envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Type check error in AuthorizationRule of a SecurityPolicy #4673

Closed s8wtt closed 1 week ago

s8wtt commented 1 week ago

Description:

On this page, https://gateway.envoyproxy.io/docs/api/extension_types/#authorizationrule, the principal field is pointing to an incorrect type. It results in rules being rejected by the helm chart schema.

```
W1107 15:30:48.618351   85806 warnings.go:70] unknown field "spec.authorization.rules[0].principal.jwt"
Error: UPGRADE FAILED: cannot patch "sp-jwt-okta" with kind SecurityPolicy: SecurityPolicy.gateway.envoyproxy.io "sp-jwt-okta" is invalid: [spec.authorization.rules[0].principal.clientCIDRs: Required value, <nil>: Invalid value: "null": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation]
```

Repro steps:

Take the example from the docs and simply upgrade the helm app.

```yaml
authorization:
  defaultAction: Deny
  rules:
  - name: "allow"
    action: Allow
    principal:
      jwt:
        provider: okta
        scopes: ["read"]
        claims:
        - name: groups
          valueType: StringArray
          values: ["foobar123"]
```

Note: If there are privacy concerns, sanitize the data prior to sharing.

Environment:

v1.2.1 and v0.0.0-latest

Logs:

Include the access logs and the Envoy logs.

arkodg commented 1 week ago

Hey @s8wtt, did you upgrade from a previous version?

Helm upgrade does not update CRDs, so the CRDs will need to be updated manually: https://gateway.envoyproxy.io/docs/install/install-yaml/#upgrading-from-v11

s8wtt commented 1 week ago

Thanks very much @arkodg. I really appreciate your help! This seems to be the root cause. Since it has been resolved I will close this issue. Thank you again!
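
An added example, not part of the original thread or the Envoy Gateway project's code: a check for the stale-CRD condition identified in the thread. It reads the JSON from `kubectl get crd securitypolicies.gateway.envoyproxy.io -o json` and lists the served versions whose schema lacks `principal.jwt`; the function names and the two trimmed sample CRDs are constructed for illustration.

```python
import json
import sys

# Field from the error in this issue: spec.authorization.rules[0].principal.jwt
FIELD_PATH = ["spec", "authorization", "rules", "[]", "principal", "jwt"]


def schema_has_field(schema, path):
    """Walk an openAPIV3Schema node along path; "[]" descends into array items."""
    node = schema
    for part in path:
        if not isinstance(node, dict):
            return False
        node = node.get("items") if part == "[]" else node.get("properties", {}).get(part)
        if node is None:
            return False
    return True


def versions_missing_field(crd, path=FIELD_PATH):
    """Return the served CRD versions whose schema does not define the field."""
    missing = []
    for version in crd.get("spec", {}).get("versions", []):
        schema = version.get("schema", {}).get("openAPIV3Schema", {})
        if version.get("served", True) and not schema_has_field(schema, path):
            missing.append(version["name"])
    return missing


def sample_crd(principal_props):
    """Constructed, heavily trimmed CRD; a real one carries many more fields."""
    schema = {"properties": principal_props}
    for key in ("principal", "[]", "rules", "authorization", "spec"):
        schema = {"items": schema} if key == "[]" else {"properties": {key: schema}}
    return {"spec": {"versions": [{"name": "v1alpha1", "served": True,
                                   "schema": {"openAPIV3Schema": schema}}]}}


# Constructed samples: a CRD left behind by a Helm upgrade, and an updated one.
STALE_CRD = sample_crd({"clientCIDRs": {"type": "array"}})
CURRENT_CRD = sample_crd({"clientCIDRs": {"type": "array"}, "jwt": {"type": "object"}})

if __name__ == "__main__":
    # Pipe the kubectl JSON output in; with no pipe, run on the stale sample.
    crd = STALE_CRD if sys.stdin.isatty() else json.load(sys.stdin)
    missing = versions_missing_field(crd)
    print("stale CRD, principal.jwt missing in:" if missing else "CRD defines principal.jwt", *missing)
    sys.exit(1 if missing else 0)
```

A non-zero exit before `helm upgrade` indicates the installed CRD predates the policy fields in use, which is the state that produced the `unknown field` warning above.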