Basic jwt with GatewayExtension #11445

Open: wants to merge 8 commits into base branch main

Conversation

npolshakova
Contributor

@npolshakova npolshakova commented Jun 18, 2025

Description

Define a basic JWT policy to support configuration of Envoy-based proxies and agentgateway. #11192

Motivation:

We would like to add support for JWT in kgateway for configuring both the upstream Envoy JWT Authentication filter and configuring agentgateway JWT authentication.

What changed:

  • Adds new JWT Authentication API on TrafficPolicy
  • Adds new JWT Provider type to GatewayExtension
  • Note: RBAC will be done in a separate PR (Basic rbac api #11441)

Change Type

/kind new_feature

Changelog

Added JWT Authentication configuration to the TrafficPolicy and support for JWT Providers to the GatewayExtension.

Additional Notes

See the Enhancement Proposal: #11194

Test locally:

  1. Setup cluster with ./hack/kind/setup-kind.sh
  2. Install kgateway:
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml

helm upgrade -i -n kgateway-system kgateway-crds ./_test/kgateway-crds-1.0.0-ci1.tgz --create-namespace

helm upgrade -i -n kgateway-system kgateway ./_test/kgateway-1.0.0-ci1.tgz --create-namespace
  3. Apply config:
k apply -f kgateway/test/kubernetes/e2e/features/jwt/testdata/setup.yaml
k apply -f kgateway/test/kubernetes/e2e/features/jwt/testdata/jwt.yaml
  4. Setup jwt:
export TOKEN=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MUBzb2xvLmlvIiwiZ3JvdXAiOiJlbmdpbmVlcmluZyIsInNjb3BlIjoiaXM6ZGV2ZWxvcGVyIn0.WtqyZagpEcLnam5v5VpPqTpF-Ow_IvnLKdJgoFoXX_BaHzIgBvx2vdczpjiZxlSw4sBP1x4z1u-nEvohcmjLWlQgW_saAKuOrQMhBWRJtsj7-Ql_cVNqIej4eS7QofYyCuJSzHC9H3KGoIUHd5oQdnTvaTFt07k8xiwgaBOmRvNKVgSbi5B4KxXi59RB4YaoPFut3Em4s9i26U6H5Eqy4OgA39b6vDvQ71DbZGzhncboRQ4KdCkwsk-lMsavooG5OKIuQj3xZH1qzM8g70UOmj-Dg7VTsNGw9QbdOVw-hddFlv6AQ-bqNNA_1jbmEoHaVLfvM4-LUzoPt7_4giSApw

  5. Send request:

Works on non-jwt path:

curl localhost:8080/status/200 -v \
  -H "Host: httpbin" 

Works with token:

curl localhost:8080/get -v \
  -H "Host: httpbin" \
  -H "Authorization: Bearer $TOKEN"

Invalid (Jwt is not in the form of Header.Payload.Signature):

curl localhost:8080/get -v \
  -H "Host: httpbin" \
  -H "Authorization: Bearer fake" 

Invalid (missing):

 curl localhost:8080/get -v \
  -H "Host: httpbin"

Invalid (fails verification):

curl localhost:8080/get -v -H "host: httpbin" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MUBrZ2F0ZXdheS5pbyIsImdyb3VwIjoiZW5naW5lZXJpbmciLCJzY29wZSI6ImlzOmRldmVsb3BlciJ9.pqzk87Gny6mT8Gk7CVfkminm3u9CrNPhRt0oElwmfwZ7Jak1Ss4iOZ7MSZEgZFPxGiaz3DQyvos65dqbM_e4RaLYXb9fFYylaBl8kE8bhqMnXfPBNp9C4XTsSz4mR-eUvnkXXZ31dhMkoZvwIswWXR50wZ0rC6NF60Tye0sHJRdDcwL5778wDzLnualvtIiL-CbhWzXgRmjcrK3sbikLCHBjQiTEyBMPOVqS5NqJBgd7ZW1UASoxuxjCLsN8tBIaAFSACf8FZggAh9vEUJ_uc39kvOKQ0vs0pxvoYtsMPcndBYhws6IUhx_iF__qs_zz9mDNp8aMbXSlEdJG30w123"
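The four outcomes above are decided at different validation stages. This is an added example (not kgateway's code and not part of the PR) that runs, in stdlib Python, the checks a JWT filter can do before it reaches the signature: structure, alg, exp and iss. It uses the two sample tokens from the steps above; ISSUER is read off their iss claim and ACCEPTED_ALGS is an assumed allow-list, since the provider configuration itself is not shown here. The RSA signature check against the provider's JWKS is the one step it cannot perform, which is exactly why the "fails verification" token passes every stage shown here.

```python
import base64
import json
import time

# Tokens copied from the test steps above: TOKEN is sent in the "Works with
# token" request, TAMPERED is the one that "fails verification".
TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MUBzb2xvLmlvIiwiZ3JvdXAiOiJlbmdpbmVlcmluZyIsInNjb3BlIjoiaXM6ZGV2ZWxvcGVyIn0.WtqyZagpEcLnam5v5VpPqTpF-Ow_IvnLKdJgoFoXX_BaHzIgBvx2vdczpjiZxlSw4sBP1x4z1u-nEvohcmjLWlQgW_saAKuOrQMhBWRJtsj7-Ql_cVNqIej4eS7QofYyCuJSzHC9H3KGoIUHd5oQdnTvaTFt07k8xiwgaBOmRvNKVgSbi5B4KxXi59RB4YaoPFut3Em4s9i26U6H5Eqy4OgA39b6vDvQ71DbZGzhncboRQ4KdCkwsk-lMsavooG5OKIuQj3xZH1qzM8g70UOmj-Dg7VTsNGw9QbdOVw-hddFlv6AQ-bqNNA_1jbmEoHaVLfvM4-LUzoPt7_4giSApw"
TAMPERED = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MUBrZ2F0ZXdheS5pbyIsImdyb3VwIjoiZW5naW5lZXJpbmciLCJzY29wZSI6ImlzOmRldmVsb3BlciJ9.pqzk87Gny6mT8Gk7CVfkminm3u9CrNPhRt0oElwmfwZ7Jak1Ss4iOZ7MSZEgZFPxGiaz3DQyvos65dqbM_e4RaLYXb9fFYylaBl8kE8bhqMnXfPBNp9C4XTsSz4mR-eUvnkXXZ31dhMkoZvwIswWXR50wZ0rC6NF60Tye0sHJRdDcwL5778wDzLnualvtIiL-CbhWzXgRmjcrK3sbikLCHBjQiTEyBMPOVqS5NqJBgd7ZW1UASoxuxjCLsN8tBIaAFSACf8FZggAh9vEUJ_uc39kvOKQ0vs0pxvoYtsMPcndBYhws6IUhx_iF__qs_zz9mDNp8aMbXSlEdJG30w123"
ISSUER = "https://dev.example.com"  # iss claim carried by both sample tokens
ACCEPTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}  # assumed allow-list


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token):
    # Split Header.Payload.Signature and decode the two JSON parts. Returns
    # (header, claims, signature_segment) or None when the token is not even
    # structurally a JWT. This proves nothing about authenticity.
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return header, claims, parts[2]


def triage_jwt(token, expected_iss, now=None):
    # Checks a gateway can run before touching the signature: structure, alg,
    # exp, iss. "verify_signature" means only the RSA check against the
    # provider's JWKS (not done here) can still tell genuine from tampered.
    decoded = decode_unverified(token)
    if decoded is None:
        return "malformed"  # Envoy: Jwt is not in the form of Header.Payload.Signature
    header, claims, _signature = decoded
    if header.get("alg") not in ACCEPTED_ALGS:  # rejects alg=none and HMAC algs
        return "bad_alg"
    now = int(time.time()) if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return "expired"
    if claims.get("iss") != expected_iss:
        return "wrong_issuer"
    return "verify_signature"
```

Comparing the decoded claims of the two tokens shows they differ only in the email claim, while their signature segments differ entirely; that is the case the configured provider's public key, not any structural check, has to catch.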

@github-actions github-actions bot added kind/feature Categorizes issue or PR as related to a new feature. release-note labels Jun 18, 2025
@npolshakova npolshakova force-pushed the basic-jwt-gw-extension branch 2 times, most recently from 387a952 to b84e961 June 18, 2025 20:01
@npolshakova npolshakova marked this pull request as ready for review June 18, 2025 20:14
@Copilot Copilot AI review requested due to automatic review settings June 18, 2025 20:14
@npolshakova npolshakova mentioned this pull request Jun 18, 2025
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds JWT authentication support by extending TrafficPolicy and GatewayExtension APIs and CRDs, along with necessary codegen updates.

  • Introduce a jwt field on TrafficPolicySpec with CRD schema and API types
  • Add a jwtProviders map to GatewayExtensionSpec and corresponding CRD validation
  • Generate deep‐copy, applyconfiguration, OSS compliance, and go.mod updates for new JWT types

Reviewed Changes

Copilot reviewed 20 out of 35 changed files in this pull request and generated 1 comment.

Summary per file (File: Description):

install/helm/kgateway-crds/templates/gateway.kgateway.dev_trafficpolicies.yaml: Add jwt object schema to TrafficPolicy CRD
install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml: Add jwtProviders schema and validation to GatewayExtension CRD
hack/utils/oss_compliance/osa_provided.md: Include go-jose/v3 in provided OSS compliance
hack/utils/oss_compliance/osa_included.md: Add hashicorp/go-multierror to included OSS list
go.mod: Move go-jose/v3 and go-multierror to direct deps
api/v1alpha1/zz_generated.deepcopy.go: Generate DeepCopy methods for JWT types
api/v1alpha1/traffic_policy_types.go: Add JWT *JWTValidation to TrafficPolicySpec
api/v1alpha1/jwt.go: Define JWTValidation, JWTProvider, and related types
api/v1alpha1/gateway_extensions_types.go: Add JWTProviders to GatewayExtensionSpec
api/applyconfiguration/utils.go: Register new JWT types in applyconfiguration utils
api/applyconfiguration/internal/internal.go: Add JWT types to internal schema YAML
api/applyconfiguration/api/v1alpha1/trafficpolicyspec.go: Add WithJWT builder for TrafficPolicySpec
api/applyconfiguration/api/v1alpha1/*: Generated applyconfiguration types for JWT and related structs

Comments suppressed due to low confidence (2)

api/v1alpha1/jwt.go:46

  • Update this comment to reference the enum values (Forward/Remove) rather than false, e.g., "if set to Remove, the header containing the token will be removed".
	// KeepToken configures if the token forwarded upstream. if false, the header containing the token will be removed.

go.mod:266

  • [nitpick] This module appears only as an indirect dependency in this PR; consider restoring the // indirect comment or removing the direct requirement if it’s not used directly in the code.
	github.com/go-jose/go-jose/v3 v3.0.3

@npolshakova npolshakova force-pushed the basic-jwt-gw-extension branch 4 times, most recently from 5b236ba to cdced23 June 30, 2025 18:26
Signed-off-by: npolshakova <[email protected]>
Signed-off-by: npolshakova <[email protected]>
Signed-off-by: npolshakova <[email protected]>

feedback

Signed-off-by: npolshakova <[email protected]>
Signed-off-by: npolshakova <[email protected]>
Signed-off-by: npolshakova <[email protected]>
Signed-off-by: npolshakova <[email protected]>

fix test names

Signed-off-by: npolshakova <[email protected]>

fix name

Signed-off-by: npolshakova <[email protected]>
@npolshakova npolshakova force-pushed the basic-jwt-gw-extension branch 2 times, most recently from 42cafb9 to fa3c0ef July 3, 2025 17:21
Signed-off-by: npolshakova <[email protected]>

typo

Signed-off-by: npolshakova <[email protected]>

typo

Signed-off-by: npolshakova <[email protected]>
@npolshakova npolshakova force-pushed the basic-jwt-gw-extension branch from fa3c0ef to b8ca1e5 July 3, 2025 17:37
Signed-off-by: npolshakova <[email protected]>
@npolshakova npolshakova requested a review from jenshu July 3, 2025 18:04