search

envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.53k stars 328 forks source link

Unexpected additional characters on JWT Authentication #2615

Open ardikabs opened 7 months ago

ardikabs commented 7 months ago

Description: I observed an additional character of ? under the JWT Authentication filter spec in the provider and requirementMap field names, whenever a corresponding HTTPRoute has a long name. The provider name referred to a combination of {HTTPRoute's namespace}/{HTTPRoute's name}/rule/{HTTPRoute's rules index}/match/{HTTPRoute's matches index}/{host}/{JWT Provider name}, and whenever the total characters more than equal to 130 (CMIIW), the unexpected additional character of ? appended in the prefix of its value. For example:

HTTPRoute Name: httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers
HTTPRoute Namespace: envoy-gateway-system
Rule Index: 0
Match Index: 0
Host: example.com
Provider Name: example

Envoy Gateway will generate the name like envoy-gateway-system/ httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers/rule/0/match/0/example_com/example, and you will see the listener config in Envoy instance like below:

defaultFilterChain:
  filters:
  - name: envoy.filters.network.http_connection_manager
    typedConfig:
      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager

      <REDUCTED>

      httpFilters:
      - name: envoy.filters.http.jwt_authn
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
          providers:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example:
              claimToHeaders:
                - claimName: name
                  headerName: x-name
              remoteJwks:
                cacheDuration: 300s
                httpUri:
                  cluster: raw_githubusercontent_com_443
                  timeout: 5s
                  uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
          requirementMap:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com:
              providerName: envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example

Question

  1. I'm curious whether this behavior stems from Envoy's limitations and if so, whether it might pose issues down the line.
  2. AFAIK, the HTTPRoute name has a limitation of 256 characters. Given this constraint and in alignment with point 1, it appears that Envoy Gateway may have a potential bug in this case.

Repro steps:

  1. Create and apply HTTPRoute 
    
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
namespace: envoy-gateway-system
spec:
hostnames:
- example.com
parentRefs:
- group: gateway.networking.k8s.io
  kind: Gateway
  name: default-gateway
  namespace: envoy-gateway-system
rules:
- backendRefs:
    - group: ""
      kind: Service
      name: echoserver
      namespace: testing
      port: 80
      weight: 100
  matches:
    - path:
        type: PathPrefix
        value: /testing2
4. Create and apply SecurityPolicy
```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
  namespace: envoy-gateway-system
spec:
  jwt:
    providers:
      - claimToHeaders:
          - claim: name
            header: x-name
        name: example
        remoteJWKS:
          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
    namespace: envoy-gateway-system
  1. Fetch LDS using egctl CLI 
    egctl c envoy-proxy listener <envoy-instance-pod-name> -oyaml

Note: If there are privacy concerns, sanitize the data prior to sharing.

Environment: latest

Logs:

Include the access logs and the Envoy logs.

arkodg commented 7 months ago

cc @cpakulski

github-actions[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] commented 2 weeks ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.