Added support for configuring JWKS using local file #3173
Conversation
🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test? Courtesy of your friendly test nag.
Is the real use case here "load from secret" and we are implementing it by "load from file" when it's maybe not the best option? Or do we think file is a primary use case?
update: I realize that we are not describing the same thing: I meant that the file is local to envoy, not to istiod.
Isn't the use case in istio/istio#50196 that is linked stating it is private for their use case?
Oh yes. From what I understand, the @ks-yim Can you describe your operation in detail? It would be nice to describe how envoy reads and uses mounted
Correct. But Istio can also read Secrets directly and send them to envoy. On that note - JWKS are generally considered public and shown directly in envoy config dumps, logs, etc. Secrets are not shown. This may be problematic
No matter if the jwks is public or private, it should be public to envoy. We can use I think this api just tells envoy to read a file from a certain address, and envoy doesn't care why the file exists. Also, like you said, if istio reads the
No, certificate private keys are sent from Secret to envoy and obscured in config dumps, logs, etc. |
Loading jwks from a local file is commonly used in microservices. But in istio managed deployments, no matter sidecar or gateway, mounting a secret seems not that native.
The motivation of istio/istio#50196 was that there's no easy way to securely validate JWTs signed by symmetric key algorithms without leaking private jwks somewhere in plaintext and I wish istio had a native API to support this use case. The original workflow that I had in mind was mounting a This, though, requires extra work from users to mount the secret on their own to the istio-proxy container and if there's still room for improvement on how istio-proxy reads the secret, I am up for it. (BTW, glad that someone in the Istio team looked into this. Many thanks!)
Send using SDS? Otherwise, how does it work?
friendly ping @louiscryan @costinm @aryan16 Could you please take a look and provide some suggestions for improvement?
How about just allowing jwksURI to use a file:// prefix? I.e. just a doc change in this PR.
I think it's good.
Close, it looks like implementing it by extending jwksURI is possible. |
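The thread turns on two points: a `jwksURI` that accepts a `file://` location, and the fact that a JWKS is only "public" when it carries public keys, while a symmetric (`oct`) JWKS or an RSA/EC key with private members is a secret that must not leak into config dumps or logs. The Go program below is an added illustration of both points, written for this discussion and not code from the Istio api repo or from the PR: `loadJWKS` resolves a `file://` URI (assumed behaviour, not Istio's implementation), and `containsSecrets`/`redacted` classify a key set and produce a copy that is safe to print. The two JWKS documents are constructed sample inputs, and the field list follows RFC 7517/7518.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
)

// privateFields lists JWK members that carry private or symmetric key material
// (RFC 7518: "k" for oct keys; "d", "p", "q", "dp", "dq", "qi", "oth" for
// RSA/EC private keys). A JWKS containing any of them is not a public document
// and must not be echoed into an Envoy config dump or a log line.
var privateFields = []string{"k", "d", "p", "q", "dp", "dq", "qi", "oth"}

// jwks keeps each key as a generic map so that unknown members survive
// round-tripping and only the private members are touched by redaction.
type jwks struct {
	Keys []map[string]any `json:"keys"`
}

// Constructed sample documents for this example (not from the PR).
// publicRSAJWKS holds only public RSA members (n, e) and is safe to expose.
const publicRSAJWKS = `{"keys":[{"kty":"RSA","kid":"rsa-1","alg":"RS256","use":"sig",
 "n":"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1WlUzewbgBHod5AcZ0ypyFPL4QJPeMGYw","e":"AQAB"}]}`

// symmetricJWKS holds an HS256 key; "k" IS the signing secret.
const symmetricJWKS = `{"keys":[{"kty":"oct","kid":"hs-1","alg":"HS256",
 "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}]}`

// parseJWKS decodes a key set and rejects empty sets or keys without "kty".
func parseJWKS(data []byte) (*jwks, error) {
	var set jwks
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, err
	}
	if len(set.Keys) == 0 {
		return nil, errors.New("jwks contains no keys")
	}
	for i, k := range set.Keys {
		if _, ok := k["kty"].(string); !ok {
			return nil, fmt.Errorf("key %d: missing kty", i)
		}
	}
	return &set, nil
}

// loadJWKS resolves a jwksURI-style location. This example (an assumption,
// not Istio's behaviour) only handles the file:// scheme discussed above;
// any other scheme is rejected so the example stays offline.
func loadJWKS(uri string) (*jwks, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "file" {
		return nil, fmt.Errorf("scheme %q is not handled by this example", u.Scheme)
	}
	data, err := os.ReadFile(u.Path)
	if err != nil {
		return nil, err
	}
	return parseJWKS(data)
}

// containsSecrets reports whether any key holds private or symmetric material.
// Every oct key is secret by definition; asymmetric keys are secret only when
// a private member is present.
func containsSecrets(set *jwks) bool {
	for _, k := range set.Keys {
		if k["kty"] == "oct" {
			return true
		}
		for _, f := range privateFields {
			if _, ok := k[f]; ok {
				return true
			}
		}
	}
	return false
}

// redacted returns a deep copy in which private members are replaced with a
// marker, leaving kid/alg/use intact so the entry is still identifiable.
func redacted(set *jwks) *jwks {
	out := &jwks{Keys: make([]map[string]any, 0, len(set.Keys))}
	for _, k := range set.Keys {
		c := make(map[string]any, len(k))
		for name, v := range k {
			c[name] = v
		}
		for _, f := range privateFields {
			if _, ok := c[f]; ok {
				c[f] = "<redacted>"
			}
		}
		out.Keys = append(out.Keys, c)
	}
	return out
}

func main() {
	// Write the constructed symmetric JWKS to a temp file and load it via file://.
	dir, _ := os.MkdirTemp("", "jwks")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "jwks.json")
	_ = os.WriteFile(path, []byte(symmetricJWKS), 0o600)

	set, err := loadJWKS("file://" + path)
	if err != nil {
		fmt.Println("load failed:", err)
		return
	}
	fmt.Println("contains secrets:", containsSecrets(set)) // true for an oct key
	safe, _ := json.Marshal(redacted(set))
	fmt.Println("safe to log:", string(safe))
}
```

The check is what a proxy or control plane would run before writing a loaded key set anywhere it is not protected: a public RSA set passes through unchanged, while the HS256 set is flagged and its `k` member replaced before printing.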
fix istio/istio#50196