[pull] main from envoyproxy:main #38

Merged: 72 commits, Jan 13, 2024

Commits (72):
e603502
chore: Update k8s.io (#2324)
zirain Dec 19, 2023
b9e75af
revert docs-preview action (#2321)
zirain Dec 19, 2023
769849e
fix: add route descriptor prefix for ratelimit xds translator (#2234)
shawnh2 Dec 19, 2023
64d7152
API: Support Circuit Breakers in BackendTrafficPolicy (#2284)
guydc Dec 19, 2023
d13c329
Update artifact deps (#2323)
zirain Dec 20, 2023
da40ccb
Downstream QUIC/HTTP3 Support (#2111)
tanujd11 Dec 20, 2023
9541739
Run CI on k8s v1.29.0 (#2332)
arkodg Dec 21, 2023
0a936c0
chore: add issue comment action (#2285)
zirain Dec 21, 2023
c2f88f0
API: Support FaultInjection in BackendTrafficPolicy (#2304)
Dec 21, 2023
844157a
fix(ci): whitenoise lint failed when pull request (#1904)
zaunist Dec 21, 2023
d7d411c
fix v0.6.0 release schedule info (#2331)
arkodg Dec 21, 2023
056357f
ci: update cherry-pick v0.6.0 (#2334)
Xunzhuo Dec 21, 2023
da0d0dc
feat: local rate limit (#2258)
zhaohuabing Dec 21, 2023
a4f0396
feat: support mergeGateways in EnvoyPatchPolicy (#2320)
cnvergence Dec 21, 2023
b6f4306
feat(translator): Implement BTP CircuitBreaker API (#2330)
guydc Dec 21, 2023
c4311ff
fix: allow envoyHpa maxReplicas to be equal to minReplicas (#2329)
shahar-h Dec 22, 2023
5d691f2
fix cors doc (#2341)
zhaohuabing Dec 22, 2023
c692458
chore: relax https for jwks (#2328)
zhaohuabing Dec 23, 2023
a06377d
feat: add ImagePullSecrets to PodSpec (#2337)
shahar-h Dec 23, 2023
a99d239
build(deps): bump github.com/go-logr/logr from 1.3.0 to 1.4.1 (#2351)
dependabot[bot] Dec 25, 2023
f996c78
build(deps): bump google.golang.org/grpc from 1.60.0 to 1.60.1 (#2352)
dependabot[bot] Dec 25, 2023
278b7fc
build(deps): bump envoyproxy/toolshed from actions-v0.2.17 to 0.2.20 …
dependabot[bot] Dec 25, 2023
5ef3430
build(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#…
dependabot[bot] Dec 25, 2023
7b72266
build(deps): bump actions/deploy-pages from 3.0.1 to 4.0.2 (#2355)
dependabot[bot] Dec 25, 2023
586d73a
build(deps): bump actions/upload-pages-artifact from 2.0.0 to 3.0.0 (…
dependabot[bot] Dec 25, 2023
130b4d7
ci: fix retest command (#2349)
zirain Dec 26, 2023
243c42c
ci: update retest command app-owner (#2363)
zirain Dec 26, 2023
bda0055
api: Support suppressing the 'x-envoy-' headers added by the HTTP rou…
liorokman Dec 26, 2023
80ebd53
local rate limit user doc (#2360)
zhaohuabing Dec 26, 2023
3e220ef
api: Add TLS configuration attributes in ClientTrafficPolicy (#2287)
liorokman Dec 27, 2023
1a77c4f
feat: Suppress envoy headers (#2364)
liorokman Dec 27, 2023
5dc881d
build(deps): bump github.com/norwoodj/helm-docs from 1.11.3 to 1.12.0…
dependabot[bot] Dec 27, 2023
5833fe4
validate regex before sending to Envoy (#2344)
zhaohuabing Dec 27, 2023
690e469
refactor: update watch ns api & add tests (#2367)
qicz Dec 27, 2023
787f48e
feat(helm): support pulling envoyGateway image from a private registr…
shahar-h Dec 27, 2023
6a686fe
feat(helm): support affinity configuration for EnvoyGateway pod (#2359)
shahar-h Dec 28, 2023
ae350be
feat: add NodeSelector to PodSpec (#2361)
shahar-h Dec 28, 2023
38a3399
fix: perfix match (#2369)
zhaohuabing Dec 28, 2023
987ce64
fix(helm): fix incorrect imagePullSecrets indentation (#2371)
shahar-h Dec 29, 2023
a723843
feat: add TopologySpreadConstraints to PodSpec (#2362)
shahar-h Dec 29, 2023
9be3a97
chore: Enable OpenSSF Scorecard (#2379)
mmorel-35 Dec 29, 2023
167fcf1
build(deps): bump github.com/prometheus/client_golang from 1.17.0 to …
dependabot[bot] Jan 2, 2024
6268983
build(deps): bump actions/upload-artifact from 3.1.0 to 4.0.0 (#2385)
dependabot[bot] Jan 2, 2024
b935d77
use go standard errors (#2382)
mmorel-35 Jan 2, 2024
b285e77
bugfix: support eds cache (#2388)
Jan 2, 2024
90f1905
Setup Codeql workflow (#2381)
mmorel-35 Jan 3, 2024
8c2112f
build(deps): bump actions/setup-go from 3.5.0 to 5.0.0 in /tools/gith…
dependabot[bot] Jan 3, 2024
49e7aec
move "/" to route prefix (#2394)
zhaohuabing Jan 3, 2024
8236683
docs:circuit breaker (#2396)
guydc Jan 4, 2024
e21df24
feat(translator): Implement fault injection API (#2365)
Jan 4, 2024
0f430a9
use wildcard to match alloworigins (#2389)
zhaohuabing Jan 4, 2024
9bbf170
update go-control-plane (#2393)
zirain Jan 4, 2024
8a52bbf
fix: Incorrect conversion between integer types (#2397)
arkodg Jan 4, 2024
d748ccb
chore: Add top level permissions for GHA workflows (#2398)
arkodg Jan 4, 2024
789017d
chore: pin Docker images versions (#2403)
mmorel-35 Jan 4, 2024
8760e31
bug: use contents:write permission for release actions (#2404)
arkodg Jan 5, 2024
4daa348
fix: implement comparable interface for ir.Infra to avoid multiple re…
cnvergence Jan 5, 2024
caf2ddb
rollback retest action (#2400)
zirain Jan 5, 2024
3812cb5
feat(tools): Add a tool to generate release notes docs from yaml file…
lemonlinger Jan 5, 2024
9eb3555
api: Add disableMergeSlash and escapedSlashesAction to ClientTrafficP…
liorokman Jan 6, 2024
fb67037
feat: support Health Check in BackendTrafficPolicy (#2244)
lemonlinger Jan 6, 2024
eb26959
fix: support EndpointSlice with empty conditions `{}` (#2408)
eternalphane Jan 6, 2024
859a76b
ossf: fix token permissions (#2410)
mmorel-35 Jan 6, 2024
af0d693
docs: fault injection (#2406)
tmsnan Jan 6, 2024
d57b3fd
chore: address github action lint comments (#2414)
shawnh2 Jan 7, 2024
fa2cacf
Add huabing to maintainers list (#2420)
arkodg Jan 9, 2024
17c57fc
feat: Implement setting common TLS parameters in ClientTrafficPolicy …
liorokman Jan 9, 2024
316a0a2
fix: Add a CEL validation unit test to verify that no ciphers can be …
liorokman Jan 9, 2024
e1f745f
feat: Implement disableMergeSlashes and escapedSlashesAction (#2413)
liorokman Jan 10, 2024
c9d5e33
docs: fix TLSSettings format (#2428)
ardikabs Jan 10, 2024
1e57665
Feat: Support configuring externalTrafficPolicy on the envoy service …
timricese Jan 12, 2024
896d6a6
add redirectURL and signoutPath to OIDC (#2409)
zhaohuabing Jan 12, 2024
add redirectURL and signoutPath to OIDC (envoyproxy#2409)
* add redirectURL and signoutPath to OIDC

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* address comments

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* change signoutpath to logoutpath

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* fix check

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

* modify oidc docs

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

---------

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Co-authored-by: zirain <zirain2009@gmail.com>
zhaohuabing and zirain authored Jan 12, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
commit 896d6a690a3659ddf17e8fc5ca56093a28369dcf
20 changes: 9 additions & 11 deletions api/v1alpha1/oidc_types.go
@@ -36,20 +36,18 @@ type OIDC struct {
// specified.
// +optional
Scopes []string `json:"scopes,omitempty"`

// The redirect URL to be used in the OIDC
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
// If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
RedirectURL *string `json:"redirectURL,omitempty"`

// The path to log a user out, clearing their credential cookies.
// If not specified, uses a default logout path "/logout"
LogoutPath *string `json:"logoutPath,omitempty"`
}

// OIDCProvider defines the OIDC Provider configuration.
// To make the EG OIDC config easy to use, some of the low-level ouath2 filter
// configuration knobs are hidden from the user, and default values will be provided
// when translating to XDS. For example:
//
// * redirect_uri: uses a default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
//
// * signout_path: uses a default signout path "/signout"
//
// * redirect_path_matcher: uses a default redirect path matcher "/oauth2/callback"
//
// If we get requests to expose these knobs, we can always do so later.
type OIDCProvider struct {
// The OIDC Provider's [issuer identifier](https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery).
// Issuer MUST be a URI RFC 3986 [RFC3986] with a scheme component that MUST
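Review bot: the two new fields are pointers with documented defaults but carry no `// +optional` marker, unlike `Scopes` directly above them; add `// +optional` above `RedirectURL` and `LogoutPath` so the generated CRD and API reference treat them as optional. The `RedirectURL` comment should also state what the translator enforces in this same change: the scheme must be `http`, `https` or `%REQ(x-forwarded-proto)%`, and the URL must carry a path other than `/`, because that path becomes the callback path matcher (the removed `OIDCProvider` comment was the only place saying `redirect_path_matcher` is derived rather than exposed, so that sentence should move here). It is also worth reminding users that the value must match the redirect URI registered with the provider, since a mismatch is rejected at the provider rather than by the gateway.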
10 changes: 10 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

@@ -300,6 +300,10 @@ spec:
required:
- name
type: object
logoutPath:
description: The path to log a user out, clearing their credential
cookies. If not specified, uses a default logout path "/logout"
type: string
provider:
description: The OIDC Provider configuration.
properties:
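Review bot: `logoutPath` is a bare `type: string` with no format constraint, and nothing in this change validates the value before it is handed to the translator; since it is used as a request path matcher, add a `pattern` requiring a leading `/` (or a CEL rule on the Go type, which would regenerate here) so a value such as `logout` or a full URL is rejected at admission time, and say in the description that the value is matched as a path, not a URL.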
@@ -323,6 +327,11 @@ spec:
required:
- issuer
type: object
redirectURL:
description: The redirect URL to be used in the OIDC [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
type: string
scopes:
description: The OIDC scopes to be used in the [Authentication
Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
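Review bot: the `redirectURL` description states only the default, but `extractRedirectPath` in this same change rejects a URL whose scheme is not `http`, `https` or `%REQ(x-forwarded-proto)%`, or whose path is missing or just `/`, because the path is used as the callback path matcher; state those constraints here so the error surfaces in the API documentation rather than only at translation time. It would also help to say explicitly that the header-value syntax of the default is accepted, since the example default is the only hint of that.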
47 changes: 46 additions & 1 deletion internal/gatewayapi/securitypolicy.go
@@ -29,6 +29,12 @@ import (
"github.com/envoyproxy/gateway/internal/status"
)

const (
defaultRedirectURL = "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
defaultRedirectPath = "/oauth2/callback"
defaultLogoutPath = "/logout"
)

func (t *Translator) ProcessSecurityPolicies(securityPolicies []*egv1a1.SecurityPolicy,
gateways []*GatewayContext,
routes []RouteContext,
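Review bot: `defaultRedirectURL` builds the callback from `%REQ(x-forwarded-proto)%` and `%REQ(:authority)%`, both substituted from the incoming request, so the scheme of the default callback is only as trustworthy as the listener's handling of `x-forwarded-proto`; that was already true of the previous hard-coded default, but now that the constant sits beside a user-settable `redirectURL` a short comment is warranted noting that deployments where nothing upstream sets or overwrites `x-forwarded-proto` should pin an explicit `https://` `redirectURL` instead of relying on the default.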
@@ -447,19 +453,58 @@ func (t *Translator) buildOIDC(
return nil, err
}

if err := validateTokenEndpoint(provider.TokenEndpoint); err != nil {
if err = validateTokenEndpoint(provider.TokenEndpoint); err != nil {
return nil, err
}
scopes := appendOpenidScopeIfNotExist(oidc.Scopes)

var (
redirectURL = defaultRedirectURL
redirectPath = defaultRedirectPath
logoutPath = defaultLogoutPath
)

if oidc.RedirectURL != nil {
path, err := extractRedirectPath(*oidc.RedirectURL)
if err != nil {
return nil, err
}
redirectURL = *oidc.RedirectURL
redirectPath = path
logoutPath = *oidc.LogoutPath
}

return &ir.OIDC{
Provider: *provider,
ClientID: oidc.ClientID,
ClientSecret: clientSecretBytes,
Scopes: scopes,
RedirectURL: redirectURL,
RedirectPath: redirectPath,
LogoutPath: logoutPath,
}, nil
}

func extractRedirectPath(redirectURL string) (string, error) {
schemeDelimiter := strings.Index(redirectURL, "://")
if schemeDelimiter <= 0 {
return "", fmt.Errorf("invalid redirect URL %s", redirectURL)
}
scheme := redirectURL[:schemeDelimiter]
if scheme != "http" && scheme != "https" && scheme != "%REQ(x-forwarded-proto)%" {
return "", fmt.Errorf("invalid redirect URL %s", redirectURL)
}
hostDelimiter := strings.Index(redirectURL[schemeDelimiter+3:], "/")
if hostDelimiter <= 0 {
return "", fmt.Errorf("invalid redirect URL %s", redirectURL)
}
path := redirectURL[schemeDelimiter+3+hostDelimiter:]
if path == "/" {
return "", fmt.Errorf("invalid redirect URL %s", redirectURL)
}
return path, nil
}

// appendOpenidScopeIfNotExist appends the openid scope to the provided scopes
// if it is not already present.
// `openid` is a required scope for OIDC.
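Review bot: `logoutPath = *oidc.LogoutPath` at the end of the `if oidc.RedirectURL != nil` block dereferences `LogoutPath` without a nil check, so a policy that sets `redirectURL` but omits the optional `logoutPath` panics the translator, and a policy that sets only `logoutPath` has it silently ignored because that assignment never runs. Give it its own guard outside the `redirectURL` block: `if oidc.LogoutPath != nil { logoutPath = *oidc.LogoutPath }`. Two smaller points in the same hunk: `path, err := extractRedirectPath(...)` shadows the function's existing `err` (it is assigned with `=` a few lines earlier), which `go vet -shadow` style linters flag, so use `=` with a predeclared `path`; and `extractRedirectPath` returns everything after the host, so a `redirectURL` such as `https://www.example.com/oauth2/callback?x=1` produces a `RedirectPath` containing the query string, which can never match an incoming request path. Either cut the result at the first `?` or `#`, or reject such URLs with the same `invalid redirect URL` error.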
58 changes: 58 additions & 0 deletions internal/gatewayapi/securitypolicy_test.go
@@ -74,3 +74,61 @@ func Test_wildcard2regex(t *testing.T) {
})
}
}

func Test_extractRedirectPath(t *testing.T) {
tests := []struct {
name string
redirectURL string
want string
wantErr bool
}{
{
name: "header value syntax",
redirectURL: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/petstore/oauth2/callback",
want: "/petstore/oauth2/callback",
wantErr: false,
},
{
name: "without header value syntax",
redirectURL: "https://www.example.com/petstore/oauth2/callback",
want: "/petstore/oauth2/callback",
wantErr: false,
},
{
name: "with port",
redirectURL: "https://www.example.com:9080/petstore/oauth2/callback",
want: "/petstore/oauth2/callback",
wantErr: false,
},
{
name: "without path",
redirectURL: "https://www.example.com/",
want: "",
wantErr: true,
},
{
name: "without path",
redirectURL: "https://www.example.com",
want: "",
wantErr: true,
},
{
name: "without scheme",
redirectURL: "://www.example.com",
want: "",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := extractRedirectPath(tt.redirectURL)
if (err != nil) != tt.wantErr {
t.Errorf("extractRedirectPath() error = %v, wantErr %v", err, tt.wantErr)
return
}
if err == nil {
assert.Equalf(t, tt.want, got, "extractRedirectPath(%v)", tt.redirectURL)
}
})
}
}
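Review bot: two subtests share the name `without path` (`https://www.example.com/` and `https://www.example.com`), which makes `-run` selection and failure output ambiguous; rename the second, for example `without path or trailing slash`. The table also has no case for a redirect URL carrying a query string or fragment, and nothing in this change exercises `buildOIDC` with `redirectURL` set and `logoutPath` unset, which is the combination that dereferences a nil `LogoutPath` in the translator hunk; a table entry or a translator test for that combination would have caught it.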
42 changes: 6 additions & 36 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -43,7 +43,7 @@ httpRoutes:
name: httproute-1
spec:
hostnames:
- gateway.envoyproxy.io
- www.example.com
parentRefs:
- namespace: envoy-gateway
name: gateway-1
@@ -62,7 +62,7 @@ httpRoutes:
name: httproute-2
spec:
hostnames:
- gateway.envoyproxy.io
- www.example.com
parentRefs:
- namespace: envoy-gateway
name: gateway-1
@@ -74,21 +74,6 @@ httpRoutes:
backendRefs:
- name: service-1
port: 8080
grpcRoutes:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GRPCRoute
metadata:
namespace: default
name: grpcroute-1
spec:
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- backendRefs:
- name: service-1
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
@@ -107,6 +92,8 @@ securityPolicies:
clientID: "client1.apps.googleusercontent.com"
clientSecret:
name: "client1-secret"
redirectURL: "https://www.example.com/bar/oauth2/callback"
logoutPath: "/bar/logout"
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
@@ -127,22 +114,5 @@ securityPolicies:
clientSecret:
name: "client2-secret"
scopes: ["openid", "email", "profile"]
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-cross-namespace-secretRef # This policy should attach grpcroute-1
spec:
targetRef:
group: gateway.networking.k8s.io
kind: GRPCRoute
name: grpcroute-1
oidc:
provider:
issuer: "https://oauth.bar.com"
authorizationEndpoint: "https://oauth.bar.com/oauth2/v2/auth"
tokenEndpoint: "https://oauth.bar.com/token"
clientID: "client3.bar.foo.com"
clientSecret:
namespace: default
name: "client3-secret"
redirectURL: "https://www.example.com/foo/oauth2/callback"
logoutPath: "/foo/logout"
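Review bot: after this hunk both remaining policies set `redirectURL` and `logoutPath`, and the policy attached to `grpcroute-1` (the only one using a cross-namespace `clientSecret` reference) is removed together with the GRPCRoute in the earlier hunk, so the fixture no longer covers the defaults (`/oauth2/callback` and `/logout`), the `redirectURL`-without-`logoutPath` combination, or the cross-namespace secretRef. Keep one policy with neither field and one with only `redirectURL`, and confirm the cross-namespace secret case is exercised by another fixture before dropping it here.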