diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
index 21cac85398d..e5c60882003 100644
--- a/api/v1alpha1/securitypolicy_types.go
+++ b/api/v1alpha1/securitypolicy_types.go
@@ -37,7 +37,7 @@ type SecurityPolicy struct {
 // SecurityPolicySpec defines the desired state of SecurityPolicy.
 type SecurityPolicySpec struct {
 // +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'", message="this policy can only have a targetRef.group of gateway.networking.k8s.io"
- // +kubebuilder:validation:XValidation:rule="self.kind == 'Gateway'", message="this policy can only have a targetRef.kind of Gateway"
+ // +kubebuilder:validation:XValidation:rule="self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute']", message="this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute"
 // +kubebuilder:validation:XValidation:rule="!has(self.sectionName)",message="this policy does not yet support the sectionName field"
 //
 // TargetRef is the name of the Gateway resource this policy
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 544e8dbe867..7fefb8b9d77 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -238,8 +238,8 @@ spec: x-kubernetes-validations: - message: this policy can only have a targetRef.group of gateway.networking.k8s.io rule: self.group == 'gateway.networking.k8s.io' - - message: this policy can only have a targetRef.kind of Gateway - rule: self.kind == 'Gateway' + - message: this policy can only have a targetRef.kind of Gateway/HTTPRoute/GRPCRoute + rule: self.kind in ['Gateway', 'HTTPRoute', 'GRPCRoute'] - message: this policy does not yet support the sectionName field rule: '!has(self.sectionName)' required:
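Review bot: The doc comment directly under the widened rule still reads `TargetRef is the name of the Gateway resource this policy`, so the generated CRD description will keep telling users the policy attaches only to a Gateway while the CEL rule now also admits HTTPRoute and GRPCRoute. I would change that line to `// TargetRef is the name of the Gateway, HTTPRoute or GRPCRoute resource this policy`; the comment and the struct continue outside the hunk, so the rest of the sentence may need the same adjustment. Because this is an authentication policy, the comment should also say which policy takes effect when a Gateway-level and a route-level SecurityPolicy cover the same route. The visible part of the diff does not show the translator handling route targets, and a policy that is admitted by the CRD but never enforced would leave a route unauthenticated with no error, so that path deserves a test before the validation is relaxed.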
diff --git a/examples/kubernetes/jwt/grpc-jwt.yaml b/examples/kubernetes/jwt/grpc-jwt.yaml
index a5da840eb66..c992f524fe8 100644
--- a/examples/kubernetes/jwt/grpc-jwt.yaml
+++ b/examples/kubernetes/jwt/grpc-jwt.yaml
@@ -11,7 +11,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1alpha2
 kind: GRPCRoute
diff --git a/examples/kubernetes/jwt/jwt.yaml b/examples/kubernetes/jwt/jwt.yaml
index dcf580edde9..46381b13a2f 100644
--- a/examples/kubernetes/jwt/jwt.yaml
+++ b/examples/kubernetes/jwt/jwt.yaml
@@ -11,7 +11,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
diff --git a/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml b/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
index 2b41c1a3eb4..14efe586c4e 100644
--- a/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
+++ b/internal/cmd/egctl/testdata/translate/in/jwt-single-route-single-match-to-xds.yaml
@@ -83,7 +83,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
index 6b6655a7989..9adf09f0e52 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
@@ -397,7 +397,7 @@
 "httpUri": {
 "cluster": "raw_githubusercontent_com_443",
 "timeout": "5s",
- "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json"
+ "uri": "https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json"
 },
 "retryPolicy": {}
 }
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
index 165e110d67b..1eb76aa4ce6 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
@@ -238,7 +238,7 @@ xds:
 httpUri:
 cluster: raw_githubusercontent_com_443
 timeout: 5s
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 retryPolicy: {}
 requirementMap:
 httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:
diff --git a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
index 38158d8d227..273ca89e7c7 100644
--- a/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
+++ b/internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
@@ -54,7 +54,7 @@ xds:
 httpUri:
 cluster: raw_githubusercontent_com_443
 timeout: 5s
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 retryPolicy: {}
 requirementMap:
 httproute/envoy-gateway-system/backend/rule/0/match/0/www_example_com:
diff --git a/site/content/en/latest/design/rate-limit.md b/site/content/en/latest/design/rate-limit.md
index d2f68c7e78d..e35d44c8239 100644
--- a/site/content/en/latest/design/rate-limit.md
+++ b/site/content/en/latest/design/rate-limit.md
@@ -232,7 +232,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 claimToHeaders:
 - claim: name
 header: custom-request-header
diff --git a/site/content/en/latest/design/security-policy.md b/site/content/en/latest/design/security-policy.md
index 89508d5727f..b7413b92ad0 100644
--- a/site/content/en/latest/design/security-policy.md
+++ b/site/content/en/latest/design/security-policy.md
@@ -73,7 +73,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 targetRef:
 group: gateway.networking.k8s.io
 kind: Gateway
diff --git a/site/content/en/latest/user/rate-limit.md b/site/content/en/latest/user/rate-limit.md
index c27eefaf90a..e8a38ac7740 100644
--- a/site/content/en/latest/user/rate-limit.md
+++ b/site/content/en/latest/user/rate-limit.md
@@ -607,7 +607,7 @@ spec:
 jwtProviders:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 claimToHeaders:
 - claim: name
 header: x-claim-name
diff --git a/site/content/en/v0.5.0/design/rate-limit.md b/site/content/en/v0.5.0/design/rate-limit.md
index 28ebbab8b36..5a8288a79d1 100644
--- a/site/content/en/v0.5.0/design/rate-limit.md
+++ b/site/content/en/v0.5.0/design/rate-limit.md
@@ -228,7 +228,7 @@ spec:
 jwtProviders:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 claimToHeaders:
 - claim: name
 header: custom-request-header
diff --git a/site/content/en/v0.5.0/user/rate-limit.md b/site/content/en/v0.5.0/user/rate-limit.md
index 3c780c730a6..2bb1169daf6 100644
--- a/site/content/en/v0.5.0/user/rate-limit.md
+++ b/site/content/en/v0.5.0/user/rate-limit.md
@@ -590,7 +590,7 @@ spec:
 jwtProviders:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 claimToHeaders:
 - claim: name
 header: x-claim-name
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go
index 0c7db9c2e65..1c6d5b22f92 100644
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -41,12 +41,9 @@ func TestE2E(t *testing.T) {
 *flags.GatewayClassName, *flags.CleanupBaseResources, *flags.ShowDebug, *flags.SupportedFeatures, *flags.ExemptFeatures)
 cSuite := suite.New(suite.Options{
- Client: client,
- GatewayClassName: *flags.GatewayClassName,
- Debug: *flags.ShowDebug,
- SkipTests: []string{
- tests.RateLimitBasedJwtClaimsTest.ShortName,
- },
+ Client: client,
+ GatewayClassName: *flags.GatewayClassName,
+ Debug: *flags.ShowDebug,
 CleanupBaseResources: *flags.CleanupBaseResources,
 FS: &Manifests,
 })
diff --git a/test/e2e/testdata/ratelimit-based-jwt-claims.yaml b/test/e2e/testdata/ratelimit-based-jwt-claims.yaml
index edfcb8ad6aa..d16e9c1ebdb 100644
--- a/test/e2e/testdata/ratelimit-based-jwt-claims.yaml
+++ b/test/e2e/testdata/ratelimit-based-jwt-claims.yaml
@@ -13,7 +13,7 @@ spec:
 providers:
 - name: example
 remoteJWKS:
- uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
+ uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
 claimToHeaders:
 - claim: name
 header: x-claim-name
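Review bot: With the `SkipTests` entry gone, `RateLimitBasedJwtClaimsTest` runs on every e2e pass, and its fixture (test/e2e/testdata/ratelimit-based-jwt-claims.yaml, changed in this same commit) has the proxy fetch its JWKS from raw.githubusercontent.com on the `main` branch. The suite's result therefore depends on outbound network access from the test cluster and on whatever that mutable ref serves at run time. Pinning the fixture to an immutable ref would keep the trust anchor under test stable, e.g. `uri: https://raw.githubusercontent.com/envoyproxy/gateway/COMMIT_SHA/examples/kubernetes/jwt/jwks.json` (COMMIT_SHA is a placeholder). At minimum a comment above the options, `// RateLimitBasedJwtClaimsTest needs egress to raw.githubusercontent.com to fetch the JWKS.`, would explain failures in restricted environments. The `suite.New` call sits inside `TestE2E`, whose body starts and ends outside the hunk.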