feature: support third-party-jwt for istio access authentication (#93)

2026-03-07 10:00:48 +08:00 · 2022-12-02 17:00:25 +08:00
parent 1e448da8e9
commit cf50b6edce
3 changed files with 20 additions and 2 deletions
--- a/helm/higress/templates/deployment.yaml
+++ b/helm/higress/templates/deployment.yaml
@@ -122,7 +122,7 @@ spec:
          - name: ENABLE_INGRESS_GATEWAY_SDS
            value: "false"
          - name: JWT_POLICY
-            value: first-party-jwt
+            value: {{ .Values.gateway.jwtPolicy }}
          - name: ISTIO_META_HTTP10
            value: "1"
          - name: ISTIO_META_CLUSTER_ID
@@ -166,6 +166,11 @@ spec:
            {{- toYaml .Values.gateway.resources | nindent 12 }}
          {{- end }}
          volumeMounts:
+          {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
+          - name: istio-token
+            mountPath: /var/run/secrets/tokens
+            readOnly: true
+          {{- end }}
          - name: config
            mountPath: /etc/istio/config
          - name: istio-ca-root-cert
@@ -189,6 +194,15 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
+      {{- if eq .Values.gateway.jwtPolicy "third-party-jwt" }}
+      - name: istio-token
+        projected:
+          sources:
+            - serviceAccountToken:
+                audience: istio-ca
+                expirationSeconds: 43200
+                path: istio-token
+      {{- end }}
      - name: istio-ca-root-cert
        configMap:
          name: istio-ca-root-cert
--- a/helm/higress/values.yaml
+++ b/helm/higress/values.yaml
@@ -35,6 +35,10 @@ gateway:
  # Pod environment variables
  env: {}

+  # Configure the policy for validating JWT, it is used for istio authentication.
+  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+  jwtPolicy: "third-party-jwt"
+
  # Labels to apply to all resources
  labels: {}

--- a/helm/istiod/values.yaml
+++ b/helm/istiod/values.yaml
@@ -416,7 +416,7 @@ global:

  # Configure the policy for validating JWT.
  # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
-  jwtPolicy: "first-party-jwt"
+  jwtPolicy: "third-party-jwt"

  # Mesh ID means Mesh Identifier. It should be unique within the scope where
  # meshes will interact with each other, but it is not required to be