envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Unexpected additional characters on JWT Authentication #2615

Open ardikabs opened 9 months ago

ardikabs commented 9 months ago

Description: I observed an additional `?` character under the JWT Authentication filter spec in the provider and requirementMap field names whenever the corresponding HTTPRoute has a long name. The provider name is a combination of {HTTPRoute's namespace}/{HTTPRoute's name}/rule/{HTTPRoute's rules index}/match/{HTTPRoute's matches index}/{host}/{JWT Provider name}, and whenever the total length is greater than or equal to 130 characters (CMIIW), the unexpected additional `?` character is prepended to its value. For example:

HTTPRoute Name: httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers
HTTPRoute Namespace: envoy-gateway-system
Rule Index: 0
Match Index: 0
Host: example.com
Provider Name: example

Envoy Gateway will generate a name like envoy-gateway-system/httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers/rule/0/match/0/example_com/example, and you will see the listener config in the Envoy instance like below:

```yaml
defaultFilterChain:
  filters:
  - name: envoy.filters.network.http_connection_manager
    typedConfig:
      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager

      <REDACTED>

      httpFilters:
      - name: envoy.filters.http.jwt_authn
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
          providers:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example:
              claimToHeaders:
                - claimName: name
                  headerName: x-name
              remoteJwks:
                cacheDuration: 300s
                httpUri:
                  cluster: raw_githubusercontent_com_443
                  timeout: 5s
                  uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
          requirementMap:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com:
              providerName: envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example
```

Question

  1. I'm curious whether this behavior stems from Envoy's limitations and if so, whether it might pose issues down the line.
  2. AFAIK, the HTTPRoute name has a limitation of 256 characters. Given this constraint and in alignment with point 1, it appears that Envoy Gateway may have a potential bug in this case.

Repro steps:

  1. Create and apply HTTPRoute

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
  namespace: envoy-gateway-system
spec:
  hostnames:
  - example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: default-gateway
    namespace: envoy-gateway-system
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: echoserver
      namespace: testing
      port: 80
      weight: 100
    matches:
    - path:
        type: PathPrefix
        value: /testing2
```

  2. Create and apply SecurityPolicy

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
  namespace: envoy-gateway-system
spec:
  jwt:
    providers:
      - claimToHeaders:
          - claim: name
            header: x-name
        name: example
        remoteJWKS:
          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
    namespace: envoy-gateway-system
```

  3. Fetch LDS using the egctl CLI

```shell
egctl c envoy-proxy listener <envoy-instance-pod-name> -oyaml
```

Environment: latest

Logs:
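The leading `? ` on the long keys in the listener dump is YAML's explicit-key indicator, not part of the provider name: block-style YAML emitters in the libyaml family (libyaml itself, PyYAML, go-yaml) stop writing a mapping key in the plain `key:` form once it passes a fixed simple-key length and write `? key` instead, and any YAML parser reads the key back without the `?`. The script below is an added example, not code from this issue or from Envoy Gateway. It assumes that 128-byte simple-key limit (the emitter rule is the assumption; the exact length at which egctl's output flips is not confirmed on this page) and the provider-name format quoted in the report, with `.` in the host written as `_` as in the observed output. It normalises explicit-key lines back to `key:` form, in both the one-line shape shown above and the canonical two-line `? key` / `: value` shape, and then performs the check that actually matters when the dump looks odd: that every requirementMap providerName names an existing providers entry. The listener fragment it works on is constructed for the example.

```python
"""Normalise YAML explicit keys ('? key') and audit Envoy jwt_authn references.

Added example; not code from the issue or from Envoy Gateway. Assumptions:
  * the libyaml / go-yaml emitter rule: a block-mapping key longer than
    128 bytes is written in explicit form ('? key') instead of 'key:';
  * the provider-name format quoted in the issue, with '.' in the host
    replaced by '_' as in the observed output.
The listener fragment below is constructed for the example.
"""
import re

# libyaml / go-yaml: keys above this byte length are emitted with a leading '? '
SIMPLE_KEY_MAX = 128

# '? key' or '? key:' at any indentation (the one-line form appears in the issue)
EXPLICIT_KEY = re.compile(r"^(?P<indent>[ ]*)\?[ ]+(?P<key>\S.*)$")


def jwt_provider_key(namespace, route, rule_idx, match_idx, host, provider):
    """Provider name in the {ns}/{route}/rule/{i}/match/{j}/{host}/{provider} form."""
    return (f"{namespace}/{route}/rule/{rule_idx}/match/{match_idx}/"
            f"{host.replace('.', '_')}/{provider}")


def needs_explicit_key(key):
    """True when an emitter with the 128-byte simple-key limit prints '? key'."""
    return len(key.encode("utf-8")) > SIMPLE_KEY_MAX


def normalise_explicit_keys(text):
    """Rewrite explicit block-mapping keys to the plain 'key:' form.

    Handles the one-line form seen in the issue ('? key:' with the value nested
    below) and the canonical two-line form ('? key' then ': value'). The key
    text itself is never changed: the '?' is syntax, not part of the name.
    """
    lines = text.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = EXPLICIT_KEY.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        indent, key = m["indent"], m["key"]
        if key.endswith(":"):
            key = key[:-1]
        out.append(f"{indent}{key}:")
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        val = re.match(re.escape(indent) + r":(?: (.*))?$", nxt)
        if val:                      # two-line form: move the value under the key
            if val.group(1):
                out.append(f"{indent}  {val.group(1)}")
            i += 2
        else:                        # one-line form: value is already nested below
            i += 1
    return "\n".join(out)


def audit_jwt_authn(fragment):
    """Return (provider_keys, dangling) for a jwt_authn filter fragment.

    provider_keys: direct children of 'providers:'; dangling: providerName
    values that do not name one of them. Envoy's jwt_authn filter rejects a
    requirement that names an unknown provider, so a non-empty list means
    the configuration itself, not just its YAML rendering, is wrong.
    """
    providers, referenced = set(), set()
    providers_indent = None
    for line in normalise_explicit_keys(fragment).splitlines():
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if stripped == "providers:":
            providers_indent = indent
            continue
        if providers_indent is not None:
            if indent <= providers_indent:
                providers_indent = None          # left the providers mapping
            elif indent == providers_indent + 2 and stripped.endswith(":"):
                providers.add(stripped[:-1])     # a direct child = provider name
        ref = re.match(r"providerName: (\S+)$", stripped)
        if ref:
            referenced.add(ref.group(1))
    return providers, sorted(referenced - providers)


ROUTE_NAME = ("httproute-with-long-name-like-superhero-agent-phil-coulson-"
              "the-shield-liaison-for-the-avengers")
PROVIDER_KEY = jwt_provider_key("envoy-gateway-system", ROUTE_NAME, 0, 0,
                                "example.com", "example")
REQUIREMENT_KEY = PROVIDER_KEY.rsplit("/", 1)[0]   # same path without the provider

# Constructed fragment shaped like the egctl listener output in the issue.
SAMPLE = f"""\
httpFilters:
- name: envoy.filters.http.jwt_authn
  typedConfig:
    providers:
      ? {PROVIDER_KEY}:
        remoteJwks:
          cacheDuration: 300s
    requirementMap:
      ? {REQUIREMENT_KEY}:
        providerName: {PROVIDER_KEY}
"""

if __name__ == "__main__":
    print(f"{len(PROVIDER_KEY)} bytes, explicit key: {needs_explicit_key(PROVIDER_KEY)}")
    print(normalise_explicit_keys(SAMPLE))
    print(audit_jwt_authn(SAMPLE))
```

Feed the script the output of the egctl listener dump from the repro steps in place of SAMPLE; if `audit_jwt_authn` returns an empty dangling list, the `?` is purely a rendering detail and Envoy was handed the same provider and requirement names the SecurityPolicy asked for.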

arkodg commented 9 months ago

cc @cpakulski

github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days.