diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml
index b7eec111123..4e51d2c903c 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt.in.yaml
@@ -86,11 +86,11 @@ securityPolicies: - header: one-route-example-key claim: claim1 - name: example2 - issuer: https://two.example.com + issuer: http://two.example.com audiences: - two.foo.com remoteJWKS: - uri: https://two.example.com/jwt/public-key/jwks.json + uri: http://two.example.com/jwt/public-key/jwks.json claimToHeaders: - header: two-route-example-key claim: claim2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml
index e9a19c80c8d..18ce17f5d26 100755
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt.out.yaml
@@ -237,10 +237,10 @@ securityPolicies: claimToHeaders: - claim: claim2 header: two-route-example-key - issuer: https://two.example.com + issuer: http://two.example.com name: example2 remoteJWKS: - uri: https://two.example.com/jwt/public-key/jwks.json + uri: http://two.example.com/jwt/public-key/jwks.json targetRef: group: gateway.networking.k8s.io kind: Gateway
@@ -295,10 +295,10 @@ xdsIR: claimToHeaders: - claim: claim2 header: two-route-example-key - issuer: https://two.example.com + issuer: http://two.example.com name: example2 remoteJWKS: - uri: https://two.example.com/jwt/public-key/jwks.json + uri: http://two.example.com/jwt/public-key/jwks.json name: grpcroute/default/grpcroute-1/rule/0/match/-1/* envoy-gateway/gateway-2: accessLog:
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index 2978c548505..abb4f0b13f6 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -109,7 +109,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 for i := range route.JWT.Providers {
 irProvider := route.JWT.Providers[i]
 // Create the cluster for the remote jwks, if it doesn't exist.
- jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
+ jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI, false)
 if err != nil {
 return nil, err
 }
@@ -262,7 +262,7 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 )
 provider := route.JWT.Providers[i]
- jwks, err = url2Cluster(provider.RemoteJWKS.URI)
+ jwks, err = url2Cluster(provider.RemoteJWKS.URI, false)
 if err != nil {
 errs = multierror.Append(errs, err)
 continue
@@ -273,18 +273,21 @@ func (*jwt) patchResources(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRo
 Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(jwks.hostname, jwks.port)},
 }
- tSocket, err = buildXdsUpstreamTLSSocket()
- if err != nil {
- errs = multierror.Append(errs, err)
- continue
- }
-
- if err = addXdsCluster(tCtx, &xdsClusterArgs{
+ clusterArgs := &xdsClusterArgs{
 name: jwks.name,
 settings: []*ir.DestinationSetting{ds},
- tSocket: tSocket,
 endpointType: jwks.endpointType,
- }); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+ }
+ if jwks.tls {
+ tSocket, err = buildXdsUpstreamTLSSocket()
+ if err != nil {
+ errs = multierror.Append(errs, err)
+ continue
+ }
+ clusterArgs.tSocket = tSocket
+ }
+
+ if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 errs = multierror.Append(errs, err)
 }
 }
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
index e2cadc9a958..018ad0a120b 100644
--- a/internal/xds/translator/oidc.go
+++ b/internal/xds/translator/oidc.go
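Review bot: The `ErrXdsClusterExists` branch on the last added line of the -273 hunk now silently reuses an existing cluster even when its transport differs: the cluster name appears to be derived only from host and port (the golden output in this diff names clusters `localhost_80` and `localhost_443`), so an `https://host:80` JWKS and an `http://host:80` JWKS on two providers would map to the same name, and whichever provider is processed second would fetch its keys over the other one's transport. Before this change every JWKS cluster carried a TLS socket, so such a collision was harmless; with a mixed plaintext/TLS population it can downgrade a key fetch without any error. Either fold the scheme into the cluster name where url2Cluster builds it, or have addXdsCluster compare the requested tSocket with the existing cluster and return a distinct error that is not swallowed here. patchResources starts and ends outside the hunk.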
@@ -109,7 +109,7 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
 }
 func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
- cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+ cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 if err != nil {
 return nil, err
 }
@@ -218,7 +218,7 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
 err error
 )
- cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint)
+ cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 if err != nil {
 errs = multierror.Append(errs, err)
 continue
diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
index 6abee5f0575..91b17b0f7be 100644
--- a/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/jwt-multi-route-multi-provider.yaml
@@ -16,7 +16,7 @@ http: audiences: - foo.com remoteJWKS: - uri: https://localhost/jwt/public-key/jwks.json + uri: http://localhost/jwt/public-key/jwks.json claimToHeaders: - header: one-route-example-key1 claim: claim.neteased.key
@@ -49,7 +49,7 @@ http: audiences: - foo.com remoteJWKS: - uri: https://localhost/jwt/public-key/jwks.json + uri: http://localhost/jwt/public-key/jwks.json claimToHeaders: - header: second-route-example-key1 claim: claim.neteased.key
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
index fd188612f27..ecb9808182b 100755
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.clusters.yaml
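Review bot: Both providers in jwt-multi-route-multi-provider.yaml (hunks -16 and -49) are moved from https to http, so the clusters golden in this diff no longer contains any transport socket and the new `if jwks.tls` branch in jwt.go is not exercised by this fixture; unless another xds-ir fixture still uses an https JWKS, the TLS path for remote JWKS loses its golden coverage at the same time the plaintext path gains it. Changing only one provider, and leaving the other on `https://localhost/jwt/public-key/jwks.json`, would make the same fixture cover both branches and would also show the two clusters side by side in the output. The same consideration applies to securitypolicy-with-jwt.in.yaml, where only example2 is switched to http; example1 is outside that hunk, so it may still cover https there.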
@@ -33,30 +33,22 @@ dnsRefreshRate: 30s lbPolicy: LEAST_REQUEST loadAssignment: - clusterName: localhost_443 + clusterName: localhost_80 endpoints: - lbEndpoints: - endpoint: address: socketAddress: address: localhost - portValue: 443 + portValue: 80 loadBalancingWeight: 1 loadBalancingWeight: 1 locality: - region: localhost_443/backend/0 - name: localhost_443 + region: localhost_80/backend/0 + name: localhost_80 outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true - transportSocket: - name: envoy.transport_sockets.tls - typedConfig: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - commonTlsContext: - validationContext: - trustedCa: - filename: /etc/ssl/certs/ca-certificates.crt type: STRICT_DNS - commonLbConfig: localityWeightedLbConfig: {}
diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
index 23990992ee7..5eec374480d 100755
--- a/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/jwt-multi-route-multi-provider.listeners.yaml
@@ -31,9 +31,9 @@ asyncFetch: {} cacheDuration: 300s httpUri: - cluster: localhost_443 + cluster: localhost_80 timeout: 5s - uri: https://localhost/jwt/public-key/jwks.json + uri: http://localhost/jwt/public-key/jwks.json retryPolicy: {} first-route-www.test.com/example2: audiences:
@@ -68,9 +68,9 @@ asyncFetch: {} cacheDuration: 300s httpUri: - cluster: localhost_443 + cluster: localhost_80 timeout: 5s - uri: https://localhost/jwt/public-key/jwks.json + uri: http://localhost/jwt/public-key/jwks.json retryPolicy: {} second-route-www.test.com/example2: audiences:
diff --git a/internal/xds/translator/utils.go b/internal/xds/translator/utils.go
index 407d646408c..dbb6897336b 100644
--- a/internal/xds/translator/utils.go
+++ b/internal/xds/translator/utils.go
@@ -20,7 +20,8 @@ import (
 )
 const (
- defaultPort = 443
+ defaultHTTPSPort = 443
+ defaultHTTPPort = 80
 )
 // urlCluster is a cluster that is created from a URL.
@@ -29,10 +30,11 @@ type urlCluster struct {
 hostname string
 port uint32
 endpointType EndpointType
+ tls bool
 }
 // url2Cluster returns a urlCluster from the provided url.
-func url2Cluster(strURL string) (*urlCluster, error) {
+func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 epType := EndpointTypeDNS
 // The URL should have already been validated in the gateway API translator.
@@ -41,11 +43,17 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 return nil, err
 }
- if u.Scheme != "https" {
+ if secure && u.Scheme != "https" {
 return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
 }
- port := defaultPort
+ var port int
+ if u.Scheme == "https" {
+ port = defaultHTTPSPort
+ } else {
+ port = defaultHTTPPort
+ }
+
 if u.Port() != "" {
 port, err = strconv.Atoi(u.Port())
 if err != nil {
@@ -66,6 +74,7 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 hostname: u.Hostname(),
 port: uint32(port),
 endpointType: epType,
+ tls: u.Scheme == "https",
 }, nil
 }
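Review bot: With `secure` false the scheme is no longer validated at all in the -41 hunk: `if secure && u.Scheme != "https"` lets any non-https scheme, including an empty one, through, and the lines below then default the port to 80 and set `tls` to false as if it were plain http. The context comment says the URL should already have been validated in the gateway API translator, but this helper was the last guard before a cluster is built, so it should keep rejecting anything other than http or https, e.g. `if u.Scheme != "https" && (secure || u.Scheme != "http") {` in front of the existing `unsupported URI scheme` error. The doc comment on url2Cluster in the -29 hunk should also say what the new parameter means, e.g. `// secure requires an https URL; when false, plain http is accepted too and the returned cluster's tls field reports whether the upstream needs TLS.` A bare `true`/`false` at the call sites in jwt.go and oidc.go is hard to read at a glance; a named constant pair or a short comment at each call would make the intent visible.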