Closed mbana closed 1 year ago
Support reading `client_secret` for OAuth2 from a Kubernetes Secret. E.g.,

```yaml
credentials:
  client_id: "client_id"
  client_secret_ref:
    name: "some-secret-object-containing-client-id"
    namespace: "some-namespace"
```

We still support the old way of defining `client_secret`, i.e.,

```yaml
credentials:
  client_id: "client_id"
  client_secret: "inline_client_secret"
```

You cannot specify both `client_secret_ref` and `client_secret`. An error is generated if both are specified.
Resolves kubeshop/kusk-gateway/issues/829.
See: https://github.com/kubeshop/kusk-gateway/issues/829.
Signed-off-by: Mohamed Bana mohamed@bana.io
Test
```sh
cd examples/auth/oauth2/client-secret-ref
make
```
Observe Envoy logs for something like this:
```
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.867781,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: getting secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8678958,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: retrieved secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}","secret":"<*>&Secret{ObjectMeta:{auth-oauth2-oauth0-client-secret-ref-api oauth2-secrets 2986fe55-480b-4e76-93b1-ddd3c5ffbfb3 724 0 2022-10-06 17:37:28 +0000 UTC <nil> <nil> map[] map[kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"v1\",\"data\":{\"client_secret\":\"WjZNWDdOcmVKdW1XTG1mNnVuc1E1dWlFVXJUQnhmTnRxRzlWeTVLamt0bnZmai1fZlJDQk85RVUxbUwxWXpBSgo=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"},\"type\":\"Opaque\"}\n] [] [] [{kubectl-client-side-apply Update v1 2022-10-06 17:37:28 +0000 UTC FieldsV1 {\"f:data\":{\".\":{},\"f:client_secret\":{}},\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:type\":{}} }]},Data:map[string][]byte{client_secret: [90 54 77 88 55 78 114 101 74 117 109 87 76 109 102 54 117 110 115 81 53 117 105 69 85 114 84 66 120 102 78 116 113 71 57 86 121 53 75 106 107 116 110 118 102 106 45 95 102 82 67 66 79 57 69 85 49 109 76 49 89 122 65 74 10],},Type:Opaque,StringData:map[string]string{},Immutable:nil,}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8679295,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: set client_secret","client_secret":"Z6MX7NreJumWLmf6unsQ5uiEUrTBxfNtqG9Vy5Kjktnvfj-_fRCBO9EU1mL1YzAJ\n"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8679845,"logger":"auth.ParseAuthOptions","caller":"auth/parser.go:107","msg":"added filter","HTTPConnectionManager.HttpFilters":6}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8680425,"logger":"internal/controllers/parser.go:UpdateConfigFromAPIOpts","caller":"controllers/parser.go:155","msg":"parsing `auth` options","finalOpts.Auth":"&options.AuthOptions{Scheme:\"oauth2\", PathPrefix:(*string)(nil), AuthUpstream:(*options.AuthUpstream)(nil), OAuth2:(*options.OAuth2)(0xc001538000)}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.868066,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: getting secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8681378,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: retrieved secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}","secret":"<*>&Secret{ObjectMeta:{auth-oauth2-oauth0-client-secret-ref-api oauth2-secrets 2986fe55-480b-4e76-93b1-ddd3c5ffbfb3 724 0 2022-10-06 17:37:28 +0000 UTC <nil> <nil> map[] map[kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"v1\",\"data\":{\"client_secret\":\"WjZNWDdOcmVKdW1XTG1mNnVuc1E1dWlFVXJUQnhmTnRxRzlWeTVLamt0bnZmai1fZlJDQk85RVUxbUwxWXpBSgo=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"},\"type\":\"Opaque\"}\n] [] [] [{kubectl-client-side-apply Update v1 2022-10-06 17:37:28 +0000 UTC FieldsV1 {\"f:data\":{\".\":{},\"f:client_secret\":{}},\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:type\":{}} }]},Data:map[string][]byte{client_secret: [90 54 77 88 55 78 114 101 74 117 109 87 76 109 102 54 117 110 115 81 53 117 105 69 85 114 84 66 120 102 78 116 113 71 57 86 121 53 75 106 107 116 110 118 102 106 45 95 102 82 67 66 79 57 69 85 49 109 76 49 89 122 65 74 10],},Type:Opaque,StringData:map[string]string{},Immutable:nil,}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8681672,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: set client_secret","client_secret":"Z6MX7NreJumWLmf6unsQ5uiEUrTBxfNtqG9Vy5Kjktnvfj-_fRCBO9EU1mL1YzAJ\n"}
```
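The resolution rule the PR describes (exactly one of `client_secret` and `client_secret_ref`, an error when both are set) together with the Secret lookup, as an added Go example that is not kusk-gateway's code. The `SecretStore` map stands in for a Kubernetes client, the Secret named `oauth2-client` and its value are constructed for the example, and the type and function names are this example's own. It also deals with two things visible in the log above: the decoded value ends in a newline, and the plaintext `client_secret` is printed at info level. The example strips a trailing newline and logs only a redacted form.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SecretRef and Credentials use the field names from the PR's YAML
// (client_id, client_secret, client_secret_ref); the Go types themselves
// are this example's own, not kusk-gateway's.
type SecretRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type Credentials struct {
	ClientID        string     `json:"client_id"`
	ClientSecret    string     `json:"client_secret,omitempty"`
	ClientSecretRef *SecretRef `json:"client_secret_ref,omitempty"`
}

// k8sSecret is the subset of a core/v1 Secret manifest read here. Data
// values are base64, as in the last-applied-configuration in the PR's log.
type k8sSecret struct {
	Kind     string `json:"kind"`
	Type     string `json:"type"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// SecretStore is a hypothetical stand-in for a Kubernetes client, keyed by
// "namespace/name".
type SecretStore map[string]k8sSecret

var (
	ErrBothSpecified  = errors.New("credentials: client_secret and client_secret_ref are mutually exclusive")
	ErrNoneSpecified  = errors.New("credentials: one of client_secret or client_secret_ref is required")
	ErrSecretNotFound = errors.New("credentials: referenced secret not found")
)

// ResolveClientSecret enforces "exactly one of the two fields" and, for a
// ref, fetches the Secret and decodes its client_secret key.
func ResolveClientSecret(c Credentials, store SecretStore) (string, error) {
	switch {
	case c.ClientSecret != "" && c.ClientSecretRef != nil:
		return "", ErrBothSpecified
	case c.ClientSecret != "":
		return c.ClientSecret, nil
	case c.ClientSecretRef == nil:
		return "", ErrNoneSpecified
	}
	ref := c.ClientSecretRef
	sec, ok := store[ref.Namespace+"/"+ref.Name]
	if !ok {
		return "", fmt.Errorf("%w: %s/%s", ErrSecretNotFound, ref.Namespace, ref.Name)
	}
	raw, ok := sec.Data["client_secret"]
	if !ok {
		return "", fmt.Errorf("secret %s/%s has no client_secret key", ref.Namespace, ref.Name)
	}
	decoded, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return "", fmt.Errorf("secret %s/%s: client_secret is not valid base64: %w", ref.Namespace, ref.Name, err)
	}
	// The value in the PR's log ends in "\n", which is what `echo $SECRET | base64`
	// without -n produces. The IdP compares the secret byte for byte, so drop a
	// trailing newline instead of sending it.
	return strings.TrimRight(string(decoded), "\r\n"), nil
}

// Redact is what belongs in a log line instead of the secret itself.
func Redact(secret string) string {
	return fmt.Sprintf("[redacted, %d bytes]", len(secret))
}

// SampleStore builds one constructed Secret manifest in the shape kubectl
// writes; the name, namespace and value are invented for this example.
func SampleStore() SecretStore {
	manifest := fmt.Sprintf(`{"apiVersion":"v1","kind":"Secret","type":"Opaque",
  "metadata":{"name":"oauth2-client","namespace":"oauth2-secrets"},
  "data":{"client_secret":%q}}`,
		base64.StdEncoding.EncodeToString([]byte("example-client-secret\n")))
	var sec k8sSecret
	if err := json.Unmarshal([]byte(manifest), &sec); err != nil {
		panic(err)
	}
	return SecretStore{sec.Metadata.Namespace + "/" + sec.Metadata.Name: sec}
}

func main() {
	store := SampleStore()
	ref := &SecretRef{Name: "oauth2-client", Namespace: "oauth2-secrets"}
	for _, c := range []Credentials{
		{ClientID: "client_id", ClientSecretRef: ref},
		{ClientID: "client_id", ClientSecret: "inline_client_secret"},
		{ClientID: "client_id", ClientSecret: "inline_client_secret", ClientSecretRef: ref},
	} {
		secret, err := ResolveClientSecret(c, store)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("resolved client_secret:", Redact(secret))
	}
}
```

Trimming the newline is a design choice for this example: the alternative is to reject the Secret outright so the operator fixes the manifest, which is stricter but surfaces the mistake earlier than a failed token exchange would.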