Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. #4857

Merged
merged 22 commits into from
Jan 7, 2025
Merged

fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. #4857

merged 22 commits into from
Jan 7, 2025

Conversation

zhaohuabing
Copy link
Member

Fixes #4838

Release Notes: Yes

@zhaohuabing zhaohuabing requested a review from a team as a code owner December 6, 2024 14:11
@zhaohuabing zhaohuabing marked this pull request as draft December 6, 2024 14:11
@zhaohuabing
delete file
1e5bdcd 
Signed-off-by: Huabing Zhao <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 10, 2024
View reviewed changes
test/e2e/tests/oidc_testclient.go Dismissed Show dismissed Hide dismissed
@zhaohuabing
fix lint
e3c0ae9 
Signed-off-by: Huabing Zhao <[email protected]>
@codecov Codecov
Copy link

codecov bot commented Dec 10, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 40.00000% with 51 lines in your changes missing coverage. Please review.

Project coverage is 66.72%. Comparing base (2a5ecaf) to head (f4fbc4a).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
internal/ir/xds.go 0.00% 37 Missing ⚠️
internal/gatewayapi/securitypolicy.go 70.83% 10 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4857      +/-   ##
==========================================
- Coverage   66.77%   66.72%   -0.05%     
==========================================
  Files         209      209              
  Lines       32100    32162      +62     
==========================================
+ Hits        21434    21460      +26     
- Misses       9379     9416      +37     
+ Partials     1287     1286       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing marked this pull request as ready for review December 10, 2024 08:16
@zhaohuabing
update release note
a13a3c3 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing changed the title fix: use tls config from BTP to fetch oidc provider endpoints fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. Dec 10, 2024
@zhaohuabing
update release note
f82c92b 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as draft December 10, 2024 09:51
@zhaohuabing
fix test
756ea75 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix test
102c441 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix test
f20b102 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as ready for review December 10, 2024 11:22
@zhaohuabing
fix test
6aac528 
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing
fix test
bf40e40 
Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing
zhaohuabing commented Dec 10, 2024
View reviewed changes
test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
issuer: "http://keycloak.gateway-conformance-infra/realms/master"
authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth"
tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token"
issuer: "https://keycloak.gateway-conformance-infra/realms/master" # Test fetching auth endpoint from the issuer url
Copy link
Member Author

@zhaohuabing zhaohuabing Dec 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing tokenEndpoint and authorizationEndpoint so they will be fetched by the Gateway API translator. This is used to verify that EG uses the CA from BackendTLSPolicy when connecting to the OIDC provider's well-known endpoint.

zhaohuabing
zhaohuabing commented Dec 10, 2024
View reviewed changes
test/e2e/testdata/oidc-keycloak.yaml
image: busybox:stable
command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"]
image: curlimages/curl:latest
command: ["sh", "-c", "until curl -s -o /dev/null -w '%{http_code}' http://keycloak:80; do sleep 2; done"]
Copy link
Member Author

@zhaohuabing zhaohuabing Dec 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using curl instead of nc to verify that keycload is ready. This change fixed some flaky OIDC tests.

arkodg
arkodg reviewed Dec 10, 2024
View reviewed changes
test/e2e/tests/oidc-backendcluster.go
@@ -23,7 +23,7 @@ func init() {
var OIDCBackendClusterTest = suite.ConformanceTest{
ShortName: "OIDC with BackendCluster",
Description: "Test OIDC authentication",
Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"},
Manifests: []string{"testdata/oidc-keycloak.yaml"},
Copy link
Contributor

@arkodg arkodg Dec 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml being updated but not in use

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's used here:

Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
		t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) {
			testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml")

The creation of SecurityPolicy is now started after keycloak pod is ready, so EG can fetch the auth and token points from the keycloak's well-known endpoint.

@zhaohuabing zhaohuabing requested a review from arkodg December 11, 2024 00:49
arkodg
arkodg previously approved these changes Jan 6, 2025
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks

@arkodg arkodg requested review from a team January 6, 2025 22:03
zirain
zirain previously approved these changes Jan 7, 2025
View reviewed changes
@zhaohuabing zhaohuabing dismissed stale reviews from zirain and arkodg via f4fbc4a January 7, 2025 02:13
@zhaohuabing zhaohuabing requested a review from arkodg January 7, 2025 02:15
shawnh2
shawnh2 approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@shawnh2 shawnh2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@zirain zirain merged commit 3a39c35 into envoyproxy:main Jan 7, 2025
21 of 22 checks passed
@arkodg arkodg mentioned this pull request Jan 10, 2025
Open
@zhaohuabing zhaohuabing deleted the fix-oidc-issuer-tls branch January 13, 2025 01:28
zhaohuabing added a commit to zhaohuabing/gateway that referenced this pull request Jan 13, 2025
@zhaohuabing
fix: use tls config from BTP when connecting to the OIDC provider's w…
7c84916 
…ell-known endpoint. (envoyproxy#4857)

* add e2e test for OIDC provider with TLS

Signed-off-by: Huabing Zhao <[email protected]>

* delete file

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

* use TLS config from BTLPolicy to fetch auth endpoint

Signed-off-by: Huabing Zhao <[email protected]>

* refactor

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 3a39c35)
Signed-off-by: Huabing Zhao <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shawnh2 shawnh2 shawnh2 approved these changes

@arkodg arkodg arkodg approved these changes

@zirain zirain zirain approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Envoy Gateway OIDC: Error with Self-Signed Certificate
4 participants
@zhaohuabing @zirain @arkodg @shawnh2