envoyproxy · zhaohuabing · Dec 23, 2023 · Dec 20, 2023 · Dec 21, 2023 · Dec 21, 2023
@@ -86,11 +86,11 @@ securityPolicies:
         - header: one-route-example-key
           claim: claim1
       - name: example2
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         audiences:
         - two.foo.com
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
         claimToHeaders:
         - header: two-route-example-key
           claim: claim2

@@ -237,10 +237,10 @@ securityPolicies:
         claimToHeaders:
         - claim: claim2
           header: two-route-example-key
-        issuer: https://two.example.com
+        issuer: http://two.example.com
         name: example2
         remoteJWKS:
-          uri: https://two.example.com/jwt/public-key/jwks.json
+          uri: http://two.example.com/jwt/public-key/jwks.json
     targetRef:
       group: gateway.networking.k8s.io
       kind: Gateway
@@ -295,10 +295,10 @@ xdsIR:
             claimToHeaders:
             - claim: claim2
               header: two-route-example-key
-            issuer: https://two.example.com
+            issuer: http://two.example.com
             name: example2
             remoteJWKS:
-              uri: https://two.example.com/jwt/public-key/jwks.json
+              uri: http://two.example.com/jwt/public-key/jwks.json
         name: grpcroute/default/grpcroute-1/rule/0/match/-1/*
   envoy-gateway/gateway-2:
     accessLog:

@@ -109,7 +109,7 @@
 		for i := range route.JWT.Providers {
 			irProvider := route.JWT.Providers[i]
 			// Create the cluster for the remote jwks, if it doesn't exist.
-			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
+			jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI, false)
 			if err != nil {
 				return nil, err
 			}
@@ -262,7 +262,7 @@
 			)
 
 			provider := route.JWT.Providers[i]
-			jwks, err = url2Cluster(provider.RemoteJWKS.URI)
+			jwks, err = url2Cluster(provider.RemoteJWKS.URI, false)
 			if err != nil {
 				errs = multierror.Append(errs, err)
 				continue
@@ -273,18 +273,21 @@
 				Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(jwks.hostname, jwks.port)},
 			}
 
-			tSocket, err = buildXdsUpstreamTLSSocket()
-			if err != nil {
-				errs = multierror.Append(errs, err)
-				continue
-			}
-
-			if err = addXdsCluster(tCtx, &xdsClusterArgs{
+			clusterArgs := &xdsClusterArgs{
 				name:         jwks.name,
 				settings:     []*ir.DestinationSetting{ds},
-				tSocket:      tSocket,
 				endpointType: jwks.endpointType,
-			}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
+			}
+			if jwks.tls {
+				tSocket, err = buildXdsUpstreamTLSSocket()
+				if err != nil {
+					errs = multierror.Append(errs, err)
+					continue
+				}
+				clusterArgs.tSocket = tSocket
+			}
+
+			if err = addXdsCluster(tCtx, clusterArgs); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 				errs = multierror.Append(errs, err)
 			}
 		}

@@ -109,7 +109,7 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
 }
 
 func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
-	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 	if err != nil {
 		return nil, err
 	}
@@ -218,7 +218,7 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable,
 			err     error
 		)
 
-		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint)
+		cluster, err = url2Cluster(route.OIDC.Provider.TokenEndpoint, true)
 		if err != nil {
 			errs = multierror.Append(errs, err)
 			continue

@@ -21,12 +21,12 @@ http:
         - header: one-route-example-key1
           claim: claim.neteased.key
       - name: example2
-        issuer: https://www.two.example.com
+        issuer: http://www.two.example.com
         audiences:
         - one.foo.com
         - two.foo.com
         remoteJWKS:
-          uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+          uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
         claimToHeaders:
         - header: one-route-example2-key1
           claim: claim.neteased.key
@@ -54,12 +54,12 @@ http:
         - header: second-route-example-key1
           claim: claim.neteased.key
       - name: example2
-        issuer: https://www.two.example.com
+        issuer: http://www.two.example.com
         audiences:
         - one.foo.com
         - two.foo.com
         remoteJWKS:
-          uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+          uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
     destination:
       name: "second-route-www.test.com-dest"
       settings:

@@ -71,12 +71,4 @@
   name: "192_168_1_250_8080"
   outlierDetection: {}
   perConnectionBufferLimitBytes: 32768
-  transportSocket:
-    name: envoy.transport_sockets.tls
-    typedConfig:
-      '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
-      commonTlsContext:
-        validationContext:
-          trustedCa:
-            filename: /etc/ssl/certs/ca-certificates.crt
   type: EDS
@@ -45,15 +45,15 @@
                 - claimName: name
                   headerName: one-route-example2-key2
                 forward: true
-                issuer: https://www.two.example.com
-                payloadInMetadata: https://www.two.example.com
+                issuer: http://www.two.example.com
+                payloadInMetadata: http://www.two.example.com
                 remoteJwks:
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
                     cluster: "192_168_1_250_8080"
                     timeout: 5s
-                    uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+                    uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
                   retryPolicy: {}
               second-route-www.test.com/example:
                 audiences:
@@ -77,15 +77,15 @@
                 - one.foo.com
                 - two.foo.com
                 forward: true
-                issuer: https://www.two.example.com
-                payloadInMetadata: https://www.two.example.com
+                issuer: http://www.two.example.com
+                payloadInMetadata: http://www.two.example.com
                 remoteJwks:
                   asyncFetch: {}
                   cacheDuration: 300s
                   httpUri:
                     cluster: "192_168_1_250_8080"
                     timeout: 5s
-                    uri: https://192.168.1.250:8080/jwt/public-key/jwks.json
+                    uri: http://192.168.1.250:8080/jwt/public-key/jwks.json
                   retryPolicy: {}
             requirementMap:
               first-route-www.test.com:

@@ -29,10 +29,11 @@ type urlCluster struct {
 	hostname     string
 	port         uint32
 	endpointType EndpointType
+	tls          bool
 }
 
 // url2Cluster returns a urlCluster from the provided url.
-func url2Cluster(strURL string) (*urlCluster, error) {
+func url2Cluster(strURL string, secure bool) (*urlCluster, error) {
 	epType := EndpointTypeDNS
 
 	// The URL should have already been validated in the gateway API translator.
@@ -41,7 +42,7 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 		return nil, err
 	}
 
-	if u.Scheme != "https" {
+	if secure && u.Scheme != "https" {
 		return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
 	}
 
@@ -66,6 +67,7 @@ func url2Cluster(strURL string) (*urlCluster, error) {
 		hostname:     u.Hostname(),
 		port:         uint32(port),
 		endpointType: epType,
+		tls:          u.Scheme == "https",
 	}, nil
 }