Adds JWT Authn Support to XDS Translator

[danehans]

Adds initial JWT authentication support to xDS translator.

Signed-off-by: danehans daneyonhansen@gmail.com

[danehans]

Marked PR as a draft until:

• I can verify the typedPerFilterConfig is constructed properly.
• Add additional integration tests.

[codecov-commenter]

Codecov Report

Merging #934 (5c8705b) into main (84044da) will decrease coverage by 0.02%.
The diff coverage is 66.58%.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##             main     #934      +/-   ##
==========================================
- Coverage   63.84%   63.83%   -0.02%     
==========================================
  Files          54       55       +1     
  Lines        7834     8221     +387     
==========================================
+ Hits         5002     5248     +246     
- Misses       2519     2629     +110     
- Partials      313      344      +31     

Impacted Files	Coverage Δ
internal/ir/zz_generated.deepcopy.go	11.66% <0.00%> (-0.69%)	⬇️
internal/xds/translator/listener.go	80.83% <0.00%> (-0.74%)	⬇️
internal/xds/translator/route.go	82.60% <0.00%> (-1.00%)	⬇️
internal/ir/xds.go	75.77% <50.00%> (-0.09%)	⬇️
internal/xds/translator/translator.go	76.04% <64.70%> (+0.55%)	⬆️
internal/xds/translator/ratelimit.go	94.97% <66.66%> (-1.15%)	⬇️
internal/xds/translator/authentication.go	70.03% <70.03%> (ø)
internal/gatewayapi/filters.go	80.84% <96.29%> (+0.36%)	⬆️
api/v1alpha1/validation/authenticationfilter.go	85.24% <100.00%> (+5.70%)	⬆️
internal/gatewayapi/route.go	89.17% <100.00%> (ø)
... and 7 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[danehans]

Per #813 (comment), this PR uses per filter config to configure the JWT provider for matched traffic. @lizan @arkodg PTAL when you have a moment, PTAL and let me know if this looks correct to you. I did not include any match in requirements since the route provides the match.

[arkodg]

yeah look good from a config perspective

[danehans]

Removing "draft" since commit a933248 expands xds translator integration tests and the jwt requirements align with upstream docs.

[danehans]

Converted back to draft since Envoy is not accepting the jwt config:

cache/logrwrapper.go:29	handling v3 xDS resource request, response_nonce 1, nodeID envoy-default-eg-64656661-7db8b55db6-r25fn, node_version v1.26.0, resource_names_subscribe [], resource_names_unsubscribe [], type_url type.googleapis.com/envoy.config.route.v3.RouteConfiguration, errorCode 13, errorMessage Unable to unpack as envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig: [type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication] {
  providers {
    key: "example"
    value {
      issuer: "testing@secure.istio.io"
      remote_jwks {
        http_uri {
          uri: "https://raw.githubusercontent.com/istio/istio/release-1.16/security/tools/jwt/samples/jwks.json"
          cluster: "raw_githubusercontent_com_443"
          timeout {
            seconds: 5
          }
        }
        cache_duration {
          seconds: 300
        }
      }
      payload_in_metadata: "testing@secure.istio.io"
    }
  }
  rules {
    match {
      prefix: "/"
    }
    requirement_name: "requirement-0"
  }
  requirement_map {
    key: "requirement-0"
    value {
      provider_name: "example"
    }
  }
}
	{"runner": "xds-server"}

Let me know if see something I’m missing.

[danehans]

@arkodg thanks for the review. Commit 91e0b2b resolves your feedback above.

[arkodg]

you for the case when two listeners have the same port, addFilterChain is false for the second listener, which means mgr is nil, which is being passed to this function.
rather than do this I suggest calling GetHTTPConnectionManagerFromListener here

func GetHTTPConnectionManagerFromListener(l *listener.Listener) (*hcm.HttpConnectionManager, error) {
	for _, filterChain := range l.FilterChains {
		for _, filter := range filterChain.Filters {
			if filter.Name == wellknown.HTTPConnectionManager {
				m := new(hcm.HttpConnectionManager)
				if err := filter.GetTypedConfig().UnmarshalTo(m); err != nil {
					return nil, err
				}
				return m, nil
			}
		}
	}
	return nil, ErrHcmNotFound
}

[danehans]

I've updated buildXdsRoute() to take the xds listener as a param. The authn code gets the hcm HTTP filters from the listener and creates the PerRouteConfig requirement for jwt.

[arkodg]

instead of using rIdx and fIdx in Gateway API, you could just use routeIdx and providerIdx here to build a unique providerKey

[danehans]

Thanks for catching this. Now that the IR no longer uses a keyed list of jwt providers, I removed the gatewayapi translator changes.