From 66de87a64141fbca51414f1f13e14d4dfbb8492d Mon Sep 17 00:00:00 2001
From: Sreeram Narayanan
Date: Mon, 17 Feb 2025 13:30:10 +0530
Subject: [PATCH 1/3] update: send hostname in SNI for JWT provider envoy request
---
 agent/xds/clusters.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index 244585dfdf3e..79c6e5932dad 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -242,6 +242,7 @@ func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v
 if scheme == "https" {
 jwksTLSContext, err := makeUpstreamTLSTransportSocket(
 &envoy_tls_v3.UpstreamTlsContext{
+ Sni: hostname,
 CommonTlsContext: &envoy_tls_v3.CommonTlsContext{
 ValidationContextType: &envoy_tls_v3.CommonTlsContext_ValidationContext{
 ValidationContext: makeJWTCertValidationContext(p.JSONWebKeySet.Remote.JWKSCluster),
From 64f751a486e5f48091ba86ea052ad92a60965ee9 Mon Sep 17 00:00:00 2001
From: Sreeram Narayanan
Date: Mon, 17 Feb 2025 13:31:04 +0530
Subject: [PATCH 2/3] update: add sni in golden files for JWT
---
 ...-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden | 3 ++-
 .../https-provider-with-hostname-and-port.golden | 3 ++-
 .../https-provider-with-hostname-no-port.golden | 3 ++-
 .../jwt_authn_clusters/https-provider-with-ip-and-port.golden | 3 ++-
 .../jwt_authn_clusters/https-provider-with-ip-no-port.golden | 3 ++-
 5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden b/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
index a370a6b8517f..cb0b3794c041 100644
--- a/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-jwt-config-entry-with-remote-jwks.latest.golden
@@ -138,7 +138,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "test.test.com"
 }
 },
 "type": "STATIC"
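Review bot: `Sni: hostname` is set unconditionally, so when the JWKS URI names an IP address Envoy is told to send that literal as the SNI host name; the ip-and-port and ip-no-port golden files later in this series show exactly that (`"sni": "127.0.0.1"`). RFC 6066 §3 does not permit literal IPv4/IPv6 addresses in the server_name extension, and servers may reject or ignore such a ClientHello, so the IP case should leave SNI unset: compute `sni := hostname` / `if net.ParseIP(hostname) != nil { sni = "" }` before the call and use `Sni: sni,` (importing stdlib `net` if the file does not already). `hostname` is presumably derived from the JWKS URI earlier in makeJWTProviderCluster, which starts and ends outside this hunk; if that derivation can yield a bracketed IPv6 literal, strip the brackets before the check. A short comment such as `// SNI is only meaningful for DNS names (RFC 6066 §3); skip it for IP literals.` would make the intent clear to the next reader.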
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
index ef4a341f6bfb..d279a51d1a90 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-and-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "example-okta.com"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
index f75b2c4f1ef2..6f6ed3556d43 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-hostname-no-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "example-okta.com"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
index c396e70deb18..0390f0edecf8 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-and-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "127.0.0.1"
 }
 },
 "type": "STATIC"
diff --git a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
index cf1a77039b18..766f895cc449 100644
--- a/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
+++ b/agent/xds/testdata/jwt_authn_clusters/https-provider-with-ip-no-port.golden
@@ -30,7 +30,8 @@
 "filename": "mycert.crt"
 }
 }
- }
+ },
+ "sni": "127.0.0.1"
 }
 },
 "type": "STATIC"
From 6b706dad983abbf5f11086dc166c6e289fdf77e2 Mon Sep 17 00:00:00 2001
From: Sreeram Narayanan
Date: Mon, 17 Feb 2025 13:42:19 +0530
Subject: [PATCH 3/3] add: changelog for TLS SNI in JWT auth provider
---
 .changelog/22168.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/22168.txt
diff --git a/.changelog/22168.txt b/.changelog/22168.txt
new file mode 100644
index 000000000000..8e4d1fa2f337
--- /dev/null
+++ b/.changelog/22168.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: send TLS SNI in JWT auth provider
+```
\ No newline at end of file