diff --git a/.changelog/22168.txt b/.changelog/22168.txt
new file mode 100644
index 000000000000..8e4d1fa2f337
--- /dev/null
+++ b/.changelog/22168.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: send TLS SNI in JWT auth provider
+```
\ No newline at end of file
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index 244585dfdf3e..79c6e5932dad 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -242,6 +242,7 @@ func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v
 if scheme == "https" {
 jwksTLSContext, err := makeUpstreamTLSTransportSocket(
 &envoy_tls_v3.UpstreamTlsContext{
+ Sni: hostname,
 CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
 ValidationContextType: &envoy_tls_v3.CommonTlsContext_ValidationContext{
 ValidationContext: makeJWTCertValidationContext(p.JSONWebKeySet.Remote.JWKSCluster),
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
index a370a6b8517f..cb0b3794c041 100644
--- a/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
@@ -138,7 +138,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "test.test.com"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
index ef4a341f6bfb..d279a51d1a90 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "example-okta.com"
 }
 },
 "type": "STATIC"
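Review bot: `Sni: hostname` is set unconditionally, and the golden files in this same commit show it being emitted as an IP literal (`"sni": "127.0.0.1"`), which RFC 6066 §3 does not permit in the server_name extension and which some TLS servers reject or silently ignore. Only send it for DNS names, e.g. `sni := ""` / `if net.ParseIP(hostname) == nil { sni = hostname }` / `Sni: sni,` (this needs `net` in the import block if it is not already there). The validation context visible here carries only a trusted CA; if `makeJWTCertValidationContext` does not also add a SAN match for `hostname`, the proxy names the server but never checks the presented certificate against that name, so confirm that and, if so, set `MatchTypedSubjectAltNames` alongside the SNI. The enclosing `makeJWTProviderCluster` starts and ends outside this hunk, and how `hostname` is derived (for instance whether IPv6 brackets are stripped) is not visible.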
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
index f75b2c4f1ef2..6f6ed3556d43 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "example-okta.com"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
index c396e70deb18..0390f0edecf8 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "127.0.0.1"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
index cf1a77039b18..766f895cc449 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "127.0.0.1"
 }
 },
 "type": "STATIC"