xDS: enable JWT based auth by default (#12471) (#12535)

Signed-off-by: Shashank Ram <[email protected]>

Author: shashankram

Makefile

@@ -42,7 +42,7 @@ SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 # ATTENTION: when updating to a new major version of Envoy, check if
 # universal header validation has been enabled and if so, we expect
 # failures in `test/e2e/header_validation_test.go`.
-export ENVOY_IMAGE ?= quay.io/solo-io/envoy-gloo:1.34.6-patch1
+export ENVOY_IMAGE ?= quay.io/solo-io/envoy-gloo:1.34.6-patch3
 export LDFLAGS := -X 'github.com/kgateway-dev/kgateway/v2/internal/version.Version=$(VERSION)'
 export GCFLAGS ?=
 

api/v1alpha1/shared_types.go

@@ -5,6 +5,9 @@ import (
 	gwv1 "sigs.k8s.io/gateway-api/apis/v1"
 )
 
+// Control-plane RBAC rules not specific to policies:
+// +kubebuilder:rbac:groups=authentication.k8s.io,resources=tokenreviews,verbs=create
+
 // Select the object to attach the policy to.
 // The object must be in the same namespace as the policy.
 // You can target only one object at a time.

go.mod

@@ -1,6 +1,6 @@
 module github.com/kgateway-dev/kgateway/v2
 
-go 1.24.1
+go 1.24.6
 
 require (
 	github.com/avast/retry-go v2.4.3+incompatible
@@ -24,7 +24,7 @@ require (
 	github.com/onsi/gomega v1.37.0
 	github.com/pkg/errors v0.9.1
 	github.com/rotisserie/eris v0.5.4
-	github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966
+	github.com/solo-io/envoy-gloo/go v0.0.0-20251006222822-c8b69090de33
 	github.com/solo-io/go-list-licenses v0.1.4
 	github.com/solo-io/go-utils v0.27.3
 	github.com/spf13/afero v1.12.0

go.sum

@@ -1603,8 +1603,8 @@ github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3
 github.com/smartystreets/goconvey v1.8.1 h1:qGjIddxOk4grTu9JPOU31tVfq3cNdBlNa5sSznIX1xY=
 github.com/smartystreets/goconvey v1.8.1/go.mod h1:+/u4qLyY6x1jReYOp7GOM2FSt8aP9CzCZL03bI28W60=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
-github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966 h1:MavIqMAvo9dxhcuN0/m7Ok830e7htfhR+JWRDqs3qj4=
-github.com/solo-io/envoy-gloo/go v0.0.0-20250102165327-33a74fcf9966/go.mod h1:27GcajR+wxZ34COPvLp1+4hxGN66/GSx7SSjVn8LySY=
+github.com/solo-io/envoy-gloo/go v0.0.0-20251006222822-c8b69090de33 h1:UtMr4NEcBhau9fn6I4GWuFF5gDc8+XCZWiUfb4UAKd4=
+github.com/solo-io/envoy-gloo/go v0.0.0-20251006222822-c8b69090de33/go.mod h1:N0bmBwDmmHxKxdosUjjH83+wg5EVJiL2M0X5OqT/ZRk=
 github.com/solo-io/go-list-licenses v0.1.4 h1:u4xh1OUORT4iSWuAp3Q4NsfHcDaeUV8QRDH8ACQqbxw=
 github.com/solo-io/go-list-licenses v0.1.4/go.mod h1:x6LSp/NrYgVXwNum7ZOiaAYTpg6B3F6TrWYfcdHVroA=
 github.com/solo-io/go-utils v0.20.2/go.mod h1:6e8K1spnMWwlnJRSNp/J84GEyJbrcK4Gm7i+ehzCi8c=

install/helm/kgateway/templates/role.yaml

@@ -60,6 +60,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 - apiGroups:
   - discovery.k8s.io
   resources:

internal/kgateway/extensions2/settings/settings.go

@@ -41,6 +41,10 @@ type Settings struct {
 	DefaultImageTag string `split_words:"true" default:""`
 	// DefaultImagePullPolicy is the default image pull policy to use for the kgateway image.
 	DefaultImagePullPolicy string `split_words:"true" default:"IfNotPresent"`
+
+	// XdsAuth enables or disables xDS authentication between the data-plane and control-plane.
+	// By default, this is enabled.
+	XdsAuth bool `split_words:"true" default:"true"`
 }
 
 // BuildSettings returns a zero-valued Settings obj if error is encountered when parsing env

internal/kgateway/extensions2/settings/settings_test.go

@@ -42,6 +42,7 @@ func TestSettings(t *testing.T) {
 				DefaultImageRegistry:   "cr.kgateway.dev",
 				DefaultImageTag:        "",
 				DefaultImagePullPolicy: "IfNotPresent",
+				XdsAuth:                true,
 			},
 		},
 		{
@@ -60,6 +61,7 @@ func TestSettings(t *testing.T) {
 				"KGW_DEFAULT_IMAGE_REGISTRY":    "my-registry",
 				"KGW_DEFAULT_IMAGE_TAG":         "my-tag",
 				"KGW_DEFAULT_IMAGE_PULL_POLICY": "Always",
+				"KGW_XDS_AUTH":                  "false",
 			},
 			expectedSettings: &settings.Settings{
 				DnsLookupFamily:        "V4_ONLY",
@@ -74,6 +76,7 @@ func TestSettings(t *testing.T) {
 				DefaultImageRegistry:   "my-registry",
 				DefaultImageTag:        "my-tag",
 				DefaultImagePullPolicy: "Always",
+				XdsAuth:                false,
 			},
 		},
 		{
@@ -106,6 +109,7 @@ func TestSettings(t *testing.T) {
 				DefaultImageRegistry:   "cr.kgateway.dev",
 				DefaultImageTag:        "",
 				DefaultImagePullPolicy: "IfNotPresent",
+				XdsAuth:                true,
 			},
 		},
 	}

internal/kgateway/helm/kgateway/templates/gateway/proxy-deployment.yaml

@@ -68,6 +68,12 @@ spec:
         volumeMounts:
         - mountPath: /etc/envoy
           name: envoy-config
+        - name: xds-token
+          mountPath: /var/run/secrets/tokens
+          readOnly: true
+        {{- with $gateway.extraVolumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
         env:
         - name: POD_NAME
           valueFrom:
@@ -313,6 +319,13 @@ spec:
       terminationGracePeriodSeconds: {{ $gateway.terminationGracePeriodSeconds }}
       {{- end }}
       volumes:
+      - name: xds-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: kgateway
+              expirationSeconds: 43200
+              path: xds-token
       - configMap:
           name: {{ include "kgateway.gateway.fullname" . }}
         name: envoy-config
@@ -540,6 +553,27 @@ data:
               "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
               explicit_http_config:
                 http2_protocol_options: {}
+              http_filters:
+              - name: transform
+                typed_config:
+                  "@type": type.googleapis.com/envoy.api.v2.filter.http.FilterTransformations
+                  transformations:
+                  - match:
+                      prefix: "/"
+                    route_transformations:
+                      request_transformation:
+                        transformation_template:
+                          headers:
+                            authorization: {"text": 'Bearer {{ "{{ \"{{ trim(data_source(\\\"token\\\")) -}}\" }}" }}'}
+                          passthrough: {}
+                          data_sources:
+                            token:
+                              filename: "/var/run/secrets/tokens/xds-token"
+                              watched_directory:
+                                path: "/var/run/secrets/tokens"
+              - name: envoy.filters.http.upstream_codec
+                typed_config:
+                  "@type": type.googleapis.com/envoy.extensions.filters.http.upstream_codec.v3.UpstreamCodec
           upstream_connection_options:
             tcp_keepalive:
               keepalive_time: 10