| # ===================================================== | |
| # Auth0 JWKS Proxy Test Configuration | |
| # ===================================================== | |
| # Test the proxy workaround concept with Auth0 | |
| # Auth0 Domain: dev-qlf8ntg1.us.auth0.com | |
| # ===================================================== | |
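---
# 1. Proxy ConfigMap - minimal nginx that forwards ONLY the JWKS document to Auth0.
#
# Security notes for reviewers:
#   * The JWKS is the trust anchor for every JWT the gateway accepts. The
#     original config had `proxy_ssl_verify off`, which lets an on-path
#     attacker between this pod and Auth0 hand back their own keys and mint
#     tokens the gateway will trust. Upstream TLS is verified below.
#   * The original `location /` forwarded *any* path to the tenant, turning
#     this pod into an unauthenticated forwarder reachable from the cluster.
#     Only GET /.well-known/jwks.json is allowed; everything else is 404.
apiVersion: v1
kind: ConfigMap
metadata:
  name: auth0-jwks-proxy-config
  namespace: enterprise-agentgateway
data:
  nginx.conf: |
    events { worker_connections 1024; }
    http {
      server {
        listen 8080;
        server_name _;

        # Health check (exact match so it cannot be shadowed by other paths)
        location = /healthz {
          access_log off;
          default_type text/plain;
          return 200 "healthy\n";
        }

        # The one path we proxy: the Auth0 JWKS document. Exact match + GET only.
        location = /.well-known/jwks.json {
          limit_except GET { deny all; }

          # Forward to Auth0 over HTTPS (the upstream connection is TLS; the
          # plaintext hop is only gateway -> this pod, inside the cluster).
          proxy_pass https://dev-qlf8ntg1.us.auth0.com/.well-known/jwks.json;

          # Standard proxy headers
          proxy_set_header Host dev-qlf8ntg1.us.auth0.com;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;

          # Upstream TLS: verify the chain AND the hostname. Never set
          # proxy_ssl_verify off here - an unverified JWKS fetch makes the
          # whole jwtAuthentication policy forgeable.
          proxy_ssl_verify on;
          proxy_ssl_verify_depth 2;
          # CA bundle shipped by Alpine's ca-certificates-bundle package;
          # adjust the path if you switch base images.
          proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
          proxy_ssl_server_name on;
          proxy_ssl_name dev-qlf8ntg1.us.auth0.com;
          proxy_ssl_protocols TLSv1.2 TLSv1.3;

          # Timeouts: fail fast so a stalled Auth0 does not tie up the
          # control plane's JWKS refresh.
          proxy_connect_timeout 10s;
          proxy_read_timeout 30s;

          # Pass Auth0's own error bodies through untouched
          proxy_intercept_errors off;
        }

        # Anything else is refused; this is not a general-purpose proxy.
        location / {
          return 404;
        }
      }

      # Log to the container's stdout/stderr so `kubectl logs` shows fetches
      access_log /dev/stdout;
      error_log /dev/stderr info;
    }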
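---
# 2. Proxy Deployment
#
# Runs a single nginx replica with the ConfigMap above mounted as nginx.conf.
# Hardening added relative to the first draft:
#   * automountServiceAccountToken: false - the proxy never calls the
#     Kubernetes API, so a compromised nginx should not get a cluster token.
#   * allowPrivilegeEscalation: false on the container.
#   * The config mount is read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth0-jwks-proxy
  namespace: enterprise-agentgateway
  labels:
    app: auth0-jwks-proxy
    test: proxy-workaround
spec:
  replicas: 1
  selector:
    matchLabels:
      app: auth0-jwks-proxy
  template:
    metadata:
      labels:
        app: auth0-jwks-proxy
    spec:
      automountServiceAccountToken: false
      containers:
        - name: nginx
          # For anything beyond a throwaway test, pin by digest
          # (nginx@sha256:...) so the binary that performs the JWKS fetch
          # cannot silently change under a floating tag.
          image: nginx:1.25-alpine
          ports:
            - containerPort: 8080
              name: http
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
              readOnly: true
          # Both probes hit the local /healthz location; they do not exercise
          # the Auth0 upstream, so a healthy pod can still fail JWKS fetches.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 3
            periodSeconds: 5
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 64Mi
      volumes:
        - name: config
          configMap:
            name: auth0-jwks-proxy-config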
---
# 3. Proxy Service
#
# ClusterIP only: the proxy is reachable from inside the cluster, never
# exposed externally. The AgentgatewayBackend below resolves this name.
apiVersion: v1
kind: Service
metadata:
  namespace: enterprise-agentgateway
  name: auth0-jwks-proxy-svc
  labels:
    test: proxy-workaround
    app: auth0-jwks-proxy
spec:
  type: ClusterIP
  selector:
    app: auth0-jwks-proxy
  ports:
    - protocol: TCP
      name: http
      port: 8080
      targetPort: 8080
---
# 4. AgentgatewayBackend pointing to proxy service (NOT directly to Auth0)
#
# NOTE(review): this hop is plain HTTP inside the cluster (port 8080, no TLS
# settings on the backend). That is only acceptable because the proxy itself
# terminates a *verified* TLS connection to Auth0; if the proxy's
# proxy_ssl_verify is ever turned off, the JWKS chain of trust is broken.
# Consider a NetworkPolicy so only the gateway control plane can reach the
# proxy Service - anything that can reach it can read the JWKS (public data),
# but it should not become a general egress path.
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayBackend
metadata:
  name: auth0-jwks-via-proxy
  namespace: enterprise-agentgateway
  labels:
    auth-provider: auth0
    test: proxy-workaround
spec:
  static:
    # IMPORTANT: Points to LOCAL proxy service, not Auth0
    # (fully qualified so resolution does not depend on the caller's namespace)
    host: auth0-jwks-proxy-svc.enterprise-agentgateway.svc.cluster.local
    port: 8080
---
# 5. JWT Authentication Policy
# Using REAL Auth0 issuer but PROXY backend for JWKS
#
# Attached to the Gateway, so it applies to every route behind it.
apiVersion: enterpriseagentgateway.solo.io/v1alpha1
kind: EnterpriseAgentgatewayPolicy
metadata:
  name: auth0-jwt-auth-proxy-test
  namespace: enterprise-agentgateway
  labels:
    auth: auth0-jwt
    test: proxy-workaround
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: agentgateway
  traffic:
    jwtAuthentication:
      # Strict: presumably requests without a valid JWT are rejected rather
      # than passed through unauthenticated - confirm against the CRD docs.
      mode: Strict
      providers:
        # REAL Auth0 issuer (matches 'iss' claim in JWT).
        # Keep the trailing slash: the issuer string must equal `iss` exactly.
        - issuer: https://dev-qlf8ntg1.us.auth0.com/
          jwks:
            remote:
              backendRef:
                # Points to PROXY backend (not directly to Auth0)
                name: auth0-jwks-via-proxy
                namespace: enterprise-agentgateway
                kind: AgentgatewayBackend
                group: agentgateway.dev
              # Auth0 JWKS path - must be the one path the proxy forwards
              jwksPath: /.well-known/jwks.json
              # Re-fetch keys every 5m. Auth0 key rotation publishes the new
              # key before use, so tokens signed with a just-rotated key may
              # fail for up to this long - tune if rotation tests are planned.
              cacheDuration: 5m
    authorization:
      policy:
        matchExpressions:
          # Validate audience matches your API.
          # NOTE(review): if a token carries several audiences, `aud` is a list
          # and a plain equality will not match - check how this expression
          # language handles list membership before relying on it.
          - '(jwt.aud == "https://api.rvennam.com/")'
| --- | |
| # ===================================================== | |
| # TEST INSTRUCTIONS: | |
| # ===================================================== | |
| # | |
| # 1. Deploy the proxy test: | |
| # kubectl apply -f auth0-proxy-test.yaml | |
| # | |
| # 2. Wait for proxy to be ready: | |
| # kubectl wait --for=condition=available --timeout=60s \ | |
| # deployment/auth0-jwks-proxy -n enterprise-agentgateway | |
| # | |
| # 3. Check proxy logs: | |
| # kubectl logs -n enterprise-agentgateway -l app=auth0-jwks-proxy | |
| # | |
| # 4. Test proxy locally: | |
| # kubectl port-forward -n enterprise-agentgateway svc/auth0-jwks-proxy-svc 18080:8080 | |
| # curl http://localhost:18080/.well-known/jwks.json | jq . | |
| # | |
| # 5. Get Auth0 token and test: | |
| # source .env | |
| # export AUTH0_ACCESS_TOKEN=$(curl -s -X POST "https://${AUTH0_DOMAIN}/oauth/token" \ | |
| # -H "Content-Type: application/json" \ | |
| # -d "{ | |
| # \"client_id\": \"${AUTH0_CLIENT_ID}\", | |
| # \"client_secret\": \"${AUTH0_CLIENT_SECRET}\", | |
| # \"audience\": \"${AUTH0_AUDIENCE}\", | |
| # \"grant_type\": \"client_credentials\" | |
| # }" | jq -r '.access_token') | |
| # | |
| # echo "Token length: ${#AUTH0_ACCESS_TOKEN}"   # don't echo token material into shell history/logs | |
| # | |
| # 6. Test against gateway (NOTE: this sends the bearer token over plaintext | |
| #    HTTP - fine for a throwaway test, never for a real gateway endpoint): | |
| # curl -v -H "Authorization: Bearer ${AUTH0_ACCESS_TOKEN}" \ | |
| # http://${GATEWAY_IP}:${GATEWAY_PORT}/bedrock/sonnet \ | |
| # -H "Content-Type: application/json" \ | |
| # -d '{ | |
| # "model": "claude-sonnet-4.5", | |
| # "messages": [{"role": "user", "content": "Say hello in one word"}], | |
| # "max_tokens": 10 | |
| # }' | |
| # | |
| # 7. Check control plane logs for JWKS fetch: | |
| # kubectl logs -n enterprise-agentgateway deployment/agentgateway-control-plane | grep -i jwks | |
| # | |
| # ===================================================== | |
| # WHAT THIS TESTS: | |
| # ===================================================== | |
| # - Proxy pod can reach Auth0 over verified TLS (chain + hostname) | |
| # - AgentgatewayBackend can point to K8s Service | |
| # - Control plane fetches JWKS through proxy | |
| # - JWT validation works with real issuer + proxy backend | |
| # - Gateway -> proxy hop is plain HTTP in-cluster; proxy -> Auth0 is verified HTTPS | |
| # ===================================================== |