chore: adjust comment and use pointer for non-manandatory field

Signed-off-by: Ardika Bagus <me@ardikabs.com>
envoyproxy · Apr 17, 2024 · 33b3bc0 · 33b3bc0
1 parent 566aa30
commit 33b3bc0
Show file tree

Hide file tree

Showing 9 changed files with 75 additions and 67 deletions.
diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go
@@ -8,9 +8,9 @@ package v1alpha1
 // JWT defines the configuration for JSON Web Token (JWT) authentication.
 type JWT struct {
 
-	// AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented.
-	//
-	AllowMissing bool `json:"allowMissing,omitempty"`
+	// AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.
+	// Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented.
+	AllowMissing *bool `json:"allowMissing,omitempty"`
 
 	// Providers defines the JSON Web Token (JWT) authentication provider type.
 	// When multiple JWT providers are specified, the JWT is considered valid if

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -423,8 +423,9 @@ spec:
                   authentication.
                 properties:
                   allowMissing:
-                    description: AllowMissing specifies whether a missing JWT is acceptable,
-                      but it will fail if an invalid JWT is presented.
+                    description: |-
+                      AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.
+                      Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented.
                     type: boolean
                   providers:
                     description: |-

diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -527,7 +527,7 @@ func wildcard2regex(wildcard string) string {
 
 func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
 	return &ir.JWT{
-		AllowMissing: jwt.AllowMissing,
+		AllowMissing: ptr.Deref(jwt.AllowMissing, false),
 		Providers:    jwt.Providers,
 	}
 }

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml
@@ -307,27 +307,28 @@ xdsIR:
             weight: 1
         hostname: '*'
         isHTTP2: true
-        jwt:
-          providers:
-          - audiences:
-            - one.foo.com
-            claimToHeaders:
-            - claim: claim1
-              header: one-route-example-key
-            issuer: https://one.example.com
-            name: example1
-            remoteJWKS:
-              uri: https://one.example.com/jwt/public-key/jwks.json
-          - audiences:
-            - two.foo.com
-            claimToHeaders:
-            - claim: claim2
-              header: two-route-example-key
-            issuer: https://two.example.com
-            name: example2
-            remoteJWKS:
-              uri: https://two.example.com/jwt/public-key/jwks.json
         name: grpcroute/default/grpcroute-1/rule/0/match/-1/*
+        security:
+          jwt:
+            providers:
+            - audiences:
+              - one.foo.com
+              claimToHeaders:
+              - claim: claim1
+                header: one-route-example-key
+              issuer: https://one.example.com
+              name: example1
+              remoteJWKS:
+                uri: https://one.example.com/jwt/public-key/jwks.json
+            - audiences:
+              - two.foo.com
+              claimToHeaders:
+              - claim: claim2
+                header: two-route-example-key
+              issuer: https://two.example.com
+              name: example2
+              remoteJWKS:
+                uri: https://two.example.com/jwt/public-key/jwks.json
   envoy-gateway/gateway-2:
     accessLog:
       text:
@@ -357,28 +358,29 @@ xdsIR:
             weight: 1
         hostname: gateway.envoyproxy.io
         isHTTP2: false
-        jwt:
-          allowMissing: true
-          providers:
-          - audiences:
-            - three.foo.com
-            claimToHeaders:
-            - claim: claim3
-              header: three-route-example-key
-            extractFrom:
-              cookies:
-              - session_access_token
-              headers:
-              - name: Authorization
-                valuePrefix: 'Bearer '
-              params:
-              - token
-            issuer: https://three.example.com
-            name: example3
-            remoteJWKS:
-              uri: https://three.example.com/jwt/public-key/jwks.json
         name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io
         pathMatch:
           distinct: false
           name: ""
           prefix: /
+        security:
+          jwt:
+            allowMissing: true
+            providers:
+            - audiences:
+              - three.foo.com
+              claimToHeaders:
+              - claim: claim3
+                header: three-route-example-key
+              extractFrom:
+                cookies:
+                - session_access_token
+                headers:
+                - name: Authorization
+                  valuePrefix: 'Bearer '
+                params:
+                - token
+              issuer: https://three.example.com
+              name: example3
+              remoteJWKS:
+                uri: https://three.example.com/jwt/public-key/jwks.json
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
@@ -570,7 +570,7 @@ type CORS struct {
 //
 // +k8s:deepcopy-gen=true
 type JWT struct {
-	// AllowMissing specifies whether JWT authentication could be optionally required.
+	// AllowMissing determines whether a missing JWT is acceptable.
 	//
 	AllowMissing bool `json:"allowMissing,omitempty" yaml:"allowMissing,omitempty"`
 

diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
@@ -165,7 +165,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 			})
 		}
 
-		if route.JWT.AllowMissing {
+		if route.Security.JWT.AllowMissing {
 			reqs = append(reqs, &jwtauthnv3.JwtRequirement{
 				RequiresType: &jwtauthnv3.JwtRequirement_AllowMissing{
 					AllowMissing: &emptypb.Empty{},

diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml
@@ -12,23 +12,24 @@ http:
     hostname: "*"
     pathMatch:
       exact: "foo/bar"
-    jwt:
-      providers:
-      - name: example
-        issuer: https://www.example.com
-        audiences:
-        - foo.com
-        remoteJWKS:
-          uri: https://localhost/jwt/public-key/jwks.json
-        extractFrom:
-          cookies:
-          - session_access_token
-          headers:
-          - name: Authorization
-            valuePrefix: 'Bearer '
-          params:
-          - token
-      allowMissing: true
+    security:
+      jwt:
+        providers:
+        - name: example
+          issuer: https://www.example.com
+          audiences:
+          - foo.com
+          remoteJWKS:
+            uri: https://localhost/jwt/public-key/jwks.json
+          extractFrom:
+            cookies:
+            - session_access_token
+            headers:
+            - name: Authorization
+              valuePrefix: 'Bearer '
+            params:
+            - token
+        allowMissing: true
     destination:
       name: "first-route-dest"
       settings:

diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
@@ -1626,9 +1626,8 @@ _Appears in:_
 
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
-| `allowMissing` | _boolean_ |  true  | AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. |
-| `providers` | _[JWTProvider](#jwtprovider) array_ |  true  | Providers defines the JSON Web Token (JWT) authentication provider type.<br />When multiple JWT providers are specified, the JWT is considered valid if<br />any of the providers successfully validate the JWT. For additional details,<br />see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |
 
+| `allowMissing` | _boolean_ |  true  | AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.<br />Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. |
 | `providers` | _[JWTProvider](#jwtprovider) array_ |  true  | Providers defines the JSON Web Token (JWT) authentication provider type.<br />When multiple JWT providers are specified, the JWT is considered valid if<br />any of the providers successfully validate the JWT. For additional details,<br />see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |