Unexpected additional characters on JWT Authentication
Description:
I observed an additional ? character under the JWT Authentication filter spec, in the provider and requirementMap field names, whenever the corresponding HTTPRoute has a long name.
The provider name refers to a combination of {HTTPRoute's namespace}/{HTTPRoute's name}/rule/{HTTPRoute's rules index}/match/{HTTPRoute's matches index}/{host}/{JWT Provider name}, and whenever the total length is greater than or equal to 130 characters (CMIIW), the unexpected additional ? character is prepended to its value.
For example:
HTTPRoute Name: httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers
HTTPRoute Namespace: envoy-gateway-system
Rule Index: 0
Match Index: 0
Host: example.com
Provider Name: example
Envoy Gateway will generate a name like envoy-gateway-system/httproute-with-long-name-like-superhero-agent-phil-coulson-the-shield-liaison-for-the-avengers/rule/0/match/0/example_com/example, and you will see the listener config in the Envoy instance like the following:
defaultFilterChain:
  filters:
  - name: envoy.filters.network.http_connection_manager
    typedConfig:
      '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
      <REDACTED>
      httpFilters:
      - name: envoy.filters.http.jwt_authn
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
          providers:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example:
              claimToHeaders:
              - claimName: name
                headerName: x-name
              remoteJwks:
                cacheDuration: 300s
                httpUri:
                  cluster: raw_githubusercontent_com_443
                  timeout: 5s
                  uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
          requirementMap:
            ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com:
              providerName: envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example
Question
- I'm curious whether this behavior stems from Envoy's limitations and if so, whether it might pose issues down the line.
- AFAIK, the HTTPRoute name has a limitation of 256 characters. Given this constraint and in alignment with point 1, it appears that Envoy Gateway may have a potential bug in this case.
Repro steps:
- Create and apply the HTTPRoute:
  apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
    namespace: envoy-gateway-system
  spec:
    hostnames:
    - example.com
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default-gateway
      namespace: envoy-gateway-system
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: echoserver
        namespace: testing
        port: 80
        weight: 100
      matches:
      - path:
          type: PathPrefix
          value: /testing2
- Create and apply the SecurityPolicy:
  apiVersion: gateway.envoyproxy.io/v1alpha1
  kind: SecurityPolicy
  metadata:
    name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
    namespace: envoy-gateway-system
  spec:
    jwt:
      providers:
      - claimToHeaders:
        - claim: name
          header: x-name
        name: example
        remoteJWKS:
          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
    targetRef:
      group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character
      namespace: envoy-gateway-system
- Fetch the LDS config using the egctl CLI:
  egctl c envoy-proxy listener <envoy-instance-pod-name> -oyaml
Environment: latest
cc @cpakulski
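Whether the leading ? is part of the generated name can be checked by reading the dump back rather than eyeballing it: in YAML, "? " is the explicit-key indicator, which emitters fall back to for keys they will not print as plain simple keys (typically long ones), and a YAML loader drops it. The following added example (not Envoy Gateway's or egctl's code) reads a constructed excerpt of the listener dump above, strips the indicator the way a loader would, checks that every requirementMap providerName still resolves to a provider key, and checks that the recovered key equals the name the issue's scheme predicts (rendering the host's dots as underscores, as inferred from the dump's example_com).

```python
from typing import Dict, List

# Constructed excerpt of the jwt_authn typedConfig from the issue's listener
# dump, keeping the `?` explicit-key indicator exactly as egctl printed it.
JWT_AUTHN_EXCERPT = """\
providers:
  ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example:
    claimToHeaders:
    - claimName: name
      headerName: x-name
    remoteJwks:
      cacheDuration: 300s
requirementMap:
  ? envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com:
    providerName: envoy-gateway-system/sample-with-hundred-and-thirty-characters-that-result-with-unexpected-character/rule/0/match/0/example_com/example
"""


def provider_key(namespace: str, route: str, rule: int, match: int,
                 host: str, provider: str) -> str:
    """Name scheme from the issue text; host dots become underscores
    (assumption taken from the dump's example_com)."""
    return (f"{namespace}/{route}/rule/{rule}/match/{match}/"
            f"{host.replace('.', '_')}/{provider}")


def jwt_authn_keys(yaml_text: str) -> Dict[str, List[str]]:
    """Minimal reader for the two maps above (not a general YAML parser).
    `? key` is YAML's explicit-key form: the indicator is syntax, not part
    of the key, so it is stripped here exactly as a YAML loader would."""
    out: Dict[str, List[str]] = {"providers": [], "requirementMap": [], "references": []}
    section = None
    for line in yaml_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0 and body.endswith(":"):
            section = body[:-1]                       # providers / requirementMap
        elif indent == 2 and section in ("providers", "requirementMap"):
            key = body[2:] if body.startswith("? ") else body
            out[section].append(key.removesuffix(":"))
        elif section == "requirementMap" and body.startswith("providerName:"):
            out["references"].append(body.split(":", 1)[1].strip())
    return out


def dangling_references(yaml_text: str) -> List[str]:
    """providerName values with no matching provider key once the explicit-key
    indicator is normalised; a non-empty result would be a real mismatch."""
    keys = jwt_authn_keys(yaml_text)
    return [ref for ref in keys["references"] if ref not in keys["providers"]]
```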
This issue has been automatically marked as stale because it has not had activity in the last 30 days.