Skip to content

Conversation

@fabriziofiorucci
Copy link
Contributor

Proposed changes

The current NGINX Ingress Controller implementation doesn't set the SNI field when fetching the JWT secret from an HTTPS URL. This breaks compatibility with idPs requiring SNI to be set.

This PR adds two directives to turn on SNI and set the hostname.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@fabriziofiorucci fabriziofiorucci requested a review from a team as a code owner March 12, 2025 13:59
@github-actions github-actions bot added the documentation Pull requests/issues for documentation label Mar 12, 2025
@shaun-nx shaun-nx linked an issue Mar 12, 2025 that may be closed by this pull request
Copy link
Contributor Author

@fabriziofiorucci fabriziofiorucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes reviewed

pdabelf5
pdabelf5 previously approved these changes Apr 3, 2025
AlexFenlon
AlexFenlon previously approved these changes Apr 3, 2025
@pdabelf5
Copy link
Collaborator

pdabelf5 commented May 1, 2025

@fabriziofiorucci can you remove the documentation updates unrelated to this change and we will try to get this merged. Thanks

@fabriziofiorucci fabriziofiorucci dismissed stale reviews from AlexFenlon and pdabelf5 via 83ab922 May 2, 2025 12:41
@github-actions github-actions bot removed the documentation Pull requests/issues for documentation label May 2, 2025
@AlexFenlon
Copy link
Contributor

@fabriziofiorucci can you plrease run make test-update-snaps to fix the unit tests

AlexFenlon
AlexFenlon previously approved these changes May 8, 2025
Copy link
Contributor

@AlexFenlon AlexFenlon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Screenshot 2025-05-08 at 14 25 10

Other than fixing unit tests with that command mentioned above, it looks and works as expected 👍

@jjngx
Copy link
Contributor

jjngx commented May 19, 2025

@fabriziofiorucci, could you please update your branch and run:

make test-update-snaps

to update test data (snapshots)? Then please commit the change and it will be ready to merge.

I tested this and it works:

kubernetes-ingress git:(pull_7500) make test-update-snaps
UPDATE_SNAPS=true go test -tags=aws,helmunit -shuffle=on ./...
ok  	github.com/nginx/kubernetes-ingress/charts/tests	8.057s
ok  	github.com/nginx/kubernetes-ingress/cmd/nginx-ingress	0.757s
...
kubernetes-ingress git:(pull_7500) ✗ git st
On branch pull_7500
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
	modified:   internal/configs/version2/__snapshots__/templates_test.snap

Run tests:

kubernetes-ingress git:(pull_7500) make test
go test -tags=aws,helmunit -shuffle=on ./...
...

Copy link
Contributor

@javorszky javorszky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiny change, outside of merging main branch into this and potentially running make test-update-snaps again

{{- end }}
{{- with .JwksURI }}
proxy_set_header Host {{ .JwksHost }};
proxy_ssl_name {{ .JwksHost }};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is not needed. By default the value of proxy_ssl_name is the host part of the proxy_pass URL, which is defined 4 lines later.

I've asked about the port part of the URL though, so we might still need this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this probably isn't needed. Could be moved to be after the line set $idp_backend with the value proxy_ssl_name $idp_backend

@javorszky
Copy link
Contributor

This needs a bit more work. Both the proxy_ssl_server_name option and the proxy_ssl_name should be configurable.

There may be unintended consequences if SNI is turned on for all customers, as it can compromise privacy among other things.

@AlexFenlon
Copy link
Contributor

Tiny change, outside of merging main branch into this and potentially running make test-update-snaps again

Do above and make sure you update your Kubernetes version to 1.33.2 or 1.33.3 to remove the minReadySeconds that shows up in the snaps.

@vepatel
Copy link
Contributor

vepatel commented Jul 15, 2025

closing in favour of #7993

@vepatel vepatel closed this Jul 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add SNI for JWT policy

6 participants