JWT Authentication with service intentions: xds package update #17414

Merged: roncodingenthusiast merged 6 commits into main from NET-3092 on May 19, 2023

Conversation

@roncodingenthusiast (Contributor) commented May 19, 2023

Description

This PR enables Envoy config updates when we write JWT providers/intentions. Porting these changes from the enterprise PR.

Testing & Reproduction steps

  • Start up a Consul server with gRPC enabled, e.g. ./bin/consul agent -dev
  • Register a service and a proxy, e.g. consul services register your-service.hcl your-proxy.hcl
  • Start up the Envoy process: consul connect envoy -sidecar-for your-service -grpc-addr 127.0.0.1:8502
  • Write a JWT provider and intention: consul config write provider.hcl intention.hcl
  • Get an Envoy config dump: curl "localhost:19000/config_dump?format=json" > test.json
  • Look for the jwt_authn config in the http_filters. It should be similar to the *.golden files in this PR.
Sample provider (provider.hcl):

```hcl
Kind = "jwt-provider"
Name = "okta"

// Issuer is the entity that must have issued the JWT.
Issuer = "auth0"

JSONWebKeySet = {
  Local = {
    // Base64-encoded JWKS. This one decodes to a single EC P-256 verification
    // key (alg ES256, kid ac1e8f90eddf61c429c61ca05b4f2e07).
    JWKS = "eyJrZXlzIjogW3sKICAiY3J2IjogIlAtMjU2IiwKICAia2V5X29wcyI6IFsKICAgICJ2ZXJpZnkiCiAgXSwKICAia3R5IjogIkVDIiwKICAieCI6ICJXYzl1WnVQYUI3S2gyRk1jOXd0SmpSZThYRDR5VDJBWU5BQWtyWWJWanV3IiwKICAieSI6ICI2OGhSVEppSk5Pd3RyaDRFb1BYZVZuUnVIN2hpU0RKX2xtYmJqZkRmV3EwIiwKICAiYWxnIjogIkVTMjU2IiwKICAidXNlIjogInNpZyIsCiAgImtpZCI6ICJhYzFlOGY5MGVkZGY2MWM0MjljNjFjYTA1YjRmMmUwNyIKfV19"
  }
}
```

Sample intention (intention.hcl):

```hcl
Kind = "service-intentions"
Name = "redis"

// Intention-wide JWT requirement: the caller's token must come from one of
// the named providers.
JWT = {
  Providers = [
    {
      // Provider must contain the name of an existing jwt-provider.
      Name = "okta"
    }
  ]
}

Sources = [
  {
    Name = "*"
    Action = "allow"
  }
]
```

Proxy-defaults to enable HTTP mode (proxy-defaults.hcl):

```hcl
Kind = "proxy-defaults"
Name = "global"
Config {
  // jwt_authn is an Envoy HTTP filter. Consul's default protocol is tcp, which
  // gives the listener no http_connection_manager to attach the filter to.
  protocol = "http"
}
```

Links

TODO

  • Follow up this PR with the verifyClaim PR
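
A check for the last two reproduction steps above, added here as an example and not part of this PR or of Consul's code: it decodes the base64 Local.JWKS from the sample provider.hcl (so you can see which key Envoy is actually being told to trust), walks an Envoy config_dump for the jwt_authn filter, and confirms that the provider named by the intention carries the same issuer and the same kid/alg as the HCL. The config_dump embedded in the block is constructed for the example and holds only the fields the walk reads; it assumes Consul keys the Envoy provider by the jwt-provider name and renders the decoded JWKS as a local_jwks inline_string. The function names (checkProvider, findJWTProviders, decodeLocalJWKS) are the example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Local.JWKS copied verbatim from the sample provider.hcl above; Consul stores the
// JWKS JSON base64-encoded in that field.
const providerJWKSBase64 = "eyJrZXlzIjogW3sKICAiY3J2IjogIlAtMjU2IiwKICAia2V5X29wcyI6IFsKICAgICJ2ZXJpZnkiCiAgXSwKICAia3R5IjogIkVDIiwKICAieCI6ICJXYzl1WnVQYUI3S2gyRk1jOXd0SmpSZThYRDR5VDJBWU5BQWtyWWJWanV3IiwKICAieSI6ICI2OGhSVEppSk5Pd3RyaDRFb1BYZVZuUnVIN2hpU0RKX2xtYmJqZkRmV3EwIiwKICAiYWxnIjogIkVTMjU2IiwKICAidXNlIjogInNpZyIsCiAgImtpZCI6ICJhYzFlOGY5MGVkZGY2MWM0MjljNjFjYTA1YjRmMmUwNyIKfV19"

// Constructed config_dump excerpt for this example, not a real Envoy dump: only the
// fields read below are present. Assumed shape: provider keyed by jwt-provider name,
// decoded JWKS rendered as a local_jwks inline_string.
const sampleConfigDump = `{"configs":[{"@type":"type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
"dynamic_listeners":[{"name":"public_listener:0.0.0.0:21000","active_state":{"listener":{"filter_chains":[{
"filters":[{"name":"envoy.filters.network.http_connection_manager","typed_config":{"http_filters":[{
"name":"envoy.filters.http.jwt_authn","typed_config":{"providers":{"okta":{"issuer":"auth0","local_jwks":{
"inline_string":"{\"keys\":[{\"kty\":\"EC\",\"crv\":\"P-256\",\"alg\":\"ES256\",\"kid\":\"ac1e8f90eddf61c429c61ca05b4f2e07\"}]}"}}}}},
{"name":"envoy.filters.http.router","typed_config":{}}]}}]}]}}}]}]}`

// jwk/jwks hold the JWKS members compared below (encoding/json matches the lowercase names case-insensitively).
type jwk struct{ Kty, Crv, Alg, Kid string }
type jwks struct{ Keys []jwk }

// jwtProvider mirrors the fields of Envoy's JwtProvider that this check reads.
type jwtProvider struct {
	Issuer    string `json:"issuer"`
	LocalJWKS struct {
		InlineString string `json:"inline_string"`
	} `json:"local_jwks"`
}

// decodeLocalJWKS turns a jwt-provider entry's base64 Local.JWKS back into keys.
func decodeLocalJWKS(b64 string) (*jwks, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("Local.JWKS is not valid base64: %w", err)
	}
	ks := &jwks{}
	return ks, json.Unmarshal(raw, ks)
}

// findJWTProviders walks the decoded config_dump and merges the providers of every
// filter named envoy.filters.http.jwt_authn into out, wherever the filter sits.
func findJWTProviders(node interface{}, out map[string]jwtProvider) {
	switch n := node.(type) {
	case map[string]interface{}:
		if tc, ok := n["typed_config"].(map[string]interface{}); ok &&
			n["name"] == "envoy.filters.http.jwt_authn" && tc["providers"] != nil {
			raw, _ := json.Marshal(tc["providers"])
			_ = json.Unmarshal(raw, &out) // unmarshalling into a non-nil map keeps existing entries
		}
		for _, child := range n {
			findJWTProviders(child, out)
		}
	case []interface{}:
		for _, child := range n {
			findJWTProviders(child, out)
		}
	}
}

// checkProvider confirms the Envoy provider named by the intention matches provider.hcl:
// same issuer, and an inline JWKS carrying every kid/alg pair from the HCL. nil means agreement.
func checkProvider(dump []byte, name, wantIssuer, jwksB64 string) error {
	var tree interface{}
	if err := json.Unmarshal(dump, &tree); err != nil {
		return fmt.Errorf("config_dump is not JSON: %w", err)
	}
	providers := map[string]jwtProvider{}
	findJWTProviders(tree, providers)
	p, ok := providers[name]
	if !ok {
		return fmt.Errorf("no jwt_authn provider %q in dump (is proxy-defaults protocol http?)", name)
	}
	if p.Issuer != wantIssuer {
		return fmt.Errorf("provider %q issuer = %q, want %q", name, p.Issuer, wantIssuer)
	}
	want, err := decodeLocalJWKS(jwksB64)
	if err != nil {
		return err
	}
	var got jwks
	if err := json.Unmarshal([]byte(p.LocalJWKS.InlineString), &got); err != nil {
		return fmt.Errorf("provider %q inline JWKS is not JSON: %w", name, err)
	}
	seen := map[string]bool{}
	for _, k := range got.Keys {
		seen[k.Kid+"/"+k.Alg] = true
	}
	for _, wk := range want.Keys {
		if !seen[wk.Kid+"/"+wk.Alg] {
			return fmt.Errorf("key kid=%s alg=%s from provider.hcl is missing in Envoy", wk.Kid, wk.Alg)
		}
	}
	return nil
}

func main() {
	fmt.Println("mismatch (nil means the dump agrees with provider.hcl):", checkProvider([]byte(sampleConfigDump), "okta", "auth0", providerJWKSBase64))
}
```

To use it against a real proxy, replace sampleConfigDump with the contents of test.json from the curl step; the first mismatch found (no jwt_authn filter, wrong issuer, or a key id absent from Envoy) is reported, and a nil error means Envoy received what provider.hcl declared. Two practical notes on the write step: consul config write takes one file per invocation, and the intention's Providers entry must name an existing jwt-provider, so write provider.hcl before intention.hcl.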

@roncodingenthusiast roncodingenthusiast requested review from a team, johnlanda, kisunji and pglass and removed request for a team May 19, 2023 15:27
@github-actions github-actions bot added the theme/envoy/xds Related to Envoy support label May 19, 2023
@roncodingenthusiast roncodingenthusiast added pr/no-changelog PR does not need a corresponding .changelog entry pr/no-docs PR does not include docs and should not trigger reminder for cherrypicking them. pr/no-backport labels May 19, 2023
@kisunji (Contributor) left a comment:

Great work! Working in xds is not easy but this looks good.
I had a few blocking comments and general questions.

Contributor commented:

This should be moved before the for-loop over intentions for the early return.

@pglass pglass commented May 19, 2023:

We need to check for len(providers) == 0 following the loop as well, right? For the common case where there are intentions but no intentions contain any JWT requirements.

Contributor commented:

Ah yes, thanks for the correction. Maybe this can stay here and simplify to if len(providers) == 0.

Contributor Author commented:

Ah true, I will update it! Thank you both.
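
The control-flow point settled in the thread above, as an added illustration that is not the PR's code: the types (intention, jwtRequirement, providerRef, jwtAuthnFilter) are hypothetical stand-ins for the config entries and the Envoy filter, and the two build functions place the variant the review objected to next to the agreed shape, where the single len(providers) == 0 check comes after the loop over intentions so that the common case of intentions with no JWT requirement produces no filter at all.

```go
package main

import "fmt"

// Stand-in types for the config entries the thread refers to (hypothetical names,
// not Consul's own structs). An intention with no JWT block has JWT == nil.
type providerRef struct{ Name string }

type jwtRequirement struct{ Providers []providerRef }

type intention struct {
	Source string
	Action string
	JWT    *jwtRequirement
}

// jwtAuthnFilter stands in for the Envoy jwt_authn filter config the xds layer
// emits; a nil *jwtAuthnFilter means "add no jwt_authn filter to the chain".
type jwtAuthnFilter struct{ Providers []string }

// buildFilterEarlyReturnOnly is the shape the review objected to: the only empty
// check sits before the loop, so intentions that carry no JWT requirement still
// yield a filter with zero providers.
func buildFilterEarlyReturnOnly(intentions []intention) *jwtAuthnFilter {
	if len(intentions) == 0 {
		return nil
	}
	return &jwtAuthnFilter{Providers: collectProviders(intentions)}
}

// buildFilter applies the agreed fix: collect first, then a single
// len(providers) == 0 check after the loop covers both the no-intentions case
// and the common intentions-without-JWT case.
func buildFilter(intentions []intention) *jwtAuthnFilter {
	providers := collectProviders(intentions)
	if len(providers) == 0 {
		return nil
	}
	return &jwtAuthnFilter{Providers: providers}
}

// collectProviders returns the distinct provider names referenced by any
// intention's JWT block, in first-seen order.
func collectProviders(intentions []intention) []string {
	seen := map[string]bool{}
	var out []string
	for _, ixn := range intentions {
		if ixn.JWT == nil {
			continue
		}
		for _, p := range ixn.JWT.Providers {
			if !seen[p.Name] {
				seen[p.Name] = true
				out = append(out, p.Name)
			}
		}
	}
	return out
}

func main() {
	plain := []intention{{Source: "web", Action: "allow"}}
	withJWT := []intention{{Source: "*", Action: "allow", JWT: &jwtRequirement{Providers: []providerRef{{Name: "okta"}}}}}
	fmt.Println("early-return-only, intentions without JWT, filter emitted:", buildFilterEarlyReturnOnly(plain) != nil) // true
	fmt.Println("fixed, intentions without JWT, filter emitted:", buildFilter(plain) != nil)                             // false
	fmt.Println("fixed, intention with JWT, providers:", buildFilter(withJWT).Providers)                                 // [okta]
}
```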

@kisunji (Contributor) left a comment:

One more minor comment but LGTM! 👍

@roncodingenthusiast roncodingenthusiast merged commit 113202d into main May 19, 2023
@roncodingenthusiast roncodingenthusiast deleted the NET-3092 branch May 19, 2023 22:14