API: api for setting OIDC token cookie domain (envoyproxy#4093)

* api for oidc token cookie domain Signed-off-by: Huabing Zhao <[email protected]> * minor wording Signed-off-by: Huabing Zhao <[email protected]> * add regex validation Signed-off-by: Huabing Zhao <[email protected]> --------- Signed-off-by: Huabing Zhao <[email protected]>
zhaohuabing · Aug 26, 2024 · 8ae9b09 · 8ae9b09
1 parent 8efec5e
commit 8ae9b09
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/api/v1alpha1/oidc_types.go b/api/v1alpha1/oidc_types.go
@@ -37,6 +37,15 @@ type OIDC struct {
 	// +optional
 	CookieNames *OIDCCookieNames `json:"cookieNames,omitempty"`
 
+	// The optional domain to set the access and ID token cookies on.
+	// If not set, the cookies will default to the host of the request, not including the subdomains.
+	// If set, the cookies will be set on the specified domain and all subdomains.
+	// This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+	// +optional
+	// +notImplementedHide
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
+	CookieDomain *string `json:"cookieDomain,omitempty"`
+
 	// The OIDC scopes to be used in the
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	// The "openid" scope is always added to the list of scopes if not already

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -2049,6 +2049,14 @@ spec:
                     required:
                     - name
                     type: object
+                  cookieDomain:
+                    description: |-
+                      The optional domain to set the access and ID token cookies on.
+                      If not set, the cookies will default to the host of the request, not including the subdomains.
+                      If set, the cookies will be set on the specified domain and all subdomains.
+                      This means that requests to any subdomain will not require reauthentication after users log in to the parent domain.
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+                    type: string
                   cookieNames:
                     description: |-
                       The optional cookie name overrides to be used for Bearer and IdToken cookies in the