JWT Authentication with service intentions: xds package update #17414

Merged: 6 commits from NET-3092 into main, May 19, 2023

Conversation

@roncodingenthusiast roncodingenthusiast commented May 19, 2023

Description

This PR enables Envoy config updates when we write JWT providers/intentions, porting these changes from the enterprise PR.

Testing & Reproduction steps

  • Start up a Consul server with gRPC enabled, e.g. ./bin/consul agent -dev
  • Register a service and a proxy, e.g. consul services register your-service.hcl your-proxy.hcl
  • Start the Envoy process: consul connect envoy -sidecar-for your-service -grpc-addr 127.0.0.1:8502
  • Write a JWT provider and an intention: consul config write provider.hcl, then consul config write intention.hcl
  • Get an Envoy config dump: curl "localhost:19000/config_dump?format=json" > test.json
  • Look for the jwt_authn config in the http_filters. It should be similar to the *.golden files in this PR.
Sample provider:

Kind = "jwt-provider"
Name = "okta"


// Issuer is the entity that must have issued the JWT.
Issuer = "auth0"

JSONWebKeySet = {
    Local = {
        JWKS = "eyJrZXlzIjogW3sKICAiY3J2IjogIlAtMjU2IiwKICAia2V5X29wcyI6IFsKICAgICJ2ZXJpZnkiCiAgXSwKICAia3R5IjogIkVDIiwKICAieCI6ICJXYzl1WnVQYUI3S2gyRk1jOXd0SmpSZThYRDR5VDJBWU5BQWtyWWJWanV3IiwKICAieSI6ICI2OGhSVEppSk5Pd3RyaDRFb1BYZVZuUnVIN2hpU0RKX2xtYmJqZkRmV3EwIiwKICAiYWxnIjogIkVTMjU2IiwKICAidXNlIjogInNpZyIsCiAgImtpZCI6ICJhYzFlOGY5MGVkZGY2MWM0MjljNjFjYTA1YjRmMmUwNyIKfV19"
    }
}

Sample intention:

# Copyright (c) HashiCorp, Inc.

Kind = "service-intentions"
Name = "redis"

JWT = {
  Providers = [
    {
      // Provider must contain the name of an existing jwt-provider.
      Name = "okta"
    }
  ]
}

Sources = [
  {
    Name = "*"
    Action = "allow"
  }
]

Proxy-defaults entry to enable HTTP mode (jwt_authn is an Envoy HTTP filter, so the service protocol must be http):

Kind = "proxy-defaults"
Name = "global"
Config {
  # Consul only emits HTTP filters such as jwt_authn for services in http mode.
  protocol = "http"
}
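To verify the last step of the procedure above without reading the whole dump by eye, here is an added Go check (not part of this PR or of Consul) that walks a config_dump, finds every jwt_authn filter and flags providers that lack an issuer or JWKS source, and filters that carry no rules; the embedded dump excerpt is constructed for the sample "okta" provider, not captured from a running Envoy.

```go
package main

import "encoding/json"
// Constructed, trimmed config_dump excerpt for the sample "okta" provider; not a real Envoy capture.
const sampleDump = `{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.ListenersConfigDump","dynamic_listeners":[{"name":"public_listener","active_state":{"listener":{
"filter_chains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typed_config":{"http_filters":[{"name":"envoy.filters.http.jwt_authn","typed_config":{
"@type":"type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication","providers":{"okta":{"issuer":"auth0","local_jwks":{"inline_string":"{\"keys\":[]}"}}},
"rules":[{"match":{"prefix":"/"},"requires":{"provider_name":"okta"}}]}},{"name":"envoy.filters.http.router"}]}}]}]}}}]}]}`
const jwtAuthnType = "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication"
// findJwtAuthn walks arbitrary JSON and returns every JwtAuthentication typed_config, so the check does not depend on the exact listener nesting.
func findJwtAuthn(v interface{}) (found []map[string]interface{}) {
	m, isMap := v.(map[string]interface{})
	if isMap && m["@type"] == jwtAuthnType {
		return []map[string]interface{}{m}
	}
	for _, c := range m { // m is nil (no iterations) when v is not an object
		found = append(found, findJwtAuthn(c)...)
	}
	s, _ := v.([]interface{}) // nil when v is not an array
	for _, c := range s {
		found = append(found, findJwtAuthn(c)...)
	}
	return found
}
// CheckDump lists the providers configured in jwt_authn filters and reports what would leave the filter ineffective: no filter at all, a provider without issuer or JWKS source, or no rules.
func CheckDump(dump string) (providers, problems []string, err error) {
	var root interface{}
	if err = json.Unmarshal([]byte(dump), &root); err != nil {
		return nil, nil, err
	}
	filters := findJwtAuthn(root)
	if len(filters) == 0 {
		problems = append(problems, "no jwt_authn filter in http_filters")
	}
	for _, f := range filters {
		provs, _ := f["providers"].(map[string]interface{})
		for name, p := range provs {
			pm, _ := p.(map[string]interface{})
			providers = append(providers, name)
			if iss, _ := pm["issuer"].(string); iss == "" || (pm["local_jwks"] == nil && pm["remote_jwks"] == nil) {
				problems = append(problems, name+": missing issuer or JWKS source")
			}
		}
		if rules, _ := f["rules"].([]interface{}); len(rules) == 0 {
			problems = append(problems, "jwt_authn filter has no rules, so no route requires a token")
		}
	}
	return providers, problems, nil
}
```

Run it against the test.json produced in the procedure by reading the file into CheckDump; an empty problems list means the filter is wired up for every listed provider.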

Links

TODO

  • Follow up this PR with the verifyClaim PR

@roncodingenthusiast roncodingenthusiast requested review from a team, johnlanda, kisunji and pglass and removed request for a team May 19, 2023 15:27
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label May 19, 2023
@roncodingenthusiast roncodingenthusiast added pr/no-changelog PR does not need a corresponding .changelog entry pr/no-docs PR does not include docs and should not trigger reminder for cherrypicking them. pr/no-backport labels May 19, 2023

@kisunji kisunji left a comment


Great work! Working in xds is not easy but this looks good.
I had a few blocking comments and general questions.

Review threads (all resolved) on agent/proxycfg/connect_proxy.go, agent/xds/jwt_authn.go and agent/xds/jwt_authn_test.go.
rule := buildRouteRule(provider, nil, "/")
rules = append(rules, rule)
}
}
}

if len(intentions) == 0 && len(providers) == 0 {
if len(intentions) == 0 {
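Review bot: the guard `if len(intentions) == 0 {` placed after the loop misses the case raised in this thread where intentions exist but none carries a JWT requirement, so `providers` stays empty and the early return is skipped; since the check already sits after the loop, `if len(providers) == 0 {` covers both that case and the no-intentions case in one condition, which is the simplification the thread converges on.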
Contributor


This should be moved before the for-loop over intentions for the early return


@pglass pglass May 19, 2023


We need to check for len(providers) == 0 following the loop as well, right? For the common case where there are intentions but no intentions contain any JWT requirements.

Contributor


Ah yes, thanks for the correction. Maybe this can stay here and simplify to if len(providers) == 0

Contributor Author


Ah true, I will update it! Thank you both.


@kisunji kisunji left a comment


One more minor comment but LGTM! 👍

@roncodingenthusiast roncodingenthusiast merged commit 113202d into main May 19, 2023
@roncodingenthusiast roncodingenthusiast deleted the NET-3092 branch May 19, 2023 22:14
nickethier pushed a commit that referenced this pull request May 26, 2023
* JWT Authentication with service intentions: update xds package to translate config to envoy