-
Notifications
You must be signed in to change notification settings - Fork 365
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Routing based on JWT Claims #2452
Comments
|
there's a
it doesnt look like it needs to be set |
@arkodg, Its comments may be ambiguous, requiring |
nice find @tmsnan, does that logic need to be updated to
? |
No changes needed @arkodg. Recalculating routes may cause performance issues. In some scenarios, only header or metadata information needs to be added without requiring rerouting, such as ratelimit-based JWT claims. |
Add a field called `useForRouting` that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisions Internally this field will be used to * insert a catch-all route with a 404 direct response identical to envoyproxy#2586 which makes sure the jwt filter with `claimToHeader` is applied before recomputing routing decision * enable `clear_route_cache` to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider Relates to envoyproxy#2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
This issue has been automatically marked as stale because it has not had activity in the last 30 days. |
Add a field called `useForRouting` that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisions Internally this field will be used to * insert a catch-all route with a 404 direct response identical to envoyproxy#2586 which makes sure the jwt filter with `claimToHeader` is applied before recomputing routing decision * enable `clear_route_cache` to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider Relates to envoyproxy#2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Add a field called `useForRouting` that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisions Internally this field will be used to * insert a catch-all route with a 404 direct response identical to envoyproxy#2586 which makes sure the jwt filter with `claimToHeader` is applied before recomputing routing decision * enable `clear_route_cache` to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider Relates to envoyproxy#2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
* api: useForRouting field in JWT Add a field called `useForRouting` that signals to Envoy Gateway that the headers generated from the claims are used to make routing decisions Internally this field will be used to * enable `clear_route_cache` to recompute routing decision https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider Relates to #2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * helm Signed-off-by: Arko Dasgupta <arko@tetrate.io> * optional Signed-off-by: Arko Dasgupta <arko@tetrate.io> * rename to recomputeRoute Signed-off-by: Arko Dasgupta <arko@tetrate.io> * address comments Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Relates to envoyproxy#2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Relates to #2452 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
I added this to my jwt path and trying to figure out why it is not working:
worth of adding new issue or? |
are you using the latest of |
sorry, forgot to compile newest egctl. With newest egctl I can dump the configuration. However, the JWT based routing does not work with the PR which added clear_route_cache to JWT. configuration:
my application behind httproute is echoserver, if I remove that headers filter. I can see the x-sub and that same value in the response. Also if I remove securitypolicy and just use -H 'x-sub: ca28333f-177f-4b7a-90c3-83951bc0eda4' as curl parameters, the routing will work. So as I see it: new |
@zetaab plan on wrapping up a few higher priority work items for v1 rc before adding e2e and docs for this feature, should hopefully complete it by next week. |
Description:
Users would like to route to a specific backend by matching on JWT claims
Looks like a popular issue raised in upstream as well kubernetes-sigs/gateway-api#920 but was closed due to lack of ownership
[optional Relevant Links:]
The text was updated successfully, but these errors were encountered: