Add jwks generation and example

Author: pdabelf5

examples/.gitignore

@@ -18,6 +18,7 @@ custom-resources/foreign-namespace-upstreams/cafe-secret.yaml
 custom-resources/grpc-upstreams/greeter-secret.yaml
 custom-resources/ingress-mtls/tls-secret.yaml
 custom-resources/jwks/tls-secret.yaml
+custom-resources/jwt/jwk-secret.yaml
 custom-resources/oidc-fclo/tls-secret.yaml
 custom-resources/oidc/tls-secret.yaml
 custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml

examples/custom-resources/jwt/jwk-secret.yaml

@@ -781,5 +781,20 @@
         "tests/suite/test_auth_basic_secrets.py - needed for invalid auth basic secret tests"
       ]
     }
+  ],
+  "jwks": [
+    {
+      "secretName": "jwk-secret",
+      "fileName": "example-jwt-jwks-secret.yaml",
+      "key": "fantasticjwt",
+      "kid": "0001",
+      "kty": "oct",
+      "symlinks": [
+        "/examples/custom-resources/jwt/jwk-secret.yaml"
+      ],
+      "usedIn": [
+        "Used in jwt example in custom-resources"
+      ]
+    }
   ]
 }

hack/secrets.json

@@ -89,12 +89,7 @@ func createKubeHTPasswdSecretYaml(secret htpasswdSecret, data []byte) ([]byte, e
 		s.Namespace = secret.Namespace
 	}
 
-	sb, err := yaml.Marshal(s)
-	if err != nil {
-		return nil, fmt.Errorf("marshaling kubernetes secret into yaml %v: %w", s, err)
-	}
-
-	return sb, nil
+	return yaml.Marshal(s)
 }
 
 func removeHtpasswdFiles(logger *slog.Logger, secret htpasswdSecret) error {

hack/tls-cert-gen/htpasswd-gen.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+
+	log "github.com/nginx/kubernetes-ingress/internal/logger"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+)
+
+type jwkSecret struct {
+	SecretName string        `json:"secretName"`
+	Namespace  string        `json:"namespace,omitempty"`
+	FileName   string        `json:"filename"`
+	Symlinks   []string      `json:"symlinks,omitempty"`
+	UsedIn     []string      `json:"usedIn,omitempty"`
+	Key        string        `json:"key"`
+	Kid        string        `json:"kid"`
+	Kty        string        `json:"kty"`
+	SecretType v1.SecretType `json:"secretType,omitempty"`
+	JwksKey    string        `json:"jwksKey,omitempty"`
+}
+
+type JWK struct {
+	Kty string `json:"kty"`
+	Kid string `json:"kid"`
+	Alg string `json:"alg"`
+	K   string `json:"k,omitempty"`
+}
+
+type JWKS struct {
+	Keys []JWK `json:"keys"`
+}
+
+func generateJwksFile(secret jwkSecret, projectRoot string) error {
+	jwks, err := generateJwks(secret.Kid, secret.Kty, secret.Key)
+	if err != nil {
+		return fmt.Errorf("generating JWKS for secret %s: %w", secret.SecretName, err)
+	}
+
+	fileContents, err := createKubeJwksSecretYaml(secret, jwks)
+	if err != nil {
+		return fmt.Errorf("writing valid file for %s: %w", secret.FileName, err)
+	}
+
+	err = writeFiles(fileContents, projectRoot, secret.FileName, secret.Symlinks)
+	if err != nil {
+		return fmt.Errorf("writing file for %s: %w", secret.FileName, err)
+	}
+
+	return nil
+}
+
+func generateJwks(kid, kty, key string) ([]byte, error) {
+	jwks := JWKS{
+		Keys: []JWK{
+			{
+				Kty: "Oct",   // key type
+				Kid: "0001",  // any unique identifier
+				Alg: "HS256", // signing algorithm
+				K:   base64.StdEncoding.EncodeToString([]byte(key)),
+			},
+		},
+	}
+
+	if kty != "" {
+		jwks.Keys[0].Kty = kty
+	}
+	if kid != "" {
+		jwks.Keys[0].Kid = kid
+	}
+
+	return json.Marshal(jwks)
+}
+
+func createKubeJwksSecretYaml(secret jwkSecret, data []byte) ([]byte, error) {
+	key := "jwk"
+	if secret.JwksKey != "" {
+		key = secret.JwksKey
+	}
+	s := v1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "Secret",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: secret.SecretName,
+		},
+		Type: "nginx.org/jwks",
+		Data: map[string][]byte{
+			key: data,
+		},
+	}
+
+	if secret.SecretType != "" {
+		s.Type = secret.SecretType
+	}
+
+	if secret.Namespace != "" {
+		s.Namespace = secret.Namespace
+	}
+
+	return yaml.Marshal(s)
+}
+
+func removeJwksFiles(logger *slog.Logger, secret jwkSecret) error {
+	filePath := filepath.Join(projectRoot, realSecretDirectory, secret.FileName)
+	log.Debugf(logger, "Removing file %s", filePath)
+	if _, err := os.Stat(filePath); !os.IsNotExist(err) {
+		err := os.Remove(filepath.Join(projectRoot, realSecretDirectory, secret.FileName))
+		if err != nil {
+			return fmt.Errorf("failed to remove file: %s %w", secret.FileName, err)
+		}
+	}
+
+	for _, symlink := range secret.Symlinks {
+		log.Debugf(logger, "Removing symlink %s", symlink)
+		if _, err := os.Lstat(filepath.Join(projectRoot, symlink)); !os.IsNotExist(err) {
+			err = os.Remove(filepath.Join(projectRoot, symlink))
+			if err != nil {
+				return fmt.Errorf("failed to remove symlink: %s %w", symlink, err)
+			}
+		}
+	}
+	return nil
+}

hack/tls-cert-gen/jwks-gen.go

@@ -28,6 +28,7 @@ type secretsTypes struct {
 	Certs     []yamlSecret     `json:"certs,omitempty"`
 	Mtls      []mtlsBundle     `json:"mtls,omitempty"`
 	Htpasswds []htpasswdSecret `json:"htpasswds,omitempty"`
+	Jwks      []jwkSecret      `json:"jwks,omitempty"`
 }
 
 var secretsTypesData secretsTypes
@@ -67,10 +68,46 @@ func main() {
 		log.Fatalf(logger, "generateMTLSBundles: %v", err)
 	}
 
-	_, err = generateHtpasswdFiles(logger, secretsTypesData.Htpasswds, filenames, cleanPtr)
+	filenames, err = generateHtpasswdFiles(logger, secretsTypesData.Htpasswds, filenames, cleanPtr)
 	if err != nil {
 		log.Fatalf(logger, "generateHtpasswdFiles: %v", err)
 	}
+
+	_, err = generateJwksFiles(logger, secretsTypesData.Jwks, filenames, cleanPtr)
+	if err != nil {
+		log.Fatalf(logger, "generateJwksFiles: %v", err)
+	}
+}
+
+func generateJwksFiles(logger *slog.Logger, secrets []jwkSecret, filenames map[string]struct{}, cleanPtr *bool) (map[string]struct{}, error) {
+	for _, secret := range secrets {
+		if _, ok := filenames[secret.FileName]; ok {
+			return nil, fmt.Errorf("secret contains duplicated files: %v", secret.FileName)
+		}
+
+		filenames[secret.FileName] = struct{}{}
+
+		for _, symlink := range secret.Symlinks {
+			if _, ok := filenames[symlink]; ok {
+				return nil, fmt.Errorf("secret contains duplicated symlink for file %s: %s", secret.FileName, symlink)
+			}
+
+			filenames[symlink] = struct{}{}
+		}
+
+		if *cleanPtr {
+			err := removeJwksFiles(logger, secret)
+			if err != nil {
+				return nil, fmt.Errorf("failed to remove secret files: %s %w", secret.FileName, err)
+			}
+			continue
+		}
+		err := generateJwksFile(secret, projectRoot)
+		if err != nil {
+			return nil, fmt.Errorf("failed to print JWKS file: %s %w", secret.FileName, err)
+		}
+	}
+	return filenames, nil
 }
 
 func generateHtpasswdFiles(logger *slog.Logger, secrets []htpasswdSecret, filenames map[string]struct{}, cleanPtr *bool) (map[string]struct{}, error) {