feat: OIDC Gateway API #2122

Merged
merged 9 commits into from
Nov 13, 2023
5 changes: 4 additions & 1 deletion api/v1alpha1/groupversion_info.go
@@ -10,9 +10,12 @@ import (
"sigs.k8s.io/controller-runtime/pkg/scheme"
)

const GroupName = "gateway.envoyproxy.io"

var (

// GroupVersion is group version used to register these objects
GroupVersion = schema.GroupVersion{Group: "gateway.envoyproxy.io", Version: "v1alpha1"}
GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}

// SchemeBuilder is used to add go types to the GroupVersionKind scheme
SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
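Review bot: the new exported constant on the line `const GroupName = "gateway.envoyproxy.io"` has no doc comment, while the neighbouring `GroupVersion` and `SchemeBuilder` do; add a one-line comment (for example `// GroupName is the API group of the Envoy Gateway CRDs`) so exported identifiers in this file stay consistently documented. Switching `GroupVersion` from the string literal to the constant is the right direction; if the literal "gateway.envoyproxy.io" is still spelled out elsewhere in the code base, those sites should use `GroupName` as well so the group name has a single source of truth.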
74 changes: 74 additions & 0 deletions api/v1alpha1/oidc_types.go
@@ -0,0 +1,74 @@
// Copyright Envoy Gateway Authors
// SPDX-License-Identifier: Apache-2.0
// The full text of the Apache license is available in the LICENSE file at
// the root of the repo.

package v1alpha1

import (
gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1"
)

const OIDCClientSecretKey = "client-secret"

// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
type OIDC struct {
// The OIDC Provider configuration.
Provider OIDCProvider `json:"provider"`

// The client ID to be used in the OIDC
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
//
// +kubebuilder:validation:MinLength=1
ClientID string `json:"clientID"`

// The Kubernetes secret which contains the OIDC client secret to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
//
// This is an Opaque secret. The client secret should be stored in the key
// "client-secret".
// +kubebuilder:validation:Required
ClientSecret gwapiv1b1.SecretObjectReference `json:"clientSecret"`

// The OIDC scopes to be used in the
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// The "openid" scope is always added to the list of scopes if not already
// specified.
// +optional
Scopes []string `json:"scopes,omitempty"`
}

// OIDCProvider defines the OIDC Provider configuration.
// To make the EG OIDC config easy to use, some of the low-level ouath2 filter
// configuration knobs are hidden from the user, and default values will be provided
// when translating to XDS. For example:
//
// * redirect_uri: uses a default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
//
// * signout_path: uses a default signout path "/signout"
//
// * redirect_path_matcher: uses a default redirect path matcher "/oauth2/callback"
//
// If we get requests to expose these knobs, we can always do so later.
type OIDCProvider struct {
// The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
// Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
// be https, a host component, and optionally, port and path components and
// no query or fragment components.
// +kubebuilder:validation:MinLength=1
Issuer string `json:"issuer"`

// TODO zhaohuabing validate the issuer

// The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
//
// +optional
AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty"`

// The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
// If not provided, EG will try to discover it from the provider's [Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
//
// +optional
TokenEndpoint *string `json:"tokenEndpoint,omitempty"`
}
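Review bot: the `Issuer` field's comment requires an https URI with no query or fragment components, but the only marker on it is `+kubebuilder:validation:MinLength=1`, and the line `// TODO zhaohuabing validate the issuer` is left between fields as an unresolved reminder. Either add a marker such as `+kubebuilder:validation:Pattern=^https://` now (and validate the parsed URL in the translator, since a pattern alone cannot reliably reject query and fragment components) or turn the TODO into a tracked issue before merging, so a misconfigured issuer is rejected at admission rather than surfacing as a discovery failure at runtime. Two smaller points in the same hunk: the `OIDCProvider` doc comment has the typo "ouath2", and the default `redirect_uri` it documents is assembled from `%REQ(x-forwarded-proto)%` and `%REQ(:authority)%`, so the comment should state that these values are expected to be set by Envoy at the edge rather than taken from the client, and what the callback URI becomes when `x-forwarded-proto` is absent.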
5 changes: 5 additions & 0 deletions api/v1alpha1/securitypolicy_types.go
@@ -56,6 +56,11 @@ type SecurityPolicySpec struct {
//
// +optional
JWT *JWT `json:"jwt,omitempty"`

// OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
//
// +optional
OIDC *OIDC `json:"oidc,omitempty"`
}

// SecurityPolicyStatus defines the state of SecurityPolicy
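Review bot: the new `OIDC *OIDC` field is added next to `JWT *JWT` without saying how the two interact when both are set on one SecurityPolicy (both enforced, in which order, or rejected?). State the intended semantics in the field comment and, if the two are meant to be mutually exclusive, add a CEL rule via `+kubebuilder:validation:XValidation` on `SecurityPolicySpec` so the API server rejects the combination instead of leaving it to the translator to notice.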
52 changes: 52 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


@@ -186,6 +186,92 @@ spec:
required:
- providers
type: object
oidc:
description: OIDC defines the configuration for the OpenID Connect
(OIDC) authentication.
properties:
clientID:
description: The client ID to be used in the OIDC [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
minLength: 1
type: string
clientSecret:
description: "The Kubernetes secret which contains the OIDC client
secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
\n This is an Opaque secret. The client secret should be stored
in the key \"client-secret\"."
properties:
group:
default: ""
description: Group is the group of the referent. For example,
"gateway.networking.k8s.io". When unspecified or empty string,
core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
default: Secret
description: Kind is kind of the referent. For example "Secret".
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: "Namespace is the namespace of the referenced
object. When unspecified, the local namespace is inferred.
\n Note that when a namespace different than the local namespace
is specified, a ReferenceGrant object is required in the
referent namespace to allow that namespace's owner to accept
the reference. See the ReferenceGrant documentation for
details. \n Support: Core"
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
required:
- name
type: object
provider:
description: The OIDC Provider configuration.
properties:
authorizationEndpoint:
description: The OIDC Provider's [authorization endpoint](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint).
If not provided, EG will try to discover it from the provider's
[Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
issuer:
description: The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component
that MUST be https, a host component, and optionally, port
and path components and no query or fragment components.
minLength: 1
type: string
tokenEndpoint:
description: The OIDC Provider's [token endpoint](https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint).
If not provided, EG will try to discover it from the provider's
[Well-Known Configuration Endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse).
type: string
required:
- issuer
type: object
scopes:
description: The OIDC scopes to be used in the [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if
not already specified.
items:
type: string
type: array
required:
- clientID
- clientSecret
- provider
type: object
targetRef:
description: TargetRef is the name of the Gateway resource this policy
is being attached to. This Policy and the TargetRef MUST be in the
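Review bot: the `clientSecret.namespace` description in this generated schema says a cross-namespace reference requires a ReferenceGrant in the referent namespace, but a CRD schema cannot enforce that; make sure the translator that resolves `clientSecret` looks up a matching ReferenceGrant and sets a failed condition when none exists, because without that check a SecurityPolicy in one namespace could read a Secret from another. Also, since this hunk mirrors the Go types, `issuer` carries only `minLength: 1` while its description demands an https URI, and `authorizationEndpoint` and `tokenEndpoint` have no format constraint at all; if a pattern marker is added on the Go side, regenerate this file so the schema and the types stay in sync.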