Skip to content
Merged
7 changes: 6 additions & 1 deletion api/v2/apisixconsumer_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,11 @@ type ApisixConsumerJwtAuth struct {
}

// ApisixConsumerJwtAuthValue defines configuration for JWT authentication.
// Exactly one of the following must be provided depending on the algorithm:
// - For symmetric algorithms (HS256, HS384, HS512): use secret. private_key and public_key are not required.
// - For asymmetric algorithms (RS*, ES*, PS*, EdDSA): at least one of public_key or private_key must be provided.
Comment thread
AlinsRan marked this conversation as resolved.
Outdated
Comment thread
AlinsRan marked this conversation as resolved.
Outdated
//
Comment thread
AlinsRan marked this conversation as resolved.
Outdated
// +kubebuilder:validation:XValidation:rule="!has(self.algorithm) || self.algorithm in ['HS256','HS384','HS512'] || (has(self.public_key) && self.public_key != ”) || (has(self.private_key) && self.private_key != ”)",message="asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require at least one of public_key or private_key"
Comment thread
AlinsRan marked this conversation as resolved.
Outdated
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
type ApisixConsumerJwtAuthValue struct {
// Key is the unique identifier for the JWT credential.
Key string `json:"key" yaml:"key"`
Expand All @@ -138,7 +143,7 @@ type ApisixConsumerJwtAuthValue struct {
// PublicKey is the public key used to verify JWT signatures (for asymmetric algorithms).
PublicKey string `json:"public_key,omitempty" yaml:"public_key,omitempty"`
// PrivateKey is the private key used to sign the JWT (for asymmetric algorithms).
PrivateKey string `json:"private_key" yaml:"private_key,omitempty"`
PrivateKey string `json:"private_key,omitempty" yaml:"private_key,omitempty"`
Comment thread
AlinsRan marked this conversation as resolved.
// Algorithm specifies the signing algorithm.
// Can be `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, or `EdDSA`.
// Currently APISIX only supports `HS256`, `HS512`, `RS256`, and `ES256`. API7 Enterprise supports all algorithms.
Expand Down
7 changes: 6 additions & 1 deletion config/crd/bases/apisix.apache.org_apisixconsumers.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -210,8 +210,13 @@ spec:
type: string
required:
- key
- private_key
type: object
x-kubernetes-validations:
- message: asymmetric JWT algorithms (RS*/ES*/PS*/EdDSA) require
at least one of public_key or private_key
rule: '!has(self.algorithm) || self.algorithm in [''HS256'',''HS384'',''HS512'']
|| (has(self.public_key) && self.public_key != ”) || (has(self.private_key)
&& self.private_key != ”)'
Comment thread
AlinsRan marked this conversation as resolved.
Outdated
type: object
keyAuth:
description: KeyAuth configures the key authentication details.
Expand Down
Loading