kubeshop / kusk-gateway

Kusk-gateway is an OpenAPI-driven API Gateway for Kubernetes
https://kubeshop.github.io/kusk-gateway/
MIT License
260 stars 21 forks

OAuth2: read `client_secret` from Kubernetes Secret #840

Closed mbana closed 1 year ago

mbana commented 1 year ago

Support reading client_secret for OAuth2 from a Kubernetes Secret. E.g.,

    credentials:
        client_id: "client_id"
        client_secret_ref:
          name: "some-secret-object-containing-client-id"
          namespace: "some-namespace"

We still support the old way of defining client_secret, i.e.,

    credentials:
        client_id: "client_id"
        client_secret: "inline_client_secret"

You cannot specify both client_secret_ref and client_secret. An error is generated if both are specified.


Resolves kubeshop/kusk-gateway/issues/829.

See: https://github.com/kubeshop/kusk-gateway/issues/829.

Signed-off-by: Mohamed Bana mohamed@bana.io


Test

cd examples/auth/oauth2/client-secret-ref
make

Observe Envoy logs for something like this:

kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.867781,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: getting secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8678958,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: retrieved secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}","secret":"<*>&Secret{ObjectMeta:{auth-oauth2-oauth0-client-secret-ref-api  oauth2-secrets  2986fe55-480b-4e76-93b1-ddd3c5ffbfb3 724 0 2022-10-06 17:37:28 +0000 UTC <nil> <nil> map[] map[kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"v1\",\"data\":{\"client_secret\":\"WjZNWDdOcmVKdW1XTG1mNnVuc1E1dWlFVXJUQnhmTnRxRzlWeTVLamt0bnZmai1fZlJDQk85RVUxbUwxWXpBSgo=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"},\"type\":\"Opaque\"}\n] [] [] [{kubectl-client-side-apply Update v1 2022-10-06 17:37:28 +0000 UTC FieldsV1 {\"f:data\":{\".\":{},\"f:client_secret\":{}},\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:type\":{}} }]},Data:map[string][]byte{client_secret: [90 54 77 88 55 78 114 101 74 117 109 87 76 109 102 54 117 110 115 81 53 117 105 69 85 114 84 66 120 102 78 116 113 71 57 86 121 53 75 106 107 116 110 118 102 106 45 95 102 82 67 66 79 57 69 85 49 109 76 49 89 122 65 74 10],},Type:Opaque,StringData:map[string]string{},Immutable:nil,}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8679295,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: set client_secret","client_secret":"Z6MX7NreJumWLmf6unsQ5uiEUrTBxfNtqG9Vy5Kjktnvfj-_fRCBO9EU1mL1YzAJ\n"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8679845,"logger":"auth.ParseAuthOptions","caller":"auth/parser.go:107","msg":"added filter","HTTPConnectionManager.HttpFilters":6}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8680425,"logger":"internal/controllers/parser.go:UpdateConfigFromAPIOpts","caller":"controllers/parser.go:155","msg":"parsing `auth` options","finalOpts.Auth":"&options.AuthOptions{Scheme:\"oauth2\", PathPrefix:(*string)(nil), AuthUpstream:(*options.AuthUpstream)(nil), OAuth2:(*options.OAuth2)(0xc001538000)}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.868066,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: getting secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8681378,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: retrieved secret","client_secret_ref":"{\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"}","secret":"<*>&Secret{ObjectMeta:{auth-oauth2-oauth0-client-secret-ref-api  oauth2-secrets  2986fe55-480b-4e76-93b1-ddd3c5ffbfb3 724 0 2022-10-06 17:37:28 +0000 UTC <nil> <nil> map[] map[kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"v1\",\"data\":{\"client_secret\":\"WjZNWDdOcmVKdW1XTG1mNnVuc1E1dWlFVXJUQnhmTnRxRzlWeTVLamt0bnZmai1fZlJDQk85RVUxbUwxWXpBSgo=\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{},\"name\":\"auth-oauth2-oauth0-client-secret-ref-api\",\"namespace\":\"oauth2-secrets\"},\"type\":\"Opaque\"}\n] [] [] [{kubectl-client-side-apply Update v1 2022-10-06 17:37:28 +0000 UTC FieldsV1 {\"f:data\":{\".\":{},\"f:client_secret\":{}},\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{}}},\"f:type\":{}} }]},Data:map[string][]byte{client_secret: [90 54 77 88 55 78 114 101 74 117 109 87 76 109 102 54 117 110 115 81 53 117 105 69 85 114 84 66 120 102 78 116 113 71 57 86 121 53 75 106 107 116 110 118 102 106 45 95 102 82 67 66 79 57 69 85 49 109 76 49 89 122 65 74 10],},Type:Opaque,StringData:map[string]string{},Immutable:nil,}"}
kusk-system kusk-gateway-manager-554d5fbb7-zddr8 manager {"level":"info","ts":1665077854.8681672,"caller":"logr@v1.2.3/logr.go:261","msg":"auth.NewFilterHTTPOAuth2: set client_secret","client_secret":"Z6MX7NreJumWLmf6unsQ5uiEUrTBxfNtqG9Vy5Kjktnvfj-_fRCBO9EU1mL1YzAJ\n"}
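The behaviour this PR describes, as an added Go example that is not kusk-gateway's own code: a `credentials` block that accepts either `client_secret` or `client_secret_ref`, rejects a block that sets both (or neither), fetches the referenced Secret, and resolves the client secret. The `Credentials`, `SecretRef`, `SecretGetter`, `memSecrets`, `Resolve` and `Redacted` names and the sample Secret value are assumptions of this example; the only detail taken from the page is the `client_secret` data key visible in the test log above. Those log lines print the fetched Secret object and the decoded `client_secret` at info level; `Redacted()` is the form a log line should carry instead.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// SecretRef is the `client_secret_ref` block: the Secret holding the client secret.
type SecretRef struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

// Credentials is the `credentials` block; exactly one secret source may be set.
type Credentials struct {
	ClientID        string     `json:"client_id"`
	ClientSecret    string     `json:"client_secret,omitempty"`
	ClientSecretRef *SecretRef `json:"client_secret_ref,omitempty"`
}

// secretDataKey is the data key read from the Secret (the PR's log shows a single `client_secret` key).
const secretDataKey = "client_secret"

var (
	ErrBothSpecified = errors.New("credentials: client_secret and client_secret_ref are mutually exclusive")
	ErrNoneSpecified = errors.New("credentials: one of client_secret or client_secret_ref is required")
	ErrKeyMissing    = errors.New("credentials: referenced Secret has no client_secret key")
)

// Validate rejects a block that sets both sources, neither, or an incomplete ref.
func (c Credentials) Validate() error {
	hasInline, hasRef := c.ClientSecret != "", c.ClientSecretRef != nil
	switch {
	case hasInline && hasRef:
		return ErrBothSpecified
	case !hasInline && !hasRef:
		return ErrNoneSpecified
	case hasRef && (c.ClientSecretRef.Name == "" || c.ClientSecretRef.Namespace == ""):
		return errors.New("credentials: client_secret_ref needs both name and namespace")
	}
	return nil
}

// SecretGetter is a hypothetical narrow view of a Kubernetes client (an assumption of this
// example, not the project's API). It returns .data as clients receive it: base64-decoded bytes.
type SecretGetter interface {
	GetSecret(ctx context.Context, namespace, name string) (map[string][]byte, error)
}

// Resolve returns the client secret from the inline field or the referenced Secret. Trailing CR/LF is
// trimmed: `echo value | base64` (no -n) stores a newline, as the "\n" in the PR's log shows, and a
// token request carrying that newline would not match the secret registered at the IdP.
func (c Credentials) Resolve(ctx context.Context, g SecretGetter) (string, error) {
	if err := c.Validate(); err != nil {
		return "", err
	}
	if c.ClientSecretRef == nil {
		return c.ClientSecret, nil
	}
	ref := c.ClientSecretRef
	data, err := g.GetSecret(ctx, ref.Namespace, ref.Name)
	if err != nil {
		return "", fmt.Errorf("credentials: get secret %s/%s: %w", ref.Namespace, ref.Name, err)
	}
	raw, ok := data[secretDataKey]
	if !ok || len(raw) == 0 {
		return "", fmt.Errorf("%w: %s/%s", ErrKeyMissing, ref.Namespace, ref.Name)
	}
	return strings.TrimRight(string(raw), "\r\n"), nil
}

// Redacted is the only form of the block that should reach a log line: the source, never the value.
func (c Credentials) Redacted() string {
	if r := c.ClientSecretRef; r != nil {
		return fmt.Sprintf("client_id=%q client_secret_ref=%s/%s", c.ClientID, r.Namespace, r.Name)
	}
	return fmt.Sprintf("client_id=%q client_secret=<redacted>", c.ClientID)
}

// memSecrets is a constructed in-memory SecretGetter so the example runs offline.
type memSecrets map[string]map[string][]byte

func (m memSecrets) GetSecret(_ context.Context, namespace, name string) (map[string][]byte, error) {
	if data, ok := m[namespace+"/"+name]; ok {
		return data, nil
	}
	return nil, fmt.Errorf("secrets %q not found in namespace %q", name, namespace)
}

func main() {
	// Constructed sample Secret whose value was stored with a trailing newline.
	store := memSecrets{"oauth2-secrets/example-client-secret": {secretDataKey: []byte("example-client-secret-value\n")}}
	c := Credentials{ClientID: "client_id", ClientSecretRef: &SecretRef{Name: "example-client-secret", Namespace: "oauth2-secrets"}}
	secret, err := c.Resolve(context.Background(), store)
	fmt.Printf("%s resolved=%v err=%v\n", c.Redacted(), secret != "", err) // the value itself is never printed
	both := Credentials{ClientID: "client_id", ClientSecret: "x", ClientSecretRef: c.ClientSecretRef}
	fmt.Println("both set:", both.Validate())
}
```

Two things to check when wiring this into a real manager. The decoded value in the log above ends in `\n`, which is what `echo value | base64` without `-n` produces; this example trims a trailing CR/LF, and the PR does not say whether the project does, so verify it against the IdP. And because the ref carries its own `namespace`, the manager's ServiceAccount needs RBAC to `get` Secrets in every namespace a ref may point at, which also means anyone able to author the API object can point the gateway at any Secret that RBAC reaches; restricting the accepted namespaces is a policy choice the example leaves open.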
netlify[bot] commented 1 year ago

Deploy Preview for kusk-docs-preview canceled.

Name Link
Latest commit edf7dcd780ddc40dc3224ff8512850014b7dc3fb
Latest deploy log https://app.netlify.com/sites/kusk-docs-preview/deploys/633fe565a9e35a000a89d277