Add SNI related options and validation

Author: javorszky

internal/configs/version2/http.go

@@ -428,12 +428,14 @@ func (rl LimitReqOptions) String() string {
 
 // JWTAuth holds JWT authentication configuration.
 type JWTAuth struct {
-	Key      string
-	Secret   string
-	Realm    string
-	Token    string
-	KeyCache string
-	JwksURI  JwksURI
+	Key            string
+	Secret         string
+	Realm          string
+	Token          string
+	KeyCache       string
+	JwksSNIName    string
+	JwksSNIEnabled bool
+	JwksURI        JwksURI
 }
 
 // JwksURI defines the components of a JwksURI

internal/configs/version2/nginx-plus.virtualserver.tmpl

@@ -236,6 +236,12 @@ server {
         proxy_cache jwks_uri_{{ $s.VSName }};
         proxy_cache_valid 200 12h;
         {{- end }}
+        {{- if .JwksSNIEnabled }}
+        proxy_ssl_server_name on;
+        {{- if .JwksSNIName }}
+        proxy_ssl_name {{ .JwksSNIName }};
+        {{- end }}
+        {{- end }}
         {{- with .JwksURI }}
         proxy_set_header Host {{ .JwksHost }};
         set $idp_backend {{ .JwksHost }};

internal/configs/virtualserver.go

@@ -1176,11 +1176,13 @@ func (p *policiesCfg) addJWTAuthConfig(
 		}
 
 		p.JWTAuth.Auth = &version2.JWTAuth{
-			Key:      polKey,
-			JwksURI:  *JwksURI,
-			Realm:    jwtAuth.Realm,
-			Token:    jwtAuth.Token,
-			KeyCache: jwtAuth.KeyCache,
+			Key:            polKey,
+			JwksURI:        *JwksURI,
+			Realm:          jwtAuth.Realm,
+			Token:          jwtAuth.Token,
+			KeyCache:       jwtAuth.KeyCache,
+			JwksSNIEnabled: jwtAuth.SNIEnabled,
+			JwksSNIName:    jwtAuth.SNIServerName,
 		}
 		p.JWTAuth.JWKSEnabled = true
 		return res

pkg/apis/configuration/v1/types.go

@@ -652,11 +652,13 @@ type VariableCondition struct {
 
 // JWTAuth holds JWT authentication configuration.
 type JWTAuth struct {
-	Realm    string `json:"realm"`
-	Secret   string `json:"secret"`
-	Token    string `json:"token"`
-	JwksURI  string `json:"jwksURI"`
-	KeyCache string `json:"keyCache"`
+	Realm         string `json:"realm"`
+	Secret        string `json:"secret"`
+	Token         string `json:"token"`
+	JwksURI       string `json:"jwksURI"`
+	KeyCache      string `json:"keyCache"`
+	SNIEnabled    bool   `json:"sniEnabled"`
+	SNIServerName string `json:"sniServerName"`
 }
 
 // BasicAuth holds HTTP Basic authentication configuration

pkg/apis/configuration/validation/policy.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 	"unicode"
 
+	validation2 "github.com/nginx/kubernetes-ingress/internal/validation"
 	v1 "github.com/nginx/kubernetes-ingress/pkg/apis/configuration/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
@@ -213,7 +214,22 @@ func validateJWT(jwt *v1.JWTAuth, fieldPath *field.Path) field.ErrorList {
 		if jwt.KeyCache == "" {
 			allErrs = append(allErrs, field.Required(fieldPath.Child("keyCache"), "key cache must be set, example value: 1h"))
 		}
-		return allErrs
+
+		// if SNI server name is provided, but SNI is not enabled, return an error
+		if jwt.SNIServerName != "" && !jwt.SNIEnabled {
+			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("sniServerName"), "sniServerName can only be set when sniEnabled is true"))
+		}
+
+		// if SNI is enabled and SNI server name is provided, make sure it's a valid URI
+		if jwt.SNIEnabled && jwt.SNIServerName != "" {
+			err := validation2.ValidateURI(jwt.SNIServerName,
+				validation2.WithAllowedSchemes("https"),
+				validation2.WithUserAllowed(false),
+				validation2.WithDefaultScheme("https"))
+			if err != nil {
+				allErrs = append(allErrs, field.Invalid(fieldPath.Child("sniServerName"), jwt.SNIServerName, "sniServerName is not a valid URI"))
+			}
+		}
 	}
 	return allErrs
 }