kubeshop / kusk-gateway

Kusk-gateway is an OpenAPI-driven API Gateway for Kubernetes
https://kubeshop.github.io/kusk-gateway/
MIT License

Read `client_id` and `client_secret` from secrets instead of in the OpenAPI definition #829

Closed aabedraba closed 1 year ago

aabedraba commented 1 year ago

Our users don't want to add sensitive information to their OpenAPI definition as they want to track the definition on a version control system.

They asked to be able to reference a Kubernetes Secret for this.

Could we extend the fields that we have now to support it?

Currently we support putting it directly on the OpenAPI definition like this:

x-kusk:
  auth:
    scheme: oauth2
    oauth2:
      token_endpoint: https://aabedraba.eu.auth0.com/oauth/token
      authorization_endpoint: https://aabedraba.eu.auth0.com/authorize
      credentials:
        client_id: "123"
        client_secret: "1234"
      redirect_uri: /oauth2/callback
      redirect_path_matcher: /oauth2/callback
      signout_path: /oauth2/signout
      forward_bearer_token: true
      auth_scopes:
        - openid

We want to make it something like this (to discuss how to name it and the fields it needs):

x-kusk:
  auth:
    scheme: oauth2
    oauth2:
      token_endpoint: https://aabedraba.eu.auth0.com/oauth/token
      authorization_endpoint: https://aabedraba.eu.auth0.com/authorize
      credentials:
        client_id:
          secretName: auth-clientId
          secretNamespace: default
        client_secret:
          secretName: auth-clientSecret
          secretNamespace: default
      redirect_uri: /oauth2/callback
      redirect_path_matcher: /oauth2/callback
      signout_path: /oauth2/signout
      forward_bearer_token: true
      auth_scopes:
        - openid
aabedraba commented 1 year ago

Need to update the docs to let users know that the secret needs to be created before attempting to apply the API.
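
An added example, not code from kusk-gateway, of how the controller side of this proposal could resolve the referenced Secrets, written in Go because that is the project's language. It covers both forms in the thread (inline value and Secret reference) and the "secret must exist before the API is applied" caveat by failing closed. Assumptions made here and not in the thread: the reference carries a `key` naming the entry inside the Secret, an empty `secretNamespace` falls back to the API's own namespace, cluster access is behind a small `SecretGetter` interface backed by a map so the example runs offline, and the Secret contents are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the reference shape proposed in the issue (secretName / secretNamespace).
// Key is an assumption made here: a Secret holds several entries, so the reference must say which.
type SecretRef struct {
	SecretName      string
	SecretNamespace string
	Key             string
}

// Credential is client_id or client_secret: inline (today's x-kusk form) or a Secret reference (proposed).
type Credential struct {
	Inline string
	Ref    *SecretRef
}

// SecretGetter is all the resolver needs from the cluster; a controller would back it with its client.
type SecretGetter interface {
	GetSecret(namespace, name string) (map[string][]byte, error)
}

var ErrSecretNotFound = errors.New("secret not found")

// fakeSecrets is a constructed stand-in for the cluster, keyed "namespace/name".
type fakeSecrets map[string]map[string][]byte

func (f fakeSecrets) GetSecret(namespace, name string) (map[string][]byte, error) {
	data, ok := f[namespace+"/"+name]
	if !ok {
		return nil, fmt.Errorf("%s/%s: %w", namespace, name, ErrSecretNotFound)
	}
	return data, nil
}

// ResolveCredential returns the plaintext value. A reference must point at an existing Secret
// and key, so a Secret that was not created yet rejects the API instead of configuring Envoy.
func ResolveCredential(c Credential, secrets SecretGetter, defaultNamespace string) (string, error) {
	switch {
	case c.Inline != "" && c.Ref != nil:
		return "", errors.New("set either an inline value or a secret reference, not both")
	case c.Ref == nil && c.Inline == "":
		return "", errors.New("no value and no secret reference")
	case c.Ref == nil:
		return c.Inline, nil
	}
	ns := c.Ref.SecretNamespace
	if ns == "" {
		ns = defaultNamespace // assumption: fall back to the API object's namespace
	}
	data, err := secrets.GetSecret(ns, c.Ref.SecretName)
	if err != nil {
		return "", err
	}
	value, ok := data[c.Ref.Key]
	if !ok {
		return "", fmt.Errorf("secret %s/%s has no key %q", ns, c.Ref.SecretName, c.Ref.Key)
	}
	return strings.TrimRight(string(value), "\r\n"), nil // Secrets built from files often end in a newline
}

// OAuth2Credentials mirrors x-kusk.auth.oauth2.credentials.
type OAuth2Credentials struct {
	ClientID     Credential
	ClientSecret Credential
}

// ResolveOAuth2 resolves both fields, failing closed on the first error.
func ResolveOAuth2(creds OAuth2Credentials, secrets SecretGetter, defaultNamespace string) (string, string, error) {
	clientID, err := ResolveCredential(creds.ClientID, secrets, defaultNamespace)
	if err != nil {
		return "", "", fmt.Errorf("client_id: %w", err)
	}
	clientSecret, err := ResolveCredential(creds.ClientSecret, secrets, defaultNamespace)
	if err != nil {
		return "", "", fmt.Errorf("client_secret: %w", err)
	}
	return clientID, clientSecret, nil
}

// ProposedCredentials is the credentials block from the issue's proposed YAML with the assumed
// key names; ExampleCluster holds the two Secrets it needs (constructed data, not from the project).
func ProposedCredentials() OAuth2Credentials {
	ref := func(name, key string) Credential {
		return Credential{Ref: &SecretRef{SecretName: name, SecretNamespace: "default", Key: key}}
	}
	return OAuth2Credentials{ClientID: ref("auth-clientId", "client_id"), ClientSecret: ref("auth-clientSecret", "client_secret")}
}

func ExampleCluster() fakeSecrets {
	return fakeSecrets{
		"default/auth-clientId":     {"client_id": []byte("123")},
		"default/auth-clientSecret": {"client_secret": []byte("1234\n")},
	}
}
```

`ResolveOAuth2(ProposedCredentials(), ExampleCluster(), "default")` yields `"123"`, `"1234"`; the same call against an empty `fakeSecrets{}` returns an error wrapping `ErrSecretNotFound`, which is the state the docs note above warns about. One point to settle when naming the fields: if `secretNamespace` may differ from the API's own namespace, anyone allowed to create an API object can make the controller read a Secret in a namespace they cannot read themselves, so either restrict references to the API's namespace or have the controller check that the requester is allowed to read the target Secret.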

aabedraba commented 1 year ago

Waiting on the Envoy PR to be merged. If it's not merged by next week, we implement this without using SDS.

mbana commented 1 year ago

https://docs.solo.io/gloo-mesh-enterprise/1.2.x/guides/gateway/auth/extauth/oauth/

Slightly adjusted from above:

    credentials:
        client_id: "client_id"
        client_secret_ref:
          name: my-oauth-secret-for-some-api
          namespace: oauth-secrets

or

    credentials:
        client_id: "client_id"
        client_secret: "inline_client_secret"

Adding the first won't break anything, basically.