From 3f38db6a3a56643aab63097a6c288ca0f3e6f954 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 17 May 2024 15:56:03 -0700 Subject: [PATCH 1/9] add more oidc configuration settings Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 30 +++++++++++++++++++ api/v1alpha1/zz_generated.deepcopy.go | 20 +++++++++++++ ...ateway.envoyproxy.io_securitypolicies.yaml | 28 +++++++++++++++++ site/content/en/latest/api/extension_types.md | 4 +++ 4 files changed, 82 insertions(+) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index ecce7957627..e9133dc49a5 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -6,6 +6,7 @@ package v1alpha1 import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gwapiv1b1 "sigs.k8s.io/gateway-api/apis/v1beta1" ) 
@@ -50,6 +51,35 @@ type OIDC struct {
 	// The path to log a user out, clearing their credential cookies.
 	// If not specified, uses a default logout path "/logout"
 	LogoutPath *string `json:"logoutPath,omitempty"`
+
+	// ForwardBearerToken indicates whether the Envoy should forward the access
+	// token as a bearer token in the "Authorization" header to the backend.
+	// If not specified, defaults to false.
+	// +optional
+	ForwardBearerToken *bool `json:"forwardBearerToken,omitempty"`
+
+	// The default lifetime of the ID token and access token.
+	// Please note that Envoy will always use the expiry time from the response
+	// of the authorization server if it is provided. This field is only used when
+	// the expiry time is not provided by the authorization.
+	// If not specified, defaults to 0. In this case, the expiry must be set by
+	// the authorization server or the OAuth flow will fail.
+	// +optional
+	DefaultTokenExpireTime *metav1.Duration `json:"defaultTokenExpireTime,omitempty"`
+
+	// RefreshToken indicates whether the Envoy should use the refresh token to
+	// get the id token and access token when they expire.
+	// If not specified, defaults to false.
+	// +optional
+	RefreshToken *bool `json:"refreshToken,omitempty"`
+
+	// The default lifetime of the refresh token.
+	// This field is only used when the exp (expiration time) claim is omitted in
+	// the refresh token or the refresh token is not JWT.
+	// If not specified, defaults to 604800s (one week).
+	// Note: this field is only used when RefreshToken is set to true.
+	// +optional
+	DefaultRefreshTokenExpireTime *metav1.Duration `json:"defaultRefreshTokenExpireTime,omitempty"`
 }
 
 // OIDCProvider defines the OIDC Provider configuration.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index fd607c16af7..142ee274de9 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
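Review bot: Neither `DefaultTokenExpireTime` nor `DefaultRefreshTokenExpireTime` carries any validation, and the generated schema for them in this patch's CRD hunk is a bare `type: string`, so a zero or negative duration is accepted by the API server and only fails, if at all, when the policy is translated. A `+kubebuilder:validation:XValidation` rule on both fields, or an explicit check in the translator, would reject such values at admission time with a clear message. The `ForwardBearerToken` comment should also say what the flag hands over: the upstream receives the user's access token, a bearer credential valid against the resource server, so something like `// Enable only when the upstream is trusted to hold the user's access token.` makes the trade-off visible to whoever sets it. The OIDC struct starts before this hunk.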
@@ -3156,6 +3156,26 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(string) **out = **in } + if in.ForwardBearerToken != nil { + in, out := &in.ForwardBearerToken, &out.ForwardBearerToken + *out = new(bool) + **out = **in + } + if in.DefaultTokenExpireTime != nil { + in, out := &in.DefaultTokenExpireTime, &out.DefaultTokenExpireTime + *out = new(v1.Duration) + **out = **in + } + if in.RefreshToken != nil { + in, out := &in.RefreshToken, &out.RefreshToken + *out = new(bool) + **out = **in + } + if in.DefaultRefreshTokenExpireTime != nil { + in, out := &in.DefaultRefreshTokenExpireTime, &out.DefaultRefreshTokenExpireTime + *out = new(v1.Duration) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDC. diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 919d272cf89..7e510b107a1 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -671,6 +671,28 @@ spec: required: - name type: object + defaultRefreshTokenExpireTime: + description: |- + The default lifetime of the refresh token. + This field is only used when the exp (expiration time) claim is omitted in + the refresh token or the refresh token is not JWT. + If not specified, defaults to 604800s (one week). + Note: this field is only used when RefreshToken is set to true. + type: string + defaultTokenExpireTime: + description: |- + The default lifetime of the ID token and access token. + Please note that Envoy will always use the expiry time from the response + of the authorization server if it is provided. This field is only used when + the expiry time is not provided by the authorization. + If not specified, defaults to 0. In this case, the expiry must be set by + the authorization server or the OAuth flow will fail. + type: string + forwardBearerToken: + description: |- + ForwardBearerToken indicates whether the Envoy should forward the access + token as a bearer token in the "Authorization" header to the backend. + type: boolean logoutPath: description: |- The path to log a user out, clearing their credential cookies. @@ -706,6 +728,12 @@ spec: [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" type: string + refreshToken: + description: |- + RefreshToken indicates whether the Envoy should use the refresh token to + get the id token and access token when they expire. + If not specified, defaults to false. + type: boolean resources: description: |- The OIDC resources to be used in the diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 6ac4fe6b123..5e60adc7d12 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md 
@@ -2264,6 +2264,10 @@ _Appears in:_ | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | | `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" | +| `forwardBearerToken` | _boolean_ | true | ForwardBearerToken indicates whether the Envoy should forward the access
token as a bearer token in the "Authorization" header to the backend. | +| `defaultTokenExpireTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | The default lifetime of the ID token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.
If not specified, defaults to 0. In this case, the expiry must be set by
the authorization server or the OAuth flow will fail. | +| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should use the refresh token to
get the id token and access token when they expire.
If not specified, defaults to false. | +| `defaultRefreshTokenExpireTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | The default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.
If not specified, defaults to 604800s (one week).
Note: this field is only used when RefreshToken is set to true. | #### OIDCProvider From 611ccacfa4ccbfef1f49bf2902c8d24972ab5e50 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 17 May 2024 16:05:48 -0700 Subject: [PATCH 2/9] add more comments Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 10 ++++++++-- .../gateway.envoyproxy.io_securitypolicies.yaml | 7 +++++-- site/content/en/latest/api/extension_types.md | 4 ---- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index e9133dc49a5..79a9aa9e1f8 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -56,6 +56,7 @@ type OIDC struct { // token as a bearer token in the "Authorization" header to the backend. // If not specified, defaults to false. // +optional + // +notImplementedHide ForwardBearerToken *bool `json:"forwardBearerToken,omitempty"` // The default lifetime of the ID token and access token. @@ -65,12 +66,16 @@ type OIDC struct { // If not specified, defaults to 0. In this case, the expiry must be set by // the authorization server or the OAuth flow will fail. // +optional + // +notImplementedHide DefaultTokenExpireTime *metav1.Duration `json:"defaultTokenExpireTime,omitempty"` - // RefreshToken indicates whether the Envoy should use the refresh token to - // get the id token and access token when they expire. + // RefreshToken indicates whether the Envoy should automatically refresh the + // id token and access token when they expire. + // When set to true, the Envoy will use the refresh token to get a new id token + // and access token when they expire. // If not specified, defaults to false. // +optional + // +notImplementedHide RefreshToken *bool `json:"refreshToken,omitempty"` // The default lifetime of the refresh token. 
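Review bot: The `+notImplementedHide` marker added to the four new fields removes them from the generated reference (this patch's extension_types.md hunk drops the rows) but not from the CRD schema, which in the chart hunk that follows still lists `forwardBearerToken` and `refreshToken`. A user can therefore set `refreshToken: true` today and get neither the behaviour nor an error, which is easy to mistake for a working refresh flow. Until the translation lands, the field comments should state it, e.g. `// Note: this field is not yet honoured by the implementation.`, or the translator should reject a policy that sets any of them. The OIDC struct these hunks belong to begins before and ends after them.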
@@ -79,6 +84,7 @@ type OIDC struct { // If not specified, defaults to 604800s (one week). // Note: this field is only used when RefreshToken is set to true. // +optional + // +notImplementedHide DefaultRefreshTokenExpireTime *metav1.Duration `json:"defaultRefreshTokenExpireTime,omitempty"` } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 7e510b107a1..3e7817ce6be 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -692,6 +692,7 @@ spec: description: |- ForwardBearerToken indicates whether the Envoy should forward the access token as a bearer token in the "Authorization" header to the backend. + If not specified, defaults to false. type: boolean logoutPath: description: |- @@ -730,8 +731,10 @@ spec: type: string refreshToken: description: |- - RefreshToken indicates whether the Envoy should use the refresh token to - get the id token and access token when they expire. + RefreshToken indicates whether the Envoy should automatically refresh the + id token and access token when they expire. + When set to true, the Envoy will use the refresh token to get a new id token + and access token when they expire. If not specified, defaults to false. type: boolean resources: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 5e60adc7d12..6ac4fe6b123 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2264,10 +2264,6 @@ _Appears in:_ | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | | `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" | -| `forwardBearerToken` | _boolean_ | true | ForwardBearerToken indicates whether the Envoy should forward the access
token as a bearer token in the "Authorization" header to the backend. | -| `defaultTokenExpireTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | true | The default lifetime of the ID token and access token.
Please note that Envoy will always use the expiry time from the response
of the authorization server if it is provided. This field is only used when
the expiry time is not provided by the authorization.
If not specified, defaults to 0. In this case, the expiry must be set by
the authorization server or the OAuth flow will fail. | -| `refreshToken` | _boolean_ | false | RefreshToken indicates whether the Envoy should use the refresh token to
get the id token and access token when they expire.
If not specified, defaults to false. | -| `defaultRefreshTokenExpireTime` | _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | false | The default lifetime of the refresh token.
This field is only used when the exp (expiration time) claim is omitted in
the refresh token or the refresh token is not JWT.
If not specified, defaults to 604800s (one week).
Note: this field is only used when RefreshToken is set to true. | #### OIDCProvider From c97cafd8a3eb6a58424c15deedef2ba88fb3d807 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Fri, 17 May 2024 16:14:01 -0700 Subject: [PATCH 3/9] add more comments Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 11 +++++++++-- .../gateway.envoyproxy.io_securitypolicies.yaml | 15 +++++++++++++-- site/content/en/latest/api/extension_types.md | 2 +- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 79a9aa9e1f8..851572fde4e 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -49,11 +49,13 @@ type OIDC struct { RedirectURL *string `json:"redirectURL,omitempty"` // The path to log a user out, clearing their credential cookies. + // // If not specified, uses a default logout path "/logout" LogoutPath *string `json:"logoutPath,omitempty"` // ForwardBearerToken indicates whether the Envoy should forward the access // token as a bearer token in the "Authorization" header to the backend. + // // If not specified, defaults to false. // +optional // +notImplementedHide @@ -63,8 +65,11 @@ type OIDC struct { // Please note that Envoy will always use the expiry time from the response // of the authorization server if it is provided. This field is only used when // the expiry time is not provided by the authorization. - // If not specified, defaults to 0. In this case, the expiry must be set by - // the authorization server or the OAuth flow will fail. + // + // If not specified, defaults to 0. In this case, the "expires_in" field in + // the authorization response must be set by the authorization server, or the + // OAuth flow will fail. + // // +optional // +notImplementedHide DefaultTokenExpireTime *metav1.Duration `json:"defaultTokenExpireTime,omitempty"` 
@@ -73,6 +78,7 @@ type OIDC struct { // id token and access token when they expire. // When set to true, the Envoy will use the refresh token to get a new id token // and access token when they expire. + // // If not specified, defaults to false. // +optional // +notImplementedHide @@ -81,6 +87,7 @@ type OIDC struct { // The default lifetime of the refresh token. // This field is only used when the exp (expiration time) claim is omitted in // the refresh token or the refresh token is not JWT. + // // If not specified, defaults to 604800s (one week). // Note: this field is only used when RefreshToken is set to true. // +optional diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 3e7817ce6be..0601305d9c9 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -676,6 +676,8 @@ spec: The default lifetime of the refresh token. This field is only used when the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT. + + If not specified, defaults to 604800s (one week). Note: this field is only used when RefreshToken is set to true. type: string 
@@ -685,18 +687,25 @@ spec: Please note that Envoy will always use the expiry time from the response of the authorization server if it is provided. This field is only used when the expiry time is not provided by the authorization. - If not specified, defaults to 0. In this case, the expiry must be set by - the authorization server or the OAuth flow will fail. + + + If not specified, defaults to 0. In this case, the "expires_in" field in + the authorization response must be set by the authorization server, or the + OAuth flow will fail. type: string forwardBearerToken: description: |- ForwardBearerToken indicates whether the Envoy should forward the access token as a bearer token in the "Authorization" header to the backend. + + If not specified, defaults to false. type: boolean logoutPath: description: |- The path to log a user out, clearing their credential cookies. + + If not specified, uses a default logout path "/logout" type: string provider: @@ -735,6 +744,8 @@ spec: id token and access token when they expire. When set to true, the Envoy will use the refresh token to get a new id token and access token when they expire. + + If not specified, defaults to false. type: boolean resources: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 6ac4fe6b123..687b7a48268 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -2263,7 +2263,7 @@ _Appears in:_ | `scopes` | _string array_ | false | The OIDC scopes to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
The "openid" scope is always added to the list of scopes if not already
specified. | | `resources` | _string array_ | false | The OIDC resources to be used in the
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). | | `redirectURL` | _string_ | true | The redirect URL to be used in the OIDC
[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" | -| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.
If not specified, uses a default logout path "/logout" | +| `logoutPath` | _string_ | true | The path to log a user out, clearing their credential cookies.

If not specified, uses a default logout path "/logout" | #### OIDCProvider From 51418bb82a15c08ae5ea1bf496be75ee9626930a Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Tue, 21 May 2024 15:57:45 -0700 Subject: [PATCH 4/9] address comments Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 851572fde4e..0c940c64e2f 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -53,13 +53,13 @@ type OIDC struct { // If not specified, uses a default logout path "/logout" LogoutPath *string `json:"logoutPath,omitempty"` - // ForwardBearerToken indicates whether the Envoy should forward the access - // token as a bearer token in the "Authorization" header to the backend. + // ForwardAccessTokenAsBearerToken indicates whether the Envoy should forward + // the access token as a bearer token in the "Authorization" header to the backend. // // If not specified, defaults to false. // +optional // +notImplementedHide - ForwardBearerToken *bool `json:"forwardBearerToken,omitempty"` + ForwardAccessTokenAsBearerToken *bool `json:"forwardAccessTokenAsBearerToken,omitempty"` // The default lifetime of the ID token and access token. // Please note that Envoy will always use the expiry time from the response From 56f58508ef41862cdcf08284e959388aa0a44a25 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Tue, 21 May 2024 16:05:34 -0700 Subject: [PATCH 5/9] minor wording Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 2 +- api/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 0c940c64e2f..18e710254bd 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go 
@@ -89,7 +89,7 @@ type OIDC struct { // the refresh token or the refresh token is not JWT. // // If not specified, defaults to 604800s (one week). - // Note: this field is only used when RefreshToken is set to true. + // Note: this field is only applicable when the "refreshToken" field is set to true. // +optional // +notImplementedHide DefaultRefreshTokenExpireTime *metav1.Duration `json:"defaultRefreshTokenExpireTime,omitempty"` diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 142ee274de9..1e8cb12fd41 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3156,8 +3156,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(string) **out = **in } - if in.ForwardBearerToken != nil { - in, out := &in.ForwardBearerToken, &out.ForwardBearerToken + if in.ForwardAccessTokenAsBearerToken != nil { + in, out := &in.ForwardAccessTokenAsBearerToken, &out.ForwardAccessTokenAsBearerToken *out = new(bool) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 0601305d9c9..4e19cf183cc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -679,7 +679,7 @@ spec: If not specified, defaults to 604800s (one week). - Note: this field is only used when RefreshToken is set to true. + Note: this field is only applicable when the "refreshToken" field is set to true. type: string defaultTokenExpireTime: description: |- 
@@ -693,10 +693,10 @@ spec: the authorization response must be set by the authorization server, or the OAuth flow will fail. type: string - forwardBearerToken: + forwardAccessTokenAsBearerToken: description: |- - ForwardBearerToken indicates whether the Envoy should forward the access - token as a bearer token in the "Authorization" header to the backend. + ForwardAccessTokenAsBearerToken indicates whether the Envoy should forward + the access token as a bearer token in the "Authorization" header to the backend. If not specified, defaults to false. From 553ce147699d80e896d344fd443734782054e6ee Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 23 May 2024 17:05:12 -0700 Subject: [PATCH 6/9] change naming Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 7 +++---- api/v1alpha1/zz_generated.deepcopy.go | 4 ++-- .../gateway.envoyproxy.io_securitypolicies.yaml | 14 ++++++-------- 3 files changed, 11 insertions(+), 14 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 18e710254bd..f2481cb382f 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -53,13 +53,12 @@ type OIDC struct { // If not specified, uses a default logout path "/logout" LogoutPath *string `json:"logoutPath,omitempty"` - // ForwardAccessTokenAsBearerToken indicates whether the Envoy should forward - // the access token as a bearer token in the "Authorization" header to the backend. - // + // ForwardAccessToken indicates whether the Envoy should forward the access token + // via the Authorization header Bearer scheme to the upstream. // If not specified, defaults to false. // +optional // +notImplementedHide - ForwardAccessTokenAsBearerToken *bool `json:"forwardAccessTokenAsBearerToken,omitempty"` + ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"` // The default lifetime of the ID token and access token. // Please note that Envoy will always use the expiry time from the response 
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 1e8cb12fd41..40f3c944f43 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3156,8 +3156,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(string) **out = **in } - if in.ForwardAccessTokenAsBearerToken != nil { - in, out := &in.ForwardAccessTokenAsBearerToken, &out.ForwardAccessTokenAsBearerToken + if in.ForwardAccessToken != nil { + in, out := &in.ForwardAccessToken, &out.ForwardAccessToken *out = new(bool) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 4e19cf183cc..e2b05cd09fc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -616,6 +616,12 @@ spec: description: OIDC defines the configuration for the OpenID Connect (OIDC) authentication. properties: + ForwardAccessToken: + description: |- + ForwardAccessToken indicates whether the Envoy should forward the access token + via the Authorization header Bearer scheme to the upstream. + If not specified, defaults to false. + type: boolean clientID: description: |- The client ID to be used in the OIDC @@ -693,14 +699,6 @@ spec: the authorization response must be set by the authorization server, or the OAuth flow will fail. type: string - forwardAccessTokenAsBearerToken: - description: |- - ForwardAccessTokenAsBearerToken indicates whether the Envoy should forward - the access token as a bearer token in the "Authorization" header to the backend. - - - If not specified, defaults to false. - type: boolean logoutPath: description: |- The path to log a user out, clearing their credential cookies. From 2e295643d6fb9a147a2fc7e62f184763a9e6255e Mon Sep 17 00:00:00 2001 
From: huabing zhao Date: Thu, 23 May 2024 17:59:29 -0700 Subject: [PATCH 7/9] change naming Signed-off-by: huabing zhao --- api/v1alpha1/oidc_types.go | 8 ++++---- api/v1alpha1/zz_generated.deepcopy.go | 8 ++++---- .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index f2481cb382f..dbf11fcdc7c 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -60,7 +60,7 @@ type OIDC struct { // +notImplementedHide ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"` - // The default lifetime of the ID token and access token. + // DefaultTokenExpireIn is the default lifetime of the id token and access token. // Please note that Envoy will always use the expiry time from the response // of the authorization server if it is provided. This field is only used when // the expiry time is not provided by the authorization. @@ -71,7 +71,7 @@ type OIDC struct { // // +optional // +notImplementedHide - DefaultTokenExpireTime *metav1.Duration `json:"defaultTokenExpireTime,omitempty"` + DefaultTokenExpireIn *metav1.Duration `json:"defaultTokenExpireIn,omitempty"` // RefreshToken indicates whether the Envoy should automatically refresh the // id token and access token when they expire. @@ -83,7 +83,7 @@ type OIDC struct { // +notImplementedHide RefreshToken *bool `json:"refreshToken,omitempty"` - // The default lifetime of the refresh token. + // DefaultRefreshTokenExpireIn is the default lifetime of the refresh token. // This field is only used when the exp (expiration time) claim is omitted in // the refresh token or the refresh token is not JWT. // 
@@ -91,7 +91,7 @@ type OIDC struct { // Note: this field is only applicable when the "refreshToken" field is set to true. // +optional // +notImplementedHide - DefaultRefreshTokenExpireTime *metav1.Duration `json:"defaultRefreshTokenExpireTime,omitempty"` + DefaultRefreshTokenExpireIn *metav1.Duration `json:"defaultRefreshTokenExpireIn,omitempty"` } // OIDCProvider defines the OIDC Provider configuration. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 40f3c944f43..4a9274039ad 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3161,8 +3161,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(bool) **out = **in } - if in.DefaultTokenExpireTime != nil { - in, out := &in.DefaultTokenExpireTime, &out.DefaultTokenExpireTime + if in.DefaultTokenExpireIn != nil { + in, out := &in.DefaultTokenExpireIn, &out.DefaultTokenExpireIn *out = new(v1.Duration) **out = **in } @@ -3171,8 +3171,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(bool) **out = **in } - if in.DefaultRefreshTokenExpireTime != nil { - in, out := &in.DefaultRefreshTokenExpireTime, &out.DefaultRefreshTokenExpireTime + if in.DefaultRefreshTokenExpireIn != nil { + in, out := &in.DefaultRefreshTokenExpireIn, &out.DefaultRefreshTokenExpireIn *out = new(v1.Duration) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index e2b05cd09fc..93bb957ed92 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -677,9 +677,9 @@ spec: required: - name type: object - defaultRefreshTokenExpireTime: + defaultRefreshTokenExpireIn: description: |- - The default lifetime of the refresh token. + DefaultRefreshTokenExpireIn is the default lifetime of the refresh token. This field is only used when the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT. @@ -687,9 +687,9 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. type: string - defaultTokenExpireTime: + defaultTokenExpireIn: description: |- - The default lifetime of the ID token and access token. + DefaultTokenExpireIn is the default lifetime of the id token and access token. Please note that Envoy will always use the expiry time from the response of the authorization server if it is provided. This field is only used when the expiry time is not provided by the authorization. From b35139cfb61d7faa8944421db7944f0defad065b Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Thu, 23 May 2024 18:10:01 -0700 Subject: [PATCH 8/9] fix gen check Signed-off-by: huabing zhao --- .../testdata/envoyproxy-tls-settings-invalid-ns.out.yaml | 2 +- .../testdata/envoyproxy-tls-settings-invalid.out.yaml | 2 +- site/content/en/latest/api/extension_types.md | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml index 511baffda31..f064b31719c 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid-ns.out.yaml 
@@ -22,7 +22,7 @@ backendTLSPolicies: - lastTransitionTime: null message: 'Client authentication TLS secret is not located in the same namespace as Envoyproxy. Secret namespace: envoy-gateway-user-ns does not match Envoyproxy - namespace: envoy-gateway-system' + namespace: envoy-gateway-system.' reason: Invalid status: "False" type: Accepted diff --git a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml index 91fc165ec18..170436cb784 100644 --- a/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml +++ b/internal/gatewayapi/testdata/envoyproxy-tls-settings-invalid.out.yaml @@ -21,7 +21,7 @@ backendTLSPolicies: conditions: - lastTransitionTime: null message: 'Failed to locate TLS secret for client auth: client-auth-not-found - in namespace: envoy-gateway-system' + in namespace: envoy-gateway-system.' reason: Invalid status: "False" type: Accepted diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 58874145f3b..39bad608c24 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1065,8 +1065,8 @@ _Appears in:_ | `host` | _string_ | true | Host define the sink service hostname. | | `protocol` | _string_ | true | Protocol define the sink service protocol. | | `port` | _integer_ | false | Port defines the port the sink service is exposed on. | -| `exportInterval` | _[Duration](#duration)_ | true | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | -| `exportTimeout` | _[Duration](#duration)_ | true | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | +| `exportInterval` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportInterval configures the intervening time between exports for a
Sink. This option overrides any value set for the
OTEL_METRIC_EXPORT_INTERVAL environment variable.
If ExportInterval is less than or equal to zero, 60 seconds
is used as the default. | +| `exportTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | true | ExportTimeout configures the time a Sink waits for an export to
complete before canceling it. This option overrides any value set for the
OTEL_METRIC_EXPORT_TIMEOUT environment variable.
If ExportTimeout is less than or equal to zero, 30 seconds
is used as the default. | #### EnvoyGatewayPrometheusProvider From d47af020991f193e4b1872f56edfb63420c582c7 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Thu, 30 May 2024 11:24:31 -0700 Subject: [PATCH 9/9] change naming Signed-off-by: Huabing Zhao --- api/v1alpha1/oidc_types.go | 8 ++++---- api/v1alpha1/zz_generated.deepcopy.go | 8 ++++---- .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go index 632a2f74602..9aa03837157 100644 --- a/api/v1alpha1/oidc_types.go +++ b/api/v1alpha1/oidc_types.go @@ -66,7 +66,7 @@ type OIDC struct { // +notImplementedHide ForwardAccessToken *bool `json:"ForwardAccessToken,omitempty"` - // DefaultTokenExpireIn is the default lifetime of the id token and access token. + // DefaultTokenTTL is the default lifetime of the id token and access token. // Please note that Envoy will always use the expiry time from the response // of the authorization server if it is provided. This field is only used when // the expiry time is not provided by the authorization. @@ -77,7 +77,7 @@ type OIDC struct { // // +optional // +notImplementedHide - DefaultTokenExpireIn *metav1.Duration `json:"defaultTokenExpireIn,omitempty"` + DefaultTokenTTL *metav1.Duration `json:"defaultTokenTTL,omitempty"` // RefreshToken indicates whether the Envoy should automatically refresh the // id token and access token when they expire. @@ -89,7 +89,7 @@ type OIDC struct { // +notImplementedHide RefreshToken *bool `json:"refreshToken,omitempty"` - // DefaultRefreshTokenExpireIn is the default lifetime of the refresh token. + // DefaultRefreshTokenTTL is the default lifetime of the refresh token. // This field is only used when the exp (expiration time) claim is omitted in // the refresh token or the refresh token is not JWT. // 
@@ -97,7 +97,7 @@ type OIDC struct { // Note: this field is only applicable when the "refreshToken" field is set to true. // +optional // +notImplementedHide - DefaultRefreshTokenExpireIn *metav1.Duration `json:"defaultRefreshTokenExpireIn,omitempty"` + DefaultRefreshTokenTTL *metav1.Duration `json:"defaultRefreshTokenTTL,omitempty"` } // OIDCProvider defines the OIDC Provider configuration. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 27e880c08a5..31a5f378cb3 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3260,8 +3260,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(bool) **out = **in } - if in.DefaultTokenExpireIn != nil { - in, out := &in.DefaultTokenExpireIn, &out.DefaultTokenExpireIn + if in.DefaultTokenTTL != nil { + in, out := &in.DefaultTokenTTL, &out.DefaultTokenTTL *out = new(v1.Duration) **out = **in } @@ -3270,8 +3270,8 @@ func (in *OIDC) DeepCopyInto(out *OIDC) { *out = new(bool) **out = **in } - if in.DefaultRefreshTokenExpireIn != nil { - in, out := &in.DefaultRefreshTokenExpireIn, &out.DefaultRefreshTokenExpireIn + if in.DefaultRefreshTokenTTL != nil { + in, out := &in.DefaultRefreshTokenTTL, &out.DefaultRefreshTokenTTL *out = new(v1.Duration) **out = **in } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 9eda140bc51..145b84b3e18 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml 
@@ -891,9 +891,9 @@ spec: If not specified, defaults to "IdToken-(randomly generated uid)" type: string type: object - defaultRefreshTokenExpireIn: + defaultRefreshTokenTTL: description: |- - DefaultRefreshTokenExpireIn is the default lifetime of the refresh token. + DefaultRefreshTokenTTL is the default lifetime of the refresh token. This field is only used when the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT. @@ -901,9 +901,9 @@ spec: If not specified, defaults to 604800s (one week). Note: this field is only applicable when the "refreshToken" field is set to true. type: string - defaultTokenExpireIn: + defaultTokenTTL: description: |- - DefaultTokenExpireIn is the default lifetime of the id token and access token. + DefaultTokenTTL is the default lifetime of the id token and access token. Please note that Envoy will always use the expiry time from the response of the authorization server if it is provided. This field is only used when the expiry time is not provided by the authorization.