feat: OIDC Gateway API (#2122)

* add oidc to securitypolicy api Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix test Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * forbid cross-namespace ref to secret for now Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * address comments Signed-off-by: huabing zhao <zhaohuabing@gmail.com> * fix lint Signed-off-by: huabing zhao <zhaohuabing@gmail.com> --------- Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
envoyproxy · Nov 13, 2023 · 397911d · 397911d
1 parent 0cf4f28
commit 397911d
Show file tree

Hide file tree

Showing 26 changed files with 2,195 additions and 63 deletions.
diff --git a/api/v1alpha1/groupversion_info.go b/api/v1alpha1/groupversion_info.go
@@ -10,9 +10,12 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/scheme"
 )
 
+const GroupName = "gateway.envoyproxy.io"
+
 var (
+
 	// GroupVersion is group version used to register these objects
-	GroupVersion = schema.GroupVersion{Group: "gateway.envoyproxy.io", Version: "v1alpha1"}
+	GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -0,0 +1,74 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+import (
+	gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
+)
+
+const OIDCClientSecretKey = "client-secret"
+
+// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
+type OIDC struct {
+	// The OIDC Provider configuration.
+	Provider OIDCProvider `json:"provider"`
+
+	// The client ID to be used in the OIDC
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	//
+	// +kubebuilder:validation:MinLength=1
+	ClientID string `json:"clientID"`
+
+	// The Kubernetes secret which contains the OIDC client secret to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	//
+	// This is an Opaque secret. The client secret should be stored in the key
+	// "client-secret".
+	// +kubebuilder:validation:Required
+	ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"`
+
+	// The OIDC scopes to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	// The "openid" scope is always added to the list of scopes if not already
+	// specified.
+	// +optional
+	Scopes []string `json:"scopes,omitempty"`
+}
+
+// OIDCProvider defines the OIDC Provider configuration.
+// To make the EG OIDC config easy to use, some of the low-level ouath2 filter
+// configuration knobs are hidden from the user, and default values will be provided
+// when translating to XDS. For example:
+//
+// * redirect_uri: uses a default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
+//
+// * signout_path: uses a default signout path "/signout"
+//
+// * redirect_path_matcher: uses a default redirect path matcher "/oauth2/callback"
+//
+// If we get requests to expose these knobs, we can always do so later.
+type OIDCProvider struct {
+	// The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+	// Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
+	// be https, a host component, and optionally, port and path components and
+	// no query or fragment components.
+	// +kubebuilder:validation:MinLength=1
+	Issuer string `json:"issuer"`
+
+	// TODO zhaohuabing validate the issuer
+
+	// The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+	// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+	//
+	// +optional
+	AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty"`
+
+	// The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+	// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+	//
+	// +optional
+	TokenEndpoint *string `json:"tokenEndpoint,omitempty"`
+}
diff --git a/api/v1alpha1/securitypolicy_types.go b/api/v1alpha1/securitypolicy_types.go
@@ -56,6 +56,11 @@ type SecurityPolicySpec struct {
 	//
 	// +optional
 	JWT *JWT `json:"jwt,omitempty"`
+
+	// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
+	//
+	// +optional
+	OIDC *OIDC `json:"oidc,omitempty"`
 }
 
 // SecurityPolicyStatus defines the state of SecurityPolicy

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -186,6 +186,92 @@ spec:
                 required:
                 - providers
                 type: object
+              oidc:
+                description: OIDC defines the configuration for the OpenID Connect
+                  (OIDC) authentication.
+                properties:
+                  clientID:
+                    description: The client ID to be used in the OIDC [Authentication
+                      Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                    minLength: 1
+                    type: string
+                  clientSecret:
+                    description: "The Kubernetes secret which contains the OIDC client
+                      secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                      \n This is an Opaque secret. The client secret should be stored
+                      in the key \"client-secret\"."
+                    properties:
+                      group:
+                        default: ""
+                        description: Group is the group of the referent. For example,
+                          "gateway.networking.k8s.io". When unspecified or empty string,
+                          core API group is inferred.
+                        maxLength: 253
+                        pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      kind:
+                        default: Secret
+                        description: Kind is kind of the referent. For example "Secret".
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                        type: string
+                      name:
+                        description: Name is the name of the referent.
+                        maxLength: 253
+                        minLength: 1
+                        type: string
+                      namespace:
+                        description: "Namespace is the namespace of the referenced
+                          object. When unspecified, the local namespace is inferred.
+                          \n Note that when a namespace different than the local namespace
+                          is specified, a ReferenceGrant object is required in the
+                          referent namespace to allow that namespace's owner to accept
+                          the reference. See the ReferenceGrant documentation for
+                          details. \n Support: Core"
+                        maxLength: 63
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                        type: string
+                    required:
+                    - name
+                    type: object
+                  provider:
+                    description: The OIDC Provider configuration.
+                    properties:
+                      authorizationEndpoint:
+                        description: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
+                          If not provided, EG will try to discover it from the provider's
+                          [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+                        type: string
+                      issuer:
+                        description: The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
+                          Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component
+                          that MUST be https, a host component, and optionally, port
+                          and path components and no query or fragment components.
+                        minLength: 1
+                        type: string
+                      tokenEndpoint:
+                        description: The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
+                          If not provided, EG will try to discover it from the provider's
+                          [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
+                        type: string
+                    required:
+                    - issuer
+                    type: object
+                  scopes:
+                    description: The OIDC scopes to be used in the [Authentication
+                      Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                      The "openid" scope is always added to the list of scopes if
+                      not already specified.
+                    items:
+                      type: string
+                    type: array
+                required:
+                - clientID
+                - clientSecret
+                - provider
+                type: object
               targetRef:
                 description: TargetRef is the name of the Gateway resource this policy
                   is being attached to. This Policy and the TargetRef MUST be in the