Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. #4857

Open
wants to merge 18 commits into
base: main
Choose a base branch
from

Conversation

zhaohuabing
Copy link
Member

Fixes #4838

Release Notes: Yes

@zhaohuabing zhaohuabing requested a review from a team as a code owner December 6, 2024 14:11
@zhaohuabing zhaohuabing marked this pull request as draft December 6, 2024 14:11
Signed-off-by: Huabing Zhao <[email protected]>
test/e2e/tests/oidc_testclient.go Dismissed Show dismissed Hide dismissed
Signed-off-by: Huabing Zhao <[email protected]>
Copy link

codecov bot commented Dec 10, 2024

Codecov Report

Attention: Patch coverage is 40.00000% with 51 lines in your changes missing coverage. Please review.

Project coverage is 66.22%. Comparing base (ca2d80b) to head (88a3e09).

Files with missing lines Patch % Lines
internal/ir/xds.go 0.00% 37 Missing ⚠️
internal/gatewayapi/securitypolicy.go 70.83% 10 Missing and 4 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4857      +/-   ##
==========================================
- Coverage   66.29%   66.22%   -0.08%     
==========================================
  Files         209      209              
  Lines       32035    32097      +62     
==========================================
+ Hits        21239    21255      +16     
- Misses       9536     9580      +44     
- Partials     1260     1262       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zhaohuabing zhaohuabing marked this pull request as ready for review December 10, 2024 08:16
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing changed the title fix: use tls config from BTP to fetch oidc provider endpoints fix: use tls config from BTP when connecting to the OIDC provider's well-known endpoint. Dec 10, 2024
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as draft December 10, 2024 09:51
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
@zhaohuabing zhaohuabing marked this pull request as ready for review December 10, 2024 11:22
Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing Zhao <[email protected]>
issuer: "http://keycloak.gateway-conformance-infra/realms/master"
authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth"
tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token"
issuer: "https://keycloak.gateway-conformance-infra/realms/master" # Test fetching auth endpoint from the issuer url
Copy link
Member Author

@zhaohuabing zhaohuabing Dec 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing tokenEndpoint and authorizationEndpoint so they will be fetched by the Gateway API translator. This is used to verify that EG uses the CA from BackendTLSPolicy when connecting to the OIDC provider's well-known endpoint.

image: busybox:stable
command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"]
image: curlimages/curl:latest
command: ["sh", "-c", "until curl -s -o /dev/null -w '%{http_code}' http://keycloak:80; do sleep 2; done"]
Copy link
Member Author

@zhaohuabing zhaohuabing Dec 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using curl instead of nc to verify that keycload is ready. This change fixed some flaky OIDC tests.

@@ -23,7 +23,7 @@ func init() {
var OIDCBackendClusterTest = suite.ConformanceTest{
ShortName: "OIDC with BackendCluster",
Description: "Test OIDC authentication",
Manifests: []string{"testdata/oidc-keycloak.yaml", "testdata/oidc-securitypolicy-backendcluster.yaml"},
Manifests: []string{"testdata/oidc-keycloak.yaml"},
Copy link
Contributor

@arkodg arkodg Dec 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml being updated but not in use

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's used here:

Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
		t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) {
			testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml")

The creation of SecurityPolicy is now started after keycloak pod is ready, so EG can fetch the auth and token points from the keycloak's well-known endpoint.

@zhaohuabing zhaohuabing requested a review from arkodg December 11, 2024 00:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Envoy Gateway OIDC: Error with Self-Signed Certificate
2 participants