diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 4e550f43..23fa3017 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -8031,6 +8031,11 @@ spec: description: This field specifies the header name to output a successfully verified JWT payload to the backend. type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string required: - issuer type: object @@ -8150,6 +8155,11 @@ spec: description: This field specifies the header name to output a successfully verified JWT payload to the backend. type: string + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string required: - issuer type: object diff --git a/proto.lock b/proto.lock index 22872718..e7ff1191 100644 --- a/proto.lock +++ b/proto.lock @@ -47546,6 +47546,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 13, + "name": "timeout", + "type": "google.protobuf.Duration" } ] }, @@ -47587,6 +47592,9 @@ } ], "imports": [ + { + "path": "google/protobuf/duration.proto" + }, { "path": "google/api/field_behavior.proto" } @@ -48059,6 +48067,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 13, + "name": "timeout", + "type": "google.protobuf.Duration" } ] }, @@ -48100,6 +48113,9 @@ } ], "imports": [ + { + "path": "google/protobuf/duration.proto" + }, { "path": "google/api/field_behavior.proto" } diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go index 58809dc5..556e7a6a 100644 --- a/security/v1/jwt.pb.go +++ b/security/v1/jwt.pb.go @@ -28,6 +28,7 @@ package v1 import ( + duration "github.com/golang/protobuf/ptypes/duration" _ "google.golang.org/genproto/googleapis/api/annotations" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" @@ -184,6 +185,9 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + // will spend waiting for the JWKS to be fetched. Default is 5s. + Timeout *duration.Duration `protobuf:"bytes,13,opt,name=timeout,proto3" json:"timeout,omitempty"` } func (x *JWTRule) Reset() { @@ -288,6 +292,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetTimeout() *duration.Duration { + if x != nil { + return x.Timeout + } + return nil +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState @@ -412,9 +423,11 @@ var File_security_v1_jwt_proto protoreflect.FileDescriptor var file_security_v1_jwt_proto_rawDesc = []byte{ 0x0a, 0x15, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a, 0x77, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, - 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, - 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc0, 0x03, 0x0a, 0x07, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf5, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, @@ -442,17 +455,21 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, - 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, 0x3c, - 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, - 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, - 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, - 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, - 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x33, + 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, + 0x6f, 0x75, 0x74, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, + 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, + 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, + 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, + 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -469,18 +486,20 @@ func file_security_v1_jwt_proto_rawDescGZIP() []byte { var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader + (*JWTRule)(nil), // 0: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader + (*duration.Duration)(nil), // 3: google.protobuf.Duration } var file_security_v1_jwt_proto_depIdxs = []int32{ 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 3, // 2: istio.security.v1.JWTRule.timeout:type_name -> google.protobuf.Duration + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1_jwt_proto_init() } diff --git a/security/v1/jwt.proto b/security/v1/jwt.proto index c82d14e8..143b8063 100644 --- a/security/v1/jwt.proto +++ b/security/v1/jwt.proto @@ -13,6 +13,7 @@ // limitations under the License. syntax = "proto3"; +import "google/protobuf/duration.proto"; import "google/api/field_behavior.proto"; // $schema: istio.security.v1.JWTRule @@ -178,8 +179,12 @@ message JWTRule { // [Experimental] This feature is a experimental feature. repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.] + // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + // will spend waiting for the JWKS to be fetched. Default is 5s. + google.protobuf.Duration timeout = 13; + // $hide_from_docs - // Next available field number: 13 + // Next available field number: 14 } // This message specifies a header location to extract JWT token. diff --git a/security/v1beta1/jwt.pb.go b/security/v1beta1/jwt.pb.go index e5f43603..4b65e3d4 100644 --- a/security/v1beta1/jwt.pb.go +++ b/security/v1beta1/jwt.pb.go @@ -27,6 +27,7 @@ package v1beta1 import ( + duration "github.com/golang/protobuf/ptypes/duration" _ "google.golang.org/genproto/googleapis/api/annotations" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" @@ -183,6 +184,9 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + // will spend waiting for the JWKS to be fetched. Default is 5s. + Timeout *duration.Duration `protobuf:"bytes,13,opt,name=timeout,proto3" json:"timeout,omitempty"` } func (x *JWTRule) Reset() { @@ -287,6 +291,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetTimeout() *duration.Duration { + if x != nil { + return x.Timeout + } + return nil +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState @@ -412,9 +423,11 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x0a, 0x1a, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x6a, 0x77, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, - 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, + 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xca, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xff, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, @@ -443,17 +456,20 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, - 0x72, 0x73, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, - 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, - 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, - 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, - 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, - 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, - 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, - 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, - 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x73, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, + 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, + 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, + 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, + 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, + 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, + 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, + 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, + 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -470,18 +486,20 @@ func file_security_v1beta1_jwt_proto_rawDescGZIP() []byte { var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1beta1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader + (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule + (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader + (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader + (*duration.Duration)(nil), // 3: google.protobuf.Duration } var file_security_v1beta1_jwt_proto_depIdxs = []int32{ 1, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader 2, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 3, // 2: istio.security.v1beta1.JWTRule.timeout:type_name -> google.protobuf.Duration + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1beta1_jwt_proto_init() } diff --git a/security/v1beta1/jwt.pb.html b/security/v1beta1/jwt.pb.html index 54ed9e0b..221fb8e4 100644 --- a/security/v1beta1/jwt.pb.html +++ b/security/v1beta1/jwt.pb.html @@ -203,6 +203,18 @@ The header specified in each operation in the list must be unique. Nested claims

[Experimental] This feature is a experimental feature.

+ + +No + + + +timeout +Duration + +

The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, +will spend waiting for the JWKS to be fetched. Default is 5s.

+ No diff --git a/security/v1beta1/jwt.proto b/security/v1beta1/jwt.proto index 9cbad23f..899d5939 100644 --- a/security/v1beta1/jwt.proto +++ b/security/v1beta1/jwt.proto @@ -13,6 +13,7 @@ // limitations under the License. syntax = "proto3"; +import "google/protobuf/duration.proto"; import "google/api/field_behavior.proto"; // $schema: istio.security.v1beta1.JWTRule @@ -177,8 +178,12 @@ message JWTRule { // [Experimental] This feature is a experimental feature. repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.] + // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + // will spend waiting for the JWKS to be fetched. Default is 5s. + google.protobuf.Duration timeout = 13; + // $hide_from_docs - // Next available field number: 13 + // Next available field number: 14 } // This message specifies a header location to extract JWT token.