add oidc to securitypolicy api

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Nov 7, 2023 · 0164e76 · 0164e76
1 parent 46bb51a
commit 0164e76
Show file tree

Hide file tree

Showing 24 changed files with 1,783 additions and 59 deletions.
diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
@@ -10,9 +10,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
+const GroupName = "gateway.envoyproxy.io"
+
 var (
+
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "gateway.envoyproxy.io", Version: "v1alpha1"}
+	GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -0,0 +1,64 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+const OIDCClientSecretKey = "client_secret"
+
+// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
+type OIDC struct {
+	// The OIDC Provider configuration.
+	Provider OIDCProvider `json:"provider"`
+
+	// The client ID assigned to this policy to be used in the OIDC
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	//
+	// +kubebuilder:validation:MinLength=1
+	ClientID string `json:"clientID"`
+
+	// The Kubernetes secret which contains the OIDC client secret assigned to
+	// the filter to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	//
+	// This is an Opaque secret. The client secret should be stored in the key
+	// "client_secret".
+	// +kubebuilder:validation:Required
+	ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"`
+
+	// The OIDC scopes to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	// The "openid" scope is always added to the list of scopes if not already
+	// specified.
+	// +optional
+	Scopes []string `json:"scopes,omitempty"`
+}
+
+// OIDCProvider defines the OIDC Provider configuration.
+type OIDCProvider struct {
+	// The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+	// Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+	// be https, a host component, and optionally, port and path components and
+	// no query or fragment components.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+
+	// TODO zhaohuabing validate the issuer
+
+	// The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+	// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+	//
+	// +optional
+	AuthorizationEndpoint string `json:"authorizationEndpoint,omitempty"`
+
+	// The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+	// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+	//
+	// +optional
+	TokenEndpoint string `json:"tokenEndpoint,omitempty"`
+}
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
@@ -56,6 +56,11 @@ type SecurityPolicySpec struct {
 	//
 	// +optional
 	JWT *JWT `json:"jwt,omitempty"`
+
+	// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
+	//
+	// +optional
+	OIDC *OIDC `json:"oidc,omitempty"`
 }
 
 // SecurityPolicyStatus defines the state of SecurityPolicy

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -186,6 +186,93 @@ spec:
                 required:
                 - providers
                 type: object
+              oidc:
+                description: OIDC defines the configuration for the OpenID Connect
+                  (OIDC) authentication.
+                properties:
+                  clientID:
+                    description: The client ID assigned to this policy to be used
+                      in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                    minLength: 1
+                    type: string
+                  clientSecret:
+                    description: "The Kubernetes secret which contains the OIDC client
+                      secret assigned to the filter to be used in the [Authentication
+                      Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                      \n This is an Opaque secret. The client secret should be stored
+                      in the key \"client_secret\"."
+                    properties:
+                      group:
+                        default: ""
+                        description: Group is the group of the referent. For example,
+                          "gateway.networking.k8s.io". When unspecified or empty string,
+                          core API group is inferred.
+                        maxLength: 253
+                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      kind:
+                        default: Secret
+                        description: Kind is kind of the referent. For example "Secret".
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                        type: string
+                      name:
+                        description: Name is the name of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      namespace:
+                        description: "Namespace is the namespace of the referenced
+                          object. When unspecified, the local namespace is inferred.
+                          \n Note that when a namespace different than the local namespace
+                          is specified, a ReferenceGrant object is required in the
+                          referent namespace to allow that namespace's owner to accept
+                          the reference. See the ReferenceGrant documentation for
+                          details. \n Support: Core"
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  provider:
+                    description: The OIDC Provider configuration.
+                    properties:
+                      authorizationEndpoint:
+                        description: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+                          If not provided, EG will try to discover it from the provider's
+                          [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+                        type: string
+                      issuer:
+                        description: The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+                          Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component
+                          that MUST be https, a host component, and optionally, port
+                          and path components and no query or fragment components.
+                        minLength: 1
+                        type: string
+                      tokenEndpoint:
+                        description: The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+                          If not provided, EG will try to discover it from the provider's
+                          [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+                        type: string
+                    required:
+                    - issuer
+                    type: object
+                  scopes:
+                    description: The OIDC scopes to be used in the [Authentication
+                      Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                      The "openid" scope is always added to the list of scopes if
+                      not already specified.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - clientID
+                - clientSecret
+                - provider
+                type: object
               targetRef:
                 description: TargetRef is the name of the Gateway resource this policy
                   is being attached to. This Policy and the TargetRef MUST be in the