
Dynamically create jwks clusters for jwt providers #17944

Merged
roncodingenthusiast merged 1 commit intomainfrom
issue-17886-jwks
Jun 29, 2023

Conversation


@roncodingenthusiast roncodingenthusiast commented Jun 28, 2023

Description

  • 1/n PRs to improve jwks clusters for jwt providers authentication with intention
  • This PR allows us to create a cluster per jwt-config entry. Prior to this, the envoy config would fail with the following message: failed: [cluster = jwks_cluster] is not configured
  • The cluster has more configuration like certs and other entries that we can expose. We will be exposing them as part of a follow up PR.

Testing & Reproduction steps

  • create a jwt provider that has a remote JWKS
  • write an intention referencing that jwt provider
  • make a request without a jwt (this request should fail with Jwt is missing% )
  • make a request with a correct jwt (this should be successful)

PR Checklist

  • Follow up PRs with config entry changes and fixing the todos
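As an added illustration of the reproduction steps above (this is not code from the PR or from Consul itself), here are the two config entries involved: a `jwt-provider` whose JWKS is fetched remotely, which is exactly the case that needs the per-provider Envoy cluster this PR generates, and a `service-intentions` entry with a permission that references that provider. Hostnames, service names, claim paths and values are constructed placeholders; the field names follow the Consul 1.16 config-entry schema (an assumption to confirm against the documentation for the version in use).

```hcl
# ---- file 1: example-idp-jwt-provider.hcl (constructed example) ----
# A remote JSONWebKeySet means Envoy's jwt_authn filter must fetch keys over
# HTTP from Remote.URI, and that fetch needs an upstream cluster in the
# listener's Envoy config. Before this PR that cluster was missing, hence
# "[cluster = jwks_cluster] is not configured"; after it, one cluster is
# generated per jwt-provider entry.
Kind = "jwt-provider"
Name = "example-idp"                                   # placeholder provider name

Issuer    = "https://idp.example.test/"                 # placeholder; must equal the token's "iss" claim
Audiences = ["api.example.test"]                        # placeholder; matched against the "aud" claim

JSONWebKeySet = {
  Remote = {
    URI                 = "https://idp.example.test/.well-known/jwks.json"  # placeholder JWKS endpoint
    FetchAsynchronously = true          # keep serving with cached keys while a refresh is in flight
    CacheDuration       = "1h"          # bound how long a rotated-out key stays trusted
    RetryPolicy = {
      NumRetries = 3                    # transient IdP outages should not fail closed immediately
    }
  }
}

# Where the proxy looks for the token; a request with no Authorization header
# is rejected by jwt_authn with "Jwt is missing" (the failure in step 3 above).
Locations = [
  { Header = { Name = "Authorization", ValuePrefix = "Bearer " } },
]

ClockSkewSeconds = 30

# ---- file 2: api-intentions.hcl (constructed example) ----
# L7 intentions require the destination to be configured with an HTTP-class
# protocol (e.g. service-defaults with Protocol = "http").
Kind = "service-intentions"
Name = "api"                                            # placeholder destination service
Sources = [
  {
    Name = "frontend"                                   # placeholder source service
    Permissions = [
      {
        Action = "allow"
        HTTP   = { PathPrefix = "/" }
        JWT = {
          Providers = [
            {
              Name = "example-idp"                      # references the jwt-provider entry above
              VerifyClaims = [
                # A valid signature alone is not enough: also require a claim value,
                # so tokens minted for other roles/tenants are refused.
                { Path = ["roles"], Value = "api-reader" },   # placeholder claim
              ]
            },
          ]
        }
      },
    ]
  },
]
```

Each entry is written separately with `consul config write <file>` (one config entry per file). With both applied, a request from `frontend` to `api` without a token is refused by the jwt_authn filter, and a request carrying a bearer token issued by the provider that passes the audience and claim checks is allowed through.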

@roncodingenthusiast roncodingenthusiast added pr/no-changelog PR does not need a corresponding .changelog entry backport/1.16 This release series is no longer active on CE. Use backport/ent/1.16. labels Jun 28, 2023
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label Jun 28, 2023
@roncodingenthusiast roncodingenthusiast changed the title Dynamically create jwks clusters for jwt providers WIP: Dynamically create jwks clusters for jwt providers Jun 28, 2023
@roncodingenthusiast roncodingenthusiast force-pushed the issue-17886-jwks branch 2 times, most recently from e01d5a8 to dabfaa6 June 29, 2023 11:41
@roncodingenthusiast roncodingenthusiast changed the title WIP: Dynamically create jwks clusters for jwt providers Dynamically create jwks clusters for jwt providers Jun 29, 2023
@roncodingenthusiast roncodingenthusiast requested review from a team, cthain and pglass and removed request for a team June 29, 2023 11:58
@roncodingenthusiast roncodingenthusiast marked this pull request as ready for review June 29, 2023 11:58

@cthain cthain left a comment


Looking good! A couple of minor questions/suggestions?


pglass commented Jun 29, 2023

linking to #17886


@johnlanda johnlanda left a comment


Looks good to me. Just some super minor comment styling suggestions.

@roncodingenthusiast roncodingenthusiast enabled auto-merge (squash) June 29, 2023 20:20
@roncodingenthusiast roncodingenthusiast merged commit 1512ea3 into main Jun 29, 2023
@roncodingenthusiast roncodingenthusiast deleted the issue-17886-jwks branch June 29, 2023 20:37
hc-github-team-consul-core added a commit that referenced this pull request Jul 21, 2023
…nto release/1.16.x (#18229)

* [OSS] Post Consul 1.16 updates (#17606)

* chore: update dev build to 1.17

* chore(ci): add nightly 1.16 test

Drop the oldest and add the newest running release branch to nightly
builds.

* Add writeAuditRPCEvent to agent_oss (#17607)

* Add writeAuditRPCEvent to agent_oss

* fix the other diffs

* backport change log

* Add Envoy and Consul version constraints to Envoy extensions (#17612)

* [API Gateway] Fix trust domain for external peered services in synthesis code (#17609)

* [API Gateway] Fix trust domain for external peered services in synthesis code

* Add changelog

* backport ent changes to oss (#17614)

* backport ent changes to oss

* Update .changelog/_5669.txt

Co-authored-by: Michael Zalimeni <[email protected]>

---------

Co-authored-by: Michael Zalimeni <[email protected]>

* Update intentions.mdx (#17619)

Make behaviour of L7 intentions clearer

* enterprise changelog update for audit (#17625)

* Update list of Envoy versions (#17546)

* [API Gateway] Fix rate limiting for API gateways (#17631)

* [API Gateway] Fix rate limiting for API gateways

* Add changelog

* Fix failing unit tests

* Fix operator usage tests for api package

* sort some imports that are wonky between oss and ent (#17637)

* PmTLS and tproxy improvements with failover and L7 traffic mgmt for k8s (#17624)

* porting over changes from enterprise repo to oss

* applied feedback on service mesh for k8s overview

* fixed typo

* removed ent-only build script file

* Apply suggestions from code review

Co-authored-by: Jeff Boruszak <[email protected]>

* Apply suggestions from code review

Co-authored-by: David Yu <[email protected]>
Co-authored-by: Jeff Boruszak <[email protected]>

---------

Co-authored-by: Jeff Boruszak <[email protected]>
Co-authored-by: David Yu <[email protected]>

* Delete check-legacy-links-format.yml (#17647)

* docs: Reference doc updates for permissive mTLS settings (#17371)

* Reference doc updates for permissive mTLS settings
* Document config entry filtering
* Fix minor doc errors (double slashes in link url paths)

---------

Co-authored-by: trujillo-adam <[email protected]>

* Add generic experiments configuration and use it to enable catalog v2 resources (#17604)

* Add generic experiments configuration and use it to enable catalog v2 resources

* Run formatting with -s as CI will validate that this has been done

* api-gateway: stop adding all header filters to virtual host when generating xDS (#17644)

* Add header filter to api-gateway xDS golden test

* Stop adding all header filters to virtual host when generating xDS for api-gateway

* Regenerate xDS golden file for api-gateway w/ header filter

* fix: add agent info reporting log (