From 97ea4e36d5ca4d66725e121444348b3aa307bf2f Mon Sep 17 00:00:00 2001
From: Fabrice Aneche
Date: Wed, 27 Mar 2024 22:52:26 -0400
Subject: [PATCH 1/3] Update ADOPTERS.md for Airspace Link (#3045)
Signed-off-by: Fabrice Aneche
Co-authored-by: zirain
---
 ADOPTERS.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/ADOPTERS.md b/ADOPTERS.md
index 0eb6d18e905a..5914f698e7bd 100644
--- a/ADOPTERS.md
+++ b/ADOPTERS.md
@@ -41,3 +41,13 @@ If you would like to be included in this table, please submit a PR to this file
 * Status: production
 * (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg
 * (Option) Description:
+
+## Airspace Link
+* Organizatioin: Airspace Link
+* Website: https://airspacelink.com/
+* Category: End User
+* Environments: Azure
+* Use Cases:
+ - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway.
+* Status: production
+* Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png
From a270dd8a34add83b976d2111d0ce9af279715ca6 Mon Sep 17 00:00:00 2001
From: jaynis
Date: Thu, 28 Mar 2024 04:53:32 +0100
Subject: [PATCH 2/3] feat: added option to specify resources on the OIDC security policy (#3030)
added option to specify resources on the OIDC filter
Signed-off-by: jaynis
Co-authored-by: Huabing Zhao
---
 api/v1alpha1/oidc_types.go | 5 +++++
 api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 6 ++++++
 internal/gatewayapi/securitypolicy.go | 1 +
 .../gatewayapi/testdata/securitypolicy-with-oidc.in.yaml | 1 +
 .../gatewayapi/testdata/securitypolicy-with-oidc.out.yaml | 4 ++++
 internal/ir/xds.go | 4 ++++
 internal/ir/zz_generated.deepcopy.go | 5 +++++
 internal/xds/translator/oidc.go | 1 +
 internal/xds/translator/testdata/in/xds-ir/oidc.yaml | 4 ++++
 .../xds/translator/testdata/out/xds-ir/oidc.listeners.yaml | 4 ++++
 site/content/en/latest/api/extension_types.md | 1 +
 12 files changed, 41 insertions(+)
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
index 391ea71425b0..ecce79576278 100644
--- a/api/v1alpha1/oidc_types.go
+++ b/api/v1alpha1/oidc_types.go
@@ -37,6 +37,11 @@ type OIDC struct {
 // +optional
 Scopes []string `json:"scopes,omitempty"`
+ // The OIDC resources to be used in the
+ // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ // +optional
+ Resources []string `json:"resources,omitempty"`
+
 // The redirect URL to be used in the OIDC
 // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 // If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 41a8e22eb726..435d17c07be0 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2502,6 +2502,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 if in.RedirectURL != nil {
 in, out := &in.RedirectURL, &out.RedirectURL
 *out = new(string)
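Review bot: The doc comment on the new `Resources` field of the `OIDC` struct says only that the values are "used in the Authentication Request", which leaves a user guessing what a resource is and how it is transmitted; the CRD description and the API reference in this patch are generated from this comment, and the `internal/ir/xds.go` hunk duplicates it, so all three inherit the gap. The value ends up in the Envoy oauth2 filter's `resources` field (see the `internal/xds/translator/oidc.go` hunk), which presumably maps to the OAuth 2.0 `resource` request parameter of RFC 8707, where each entry is expected to be an absolute URI identifying the target API; no validation marker is applied, so whatever the user writes is forwarded verbatim to the authorization server. Suggest expanding the comment to `// The OIDC resources to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). Each entry is sent as a "resource" parameter (RFC 8707) and should identify the API the token is being requested for.` and, if a format is required, a matching `+kubebuilder:validation` marker. The `OIDC` struct starts and ends outside the hunk.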
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 65df396eb7bc..40d0f731550a 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -592,6 +592,12 @@ spec:
 Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
 type: string
+ resources:
+ description: The OIDC resources to be used in the [Authentication
+ Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ items:
+ type: string
+ type: array
 scopes:
 description: The OIDC scopes to be used in the [Authentication
 Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 0b82fd46926d..67bf2314befe 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -644,6 +644,7 @@ func (t *Translator) buildOIDC(
 ClientID: oidc.ClientID,
 ClientSecret: clientSecretBytes,
 Scopes: scopes,
+ Resources: oidc.Resources,
 RedirectURL: redirectURL,
 RedirectPath: redirectPath,
 LogoutPath: logoutPath,
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
index 31fb6ee9bb84..9ebcd9246987 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -123,5 +123,6 @@ securityPolicies:
 clientSecret:
 name: "client2-secret"
 scopes: ["openid", "email", "profile"]
+ resources: ["api"]
 redirectURL: "https://www.example.com/foo/oauth2/callback"
 logoutPath: "/foo/logout"
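Review bot: `Resources: oidc.Resources` in the `securitypolicy.go` hunk hands the SecurityPolicy object's slice straight into the IR, so the IR and the API object it was built from share one backing array, whereas `Scopes` on the line above goes through the local `scopes` that this function assembles itself; an in-place edit on either side would silently show up in the other. Copying at the boundary keeps the IR self-contained: `Resources: append([]string(nil), oidc.Resources...),` (or `slices.Clone(oidc.Resources)` if the module's Go version provides it). `buildOIDC` starts and ends outside the hunk, so I cannot see whether `oidc` is already a private copy; if it is, this is only a consistency point.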
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
index dfd4a9f6073b..b0cff9eac836 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -153,6 +153,8 @@ securityPolicies:
 issuer: https://oauth.foo.com
 tokenEndpoint: https://oauth.foo.com/token
 redirectURL: https://www.example.com/foo/oauth2/callback
+ resources:
+ - api
 scopes:
 - openid
 - email
@@ -263,6 +265,8 @@ xdsIR:
 tokenEndpoint: https://oauth.foo.com/token
 redirectPath: /foo/oauth2/callback
 redirectURL: https://www.example.com/foo/oauth2/callback
+ resources:
+ - api
 scopes:
 - openid
 - email
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index ae89ed94cd9c..86664e595678 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -544,6 +544,10 @@ type OIDC struct {
 // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
+ // The OIDC resources to be used in the
+ // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+ Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"`
+
 // The redirect URL to be used in the OIDC
 // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 RedirectURL string `json:"redirectURL,omitempty"`
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index e1290759206a..b1035316c367 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -1388,6 +1388,11 @@ func (in *OIDC) DeepCopyInto(out *OIDC) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.Resources != nil {
+ in, out := &in.Resources, &out.Resources
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDC.
diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go
index 503d59e5f89c..1910da4fb699 100644
--- a/internal/xds/translator/oidc.go
+++ b/internal/xds/translator/oidc.go
@@ -170,6 +170,7 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
 // every OIDC provider supports basic auth
 AuthType: oauth2v3.OAuth2Config_BASIC_AUTH,
 AuthScopes: oidc.Scopes,
+ Resources: oidc.Resources,
 },
 }
 return oauth2, nil
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
index fabdbfc9195f..e2ef1ca7a0f5 100644
--- a/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/oidc.yaml
@@ -30,6 +30,8 @@ http:
 - openid
 - email
 - profile
+ resources:
+ - api
 redirectURL: "https://www.example.com/foo/oauth2/callback"
 redirectPath: "/foo/oauth2/callback"
 logoutPath: "/foo/logout"
@@ -56,6 +58,8 @@ http:
 - openid
 - email
 - profile
+ resources:
+ - api
 redirectURL: "https://www.example.com/bar/oauth2/callback"
 redirectPath: "/bar/oauth2/callback"
 logoutPath: "/bar/logout"
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
index 1d7cf7ba34bf..95e075f047ef 100644
--- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml
@@ -48,6 +48,8 @@
 path:
 exact: /foo/oauth2/callback
 redirectUri: https://www.example.com/foo/oauth2/callback
+ resources:
+ - api
 signoutPath:
 path:
 exact: /foo/logout
@@ -89,6 +91,8 @@
 path:
 exact: /bar/oauth2/callback
 redirectUri: https://www.example.com/bar/oauth2/callback
+ resources:
+ - api
 signoutPath:
 path:
 exact: /bar/logout
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 9ff59b95a791..7e9839e70da3 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1704,6 +1704,7 @@ _Appears in:_
 | `clientID` | _string_ | true | The client ID to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | The Kubernetes secret which contains the OIDC client secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

This is an Opaque secret. The client secret should be stored in the key "client-secret". |
 | `scopes` | _string array_ | false | The OIDC scopes to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). The "openid" scope is always added to the list of scopes if not already specified. |
+| `resources` | _string array_ | false | The OIDC resources to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
 | `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies. If not specified, uses a default logout path "/logout" |
From 3d519339bc68ab1f8ece22c89aeb757e7fcc58cd Mon Sep 17 00:00:00 2001
From: Jesse Haka
Date: Thu, 28 Mar 2024 09:51:31 +0200
Subject: [PATCH 3/3] fix: allow websockets in url rewrite (#3022)
allow websockets in url rewrite
Signed-off-by: Jesse Haka
Co-authored-by: zirain
---
 internal/xds/translator/route.go | 10 ++++++++++
 ...http-route-rewrite-root-path-url-prefix.routes.yaml | 2 ++
 .../xds-ir/http-route-rewrite-url-fullpath.routes.yaml | 2 ++
 .../out/xds-ir/http-route-rewrite-url-host.routes.yaml | 2 ++
 .../xds-ir/http-route-rewrite-url-prefix.routes.yaml | 2 ++
 5 files changed, 18 insertions(+)
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
index 22654bc8c45f..6cb3e7259b7f 100644
--- a/internal/xds/translator/route.go
+++ b/internal/xds/translator/route.go
@@ -59,6 +59,16 @@ func buildXdsRoute(httpRoute *ir.HTTPRoute) (*routev3.Route, error) {
 routeAction.RequestMirrorPolicies = buildXdsRequestMirrorPolicies(httpRoute.Mirrors)
 }
+ if !httpRoute.IsHTTP2 {
+ // Allow websocket upgrades for HTTP 1.1
+ // Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism
+ routeAction.UpgradeConfigs = []*routev3.RouteAction_UpgradeConfig{
+ {
+ UpgradeType: "websocket",
+ },
+ }
+ }
+
 router.Action = &routev3.Route_Route{Route: routeAction}
 default:
 var routeAction *routev3.RouteAction
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
index 2bf01099ad2a..d5a0bd989940 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-root-path-url-prefix.routes.yaml
@@ -18,3 +18,5 @@
 pattern:
 regex: ^/origin/\/*
 substitution: /
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
index f1f30bbbffc5..f8b81712daed 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-fullpath.routes.yaml
@@ -14,3 +14,5 @@
 pattern:
 regex: /.+
 substitution: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
index 7de20ab03052..680a67404ee9 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
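Review bot: The websocket `UpgradeConfigs` literal is written inline in this `case` branch of `buildXdsRoute`, and the commit subject ("allow websockets in url rewrite") suggests the non-rewrite path, presumably the `default:` branch that begins at the end of the hunk, already builds the same configuration, so there are now two copies that can drift the moment a later change (another upgrade type, a per-route toggle) touches only one of them. Factoring the literal into a small helper called from both branches keeps the HTTP/1.1-only condition and the upgrade type in one place; the `default:` branch's body lies outside the hunk, so the same replacement would be applied there. `buildXdsRoute` starts and ends outside the hunk.

```go
	if !httpRoute.IsHTTP2 {
		// Allow websocket upgrades for HTTP 1.1
		// Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism
		routeAction.UpgradeConfigs = websocketUpgradeConfigs()
	}
	// … unchanged: router.Action assignment and the default branch …

// websocketUpgradeConfigs returns the single websocket upgrade config that
// HTTP/1.1 routes attach to their RouteAction; callers skip it for HTTP/2 routes.
func websocketUpgradeConfigs() []*routev3.RouteAction_UpgradeConfig {
	return []*routev3.RouteAction_UpgradeConfig{{UpgradeType: "websocket"}}
}
```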
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-host.routes.yaml
@@ -17,3 +17,5 @@
 cluster: rewrite-route-dest
 hostRewriteLiteral: 3.3.3.3
 prefixRewrite: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
index a5f47ebab544..84bc70f04bd2 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http-route-rewrite-url-prefix.routes.yaml
@@ -15,3 +15,5 @@
 route:
 cluster: rewrite-route-dest
 prefixRewrite: /rewrite
+ upgradeConfigs:
+ - upgradeType: websocket