feat: OIDC Gateway API #2122

zhaohuabing · 2023-10-30T09:46:47Z

What this PR does:

add OIDC authentication to the SecurityPolicy API
translate OIDC API to IR

xds translation will be in a follow-up PR.

OIDC will be done per-route. The final xds output will look like this example yaml file: https://github.com/zhaohuabing/playground/blob/main/envoy/per-route-oauth2-oidc/envoy.yaml

Related: #881

codecov · 2023-10-30T09:52:04Z

Codecov Report

Merging #2122 (b23cf97) into main (f2e12a5) will increase coverage by 0.05%.
The diff coverage is 60.46%.

@@            Coverage Diff             @@
##             main    #2122      +/-   ##
==========================================
+ Coverage   64.22%   64.27%   +0.05%     
==========================================
  Files         107      107              
  Lines       14665    14922     +257     
==========================================
+ Hits         9418     9591     +173     
- Misses       4677     4758      +81     
- Partials      570      573       +3

Files	Coverage Δ
internal/gatewayapi/translator.go	`98.51% <100.00%> (+0.01%)`	⬆️
internal/status/securitypolicy.go	`0.00% <0.00%> (ø)`
internal/ir/xds.go	`73.90% <50.00%> (-0.48%)`	⬇️
internal/status/conditions.go	`95.83% <77.77%> (-4.17%)`	⬇️
internal/gatewayapi/securitypolicy.go	`82.54% <87.17%> (+3.94%)`	⬆️
internal/gatewayapi/validate.go	`86.76% <52.17%> (-2.89%)`	⬇️
internal/ir/zz_generated.deepcopy.go	`11.83% <0.00%> (-0.31%)`	⬇️
internal/provider/kubernetes/controller.go	`50.74% <6.38%> (-0.48%)`	⬇️

... and 1 file with indirect coverage changes

api/v1alpha1/oidc_types.go

zhaohuabing · 2023-11-07T11:02:31Z

internal/provider/kubernetes/controller.go

+						"name", refGrant.Name)
+				}
+			}
+			resourceMap.allAssociatedNamespaces[secretNamespace] = struct{}{} // TODO Zhaohuabing do we need this line?


Do we need to check if this namespace exists?

api/v1alpha1/oidc_types.go

arkodg · 2023-11-10T20:38:58Z

hey @zhaohuabing this looks good, haven't looked at the implementation yet, added some minor comments reg API

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

internal/gatewayapi/securitypolicy.go

internal/ir/xds.go

internal/gatewayapi/validate.go

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

zhaohuabing · 2023-11-11T09:54:04Z

/retest

internal/gatewayapi/securitypolicy.go

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

api/v1alpha1/oidc_types.go

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

arkodg

LGTM thanks !

zirain · 2023-11-13T23:48:59Z

User documentation would be even better.

zhaohuabing · 2023-11-14T00:08:24Z

User docs will be in a follow-up PR.

zhaohuabing requested a review from a team as a code owner October 30, 2023 09:46

zhaohuabing marked this pull request as draft October 30, 2023 09:46

zhaohuabing changed the title ~~feat: add oidc to securitypolicy api~~ feat: add OIDC to SecurityPolicy api Oct 30, 2023

zhaohuabing force-pushed the oidc-api branch 4 times, most recently from 47b72d1 to ad198e2 Compare November 3, 2023 09:18

zhaohuabing changed the title ~~feat: add OIDC to SecurityPolicy api~~ feat: OIDC Gateway API Nov 3, 2023

zhaohuabing force-pushed the oidc-api branch from ad198e2 to 57095a8 Compare November 3, 2023 09:20

zhaohuabing marked this pull request as ready for review November 3, 2023 09:20

zhaohuabing force-pushed the oidc-api branch from 57095a8 to fb4e76d Compare November 3, 2023 09:27

zhaohuabing marked this pull request as draft November 3, 2023 13:37

zhaohuabing force-pushed the oidc-api branch 4 times, most recently from d6974fa to ef5a0a2 Compare November 7, 2023 10:41

zhaohuabing marked this pull request as ready for review November 7, 2023 10:42

zhaohuabing requested review from arkodg, AliceProxy, zirain and Xunzhuo November 7, 2023 10:42

zhaohuabing commented Nov 7, 2023

View reviewed changes

api/v1alpha1/oidc_types.go Show resolved Hide resolved

zhaohuabing commented Nov 7, 2023

View reviewed changes

zhaohuabing force-pushed the oidc-api branch 2 times, most recently from d7511f8 to 0164e76 Compare November 7, 2023 11:11