diff --git a/.github/renovate.json b/.github/renovate.json
new file mode 100644
index 0000000..cb78dad
--- /dev/null
+++ b/.github/renovate.json
@@ -0,0 +1,16 @@
+{
+ "enabled": true,
+ "timezone": "America/Vancouver",
+ "dependencyDashboard": true,
+ "dependencyDashboardTitle": "Renovate Dashboard",
+ "commitMessageSuffix": "",
+ "commitBody": "",
+ "semanticCommits": "enabled",
+ "suppressNotifications": ["prIgnoreNotification"],
+ "rebaseWhen": "conflicted",
+ "assignees": ["@ivanjosipovic"],
+ "extends": [
+ "config:base"
+ ]
+}
+
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
new file mode 100644
index 0000000..d5d7a8a
--- /dev/null
+++ b/.github/workflows/cicd.yml
@@ -0,0 +1,91 @@
+name: CICD
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ - 'alpha'
+ - 'beta'
+ - 'dev'
+ pull_request:
+ types: [opened, reopened, synchronize]
+
+env:
+ semantic_version: 19
+
+jobs:
+ create-release:
+ name: Create Release
+ runs-on: ubuntu-latest
+ outputs:
+ new_release_published: ${{ steps.semantic.outputs.new_release_published }}
+ new_release_version: ${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }}
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Configure Git
+ run: |
+ git config user.name "$GITHUB_ACTOR"
+ git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
+
+ - name: Semantic Release
+ uses: cycjimmy/semantic-release-action@v2
+ id: semantic
+ with:
+ semantic_version: ${{ env.semantic_version }}
+ dry_run: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Setup .NET Core
+ uses: actions/setup-dotnet@v2
+ with:
+ global-json-file: global.json
+
+ - name: .NET Build
+ run: dotnet build -c Release
+
+ - name: .NET Test
+ run: dotnet test -c Release --collect:"XPlat Code Coverage"
+
+ - name: Coverage
+ uses: codecov/codecov-action@v3
+ with:
+ file: coverage.cobertura.xml
+
+ - name: Build Image
+ run: dotnet publish -c Release --os linux --arch x64 -p:PublishProfile=DefaultContainer -p:Version=${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }}
+
+ - name: Docker Push
+ if: steps.semantic.outputs.new_release_published == 'true'
+ run: |
+ echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${GITHUB_ACTOR} --password-stdin
+ docker tag ingress-nginx-validate-jwt:${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) }} ghcr.io/${GITHUB_REPOSITORY,,}/ingress-nginx-validate-jwt:${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) }}
+ docker push ghcr.io/${GITHUB_REPOSITORY,,}/ingress-nginx-validate-jwt:${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) }}
+
+ - name: Semantic Release
+ if: steps.semantic.outputs.new_release_published == 'true'
+ uses: cycjimmy/semantic-release-action@v2
+ with:
+ semantic_version: ${{ env.semantic_version }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install Helm
+ if: steps.semantic.outputs.new_release_published == 'true'
+ uses: azure/setup-helm@v3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Update Helm Versionin
+ if: steps.semantic.outputs.new_release_published == 'true'
+ shell: bash
+ run: |
+ sed -i 's/0.0.1/${{ (steps.semantic.outputs.new_release_published && steps.semantic.outputs.new_release_version) || '0.0.1' }}/' ./charts/ingress-nginx-validate-jwt/Chart.yaml
+
+ - name: Run chart-releaser
+ if: steps.semantic.outputs.new_release_published == 'true'
+ uses: helm/chart-releaser-action@v1
+ env:
+ CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
\ No newline at end of file
diff --git a/.releaserc.json b/.releaserc.json
new file mode 100644
index 0000000..6cab66f
--- /dev/null
+++ b/.releaserc.json
@@ -0,0 +1,23 @@
+{
+ "branches": [
+ "main",
+ {
+ "name": "beta",
+ "prerelease": true
+ },
+ {
+ "name": "alpha",
+ "prerelease": true
+ }
+ ],
+ "plugins": [
+ "@semantic-release/commit-analyzer",
+ "@semantic-release/release-notes-generator",
+ [
+ "@semantic-release/github",
+ {
+ "assets": []
+ }
+ ]
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 30e209b..01f988d 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,69 @@
# ingress-nginx-validate-jwt
-ingress-nginx-validate-jwt
+
+[](https://codecov.io/gh/IvanJosipovic/ingress-nginx-validate-jwt)
+
+## What is this?
+
+This project is an API server which is used along with the [nginx.ingress.kubernetes.io/auth-url](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#external-authentication) annotation for ingress-nginx and enables per Ingress customizable JWT validation.
+
+## Install
+
+```bash
+helm repo add ingress-nginx-validate-jwt https://ivanjosipovic.github.io/ingress-nginx-validate-jwt
+
+helm repo update
+
+helm install ingress-nginx-validate-jwt \
+ingress-nginx-validate-jwt/ingress-nginx-validate-jwt \
+--create-namespace \
+--namespace ingress-nginx-validate-jwt \
+--set openIdProviderConfigurationUrl="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
+```
+
+### Options
+
+- openIdProviderConfigurationUrl
+ - OpenID Provider Configuration Url for your Identity Provider
+- logLevel
+ - Logging Level (Trace, Debug, Information, Warning, Error, Critical, and None)
+- [Helm Values](charts/ingress-nginx-validate-jwt/values.yaml)
+
+## Configure Ingress
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: http://ingress-nginx-validate-jwt.ingress-nginx-validate-jwt.svc.cluster.local/auth?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333
+spec:
+```
+
+## Parameters
+
+The /auth endpoint supports configurable parameters in the format of {claim}={value}. In the case the same claim is called more than once, the traffic will have to match only one.
+
+For example, using the following query string
+/auth?
+tid=11111111-1111-1111-1111-111111111111
+&aud=22222222-2222-2222-2222-222222222222
+&aud=33333333-3333-3333-3333-333333333333
+
+Along with validating the JWT token, the token must have a claim tid=11111111-1111-1111-1111-111111111111 and one of aud=22222222-2222-2222-2222-222222222222
+ or aud=33333333-3333-3333-3333-333333333333
+
+## Design
+
+
+
+## Metrics
+
+Metrics are exposed on :80/metrics
+
+| Metric Name | Description |
+|---|---|
+| ingress_nginx_validate_jwt_authorized | Number of Authorized operations ongoing |
+| ingress_nginx_validate_jwt_unauthorized | Number of Unauthorized operations ongoing |
+| ingress_nginx_validate_jwt_duration_seconds | Histogram of JWT validation durations |
diff --git a/charts/ingress-nginx-validate-jwt/.helmignore b/charts/ingress-nginx-validate-jwt/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/ingress-nginx-validate-jwt/Chart.yaml b/charts/ingress-nginx-validate-jwt/Chart.yaml
new file mode 100644
index 0000000..a31cd35
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ingress-nginx-validate-jwt
+description: Enables ingress-nginx to validate JWT tokens
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.1"
diff --git a/charts/ingress-nginx-validate-jwt/templates/NOTES.txt b/charts/ingress-nginx-validate-jwt/templates/NOTES.txt
new file mode 100644
index 0000000..e9403f9
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "ingress-nginx-validate-jwt.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "ingress-nginx-validate-jwt.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "ingress-nginx-validate-jwt.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "ingress-nginx-validate-jwt.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/_helpers.tpl b/charts/ingress-nginx-validate-jwt/templates/_helpers.tpl
new file mode 100644
index 0000000..4c9aee1
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ingress-nginx-validate-jwt.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ingress-nginx-validate-jwt.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ingress-nginx-validate-jwt.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ingress-nginx-validate-jwt.labels" -}}
+helm.sh/chart: {{ include "ingress-nginx-validate-jwt.chart" . }}
+{{ include "ingress-nginx-validate-jwt.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ingress-nginx-validate-jwt.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ingress-nginx-validate-jwt.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ingress-nginx-validate-jwt.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ingress-nginx-validate-jwt.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/deployment.yaml b/charts/ingress-nginx-validate-jwt/templates/deployment.yaml
new file mode 100644
index 0000000..e894570
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ingress-nginx-validate-jwt.fullname" . }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "ingress-nginx-validate-jwt.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "ingress-nginx-validate-jwt.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ env:
+ - name: "OpenIdProviderConfigurationUrl"
+ value: "{{ .Values.openIdProviderConfigurationUrl }}"
+ - name: "Logging__LogLevel__Default"
+ value: "{{ .Values.logLevel }}"
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/hpa.yaml b/charts/ingress-nginx-validate-jwt/templates/hpa.yaml
new file mode 100644
index 0000000..c048f2c
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "ingress-nginx-validate-jwt.fullname" . }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "ingress-nginx-validate-jwt.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/ingress.yaml b/charts/ingress-nginx-validate-jwt/templates/ingress.yaml
new file mode 100644
index 0000000..4df034b
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "ingress-nginx-validate-jwt.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/service.yaml b/charts/ingress-nginx-validate-jwt/templates/service.yaml
new file mode 100644
index 0000000..71c824c
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "ingress-nginx-validate-jwt.fullname" . }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "ingress-nginx-validate-jwt.selectorLabels" . | nindent 4 }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/serviceaccount.yaml b/charts/ingress-nginx-validate-jwt/templates/serviceaccount.yaml
new file mode 100644
index 0000000..43b19f8
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "ingress-nginx-validate-jwt.serviceAccountName" . }}
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/ingress-nginx-validate-jwt/templates/tests/test-connection.yaml b/charts/ingress-nginx-validate-jwt/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..54510ab
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "ingress-nginx-validate-jwt.fullname" . }}-test-connection"
+ labels:
+ {{- include "ingress-nginx-validate-jwt.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "ingress-nginx-validate-jwt.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/charts/ingress-nginx-validate-jwt/values.yaml b/charts/ingress-nginx-validate-jwt/values.yaml
new file mode 100644
index 0000000..1a0d610
--- /dev/null
+++ b/charts/ingress-nginx-validate-jwt/values.yaml
@@ -0,0 +1,91 @@
+# Default values for ingress-nginx-validate-jwt.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: ghcr.io/ivanjosipovic/ingress-nginx-validate-jwt/ingress-nginx-validate-jwt
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+# OpenID Provider Configuration Url for your Identity Provider
+openIdProviderConfigurationUrl: "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration"
+
+# Log Level
+logLevel: Information
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '80'
+ prometheus.io/path: '/metrics'
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/docs/validate-jwt.drawio b/docs/validate-jwt.drawio
new file mode 100644
index 0000000..6ccb091
--- /dev/null
+++ b/docs/validate-jwt.drawio
@@ -0,0 +1 @@
+7Vpdd5s2GP41vrQPCOPgy9hJ1qztmjU563q1I4OM1ciIChE7+fV7JYT5EM681g45PfFFgh4JSTzvt2Dgzdfb3wROVx95RNgAOdF24F0MEJoGLvxVwGMB+FMDxIJGBVQDbukTMaBj0JxGJGsMlJwzSdMmGPIkIaFsYFgIvmkOW3LWXDXFMbGA2xAzG/1CI7kq0MB3KvwdofGqXNl1TM8al4MNkK1wxDc1yLsceHPBuSyu1ts5YYq7kpfivqs9vbuNCZLIQ27wrmLx9D74+lcgFnfe54/ZBv85NLM8YJabBzablY8lA4LnSUTUJM7Am21WVJLbFIeqdwMiB2wl1wxaLlya6YiQZLt3n+7u6UFrCF8TKR5hiLlhbPgyCoM8095U9HsTg61q1KMSxEbk8W7qihW4MMT8D5KQRdL7fEFEQiRoZpsunKWFHi7pVrFWZyflNJF6d/5s4F8AghmNEwBCIIcIAOhaK+RsyRNprMFFFX5B1zE8A6ML+IufckHUs4HyS0wTImA7V9Xe/rkl4oGGJBtlD/FxhOO3hDO2hTP2R55ni2d8MulMLBmQCGzYNLmQKx7zBLPLCp01lboa84Hz1AjrG5Hy0YgA55I3RankM+eMC72i5+gf4JnEQp4rx6OkynCW0bCErygrb8+k4PekNkGAFt5koiaGQTU88kkQjXfCU0/2vOiACJ6LkDzDmJEObCkm8plxk25VEIRhSR+a+zi+WM9+BbFenk9mWqw9iM8N+pSfZznNJKbJdkiTWJDM9pvZPZHhykiuJpEIZ6tm9Mma0adlMCg48y9RlyyW+me54Zkzchx/gObOaOKpf8ozo7nucDWMWui0E9VTtEdO90x8pu+G/o5J3BaGgtZYHTkgnUgVC+ttrBKv0f3O7Y8oxAP1mOJaX1ykXMUh5fcpJDbnJuRIZRIzhheE3fCMSsobgagc/qE1YMGl5Ouu0KWnmuHwPtZmWDIfkSXOmTxO/LGyA2QHIL8jORgHp3JT/utyU/v8z4EO7Ihuanygm/L69FJjy0udhxLIs7yTsbZ8zYoBBxhIt8HVpMhzySBrm+9KF+cQKyoGcBERUXYmPCFHsq9WgteVfHeY18lS74klH7ikEZZk+G0j34LILxdEThAjvGnPMWJqKTFMM9rAncP7hG8SaPGUJDQaAtVLGucCa556CCxAsXj8W92v1c4AXzUA+mfaF1uzQtF6rLduiKBAmxKmBo8YUYKfq1uMegzBIv0zr6EiwzKNODjqmOlvlBeoDeHLZUakpTG7Xfy4EgWWEl1HwCCVsJ2JDgwLCFuTWF3dCP5AIT7YGsQYTTNSs/yQ8Tx6kXMd3/WbZhnYZumiDrsMThVcXPtgx32GstNTtIuthiLXtynqYgidjCG7irMPCPtkyCtPf3pjyM4gvX4ZCl4bQ3YON+6VoZ2TKWvIoG+GbN/++5c7AMCPS6gMIKAj5/zm2mLtLd19S3dBnc9GHppWv6Bp/31nv8iOIR1nJi9p/2evzP6RHUM63mn0GEN6z0OQ7SGdXhny3P+uMV+WIbvIBOd/DsgnKCSdW3XOl6fKPSKHcawiyieoOeHfNYx1WoWnsxTgr6APSgxdYThVSVEVGzXyJ99z9R5bH0wOM11dqrVdP91qwsv+skJxi35z2Oas8b16leq8u7u7gX+fyfecZFLTCWwipwiHdxCbkiNtABX9f6h3EupBy7cSzpKLDRZR1l5VdRT8quMnzdJRNuIV/c1jrV1TbUOaDeBESS1kmK6zIy0+3seCfqMcSr38iuy4sBKSo+zCL/r3LAE1eZbyBAz7OKtNms+8ex8F1p9lmvBqQeC+0tKWuwHnIZt+pZk9mUPZeqploDILYGQp9yYZXT6sebzzEyfF+94f1L868I/kKVsnyl1fDHR9zuH+wAcD0Ky+pykOXqqPkrzLfwE=
\ No newline at end of file
diff --git a/docs/validate-jwt.png b/docs/validate-jwt.png
new file mode 100644
index 0000000..52f3ac0
Binary files /dev/null and b/docs/validate-jwt.png differ
diff --git a/global.json b/global.json
new file mode 100644
index 0000000..7ad3bdf
--- /dev/null
+++ b/global.json
@@ -0,0 +1,7 @@
+{
+ "sdk": {
+ "version": "7.0.100-rc.1.22431.12",
+ "rollForward": "disable",
+ "allowPrerelease": true
+ }
+}
diff --git a/ingress-nginx-validate-jwt-tests/UnitTest1.cs b/ingress-nginx-validate-jwt-tests/UnitTest1.cs
new file mode 100644
index 0000000..473962e
--- /dev/null
+++ b/ingress-nginx-validate-jwt-tests/UnitTest1.cs
@@ -0,0 +1,183 @@
+using FluentAssertions;
+using ingress_nginx_validate_jwt;
+using ingress_nginx_validate_jwt.Controllers;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Logging;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Microsoft.IdentityModel.Tokens;
+using Moq;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Security.Cryptography;
+
+namespace ingress_nginx_validate_jwt_tests
+{
+ public class UnitTest1
+ {
+ // https://stebet.net/mocking-jwt-tokens-in-asp-net-core-integration-tests/
+ public static class MockJwtTokens
+ {
+ public static string Issuer { get; } = Guid.NewGuid().ToString();
+ public static SecurityKey SecurityKey { get; }
+ public static SigningCredentials SigningCredentials { get; }
+
+ private static readonly JwtSecurityTokenHandler s_tokenHandler = new JwtSecurityTokenHandler();
+ private static readonly RandomNumberGenerator s_rng = RandomNumberGenerator.Create();
+ private static readonly byte[] s_key = new byte[32];
+
+ static MockJwtTokens()
+ {
+ s_rng.GetBytes(s_key);
+ SecurityKey = new SymmetricSecurityKey(s_key) { KeyId = Guid.NewGuid().ToString() };
+ SigningCredentials = new SigningCredentials(SecurityKey, SecurityAlgorithms.HmacSha256);
+ }
+
+ public static string GenerateJwtToken(IEnumerable claims)
+ {
+ return "Bearer " + s_tokenHandler.WriteToken(new JwtSecurityToken(Issuer, null, claims, null, DateTime.UtcNow.AddMinutes(20), SigningCredentials));
+ }
+ }
+
+ public static IEnumerable GetTests()
+ {
+ return new List
+ {
+ new object[]
+ {
+ "",
+ new List
+ {
+ },
+ typeof(OkResult)
+ },
+ new object[]
+ {
+ "",
+ new List
+ {
+ },
+ typeof(UnauthorizedResult),
+ true
+ },
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111",
+ new List
+ {
+ new Claim("tid", "11111111-1111-1111-1111-111111111111")
+ },
+ typeof(OkResult)
+ },
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222",
+ new List
+ {
+ new Claim("tid", "11111111-1111-1111-1111-111111111111"),
+ new Claim("aud", "22222222-2222-2222-2222-222222222222"),
+ },
+ typeof(OkResult)
+ },
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333",
+ new List
+ {
+ new Claim("tid", "11111111-1111-1111-1111-111111111111"),
+ new Claim("aud", "33333333-3333-3333-3333-333333333333")
+ },
+ typeof(OkResult)
+ },
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333",
+ new List
+ {
+ new Claim("tid", "11111111-1111-1111-1111-111111111111"),
+ new Claim("aud", "22222222-2222-2222-2222-222222222222"),
+ new Claim("aud", "33333333-3333-3333-3333-333333333333")
+ },
+ typeof(OkResult)
+ },
+
+
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111",
+ new List
+ {
+ },
+ typeof(UnauthorizedResult)
+ },
+
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111",
+ new List
+ {
+ new Claim("tid", "22222222-2222-2222-2222-222222222222")
+ },
+ typeof(UnauthorizedResult)
+ },
+
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333",
+ new List
+ {
+ },
+ typeof(UnauthorizedResult)
+ },
+
+ new object[]
+ {
+ "?tid=11111111-1111-1111-1111-111111111111&aud=22222222-2222-2222-2222-222222222222&aud=33333333-3333-3333-3333-333333333333",
+ new List
+ {
+ new Claim("tid", "")
+ },
+ typeof(UnauthorizedResult)
+ },
+ };
+ }
+
+ [Theory]
+ [MemberData(nameof(GetTests))]
+ public async Task Test1(string query, List claims, Type type, bool nullAuth = false)
+ {
+ IdentityModelEventSource.ShowPII = true;
+
+ var settingsService = new Mock();
+ var config = new OpenIdConnectConfiguration()
+ {
+ Issuer = MockJwtTokens.Issuer
+ };
+ config.SigningKeys.Add(MockJwtTokens.SecurityKey);
+
+ settingsService.Setup(x => x.GetConfiguration(new CancellationToken())).Returns(Task.FromResult(config));
+
+ var httpContext = new DefaultHttpContext();
+ if (!nullAuth)
+ {
+ httpContext.Request.Headers.Authorization = MockJwtTokens.GenerateJwtToken(claims);
+ }
+ httpContext.Request.QueryString = new QueryString(query);
+
+ var controllerContext = new ControllerContext()
+ {
+ HttpContext = httpContext,
+ };
+
+ var controller = new AuthController(new Mock>().Object, settingsService.Object, new JwtSecurityTokenHandler())
+ {
+ ControllerContext = controllerContext,
+ };
+
+ var result = await controller.Get(new CancellationToken());
+
+ result.Should().BeOfType(type);
+ }
+ }
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt-tests/Usings.cs b/ingress-nginx-validate-jwt-tests/Usings.cs
new file mode 100644
index 0000000..8c927eb
--- /dev/null
+++ b/ingress-nginx-validate-jwt-tests/Usings.cs
@@ -0,0 +1 @@
+global using Xunit;
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt-tests/ingress-nginx-validate-jwt-tests.csproj b/ingress-nginx-validate-jwt-tests/ingress-nginx-validate-jwt-tests.csproj
new file mode 100644
index 0000000..dfaba6d
--- /dev/null
+++ b/ingress-nginx-validate-jwt-tests/ingress-nginx-validate-jwt-tests.csproj
@@ -0,0 +1,31 @@
+
+
+
+ net7.0
+ ingress_nginx_validate_jwt_tests
+ enable
+ enable
+
+ false
+
+
+
+
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+ all
+
+
+
+
+
+
+ runtime; build; native; contentfiles; analyzers; buildtransitive
+ all
+
+
+
+
+
+
+
+
diff --git a/ingress-nginx-validate-jwt.sln b/ingress-nginx-validate-jwt.sln
new file mode 100644
index 0000000..41963ed
--- /dev/null
+++ b/ingress-nginx-validate-jwt.sln
@@ -0,0 +1,38 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.4.32916.344
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ingress-nginx-validate-jwt", "ingress-nginx-validate-jwt\ingress-nginx-validate-jwt.csproj", "{F699F52C-DBCD-4BFD-807A-0D74DB3D7253}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "ingress-nginx-validate-jwt-tests", "ingress-nginx-validate-jwt-tests\ingress-nginx-validate-jwt-tests.csproj", "{587A7638-97C0-4DDC-9297-745ED5816CA4}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{B7D3A0E7-2264-4E9A-90FC-23B8F0CDE196}"
+ ProjectSection(SolutionItems) = preProject
+ .github\workflows\cicd.yml = .github\workflows\cicd.yml
+ README.md = README.md
+ .github\renovate.json = .github\renovate.json
+ EndProjectSection
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|Any CPU = Debug|Any CPU
+ Release|Any CPU = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {F699F52C-DBCD-4BFD-807A-0D74DB3D7253}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {F699F52C-DBCD-4BFD-807A-0D74DB3D7253}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {F699F52C-DBCD-4BFD-807A-0D74DB3D7253}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {F699F52C-DBCD-4BFD-807A-0D74DB3D7253}.Release|Any CPU.Build.0 = Release|Any CPU
+ {587A7638-97C0-4DDC-9297-745ED5816CA4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {587A7638-97C0-4DDC-9297-745ED5816CA4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {587A7638-97C0-4DDC-9297-745ED5816CA4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {587A7638-97C0-4DDC-9297-745ED5816CA4}.Release|Any CPU.Build.0 = Release|Any CPU
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {63820EBD-4F2D-40A4-81B1-CB53D93782C2}
+ EndGlobalSection
+EndGlobal
diff --git a/ingress-nginx-validate-jwt/Controllers/AuthController.cs b/ingress-nginx-validate-jwt/Controllers/AuthController.cs
new file mode 100644
index 0000000..673f436
--- /dev/null
+++ b/ingress-nginx-validate-jwt/Controllers/AuthController.cs
@@ -0,0 +1,88 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Tokens;
+using Prometheus;
+using System.IdentityModel.Tokens.Jwt;
+
+namespace ingress_nginx_validate_jwt.Controllers;
+
+[ApiController]
+[Route("[controller]")]
+public class AuthController : ControllerBase
+{
+ private readonly ILogger _logger;
+
+ private ISettingsService _settingsService;
+
+ private JwtSecurityTokenHandler _jwtSecurityTokenHandler;
+
+ private static readonly Gauge Authorized = Metrics.CreateGauge("ingress_nginx_validate_jwt_authorized", "Number of Authorized operations ongoing.");
+
+ private static readonly Gauge Unauthorized = Metrics.CreateGauge("ingress_nginx_validate_jwt_unauthorized", "Number of Unauthorized operations ongoing.");
+
+ private static readonly Histogram ValidationDuration = Metrics.CreateHistogram("ingress_nginx_validate_jwt_duration_seconds", "Histogram of JWT validation durations.");
+
+ public AuthController(ILogger logger, ISettingsService settingsService, JwtSecurityTokenHandler jwtSecurityTokenHandler)
+ {
+ _logger = logger;
+ _settingsService = settingsService;
+ _jwtSecurityTokenHandler = jwtSecurityTokenHandler;
+ }
+
+ [HttpGet]
+ public async Task Get(CancellationToken cancellationToken)
+ {
+ using (ValidationDuration.NewTimer())
+ {
+ try
+ {
+ var token = Request.Headers.Authorization.FirstOrDefault();
+
+ if (string.IsNullOrEmpty(token))
+ {
+ Unauthorized.Inc();
+ return Unauthorized();
+ }
+
+ // Remove "Bearer "
+ if (token.StartsWith("Bearer "))
+ {
+ token = token.Substring(7);
+ }
+
+ var settings = await _settingsService.GetConfiguration(cancellationToken);
+
+ var parameters = new TokenValidationParameters
+ {
+ ValidateIssuerSigningKey = true,
+ IssuerSigningKeys = settings.SigningKeys,
+ ValidateIssuer = false,
+ ValidateAudience = false,
+ ClockSkew = TimeSpan.FromSeconds(0)
+ };
+
+ _jwtSecurityTokenHandler.ValidateToken(token, parameters, out SecurityToken validatedToken);
+
+ var jwtToken = (JwtSecurityToken)validatedToken;
+
+ foreach (var item in Request.Query)
+ {
+ var claim = jwtToken.Claims.First(x => x.Type == item.Key).Value;
+
+ if (!item.Value.Contains(claim))
+ {
+ Unauthorized.Inc();
+ return Unauthorized();
+ }
+ }
+
+ Authorized.Inc();
+ return Ok();
+ }
+ catch
+ {
+ Unauthorized.Inc();
+ return Unauthorized();
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt/Controllers/HealthController.cs b/ingress-nginx-validate-jwt/Controllers/HealthController.cs
new file mode 100644
index 0000000..a9302cb
--- /dev/null
+++ b/ingress-nginx-validate-jwt/Controllers/HealthController.cs
@@ -0,0 +1,26 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace ingress_nginx_validate_jwt.Controllers;
+
+[ApiController]
+[Route("[controller]")]
+public class HealthController : ControllerBase
+{
+ private readonly ILogger _logger;
+
+ private ISettingsService _settingsService;
+
+ public HealthController(ILogger logger, ISettingsService settingsService)
+ {
+ _logger = logger;
+ _settingsService = settingsService;
+ }
+
+ [HttpGet]
+ public async Task Get(CancellationToken cancellationToken)
+ {
+ await _settingsService.GetConfiguration(cancellationToken);
+
+ return Ok();
+ }
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt/HostedService.cs b/ingress-nginx-validate-jwt/HostedService.cs
new file mode 100644
index 0000000..921bad3
--- /dev/null
+++ b/ingress-nginx-validate-jwt/HostedService.cs
@@ -0,0 +1,28 @@
+using System.Diagnostics;
+
+namespace ingress_nginx_validate_jwt;
+
+public class HostedService : IHostedService
+{
+ private ILogger _logger;
+
+ private ISettingsService _settingsService;
+
+ public HostedService(ILogger logger, ISettingsService settingsService)
+ {
+ _logger = logger;
+ _settingsService = settingsService;
+ }
+
+ public async Task StartAsync(CancellationToken cancellationToken)
+ {
+ _logger.LogInformation("Version: {version}", FileVersionInfo.GetVersionInfo(GetType().Assembly.Location).ProductVersion);
+ _logger.LogInformation("Preloading Configuration");
+ await _settingsService.GetConfiguration(cancellationToken);
+ }
+
+ public Task StopAsync(CancellationToken cancellationToken)
+ {
+ return Task.CompletedTask;
+ }
+}
diff --git a/ingress-nginx-validate-jwt/ISettingsService.cs b/ingress-nginx-validate-jwt/ISettingsService.cs
new file mode 100644
index 0000000..0e562e0
--- /dev/null
+++ b/ingress-nginx-validate-jwt/ISettingsService.cs
@@ -0,0 +1,9 @@
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+
+namespace ingress_nginx_validate_jwt
+{
+ public interface ISettingsService
+ {
+ Task GetConfiguration(CancellationToken cancellationToken = default);
+ }
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt/Program.cs b/ingress-nginx-validate-jwt/Program.cs
new file mode 100644
index 0000000..eb9dca7
--- /dev/null
+++ b/ingress-nginx-validate-jwt/Program.cs
@@ -0,0 +1,36 @@
+using Prometheus;
+using System.Diagnostics.CodeAnalysis;
+using System.IdentityModel.Tokens.Jwt;
+
+namespace ingress_nginx_validate_jwt;
+
+[ExcludeFromCodeCoverage]
+public class Program
+{
+ public static void Main(string[] args)
+ {
+ var builder = WebApplication.CreateBuilder(args);
+
+ // Add services to the container.
+
+ builder.Services.AddControllers();
+
+ builder.Services.AddSingleton();
+
+ builder.Services.AddTransient();
+
+ builder.Services.AddHostedService();
+
+ var app = builder.Build();
+
+ // Configure the HTTP request pipeline.
+
+ app.UseForwardedHeaders();
+
+ app.MapControllers();
+
+ app.UseMetricServer();
+
+ app.Run();
+ }
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt/Properties/launchSettings.json b/ingress-nginx-validate-jwt/Properties/launchSettings.json
new file mode 100644
index 0000000..1736aad
--- /dev/null
+++ b/ingress-nginx-validate-jwt/Properties/launchSettings.json
@@ -0,0 +1,14 @@
+{
+ "profiles": {
+ "ingress_nginx_validate_jwt": {
+ "commandName": "Project",
+ "launchBrowser": false,
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ },
+ "dotnetRunMessages": true,
+ "applicationUrl": "https://localhost:7297;http://localhost:5049"
+ }
+ },
+ "$schema": "https://json.schemastore.org/launchsettings.json"
+}
\ No newline at end of file
diff --git a/ingress-nginx-validate-jwt/SettingsService.cs b/ingress-nginx-validate-jwt/SettingsService.cs
new file mode 100644
index 0000000..bee5b50
--- /dev/null
+++ b/ingress-nginx-validate-jwt/SettingsService.cs
@@ -0,0 +1,41 @@
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+
+namespace ingress_nginx_validate_jwt;
+
+public class SettingsService : ISettingsService
+{
+ private ILogger _logger;
+
+ private IConfiguration _configuration;
+
+ private OpenIdConnectConfiguration? openIdConnectConfiguration;
+
+ public SettingsService(ILogger logger, IConfiguration configuration)
+ {
+ _logger = logger;
+ _configuration = configuration;
+ }
+
+ public async Task GetConfiguration(CancellationToken cancellationToken = new CancellationToken())
+ {
+ if (openIdConnectConfiguration == null)
+ {
+ string? configEndpoint = _configuration["OpenIdProviderConfigurationUrl"];
+
+ if (string.IsNullOrEmpty(configEndpoint))
+ {
+ var exp = new Exception("Unable to load OpenIdConfiguration");
+
+ _logger.LogError(exp, "Unable to load OpenIdConfiguration");
+
+ throw exp;
+ }
+
+ _logger.LogInformation("Loading OpenIdConfiguration from : {config}", configEndpoint);
+
+ openIdConnectConfiguration = await OpenIdConnectConfigurationRetriever.GetAsync(configEndpoint, cancellationToken);
+ }
+
+ return openIdConnectConfiguration;
+ }
+}
diff --git a/ingress-nginx-validate-jwt/appsettings.Development.json b/ingress-nginx-validate-jwt/appsettings.Development.json
new file mode 100644
index 0000000..facfd1b
--- /dev/null
+++ b/ingress-nginx-validate-jwt/appsettings.Development.json
@@ -0,0 +1,11 @@
+{
+ "OpenIdProviderConfigurationUrl": "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration",
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning",
+ "Microsoft.Hosting.Lifetime": "Critical"
+ }
+ },
+ "AllowedHosts": "*"
+}
diff --git a/ingress-nginx-validate-jwt/appsettings.json b/ingress-nginx-validate-jwt/appsettings.json
new file mode 100644
index 0000000..7ed907f
--- /dev/null
+++ b/ingress-nginx-validate-jwt/appsettings.json
@@ -0,0 +1,10 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning",
+ "Microsoft.Hosting.Lifetime": "Critical"
+ }
+ },
+ "AllowedHosts": "*"
+}
diff --git a/ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj b/ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj
new file mode 100644
index 0000000..8777f0b
--- /dev/null
+++ b/ingress-nginx-validate-jwt/ingress-nginx-validate-jwt.csproj
@@ -0,0 +1,28 @@
+
+
+
+ net7.0
+ enable
+ enable
+ ingress_nginx_validate_jwt
+ 1c55899c-42df-4a18-815d-93afa873bb49
+ Linux
+ true
+
+
+
+
+
+
+ Never
+
+
+
+
+
+
+
+
+
+
+