-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. #4857
base: main
Are you sure you want to change the base?
Conversation
ef1e9fe
to
d9dc4eb
Compare
Signed-off-by: Huabing Zhao <[email protected]>
d9dc4eb
to
a5092a4
Compare
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4857 +/- ##
==========================================
- Coverage 66.29% 66.22% -0.08%
==========================================
Files 209 209
Lines 32035 32097 +62
==========================================
+ Hits 21239 21255 +16
- Misses 9536 9580 +44
- Partials 1260 1262 +2 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
2195b65
to
26ee93a
Compare
Signed-off-by: Huabing Zhao <[email protected]>
b62874d
to
45aca68
Compare
Signed-off-by: Huabing Zhao <[email protected]>
45aca68
to
f82c92b
Compare
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
issuer: "http://keycloak.gateway-conformance-infra/realms/master" | ||
authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" | ||
tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" | ||
issuer: "https://keycloak.gateway-conformance-infra/realms/master" # Test fetching auth endpoint from the issuer url |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing tokenEndpoint
and authorizationEndpoint
so they will be fetched by the Gateway API translator. This is used to verify that EG uses the CA from BackendTLSPolicy
when connecting to the OIDC provider's well-known endpoint.
image: busybox:stable | ||
command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"] | ||
image: curlimages/curl:latest | ||
command: ["sh", "-c", "until curl -s -o /dev/null -w '%{http_code}' http://keycloak:80; do sleep 2; done"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using curl
instead of nc
to verify that keycload is ready. This change fixed some flaky OIDC tests.
@@ -23,7 +23,7 @@ func init() { | |||
var OIDCBackendClusterTest = suite.ConformanceTest{ | |||
ShortName: "OIDC with BackendCluster", | |||
Description: "Test OIDC authentication", | |||
Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"}, | |||
Manifests: []string{"testdata/oidc-keycloak.yaml"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
being updated but not in use
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's used here:
Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) {
testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml")
The creation of SecurityPolicy is now started after keycloak pod is ready, so EG can fetch the auth and token points from the keycloak's well-known endpoint.
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Fixes #4838
Release Notes: Yes