implement localJWKS documented in JWT verification design

Add LocalJWKS backed by a Kubernetes Opaque Secret (secretName and key) so
HTTPProxy JWT providers can supply JWKS without embedding JSON in the spec.

Contour loads and validates the Secret during DAG build (type and JWKS shape),
then configures Envoy jwt_authn with inline local JWKS bytes. JWKS Secrets do
not use TLS certificate delegation.

Includes CRD and API reference updates, DAG/cache/secret handling, listener
construction, status and unit tests, xdscache expectations, and featuretests.

Signed-off-by: nissy-dev <nd.12021218@gmail.com>

Author: nissy-dev

apis/projectcontour/v1/httpproxy.go

@@ -386,9 +386,13 @@ type JWTProvider struct {
 	// +optional
 	Audiences []string `json:"audiences,omitempty"`
 
-	// Remote JWKS to use for verifying JWT signatures.
-	// +kubebuilder:validation:Required
-	RemoteJWKS RemoteJWKS `json:"remoteJWKS"`
+	// Remote JWKS fetches signing keys from an HTTP(S) endpoint.
+	// +optional
+	RemoteJWKS *RemoteJWKS `json:"remoteJWKS,omitempty"`
+
+	// Local JWKS loads signing keys from a Kubernetes Secret
+	// +optional
+	LocalJWKS *LocalJWKS `json:"localJWKS,omitempty"`
 
 	// Whether the JWT should be forwarded to the backend
 	// service after successful verification. By default,
@@ -397,6 +401,19 @@ type JWTProvider struct {
 	ForwardJWT bool `json:"forwardJWT,omitempty"`
 }
 
+// LocalJWKS defines how to fetch a JWKS from a Kubernetes secret.
+type LocalJWKS struct {
+	// The name of the secret that contains the JWKS.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	SecretName string `json:"secretName,omitempty"`
+
+	// The key of the secret that contains the JWKS.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Key string `json:"key,omitempty"`
+}
+
 // RemoteJWKS defines how to fetch a JWKS from an HTTP endpoint.
 type RemoteJWKS struct {
 	// The URI for the JWKS.

apis/projectcontour/v1/zz_generated.deepcopy.go

@@ -7882,12 +7882,31 @@ spec:
                             Issuer that JWTs are required to have in the "iss" field.
                             If not provided, JWT issuers are not checked.
                           type: string
+                        localJWKS:
+                          description: Local JWKS loads signing keys from a Kubernetes
+                            Secret
+                          properties:
+                            key:
+                              description: The key of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                            secretName:
+                              description: The name of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                          required:
+                          - key
+                          - secretName
+                          type: object
                         name:
                           description: Unique name for the provider.
                           minLength: 1
                           type: string
                         remoteJWKS:
-                          description: Remote JWKS to use for verifying JWT signatures.
+                          description: Remote JWKS fetches signing keys from an HTTP(S)
+                            endpoint.
                           properties:
                             cacheDuration:
                               description: |-
@@ -7968,7 +7987,6 @@ spec:
                           type: object
                       required:
                       - name
-                      - remoteJWKS
                       type: object
                     type: array
                   rateLimitPolicy:

examples/contour/01-crds.yaml

@@ -8101,12 +8101,31 @@ spec:
                             Issuer that JWTs are required to have in the "iss" field.
                             If not provided, JWT issuers are not checked.
                           type: string
+                        localJWKS:
+                          description: Local JWKS loads signing keys from a Kubernetes
+                            Secret
+                          properties:
+                            key:
+                              description: The key of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                            secretName:
+                              description: The name of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                          required:
+                          - key
+                          - secretName
+                          type: object
                         name:
                           description: Unique name for the provider.
                           minLength: 1
                           type: string
                         remoteJWKS:
-                          description: Remote JWKS to use for verifying JWT signatures.
+                          description: Remote JWKS fetches signing keys from an HTTP(S)
+                            endpoint.
                           properties:
                             cacheDuration:
                               description: |-
@@ -8187,7 +8206,6 @@ spec:
                           type: object
                       required:
                       - name
-                      - remoteJWKS
                       type: object
                     type: array
                   rateLimitPolicy:

examples/render/contour-deployment.yaml

@@ -7893,12 +7893,31 @@ spec:
                             Issuer that JWTs are required to have in the "iss" field.
                             If not provided, JWT issuers are not checked.
                           type: string
+                        localJWKS:
+                          description: Local JWKS loads signing keys from a Kubernetes
+                            Secret
+                          properties:
+                            key:
+                              description: The key of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                            secretName:
+                              description: The name of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                          required:
+                          - key
+                          - secretName
+                          type: object
                         name:
                           description: Unique name for the provider.
                           minLength: 1
                           type: string
                         remoteJWKS:
-                          description: Remote JWKS to use for verifying JWT signatures.
+                          description: Remote JWKS fetches signing keys from an HTTP(S)
+                            endpoint.
                           properties:
                             cacheDuration:
                               description: |-
@@ -7979,7 +7998,6 @@ spec:
                           type: object
                       required:
                       - name
-                      - remoteJWKS
                       type: object
                     type: array
                   rateLimitPolicy:

examples/render/contour-gateway-provisioner.yaml

@@ -7918,12 +7918,31 @@ spec:
                             Issuer that JWTs are required to have in the "iss" field.
                             If not provided, JWT issuers are not checked.
                           type: string
+                        localJWKS:
+                          description: Local JWKS loads signing keys from a Kubernetes
+                            Secret
+                          properties:
+                            key:
+                              description: The key of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                            secretName:
+                              description: The name of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                          required:
+                          - key
+                          - secretName
+                          type: object
                         name:
                           description: Unique name for the provider.
                           minLength: 1
                           type: string
                         remoteJWKS:
-                          description: Remote JWKS to use for verifying JWT signatures.
+                          description: Remote JWKS fetches signing keys from an HTTP(S)
+                            endpoint.
                           properties:
                             cacheDuration:
                               description: |-
@@ -8004,7 +8023,6 @@ spec:
                           type: object
                       required:
                       - name
-                      - remoteJWKS
                       type: object
                     type: array
                   rateLimitPolicy:

examples/render/contour-gateway.yaml

@@ -8101,12 +8101,31 @@ spec:
                             Issuer that JWTs are required to have in the "iss" field.
                             If not provided, JWT issuers are not checked.
                           type: string
+                        localJWKS:
+                          description: Local JWKS loads signing keys from a Kubernetes
+                            Secret
+                          properties:
+                            key:
+                              description: The key of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                            secretName:
+                              description: The name of the secret that contains the
+                                JWKS.
+                              minLength: 1
+                              type: string
+                          required:
+                          - key
+                          - secretName
+                          type: object
                         name:
                           description: Unique name for the provider.
                           minLength: 1
                           type: string
                         remoteJWKS:
-                          description: Remote JWKS to use for verifying JWT signatures.
+                          description: Remote JWKS fetches signing keys from an HTTP(S)
+                            endpoint.
                           properties:
                             cacheDuration:
                               description: |-
@@ -8187,7 +8206,6 @@ spec:
                           type: object
                       required:
                       - name
-                      - remoteJWKS
                       type: object
                     type: array
                   rateLimitPolicy:

examples/render/contour.yaml

@@ -264,7 +264,9 @@ func (d *DAG) GetDNSNameClusters() []*DNSNameCluster {
 	for _, listener := range d.Listeners {
 		for _, svhost := range listener.SecureVirtualHosts {
 			for _, provider := range svhost.JWTProviders {
-				res = append(res, &provider.RemoteJWKS.Cluster)
+				if provider.RemoteJWKS != nil {
+					res = append(res, &provider.RemoteJWKS.Cluster)
+				}
 			}
 		}
 	}

internal/dag/accessors.go

@@ -563,6 +563,14 @@ func (kc *KubernetesCache) secretTriggersRebuild(secretObj *core_v1.Secret) bool
 			// not a root ingress
 			continue
 		}
+		for _, jp := range vh.JWTProviders {
+			if jp.LocalJWKS == nil || jp.LocalJWKS.SecretName == "" {
+				continue
+			}
+			if secret == k8s.NamespacedNameFrom(jp.LocalJWKS.SecretName, k8s.DefaultNamespace(proxy.Namespace)) {
+				return true
+			}
+		}
 		tls := vh.TLS
 		if tls == nil {
 			// no tls spec
@@ -736,6 +744,27 @@ func (kc *KubernetesCache) LookupCRLSecret(name types.NamespacedName, targetName
 	return sec, nil
 }
 
+// LookupJWKSFromSecret returns JWKS JSON from the named Secret data entry.
+func (kc *KubernetesCache) LookupJWKSFromSecret(name types.NamespacedName, key string) ([]byte, error) {
+	sec, ok := kc.secrets[name]
+	if !ok {
+		return nil, fmt.Errorf("Secret not found")
+	}
+
+	// Compute and store the validation result if not
+	// already stored.
+	if sec.ValidJWKSSecret == nil {
+		sec.ValidJWKSSecret = &SecretValidationStatus{
+			Error: validJWKSSecret(sec.Object, key),
+		}
+	}
+
+	if err := sec.ValidJWKSSecret.Error; err != nil {
+		return nil, err
+	}
+	return sec.Object.Data[key], nil
+}
+
 // LookupUpstreamValidation constructs PeerValidationContext with CA certificate from the cache.
 // If name (referred Secret) is in different namespace than targetNamespace (the referring object),
 // then delegation check is performed.

internal/dag/cache.go

@@ -820,7 +820,8 @@ type JWTProvider struct {
 	Name       string
 	Issuer     string
 	Audiences  []string
-	RemoteJWKS RemoteJWKS
+	RemoteJWKS *RemoteJWKS
+	LocalJWKS  *LocalJWKS
 	ForwardJWT bool
 }
 
@@ -831,6 +832,10 @@ type RemoteJWKS struct {
 	CacheDuration *time.Duration
 }
 
+type LocalJWKS struct {
+	JWKS []byte
+}
+
 // DNSNameCluster is a cluster that routes directly to a DNS
 // name (i.e. not a Kubernetes service).
 type DNSNameCluster struct {
@@ -1153,13 +1158,14 @@ func (s *ServiceCluster) Rebalance() {
 	}
 }
 
-// Secret represents a K8s Secret for TLS usage as a DAG Vertex. A Secret is
+// Secret represents a K8s Secret as a DAG Vertex. A Secret is
 // a leaf in the DAG.
 type Secret struct {
-	Object         *core_v1.Secret
-	ValidTLSSecret *SecretValidationStatus
-	ValidCASecret  *SecretValidationStatus
-	ValidCRLSecret *SecretValidationStatus
+	Object          *core_v1.Secret
+	ValidTLSSecret  *SecretValidationStatus
+	ValidCASecret   *SecretValidationStatus
+	ValidCRLSecret  *SecretValidationStatus
+	ValidJWKSSecret *SecretValidationStatus
 }
 
 func (s *Secret) Name() string      { return s.Object.Name }