@@ -71,99 +71,27 @@ type AuthenticationSpec struct {
7171 // Type defines the type of authentication provider to use. Supported provider
7272 // types are:
7373 //
74- // * JWT
75- //
76- // JWT defines the JSON Web Token (JWT) authentication provider type.
74+ // * JWT: A provider that uses JSON Web Token (JWT) for authenticating requests.
7775 //
7876 // +unionDiscriminator
79- Type AuthenticationType ` json:"type" `
80-
77+ Type AuthenticationType
78+
8179 // JWT defines the JSON Web Token (JWT) authentication provider type. When multiple
8280 // jwtProviders are specified, the JWT is considered valid if any of the providers
83- // successfully validate the JWT. For additional details, see:
84- //
85- // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html
86- //
87- // +kubebuilder:validation:MaxItems=4
88- // +optional
89- JwtProviders []JwtAuthenticationProvider ` json:"jwtProviders,omitempty"`
90- }
91-
92- // AuthenticationType is a type of authentication provider.
93- // +kubebuilder:validation:Enum=JWT
94- type AuthenticationType string
95-
96- const (
97- // JwtAuthenticationProviderType is the JWT authentication provider type.
98- JwtAuthenticationProviderType AuthenticationType = " JWT"
99- )
100-
101- // JwtAuthenticationProvider defines the JSON Web Token (JWT) authentication provider type
102- // and how JWTs should be verified:
103- type JwtAuthenticationProvider struct {
104- // Name defines a unique name for the JWT provider. A name can have a variety of forms,
105- // including RFC1123 subdomains, RFC 1123 labels, or RFC 1035 labels.
106- //
107- // +kubebuilder:validation:MinLength=1
108- // +kubebuilder:validation:MaxLength=253
109- Name string ` json:"name"`
110-
111- // Issuer is the principal that issued the JWT. For additional details, see:
112- //
113- // https://tools.ietf.org/html/rfc7519#section-4.1.1
114- //
115- // Example:
116- // issuer: https://auth.example.com
117- //
118- // If not provided, the JWT issuer is not checked.
119- //
120- // +kubebuilder:validation:MaxLength=253
121- // +optional
122- Issuer string ` json:"issuer,omitempty"`
123-
124- // Audiences is a list of JWT audiences allowed to access. For additional details, see:
125- //
126- // https://tools.ietf.org/html/rfc7519#section-4.1.3
127- //
128- // Example:
129- // audiences:
130- // - foo.apps.example.com
131- // bar.apps.example.com
132- //
133- // If not provided, JWT audiences are not checked.
134- //
135- // +kubebuilder:validation:MaxItems=8
136- // +optional
137- Audiences []string ` json:"audiences,omitempty"`
138-
139- // RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
140- // HTTP/HTTPS endpoint.
141- RemoteJWKS RemoteJWKS ` json:"remoteJWKS"`
142-
143- // TODO: Add TBD JWT fields based on defined use cases.
81+ // successfully validate the JWT.
82+ JwtProviders []JwtAuthenticationProvider
14483}
14584
146- // RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote
147- // HTTP/HTTPS endpoint.
148- type RemoteJWKS struct {
149- // Uri is the HTTP/HTTPS URI to fetch the JWKS.
150- //
151- // Example:
152- // uri: https://www.googleapis.com/oauth2/v1/certs
153- //
154- // +kubebuilder:validation:MinLength=1
155- // +kubebuilder:validation:MaxLength=253
156- Uri string ` json:"uri"`
157-
158- // TODO: Add TBD remote JWKS fields based on defined use cases.
159- }
85+ ...
16086```
16187
88+ Refer to [ PR 773] [ ] for the detailed Authentication API spec.
89+
16290The status subresource is not included in the Authentication API. Status will be surfaced by an HTTPRoute that
16391references an Authentication. For example, an HTTPRoute will surface the ` ResolvedRefs=False ` status condition if it
164- references an Authentication that does not exist. It may be beneficial to add status fields in the future based on
165- defined use-cases. For example, a remote JWKS can be validated based on the specified URI and have an appropriate
166- status condition surfaced.
92+ references an Authentication that does not exist. It may be beneficial to add Authentication status fields in the future
93+ based on defined use-cases. For example, a remote JWKS can be validated based on the specified URI and have an
94+ appropriate status condition surfaced.
16795
16896#### Authentication Example
16997
@@ -184,8 +112,6 @@ spec:
184112 remoteJwks :
185113 uri : https://foo.com/jwt/public-key/jwks.json
186114 <TBD>
187- status :
188- <TBD>
189115```
190116
191117__ Note:__ ` type ` is a union type, allowing only one of any supported provider type such as ` jwtProviders ` to be
@@ -608,3 +534,4 @@ Authentication should support additional authentication types in the future, for
608534[ HTTPRouteFilter ] : https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1beta1.HTTPRouteFilter
609535[ JWKS ] : https://www.rfc-editor.org/rfc/rfc7517
610536[ JWT authentication filter ] : https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter#config-http-filters-jwt-authn
537+ [ PR 773 ] : https://github.com/envoyproxy/gateway/pull/733