update jwks cluster creation to gracefully handle ipv6

hashicorp · Sep 10, 2024 · a03603a · a03603a
1 parent 3e6f1c1
commit a03603a
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
@@ -214,9 +214,12 @@ func makeJWTProviderCluster(p *structs.JWTProviderConfigEntry) (*envoy_cluster_v
 		return nil, err
 	}
 
+	discoveryType := makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote)
+	lookupFamily := makeJWKSClusterDNSLookupFamilyType(discoveryType)
 	cluster := &envoy_cluster_v3.Cluster{
 		Name:                 makeJWKSClusterName(p.Name),
-		ClusterDiscoveryType: makeJWKSDiscoveryClusterType(p.JSONWebKeySet.Remote),
+		ClusterDiscoveryType: discoveryType,
+		DnsLookupFamily:      lookupFamily,
 		LoadAssignment: &envoy_endpoint_v3.ClusterLoadAssignment{
 			ClusterName: makeJWKSClusterName(p.Name),
 			Endpoints: []*envoy_endpoint_v3.LocalityLbEndpoints{
@@ -278,6 +281,23 @@ func makeJWKSDiscoveryClusterType(r *structs.RemoteJWKS) *envoy_cluster_v3.Clust
 	return ct
 }
 
+func makeJWKSClusterDNSLookupFamilyType(r *envoy_cluster_v3.Cluster_Type) envoy_cluster_v3.Cluster_DnsLookupFamily {
+	// When using LOGICAL_DNS we want to use the Cluster_ALL lookup family which will fetch all the ip addresses for a given hostname and then
+	// try to connect to each one and will create the cluster based on the first one that passes.
+	// When using STRICT_DNS we want to use the CLUSTER_V4_PREFERRED lookup family which will prefer
+	// creating clusters using ipv4 addresses if those are available.
+	// Otherwise we fallback to Cluser_AUTO which will use the default behavior, and will be ignored as per the documentation.
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-enum-config-cluster-v3-cluster-dnslookupfamily
+	switch r.Type {
+	case envoy_cluster_v3.Cluster_LOGICAL_DNS:
+		return envoy_cluster_v3.Cluster_ALL
+	case envoy_cluster_v3.Cluster_STRICT_DNS:
+		return envoy_cluster_v3.Cluster_V4_PREFERRED
+	default:
+		return envoy_cluster_v3.Cluster_AUTO
+	}
+}
+
 func makeJWTCertValidationContext(p *structs.JWKSCluster) *envoy_tls_v3.CertificateValidationContext {
 	vc := &envoy_tls_v3.CertificateValidationContext{}
 	if p == nil || p.TLSCertificates == nil {