support remote jwks #12939
Merged
support remote jwks #12939
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gateway-bot
added
do-not-merge/description-invalid
do-not-merge/kind-invalid
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for remote JWKS (JSON Web Key Set) in JWT authentication, allowing JWT validation keys to be fetched from a remote JWKS server instead of only supporting local inline or ConfigMap-based keys.
Key Changes:
- Added
RemoteJWKSAPI type with URL, backend reference, and optional cache duration - Extended JWT translation logic to handle remote JWKS with cluster references and HTTP timeouts
- Added comprehensive unit tests and an end-to-end test case for remote JWKS
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
api/v1alpha1/jwt_types.go |
Adds RemoteJWKS struct with URL, BackendRef, and CacheDuration fields; updates JWKS to include optional RemoteJWKS |
api/v1alpha1/zz_generated.deepcopy.go |
Auto-generated DeepCopy methods for RemoteJWKS struct |
install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml |
Adds CRD schema for remote JWKS with validation rules for BackendRef and cacheDuration |
internal/kgateway/extensions2/plugins/trafficpolicy/jwt.go |
Implements remote JWKS translation to Envoy RemoteJwks config with cluster resolution and timeout handling |
internal/kgateway/extensions2/plugins/trafficpolicy/jwt_test.go |
Adds unit tests for remote JWKS translation including success and error cases |
internal/kgateway/extensions2/plugins/trafficpolicy/gateway_extension.go |
Updates JWT provider resolution to pass backend resolver and object source for remote JWKS support |
internal/kgateway/translator/gateway/gateway_translator_test.go |
Adds integration test case for remote JWKS functionality |
internal/kgateway/translator/gateway/testutils/inputs/jwt/httproute-remote-jwks.yaml |
Test input with remote JWKS configuration referencing a service backend |
internal/kgateway/translator/gateway/testutils/outputs/jwt/httproute-remote-jwks.yaml |
Expected Envoy configuration output with remote JWKS cluster reference and cache settings |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml
Show resolved
Hide resolved
gateway-bot
added
kind/feature
Signed-off-by: omar <[email protected]>
puertomontt
force-pushed
the
remotejwks
branch
from
7388a48 to
ea30c45
Compare
lgadban
reviewed
Nov 23, 2025
| jwtFilterNamePrefix = "jwt" | ||
| jwtConfigMapKey = "jwks" | ||
|
|
||
| remoteJWKSTimeoutSecs = 5 |
Contributor
There was a problem hiding this comment.
I don't see an API value for this, is this just hardcoded?
internal/kgateway/extensions2/plugins/trafficpolicy/gateway_extension.go
Outdated
Show resolved
Hide resolved
- rename policySrc to gwExtObj - remove unneeded nil check for resolver Signed-off-by: omar <[email protected]>
Signed-off-by: omar <[email protected]>
Signed-off-by: omar <[email protected]>
lgadban
reviewed
Nov 24, 2025
internal/kgateway/translator/gateway/testutils/inputs/jwt/cross-namespace.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: omar <[email protected]>
lgadban
approved these changes
Nov 24, 2025
Comment on lines
+190
to
+193
| message: Successfully resolved all references | ||
| reason: ResolvedRefs | ||
| status: "True" | ||
| type: ResolvedRefs |
Contributor
There was a problem hiding this comment.
this doesn't seem correct but is likely existing behavior.
i.e. it's hard for policy to influence the ResolvedRefs condition of the route
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
add support for remote JWKS leveraging envoy.
Change Type
/kind new_feature
Changelog
Additional Notes