Skip to content
This repository was archived by the owner on Apr 22, 2024. It is now read-only.

Commit 0123440

Browse files
zhaohuabingzhaohuabing
committed
load client secret from k8s Secret when reading config
Signed-off-by: huabing zhao <[email protected]>
1 parent c924e2c commit 0123440

11 files changed

+742
-115
lines changed

config/gen/go/v1/oidc/config.pb.go

+214-87
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

config/gen/go/v1/oidc/config.pb.validate.go

+185-11
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

config/v1/oidc/config.proto

+24-4
Original file line numberDiff line numberDiff line change
@@ -130,10 +130,30 @@ message OIDCConfig {
130130
// Required.
131131
string client_id = 5 [(validate.rules).string.min_len = 1];
132132

133-
// The OIDC client secret assigned to the filter to be used in the
134-
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
135-
// Required.
136-
string client_secret = 6 [(validate.rules).string.min_len = 1];
133+
// This message defines a reference to a Kubernetes Secret resource.
134+
message SecretReference {
135+
// The namespace of the referenced Secret, if not set, default to "default" namespace.
136+
string namespace = 1;
137+
138+
// The name of the referenced Secret.
139+
string name = 2 [(validate.rules).string.min_len = 1];
140+
}
141+
142+
oneof client_secret_config {
143+
option(validate.required) = true;
144+
// The OIDC client secret assigned to the filter to be used in the
145+
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
146+
// This field keeps the client secret in plain text. Recommend to use `client_secret_ref` instead
147+
// when running in a Kubernetes cluster.
148+
string client_secret = 6;
149+
150+
// The Kubernetes secret that contains the OIDC client secret assigned to the filter to be used in the
151+
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
152+
//
153+
// This is an Opaque secret. The client secret should be stored in the key "client-secret".
154+
// This filed is only valid when running in a Kubernetes cluster.
155+
SecretReference client_secret_ref = 20;
156+
}
137157

138158
// Additional scopes passed to the OIDC Provider in the
139159
// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

go.mod

+4-2
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ require (
2020
k8s.io/api v0.29.2
2121
k8s.io/apimachinery v0.29.2
2222
k8s.io/client-go v0.29.2
23+
sigs.k8s.io/controller-runtime v0.17.2
2324
)
2425

2526
require (
@@ -32,7 +33,8 @@ require (
3233
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
3334
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
3435
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
35-
github.com/go-logr/logr v1.3.0 // indirect
36+
github.com/evanphx/json-patch/v5 v5.8.0 // indirect
37+
github.com/go-logr/logr v1.4.1 // indirect
3638
github.com/go-openapi/jsonpointer v0.19.6 // indirect
3739
github.com/go-openapi/jsonreference v0.20.2 // indirect
3840
github.com/go-openapi/swag v0.22.3 // indirect
@@ -74,5 +76,5 @@ require (
7476
k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
7577
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
7678
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
77-
sigs.k8s.io/yaml v1.3.0 // indirect
79+
sigs.k8s.io/yaml v1.4.0 // indirect
7880
)

go.sum

+22-7
Original file line numberDiff line numberDiff line change
@@ -35,8 +35,13 @@ github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU
3535
github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
3636
github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
3737
github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
38-
github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
38+
github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
39+
github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
3940
github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
41+
github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
42+
github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
43+
github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
44+
github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
4045
github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
4146
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
4247
github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
@@ -106,10 +111,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
106111
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
107112
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
108113
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
109-
github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
110-
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
111-
github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
112-
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
114+
github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
115+
github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
116+
github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
117+
github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
113118
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
114119
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
115120
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -141,13 +146,19 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
141146
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
142147
github.com/yuin/gopher-lua v1.1.0 h1:BojcDhfyDWgU2f2TOzYK/g5p2gxMrku8oupLDqlnSqE=
143148
github.com/yuin/gopher-lua v1.1.0/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
149+
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
150+
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
151+
go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
152+
go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
144153
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
145154
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
146155
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
147156
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
148157
golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
149158
golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
150159
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
160+
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
161+
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
151162
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
152163
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
153164
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -234,6 +245,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
234245
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
235246
k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
236247
k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
248+
k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
249+
k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
237250
k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
238251
k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
239252
k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
@@ -244,9 +257,11 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A
244257
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
245258
k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
246259
k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
260+
sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0=
261+
sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
247262
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
248263
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
249264
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
250265
sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
251-
sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
252-
sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
266+
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
267+
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

internal/authz/oidc_test.go

+8-4
Original file line numberDiff line numberDiff line change
@@ -141,8 +141,10 @@ var (
141141
AuthorizationUri: "http://idp-test-server/auth",
142142
CallbackUri: "https://localhost:443/callback",
143143
ClientId: "test-client-id",
144-
ClientSecret: "test-client-secret",
145-
Scopes: []string{"openid", "email"},
144+
ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
145+
ClientSecret: "test-client-secret",
146+
},
147+
Scopes: []string{"openid", "email"},
146148
Logout: &oidcv1.LogoutConfig{
147149
Path: "/logout",
148150
RedirectUri: "http://idp-test-server/logout?with-params",
@@ -161,8 +163,10 @@ var (
161163
ConfigurationUri: "http://idp-test-server/.well-known/openid-configuration",
162164
CallbackUri: "https://localhost:443/callback",
163165
ClientId: "test-client-id",
164-
ClientSecret: "test-client-secret",
165-
Scopes: []string{"openid", "email"},
166+
ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
167+
ClientSecret: "test-client-secret",
168+
},
169+
Scopes: []string{"openid", "email"},
166170
}
167171

168172
wellKnownURIs = `

0 commit comments

Comments
 (0)