Code review changes

shaun-nx · shaun-nx · commit 7c7dc79b89d0 · 2025-11-25T17:01:09.000Z
diff --git a/docs/proposals/authentication-filter.md b/docs/proposals/authentication-filter.md
@@ -94,7 +94,7 @@ type AuthenticationFilter struct {
 
 // +kubebuilder:object:root=true
 
-// AuthenticationFilterList contains a list of AuthenticationFilter.
+// AuthenticationFilterList contains a list of AuthenticationFilter resources.
 type AuthenticationFilterList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
@@ -240,16 +240,11 @@ type FileKeySource struct {
 
 // LocalObjectReferenceWithKey specifies a local Kubernetes object
 // with a required `key` field to extract data.
-// +kubebuilder:validation:XValidation:message="name must be set",rule="self.name != ''"
 type LocalObjectReferenceWithKey struct {
     // Inline the core LocalObjectReference so `name` sits at the same JSON level
     // (optional, but avoids nesting)
     v1.LocalObjectReference `json:",inline"`
 
-    // Key must be provided and non-empty.
-    // This makes the field required in the OpenAPI schema.
-    // +kubebuilder:validation:MinLength=1
-    // +kubebuilder:validation:XValidation:rule="self != ''",message="key must be non-empty"
     Key string `json:"key"`
 }
 
@@ -475,6 +470,8 @@ http {
         location /v2 {
             # Injected by BasicAuthFilter "basic-auth"
             auth_basic "Restricted";
+
+            # Path is generated by NGF using the name and key from the secret
             auth_basic_user_file /etc/nginx/secrets/basic-auth-users/htpasswd;
 
             # Optional: customize failure per filter onFailure
@@ -636,7 +633,8 @@ http {
             auth_jwt "Restricted";
 
             # File-based JWKS
-            auth_jwt_key_file /etc/nginx/keys/jwks.json;
+            # Path is generated by NGF using the name and key from the secret
+            auth_jwt_key_file /etc/nginx/keys/jwt-keys-secure/jwks.json;
 
             # Optional: key cache duration
             auth_jwt_key_cache 10m;
@@ -852,7 +850,7 @@ spec:
 
 #### Attaching a JWT AuthenticationFilter to a route when using NGINX OSS
 
-If a user attempts to attach a JWT tpye AuthenticationFilter while using NGINX OSS, the rule referncing the filter will be `Rejected`.
+If a user attempts to attach a JWT type AuthenticationFilter while using NGINX OSS, the rule referencing the filter will be `Rejected`.
 
 This can use the status `RouteConditionPartiallyInvalid` defined in the Gateway API here: https://github.com/nginx/nginx-gateway-fabric/blob/main/internal/controller/state/conditions/conditions.go#L402
 
@@ -994,6 +992,7 @@ spec:
 ```
 
 AuthenticationFilter referencing the cross-namespace Secret
+
 ```yaml
 apiVersion: gateway.nginx.org/v1alpha1
 kind: AuthenticationFilter
