diff --git a/agent/xds/clusters_test.go b/agent/xds/clusters_test.go index ff6b0f70fc7ce..de1c0eda29b7a 100644 --- a/agent/xds/clusters_test.go +++ b/agent/xds/clusters_test.go @@ -265,67 +265,6 @@ func TestClustersFromSnapshot(t *testing.T) { }, alsoRunTestForV2: true, }, - { - name: "connect-proxy-with-jwt-config-entry-with-local", - create: func(t testinf.T) *proxycfg.ConfigSnapshot { - return proxycfg.TestConfigSnapshot(t, nil, []proxycfg.UpdateEvent{ - { - CorrelationID: "jwt-provider", - Result: &structs.IndexedConfigEntries{ - Kind: "jwt-provider", - Entries: []structs.ConfigEntry{ - &structs.JWTProviderConfigEntry{ - Name: "okta", - JSONWebKeySet: &structs.JSONWebKeySet{ - Local: &structs.LocalJWKS{ - JWKS: "xxx", - }, - }, - }, - }, - }, - }, - }) - }, - // TODO(proxystate): jwt work will come at a later time - alsoRunTestForV2: false, - }, - { - name: "connect-proxy-with-jwt-config-entry-with-remote-jwks", - create: func(t testinf.T) *proxycfg.ConfigSnapshot { - return proxycfg.TestConfigSnapshot(t, nil, []proxycfg.UpdateEvent{ - { - CorrelationID: "jwt-provider", - Result: &structs.IndexedConfigEntries{ - Kind: "jwt-provider", - Entries: []structs.ConfigEntry{ - &structs.JWTProviderConfigEntry{ - Name: "okta", - JSONWebKeySet: &structs.JSONWebKeySet{ - Remote: &structs.RemoteJWKS{ - RequestTimeoutMs: 1000, - FetchAsynchronously: true, - URI: "https://test.test.com", - JWKSCluster: &structs.JWKSCluster{ - DiscoveryType: structs.DiscoveryTypeStatic, - ConnectTimeout: time.Duration(5) * time.Second, - TLSCertificates: &structs.JWKSTLSCertificate{ - TrustedCA: &structs.JWKSTLSCertTrustedCA{ - Filename: "mycert.crt", - }, - }, - }, - }, - }, - }, - }, - }, - }, - }) - }, - // TODO(proxystate): jwt work will come at a later time - alsoRunTestForV2: false, - }, { name: "custom-local-app", create: func(t testinf.T) *proxycfg.ConfigSnapshot { diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index dfe088f57787a..042f181e2554f 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go @@ -145,65 +145,6 @@ func makeListenerDiscoChainTests(enterprise bool) []listenerTestCase { }, alsoRunTestForV2: true, }, - { - name: "connect-proxy-with-jwt-config-entry-with-local", - create: func(t testinf.T) *proxycfg.ConfigSnapshot { - return proxycfg.TestConfigSnapshotDiscoveryChain(t, "simple", enterprise, func(ns *structs.NodeService) { - ns.Proxy.Config["protocol"] = "http" - }, - []proxycfg.UpdateEvent{ - { - CorrelationID: "jwt-provider", - Result: &structs.IndexedConfigEntries{ - Kind: "jwt-provider", - Entries: []structs.ConfigEntry{ - &structs.JWTProviderConfigEntry{ - Name: "okta", - JSONWebKeySet: &structs.JSONWebKeySet{ - Local: &structs.LocalJWKS{ - JWKS: "aGVsbG8gd29ybGQK", - }, - }, - Locations: []*structs.JWTLocation{ - { - QueryParam: &structs.JWTLocationQueryParam{ - Name: "token", - }, - }, - { - Cookie: &structs.JWTLocationCookie{ - Name: "token", - }, - }, - }, - }, - }, - }, - }, - { - CorrelationID: "intentions", - Result: structs.SimplifiedIntentions{ - { - SourceName: "*", - DestinationName: "db", - Permissions: []*structs.IntentionPermission{ - { - JWT: &structs.IntentionJWTRequirement{ - Providers: []*structs.IntentionJWTProvider{ - { - Name: "okta", - }, - }, - }, - }, - }, - }, - }, - }, - }, - ) - }, - }, } } diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go index f5a4acca38b09..affbf54e81ef3 100644 --- a/agent/xds/resources_test.go +++ b/agent/xds/resources_test.go @@ -275,6 +275,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) { tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...) tests = append(tests, getEnterpriseGoldenTestCases(t)...) tests = append(tests, getAPIGatewayGoldenTestCases(t)...) + tests = append(tests, getConnectProxyJWTProviderGoldenTestCases()...) latestEnvoyVersion := xdscommon.EnvoyVersions[0] for _, envoyVersion := range xdscommon.EnvoyVersions { @@ -796,3 +797,69 @@ func getAPIGatewayGoldenTestCases(t *testing.T) []goldenTestCase { }, } } + +func getConnectProxyJWTProviderGoldenTestCases() []goldenTestCase { + return []goldenTestCase{ + { + name: "connect-proxy-with-jwt-config-entry-with-local", + create: func(t testinf.T) *proxycfg.ConfigSnapshot { + return proxycfg.TestConfigSnapshot(t, nil, []proxycfg.UpdateEvent{ + { + CorrelationID: "jwt-provider", + Result: &structs.IndexedConfigEntries{ + Kind: "jwt-provider", + Entries: []structs.ConfigEntry{ + &structs.JWTProviderConfigEntry{ + Name: "okta", + JSONWebKeySet: &structs.JSONWebKeySet{ + Local: &structs.LocalJWKS{ + JWKS: "xxx", + }, + }, + }, + }, + }, + }, + }) + }, + // TODO(proxystate): jwt work will come at a later time + alsoRunTestForV2: false, + }, + { + name: "connect-proxy-with-jwt-config-entry-with-remote-jwks", + create: func(t testinf.T) *proxycfg.ConfigSnapshot { + return proxycfg.TestConfigSnapshot(t, nil, []proxycfg.UpdateEvent{ + { + CorrelationID: "jwt-provider", + Result: &structs.IndexedConfigEntries{ + Kind: "jwt-provider", + Entries: []structs.ConfigEntry{ + &structs.JWTProviderConfigEntry{ + Name: "okta", + JSONWebKeySet: &structs.JSONWebKeySet{ + Remote: &structs.RemoteJWKS{ + RequestTimeoutMs: 1000, + FetchAsynchronously: true, + URI: "https://test.test.com", + JWKSCluster: &structs.JWKSCluster{ + DiscoveryType: structs.DiscoveryTypeStatic, + ConnectTimeout: time.Duration(5) * time.Second, + TLSCertificates: &structs.JWKSTLSCertificate{ + TrustedCA: &structs.JWKSTLSCertTrustedCA{ + Filename: "mycert.crt", + }, + }, + }, + }, + }, + }, + }, + }, + }, + }) + }, + // TODO(proxystate): jwt work will come at a later time + alsoRunTestForV2: false, + }, + } +} diff --git a/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-local.latest.golden b/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-local.latest.golden new file mode 100644 index 0000000000000..b4372a3439e81 --- /dev/null +++ b/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-local.latest.golden @@ -0,0 +1,75 @@ +{ + "nonce": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.1", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + }, + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.2", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.1", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + }, + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.20.1.2", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden new file mode 100644 index 0000000000000..b4372a3439e81 --- /dev/null +++ b/agent/xds/testdata/endpoints/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden @@ -0,0 +1,75 @@ +{ + "nonce": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.1", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + }, + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.2", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "clusterName": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "endpoints": [ + { + "lbEndpoints": [ + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.10.1.1", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + }, + { + "endpoint": { + "address": { + "socketAddress": { + "address": "10.20.1.2", + "portValue": 8080 + } + } + }, + "healthStatus": "HEALTHY", + "loadBalancingWeight": 1 + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-local.latest.golden b/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-local.latest.golden index e543143959774..0254a224d513b 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-local.latest.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-local.latest.golden @@ -63,179 +63,19 @@ { "filters": [ { - "name": "envoy.filters.network.http_connection_manager", + "name": "envoy.filters.network.rbac", "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager", - "forwardClientCertDetails": "APPEND_FORWARD", - "httpFilters": [ - { - "name": "envoy.filters.http.jwt_authn", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication", - "providers": { - "okta": { - "fromCookies": [ - "token" - ], - "fromParams": [ - "token" - ], - "localJwks": { - "inlineString": "hello world\n" - }, - "payloadInMetadata": "jwt_payload_okta" - } - }, - "rules": [ - { - "match": { - "prefix": "/" - }, - "requires": { - "requiresAny": { - "requirements": [ - { - "providerName": "okta" - }, - { - "allowMissingOrFailed": {} - } - ] - } - } - } - ] - } - }, - { - "name": "envoy.filters.http.rbac", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", - "rules": {} - } - }, - { - "name": "envoy.filters.http.header_to_metadata", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.header_to_metadata.v3.Config", - "requestRules": [ - { - "header": "x-forwarded-client-cert", - "onHeaderPresent": { - "key": "trust-domain", - "metadataNamespace": "consul", - "regexValueRewrite": { - "pattern": { - "googleRe2": {}, - "regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" - }, - "substitution": "\\1" - } - } - }, - { - "header": "x-forwarded-client-cert", - "onHeaderPresent": { - "key": "partition", - "metadataNamespace": "consul", - "regexValueRewrite": { - "pattern": { - "googleRe2": {}, - "regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" - }, - "substitution": "\\2" - } - } - }, - { - "header": "x-forwarded-client-cert", - "onHeaderPresent": { - "key": "namespace", - "metadataNamespace": "consul", - "regexValueRewrite": { - "pattern": { - "googleRe2": {}, - "regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" - }, - "substitution": "\\3" - } - } - }, - { - "header": "x-forwarded-client-cert", - "onHeaderPresent": { - "key": "datacenter", - "metadataNamespace": "consul", - "regexValueRewrite": { - "pattern": { - "googleRe2": {}, - "regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" - }, - "substitution": "\\4" - } - } - }, - { - "header": "x-forwarded-client-cert", - "onHeaderPresent": { - "key": "service", - "metadataNamespace": "consul", - "regexValueRewrite": { - "pattern": { - "googleRe2": {}, - "regex": ".*URI=spiffe://([^/]+.[^/]+)(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/;,]+).*" - }, - "substitution": "\\5" - } - } - } - ] - } - }, - { - "name": "envoy.filters.http.router", - "typedConfig": { - "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router" - } - } - ], - "routeConfig": { - "name": "public_listener", - "virtualHosts": [ - { - "domains": [ - "*" - ], - "name": "public_listener", - "routes": [ - { - "match": { - "prefix": "/" - }, - "route": { - "cluster": "local_app" - } - } - ] - } - ] - }, - "setCurrentClientCertDetails": { - "cert": true, - "chain": true, - "dns": true, - "subject": true, - "uri": true - }, - "statPrefix": "public_listener", - "tracing": { - "randomSampling": {} - }, - "upgradeConfigs": [ - { - "upgradeType": "websocket" - } - ] + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "cluster": "local_app", + "statPrefix": "public_listener" } } ], @@ -244,9 +84,6 @@ "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", "commonTlsContext": { - "alpnProtocols": [ - "http/1.1" - ], "tlsCertificates": [ { "certificateChain": { diff --git a/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden new file mode 100644 index 0000000000000..0254a224d513b --- /dev/null +++ b/agent/xds/testdata/listeners/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden @@ -0,0 +1,115 @@ +{ + "nonce": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "statPrefix": "upstream.db.default.default.dc1" + } + } + ] + } + ], + "name": "db:127.0.0.1:9191", + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "statPrefix": "upstream.prepared_query_geo-cache" + } + } + ] + } + ], + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "trafficDirection": "OUTBOUND" + }, + { + "@type": "type.googleapis.com/envoy.config.listener.v3.Listener", + "address": { + "socketAddress": { + "address": "0.0.0.0", + "portValue": 9999 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": {}, + "statPrefix": "connect_authz" + } + }, + { + "name": "envoy.filters.network.tcp_proxy", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy", + "cluster": "local_app", + "statPrefix": "public_listener" + } + } + ], + "transportSocket": { + "name": "tls", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext", + "commonTlsContext": { + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "tlsParams": {}, + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + } + } + } + ], + "name": "public_listener:0.0.0.0:9999", + "trafficDirection": "INBOUND" + } + ], + "typeUrl": "type.googleapis.com/envoy.config.listener.v3.Listener", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-local.latest.golden b/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-local.latest.golden new file mode 100644 index 0000000000000..8b919343d21a9 --- /dev/null +++ b/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-local.latest.golden @@ -0,0 +1,5 @@ +{ + "nonce": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden new file mode 100644 index 0000000000000..8b919343d21a9 --- /dev/null +++ b/agent/xds/testdata/routes/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden @@ -0,0 +1,5 @@ +{ + "nonce": "00000001", + "typeUrl": "type.googleapis.com/envoy.config.route.v3.RouteConfiguration", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-local.latest.golden b/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-local.latest.golden new file mode 100644 index 0000000000000..82e45650658b4 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-local.latest.golden @@ -0,0 +1,5 @@ +{ + "nonce": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "versionInfo": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden new file mode 100644 index 0000000000000..82e45650658b4 --- /dev/null +++ b/agent/xds/testdata/secrets/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden @@ -0,0 +1,5 @@ +{ + "nonce": "00000001", + "typeUrl": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret", + "versionInfo": "00000001" +} \ No newline at end of file