remoteJWKS needs a caCert option

[vacan1t]

Description: When setting up JWT authentication we need to be able to set custom CA-certificate to allow Envoy to trust our internal HTTPS JWKS server.

Snippet from SecurityPolicy:

  jwt:
    providers:
    - name: poc-oidc
      remoteJWKS:
        uri: https://poc-oidc.internal.domain.com/keys

Relevant debug logs:

[2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/cert_validator/default_validator.cc:325] verify cert failed: X509_verify_cert: certificate verification error at depth 1: unable to get local issuer certificate 2024-06-04T15:15:36.191711347+02:00 [2024-06-04 13:15:36.191][1][debug][connection] [source/extensions/transport_sockets/tls/ssl_socket.cc:241] [Tags: "ConnectionId":"8"] remote address:10.X.X.254:443,TLS_error:|268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED:TLS_error_end

[optional Relevant Links:]

Any extra documentation required to understand the issue. https://gateway.envoyproxy.io/latest/tasks/security/jwt-authentication/ https://gateway.envoyproxy.io/contributions/design/security-policy/

[arkodg]

I'd vote for adding a caCertificateRefs field in here to solve this

[phantooom]

/assign

[phantooom]

I'd vote for adding a caCertificateRefs field in here to solve this

is caCertificateRef field ok？ is there a scenario where users might need multiple CAs?

[arkodg]

I'd vote for adding a caCertificateRefs field in here to solve this

is caCertificateRef field ok？ is there a scenario where users might need multiple CAs?

@phantooom lets follow the BackendTLSPolicy spec https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ as a guide and use caCertificateRefs and append them into one internally

[phantooom]

I'd vote for adding a caCertificateRefs field in here to solve this

is caCertificateRef field ok？ is there a scenario where users might need multiple CAs?

@phantooom lets follow the BackendTLSPolicy spec https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ as a guide and use caCertificateRefs and append them into one internally

ok

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[arkodg]

hey @phantooom this was discussed in the the community meeting a few weeks ago and the decision is to represent the remote jwks endpoint as a backendCluster. similar to what's done in ext auth https://github.com/envoyproxy/gateway/blob/262e0466f14dace834f1b0d712c2492c27e9bb03/api/v1alpha1/ext_auth_types.go#L54

This would be an additional field in the existing struct allowing the user to define custom cluster level properties like custom caCert

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[s0uky]

+1 Is there any progress on this feat?

[arkodg]

hey @phantooom do you any cycles to address the above comments ? this is similar to https://github.com/envoyproxy/gateway/pull/4227

[phantooom]

hey @phantooom do you any cycles to address the above comments ?嘿，你有空处理上面的评论吗？ this is similar to #4227这与 #4227 类似

sorry. my work has recently changed, and I am no longer able to continue following up on this pull request.

[phantooom]

/unassign

[wengyao04]

Hi, we also need remoteJWKS to support extra CA, do we have any process for this issue ?

[arkodg]

hey @wengyao04 to implement this, we'd need to add and implement the backendRefs field similar to what was done for OIDC https://github.com/envoyproxy/gateway/pull/4227, which would allow the user to specify a Backend/ Service resource as a backendRef + a BackendTLSPolicy as a policy to specify the custom CA