diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt index 44e00d836..8caf656c0 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt @@ -48,6 +48,7 @@ data class ListenersConfig( val accessLogPath: String = defaultAccessLogPath, val addUpstreamExternalAddressHeader: Boolean = defaultAddUpstreamExternalAddressHeader, val addUpstreamServiceTags: AddUpstreamServiceTagsCondition = AddUpstreamServiceTagsCondition.NEVER, + val addJwtFailureStatus: Boolean = false, val accessLogFilterSettings: AccessLogFilterSettings, val hasStaticSecretsDefined: Boolean = defaultHasStaticSecretsDefined, val useTransparentProxy: Boolean = defaultUseTransparentProxy diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt index b60a06edb..a37fd5d87 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt @@ -12,6 +12,8 @@ import io.envoyproxy.envoy.config.core.v3.Node as NodeV3 @Suppress("MagicNumber") val MIN_ENVOY_VERSION_SUPPORTING_UPSTREAM_METADATA = envoyVersion(1, 24) +val MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS = envoyVersion(1, 26) + class MetadataNodeGroup( val properties: SnapshotProperties @@ -133,6 +135,8 @@ class MetadataNodeGroup( val useTransparentProxy = metadata.fieldsMap["use_transparent_proxy"]?.boolValue ?: ListenersConfig.defaultUseTransparentProxy + val addJwtFailureStatus = envoyVersion.version >= MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS + return ListenersConfig( listenersHostPort.ingressHost, listenersHostPort.ingressPort, @@ -146,6 +150,7 @@ class MetadataNodeGroup( accessLogPath, addUpstreamExternalAddressHeader, addUpstreamServiceTags, + addJwtFailureStatus, accessLogFilterSettings, hasStaticSecretsDefined, useTransparentProxy diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt index e99dbc798..2184ad17f 100644 --- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt +++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt @@ -25,20 +25,26 @@ class JwtFilterFactory( private val properties: JwtFilterProperties ) { - private val jwtProviders: Map = getJwtProviders() + private val jwtProviders: Map = getJwtProviders() private val clientToOAuthProviderName: Map = properties.providers.entries.flatMap { (providerName, provider) -> provider.matchings.keys.map { client -> client to providerName } }.toMap() fun createJwtFilter(group: Group): HttpFilter? { + val finalizedJwtProviders = if (group.listenersConfig?.addJwtFailureStatus == true && properties.failedStatusInMetadataEnabled) { + jwtProviders.mapValues { it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build() } + } else { + jwtProviders.mapValues { it.value.clearFailedStatusInMetadata().build() } + } + return if (shouldCreateFilter(group)) { HttpFilter.newBuilder() .setName("envoy.filters.http.jwt_authn") .setTypedConfig( Any.pack( JwtAuthentication.newBuilder().putAllProviders( - jwtProviders + finalizedJwtProviders ) .addAllRules(createRules(group.proxySettings.incoming.endpoints)) .build() @@ -59,13 +65,12 @@ class JwtFilterFactory( private fun containsClientsWithSelector(it: IncomingEndpoint) = clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty() - private fun getJwtProviders(): Map = + private fun getJwtProviders(): Map = properties.providers.entries.associate { it.key to createProvider(it.value) } - private fun createProvider(provider: OAuthProvider): JwtProvider { - val jwtProvider = JwtProvider.newBuilder() + private fun createProvider(provider: OAuthProvider) = JwtProvider.newBuilder() .setRemoteJwks( RemoteJwks.newBuilder().setHttpUri( HttpUri.newBuilder() @@ -81,13 +86,6 @@ class JwtFilterFactory( .setForwardPayloadHeader(properties.forwardPayloadHeader) .setPayloadInMetadata(properties.payloadInMetadata) - if (properties.failedStatusInMetadataEnabled) { - jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata) - } - - return jwtProvider.build() - } - private fun createRules(endpoints: List): Set { return endpoints.mapNotNull(this::createRuleForEndpoint).toSet() }