comment

Comments

@ardikabs (Contributor) commented Dec 20, 2023

Description:

Follow up from #1930, regarding support for insecure remote JWKS endpoint.

Currently, JWT policy only supports secure endpoints through HTTPS for the remote JWKS endpoint. For particular reasons, such as when the JWKS endpoint is expected to be internally accessible within the Kubernetes cluster, adding a secure layer might not be needed.

The workaround that we have done so far was to patch the code to add support when the JWKS endpoint uses http://..., thus it will omit the tls socket config under the cluster config. The example patch can be seen here.

With the above patch, you can apply the below configuration.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: sp-any-endpoint
  namespace: envoy-gateway-system
spec:
  jwt:
    providers:
      - claimToHeaders:
          - claim: userId
            header: x-user-id
          - claim: email
            header: x-username
          - claim: sessionId
            header: x-session-id
        name: internal
        remoteJWKS:
          uri: http://auth-service.auth-service-ns.svc.cluster.local/.well-known/jwks
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: hr-any-endpoint
    namespace: envoy-gateway-system
```


@ardikabs ardikabs added kind/enhancement New feature or request triage labels Dec 20, 2023
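The request above is to let a `remoteJWKS.uri` use plain `http://` when the JWKS server is reachable only inside the cluster. If that is ever allowed, an operator will want a policy-side check that keeps plaintext JWKS fetches confined to cluster-local hosts rather than any URI. The following is an added example, not Envoy Gateway code and not from the issue author: it walks a `SecurityPolicy` (built here as a Python dict mirroring the YAML from the issue, so no YAML library is needed) and classifies each remote JWKS URI as allow, warn or deny. The `INTERNAL_HOST_SUFFIXES` allow-list, the `allow_internal_http` switch and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed policy mirroring the SecurityPolicy from the issue
# (a dict rather than parsed YAML, so this runs without PyYAML).
SAMPLE_POLICY = {
    "apiVersion": "gateway.envoyproxy.io/v1alpha1",
    "kind": "SecurityPolicy",
    "metadata": {"name": "sp-any-endpoint", "namespace": "envoy-gateway-system"},
    "spec": {
        "jwt": {
            "providers": [
                {
                    "name": "internal",
                    "remoteJWKS": {
                        "uri": "http://auth-service.auth-service-ns.svc.cluster.local/.well-known/jwks"
                    },
                }
            ]
        }
    },
}

# Assumption for this example: hostnames ending in one of these suffixes are
# treated as cluster-internal and are the only ones where plaintext is tolerated.
INTERNAL_HOST_SUFFIXES = (".svc.cluster.local", ".svc")


def classify_jwks_uri(uri, allow_internal_http=False):
    """Return (level, reason) for one remoteJWKS URI, level in allow/warn/deny."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not host:
        return "deny", "missing or unparsable host"
    if scheme == "https":
        return "allow", "JWKS fetched over TLS"
    if scheme != "http":
        return "deny", f"unsupported scheme {scheme!r}"
    if allow_internal_http and host.endswith(INTERNAL_HOST_SUFFIXES):
        # Plaintext is tolerated only inside the cluster, and still flagged.
        return "warn", "plaintext JWKS fetch to cluster-internal host"
    return "deny", "plaintext JWKS fetch is not permitted for this host"


def check_security_policy(policy, allow_internal_http=False):
    """Classify every remoteJWKS provider in a SecurityPolicy; local JWKS is skipped."""
    findings = []
    providers = policy.get("spec", {}).get("jwt", {}).get("providers", []) or []
    for provider in providers:
        remote = provider.get("remoteJWKS")
        if not remote:
            continue
        uri = remote.get("uri", "")
        level, reason = classify_jwks_uri(uri, allow_internal_http)
        findings.append(
            {"provider": provider.get("name"), "uri": uri, "level": level, "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for f in check_security_policy(SAMPLE_POLICY, allow_internal_http=True):
        print(f"{f['level']:5} {f['provider']}: {f['uri']} ({f['reason']})")
```

With `allow_internal_http=False` the issue's policy is denied, matching the current HTTPS-only behaviour; with it enabled, the same policy is accepted with a warning because the host is under `.svc.cluster.local`, while an `http://` URI pointing at any other host is still denied. The check looks only at the URI, so it says nothing about whether the in-cluster path to the JWKS server is itself protected (for example by a service mesh).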
@zhaohuabing (Member) commented Dec 20, 2023

@ardikabs Thanks for the feedback. I think it's reasonable to support plain HTTP jwks and ext auth servers, but OIDC servers should stick to HTTPS. WDYT @arkodg ?
