feat: add support for optional JWT authentication

Signed-off-by: Ardika Bagus <me@ardikabs.com>
envoyproxy · Apr 17, 2024 · 1af6608 · 1af6608
1 parent c41247b
commit 1af6608
Show file tree

Hide file tree

Showing 14 changed files with 836 additions and 111 deletions.
diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go
@@ -8,6 +8,10 @@ package v1alpha1
 // JWT defines the configuration for JSON Web Token (JWT) authentication.
 type JWT struct {
 
+	// AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented.
+	//
+	AllowMissing bool `json:"allowMissing,omitempty"`
+
 	// Providers defines the JSON Web Token (JWT) authentication provider type.
 	// When multiple JWT providers are specified, the JWT is considered valid if
 	// any of the providers successfully validate the JWT. For additional details,

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -422,6 +422,10 @@ spec:
                 description: JWT defines the configuration for JSON Web Token (JWT)
                   authentication.
                 properties:
+                  allowMissing:
+                    description: AllowMissing specifies whether a missing JWT is acceptable,
+                      but it will fail if an invalid JWT is presented.
+                    type: boolean
                   providers:
                     description: |-
                       Providers defines the JSON Web Token (JWT) authentication provider type.

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -527,7 +527,8 @@ func wildcard2regex(wildcard string) string {
 
 func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
 	return &ir.JWT{
-		Providers: jwt.Providers,
+		AllowMissing: jwt.AllowMissing,
+		Providers:    jwt.Providers,
 	}
 }
 

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.in.yaml
@@ -0,0 +1,127 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-2
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+grpcRoutes:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+  kind: GRPCRoute
+  metadata:
+    namespace: default
+    name: grpcroute-1
+  spec:
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - backendRefs:
+      - name: service-1
+        port: 8080
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-1
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-2
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/"
+      backendRefs:
+      - name: service-1
+        port: 8080
+securityPolicies:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: policy-for-gateway
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      namespace: envoy-gateway
+    jwt:
+      providers:
+      - name: example1
+        issuer: https://one.example.com
+        audiences:
+        - one.foo.com
+        remoteJWKS:
+          uri: https://one.example.com/jwt/public-key/jwks.json
+        claimToHeaders:
+        - header: one-route-example-key
+          claim: claim1
+      - name: example2
+        issuer: https://two.example.com
+        audiences:
+        - two.foo.com
+        remoteJWKS:
+          uri: https://two.example.com/jwt/public-key/jwks.json
+        claimToHeaders:
+        - header: two-route-example-key
+          claim: claim2
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-1
+      namespace: default
+    jwt:
+      providers:
+      - name: example3
+        issuer: https://three.example.com
+        audiences:
+        - three.foo.com
+        remoteJWKS:
+          uri: https://three.example.com/jwt/public-key/jwks.json
+        claimToHeaders:
+        - header: three-route-example-key
+          claim: claim3
+        extractFrom:
+          headers:
+          - name: Authorization
+            valuePrefix: 'Bearer '
+          cookies:
+          - session_access_token
+          params:
+          - token
+      allowMissing: true