load client secret from k8s Secret when reading config

Signed-off-by: huabing zhao <[email protected]>

Author: zhaohuabing

config/gen/go/v1/oidc/config.pb.go

@@ -130,10 +130,30 @@ message OIDCConfig {
   // Required.
   string client_id = 5 [(validate.rules).string.min_len = 1];
 
-  // The OIDC client secret assigned to the filter to be used in the
-  // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
-  // Required.
-  string client_secret = 6 [(validate.rules).string.min_len = 1];
+  // This message defines a reference to a Kubernetes Secret resource.
+  message SecretReference {
+    // The namespace of the referenced Secret, if not set, default to "default" namespace.
+    string namespace = 1;
+
+    // The name of the referenced Secret.
+    string name = 2 [(validate.rules).string.min_len = 1];
+  }
+
+  oneof client_secret_config {
+    option(validate.required) = true;
+    // The OIDC client secret assigned to the filter to be used in the
+    // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+    // This field keeps the client secret in plain text. Recommend to use `client_secret_ref` instead
+    // when running in a Kubernetes cluster.
+    string client_secret = 6;
+
+    // The Kubernetes secret that contains the OIDC client secret assigned to the filter to be used in the
+    // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+    //
+    // This is an Opaque secret. The client secret should be stored in the key "client-secret".
+    // This filed is only valid when running in a Kubernetes cluster.
+    SecretReference client_secret_ref = 20;
+  }
 
   // Additional scopes passed to the OIDC Provider in the
   // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

config/gen/go/v1/oidc/config.pb.validate.go

@@ -20,6 +20,7 @@ require (
 	k8s.io/api v0.29.2
 	k8s.io/apimachinery v0.29.2
 	k8s.io/client-go v0.29.2
+	sigs.k8s.io/controller-runtime v0.17.2
 )
 
 require (
@@ -32,7 +33,9 @@ require (
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -74,5 +77,5 @@ require (
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

config/v1/oidc/config.proto

@@ -35,8 +35,13 @@ github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU
 github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=
+github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
@@ -106,10 +111,10 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
-github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
-github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
-github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
+github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
+github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
+github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -141,13 +146,19 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/gopher-lua v1.1.0 h1:BojcDhfyDWgU2f2TOzYK/g5p2gxMrku8oupLDqlnSqE=
 github.com/yuin/gopher-lua v1.1.0/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
+go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
+golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -234,6 +245,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
 k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
+k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
+k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
 k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
 k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
 k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
@@ -244,9 +257,11 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/controller-runtime v0.17.2 h1:FwHwD1CTUemg0pW2otk7/U5/i5m2ymzvOXdbeGOUvw0=
+sigs.k8s.io/controller-runtime v0.17.2/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

go.mod

@@ -141,8 +141,10 @@ var (
 		AuthorizationUri: "http://idp-test-server/auth",
 		CallbackUri:      "https://localhost:443/callback",
 		ClientId:         "test-client-id",
-		ClientSecret:     "test-client-secret",
-		Scopes:           []string{"openid", "email"},
+		ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
+			ClientSecret: "test-client-secret",
+		},
+		Scopes: []string{"openid", "email"},
 		Logout: &oidcv1.LogoutConfig{
 			Path:        "/logout",
 			RedirectUri: "http://idp-test-server/logout?with-params",
@@ -161,8 +163,10 @@ var (
 		ConfigurationUri: "http://idp-test-server/.well-known/openid-configuration",
 		CallbackUri:      "https://localhost:443/callback",
 		ClientId:         "test-client-id",
-		ClientSecret:     "test-client-secret",
-		Scopes:           []string{"openid", "email"},
+		ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
+			ClientSecret: "test-client-secret",
+		},
+		Scopes: []string{"openid", "email"},
 	}
 
 	wellKnownURIs = `

go.sum

@@ -15,16 +15,20 @@
 package internal
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"net/url"
 	"os"
-	"strings"
 
 	"github.com/redis/go-redis/v9"
 	"github.com/tetratelabs/run"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	configv1 "github.com/tetrateio/authservice-go/config/gen/go/v1"
 	oidcv1 "github.com/tetrateio/authservice-go/config/gen/go/v1/oidc"
@@ -42,8 +46,9 @@ var (
 	ErrInvalidURL          = errors.New("invalid URL")
 	ErrRequiredURL         = errors.New("required URL")
 	ErrHealthPortInUse     = errors.New("health port is already in use by listen port")
-	ErrMustNotBeRootPath   = errors.New("must not be root path")
-	ErrMustBeDifferentPath = errors.New("must be different path")
+
+	// kubeClient is the in-cluster Kubernetes client used to retrieve the client secret from a Kubernetes secret.
+	kubeClient client.Client
 )
 
 // LocalConfigFile is a run.Config that loads the configuration file.
@@ -117,6 +122,12 @@ func (l *LocalConfigFile) Validate() error {
 		return err
 	}
 
+	// Initialize the client secret from the Kubernetes secret if it is a referenced
+	// Kubernetes secret.
+	if err = initClientSecret(&l.Config); err != nil {
+		return err
+	}
+
 	// Now that all defaults are set and configurations are merged, validate all final settings
 	return l.Config.ValidateAll()
 }
@@ -154,19 +165,6 @@ func mergeAndValidateOIDCConfigs(cfg *configv1.Config) error {
 
 			// Set the defaults
 			applyOIDCDefaults(f.GetOidc())
-
-			// validate the logout path is not the root path
-			if f.GetOidc().GetLogout() != nil {
-				if isRootPath(f.GetOidc().GetLogout().GetPath()) {
-					return fmt.Errorf("%w: invalid logout path", ErrMustNotBeRootPath)
-				}
-			}
-
-			// validate the callback and the logout path are different
-			callbackURI, _ := url.Parse(f.GetOidc().GetCallbackUri())
-			if f.GetOidc().GetLogout() != nil && callbackURI.Path == f.GetOidc().GetLogout().GetPath() {
-				errs = append(errs, fmt.Errorf("%w: callback and logout paths must be different in chain %q", ErrMustBeDifferentPath, fc.Name))
-			}
 		}
 	}
 	// Clear the default config as it has already been merged. This way there is only one
@@ -237,21 +235,11 @@ func validateOIDCConfigURLs(c *oidcv1.OIDCConfig) error {
 	if err := validateURL(c.GetJwksFetcher().GetJwksUri()); err != nil {
 		return fmt.Errorf("%w: invalid JWKS Fetcher URL: %w", ErrInvalidURL, err)
 	}
-
-	// Backwards compatibility with redis tcp:// URIs used in the old authservice
-	if redisURI := c.GetRedisSessionStoreConfig().GetServerUri(); redisURI != "" {
-		c.GetRedisSessionStoreConfig().ServerUri = strings.Replace(redisURI, "tcp://", "redis://", 1)
-	}
-
 	if redisURL := c.GetRedisSessionStoreConfig().GetServerUri(); redisURL != "" {
 		if _, err := redis.ParseURL(redisURL); err != nil {
 			return fmt.Errorf("%w: invalid Redis session store URL: %w", ErrInvalidURL, err)
 		}
 	}
-
-	if hasRootPath(c.GetCallbackUri()) {
-		return fmt.Errorf("%w: invalid callback URL", ErrMustNotBeRootPath)
-	}
 	return nil
 }
 
@@ -263,17 +251,78 @@ func validateURL(u string) error {
 	return err
 }
 
-// hasRootPath returns true if the path of the given URL is "/" or empty.
-// prerequisite: u is a valid URL.
-func hasRootPath(uri string) bool {
-	if uri == "" {
-		return false
+func initClientSecret(cfg *configv1.Config) error {
+	var (
+		err  error
+		errs []error
+	)
+
+	for _, fc := range cfg.Chains {
+		for _, f := range fc.Filters {
+			if f.GetOidc() != nil && f.GetOidc().GetClientSecretRef() != nil {
+				if kubeClient == nil {
+					kubeClient, err = getKubeClient()
+					if err != nil {
+						return fmt.Errorf("error creating kube client: %w", err)
+					}
+				}
+
+				clientSecret, err := getClientSecretFromK8s(f.GetOidc(), kubeClient)
+				if err != nil {
+					errs = append(errs, fmt.Errorf("error getting client secret: %w", err))
+				}
+
+				f.GetOidc().ClientSecretConfig = &oidcv1.OIDCConfig_ClientSecret{
+					ClientSecret: clientSecret,
+				}
+			}
+		}
+	}
+
+	return errors.Join(errs...)
+}
+
+const (
+	defaultNamespace = "default"
+	clientSecretKey  = "client-secret"
+)
+
+// getClientSecretFromK8s retrieves the client secret from the referenced Kubernetes secret.
+func getClientSecretFromK8s(c *oidcv1.OIDCConfig, cl client.Client) (string, error) {
+	if c.GetClientSecretRef() == nil {
+		return "", fmt.Errorf("client secret ref not found")
+	}
+
+	namespace := c.GetClientSecretRef().Namespace
+	if namespace == "" {
+		namespace = defaultNamespace
+	}
+	secretName := types.NamespacedName{
+		Namespace: namespace,
+		Name:      c.GetClientSecretRef().Name,
+	}
+
+	secret := &v1.Secret{}
+	err := cl.Get(context.Background(), secretName, secret)
+	if err != nil {
+		return "", fmt.Errorf("error getting secret: %w", err)
+	}
+	clientSecretBytes, ok := secret.Data[clientSecretKey]
+	if !ok || len(clientSecretBytes) == 0 {
+		return "", fmt.Errorf("client secret not found in secret %s", secretName.String())
 	}
-	parsed, _ := url.Parse(uri)
-	return isRootPath(parsed.Path)
+	return string(clientSecretBytes), nil
 }
 
-// isRootPath returns true if the path is "/" or empty.
-func isRootPath(path string) bool {
-	return path == "/" || path == ""
+func getKubeClient() (client.Client, error) {
+	cfg, err := config.GetConfig()
+	if err != nil {
+		return nil, fmt.Errorf("error getting kube config: %w", err)
+	}
+
+	cl, err := client.New(cfg, client.Options{})
+	if err != nil {
+		return nil, fmt.Errorf("errot creating kube client: %w", err)
+	}
+	return cl, nil
 }

internal/authz/oidc_test.go

@@ -23,6 +23,9 @@ import (
 	"github.com/tetratelabs/run"
 	"github.com/tetratelabs/telemetry"
 	"google.golang.org/protobuf/proto"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	configv1 "github.com/tetrateio/authservice-go/config/gen/go/v1"
 	mockv1 "github.com/tetrateio/authservice-go/config/gen/go/v1/mock"
@@ -62,10 +65,6 @@ func TestValidateConfig(t *testing.T) {
 		{"invalid-redis", "testdata/invalid-redis.json", errCheck{is: ErrInvalidURL}},
 		{"invalid-oidc-uris", "testdata/invalid-oidc-uris.json", errCheck{is: ErrRequiredURL}},
 		{"invalid-health-port", "testdata/invalid-health-port.json", errCheck{is: ErrHealthPortInUse}},
-		{"invalid-callback-uri", "testdata/invalid-callback.json", errCheck{is: ErrMustNotBeRootPath}},
-		{"invalid-logout-path", "testdata/invalid-logout.json", errCheck{is: ErrMustNotBeRootPath}},
-		{"valid-logout-override-default", "testdata/valid-logout-override-default.json", errCheck{is: nil}},
-		{"invalid-callback-and-logout-path", "testdata/invalid-callback-logout.json", errCheck{is: ErrMustBeDifferentPath}},
 		{"oidc-dynamic", "testdata/oidc-dynamic.json", errCheck{is: nil}},
 		{"valid", "testdata/mock.json", errCheck{is: nil}},
 	}
@@ -80,7 +79,7 @@ func TestValidateConfig(t *testing.T) {
 
 func TestValidateURLs(t *testing.T) {
 	const (
-		validURL      = "http://fake/path"
+		validURL      = "http://fake"
 		invalidURL    = "ht tp://invalid"
 		validRedisURL = "redis://localhost:6379/0"
 	)
@@ -204,18 +203,19 @@ func TestLoadOIDC(t *testing.T) {
 					{
 						Type: &configv1.Filter_Oidc{
 							Oidc: &oidcv1.OIDCConfig{
-								AuthorizationUri:        "http://fake",
-								TokenUri:                "http://fake",
-								CallbackUri:             "http://fake/callback",
-								JwksConfig:              &oidcv1.OIDCConfig_Jwks{Jwks: "fake-jwks"},
-								ClientId:                "fake-client-id",
-								ClientSecret:            "fake-client-secret",
+								AuthorizationUri: "http://fake",
+								TokenUri:         "http://fake",
+								CallbackUri:      "http://fake",
+								JwksConfig:       &oidcv1.OIDCConfig_Jwks{Jwks: "fake-jwks"},
+								ClientId:         "fake-client-id",
+								ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
+									ClientSecret: "fake-client-secret",
+								},
 								CookieNamePrefix:        "",
 								IdToken:                 &oidcv1.TokenConfig{Preamble: "Bearer", Header: "authorization"},
 								ProxyUri:                "http://fake",
 								RedisSessionStoreConfig: &oidcv1.RedisConfig{ServerUri: "redis://localhost:6379/0"},
 								Scopes:                  []string{scopeOIDC},
-								Logout:                  &oidcv1.LogoutConfig{Path: "/logout", RedirectUri: "http://fake"},
 							},
 						},
 					},
@@ -255,3 +255,97 @@ func TestConfigToJSONString(t *testing.T) {
 		})
 	}
 }
+
+func TestLoadOIDCClientSecret(t *testing.T) {
+	validSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "test-secret",
+		},
+		Data: map[string][]byte{
+			clientSecretKey: []byte("fake-client-secret"),
+		},
+	}
+	invalidSecret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "invalid-secret",
+		},
+		Data: map[string][]byte{
+			clientSecretKey + "-invalid": []byte("fake-client-secret"),
+		},
+	}
+
+	// inject kube client for the test
+	kubeClient = fakeclient.NewClientBuilder().WithObjects(validSecret, invalidSecret).Build()
+
+	tests := []struct {
+		name       string
+		configFile string
+		want       *configv1.Config
+		error      string
+	}{
+		{
+			name:       "valid-secret",
+			configFile: "oidc-with-valid-secret-ref",
+			want: &configv1.Config{
+				ListenAddress: "0.0.0.0",
+				ListenPort:    8080,
+				LogLevel:      "debug",
+				Threads:       1,
+				Chains: []*configv1.FilterChain{
+					{
+						Name: "oidc",
+						Filters: []*configv1.Filter{
+							{
+								Type: &configv1.Filter_Oidc{
+									Oidc: &oidcv1.OIDCConfig{
+										AuthorizationUri: "http://fake",
+										TokenUri:         "http://fake",
+										CallbackUri:      "http://fake",
+										JwksConfig:       &oidcv1.OIDCConfig_Jwks{Jwks: "fake-jwks"},
+										ClientId:         "fake-client-id",
+										ClientSecretConfig: &oidcv1.OIDCConfig_ClientSecret{
+											ClientSecret: "fake-client-secret",
+										},
+										CookieNamePrefix:        "",
+										IdToken:                 &oidcv1.TokenConfig{Preamble: "Bearer", Header: "authorization"},
+										ProxyUri:                "http://fake",
+										RedisSessionStoreConfig: &oidcv1.RedisConfig{ServerUri: "redis://localhost:6379/0"},
+										Scopes:                  []string{scopeOIDC},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			error: "",
+		},
+		{
+			name:       "valid-secret",
+			configFile: "oidc-with-invalid-secret-ref",
+			error:      "client secret not found in secret default/invalid-secret",
+		},
+		{
+			name:       "valid-secret",
+			configFile: "oidc-with-non-existing-secret-ref",
+			error:      "secrets \"non-existing-secret\" not found",
+		},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			var cfg LocalConfigFile
+			g := run.Group{Logger: telemetry.NoopLogger()}
+			g.Register(&cfg)
+			err := g.Run("", "--config-path", fmt.Sprintf("testdata/%s.json", tc.configFile))
+			if tc.error != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.error)
+			} else {
+				require.NoError(t, err)
+				require.True(t, proto.Equal(tc.want, &cfg.Config))
+			}
+		})
+	}
+}

internal/config.go

@@ -9,7 +9,7 @@
         {
           "oidc": {
             "configuration_uri": "http://fake",
-            "callback_uri": "http://fake/callback",
+            "callback_uri": "http://fake",
             "proxy_uri": "http://fake",
             "client_id": "fake-client-id",
             "client_secret": "fake-client-secret",

internal/config_test.go

@@ -5,7 +5,7 @@
   "default_oidc_config": {
     "authorization_uri": "http://default",
     "token_uri": "http://default",
-    "callback_uri": "http://fake/callback",
+    "callback_uri": "http://fake",
     "proxy_uri": "http://fake"
   },
   "chains": [
@@ -24,11 +24,7 @@
               "header": "authorization"
             },
             "redis_session_store_config": {
-              "server_uri": "tcp://localhost:6379/0"
-            },
-            "logout": {
-              "path": "/logout",
-              "redirect_uri": "http://fake"
+              "server_uri": "redis://localhost:6379/0"
             }
           }
         }

internal/testdata/oidc-dynamic.json

@@ -0,0 +1,33 @@
+{
+  "listen_address": "0.0.0.0",
+  "listen_port": 8080,
+  "log_level": "debug",
+  "chains": [
+    {
+      "name": "oidc",
+      "filters": [
+        {
+          "oidc": {
+            "authorization_uri": "http://fake",
+            "token_uri": "http://fake",
+            "callback_uri": "http://fake",
+            "proxy_uri": "http://fake",
+            "jwks": "fake-jwks",
+            "client_id": "fake-client-id",
+            "client_secret_ref": {
+              "namespace": "default",
+              "name": "invalid-secret"
+            },
+            "id_token": {
+              "preamble": "Bearer",
+              "header": "authorization"
+            },
+            "redis_session_store_config": {
+              "server_uri": "redis://localhost:6379/0"
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

internal/testdata/oidc-override.json

@@ -0,0 +1,33 @@
+{
+  "listen_address": "0.0.0.0",
+  "listen_port": 8080,
+  "log_level": "debug",
+  "chains": [
+    {
+      "name": "oidc",
+      "filters": [
+        {
+          "oidc": {
+            "authorization_uri": "http://fake",
+            "token_uri": "http://fake",
+            "callback_uri": "http://fake",
+            "proxy_uri": "http://fake",
+            "jwks": "fake-jwks",
+            "client_id": "fake-client-id",
+            "client_secret_ref": {
+              "namespace": "default",
+              "name": "non-existing-secret"
+            },
+            "id_token": {
+              "preamble": "Bearer",
+              "header": "authorization"
+            },
+            "redis_session_store_config": {
+              "server_uri": "redis://localhost:6379/0"
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

internal/testdata/oidc-with-invalid-secret-ref.json

@@ -0,0 +1,33 @@
+{
+  "listen_address": "0.0.0.0",
+  "listen_port": 8080,
+  "log_level": "debug",
+  "chains": [
+    {
+      "name": "oidc",
+      "filters": [
+        {
+          "oidc": {
+            "authorization_uri": "http://fake",
+            "token_uri": "http://fake",
+            "callback_uri": "http://fake",
+            "proxy_uri": "http://fake",
+            "jwks": "fake-jwks",
+            "client_id": "fake-client-id",
+            "client_secret_ref": {
+              "namespace": "default",
+              "name": "test-secret"
+            },
+            "id_token": {
+              "preamble": "Bearer",
+              "header": "authorization"
+            },
+            "redis_session_store_config": {
+              "server_uri": "redis://localhost:6379/0"
+            }
+          }
+        }
+      ]
+    }
+  ]
+}

internal/testdata/oidc-with-non-existing-secret-ref.json

@@ -10,7 +10,7 @@
           "oidc": {
             "authorization_uri": "http://fake",
             "token_uri": "http://fake",
-            "callback_uri": "http://fake/callback",
+            "callback_uri": "http://fake",
             "proxy_uri": "http://fake",
             "jwks": "fake-jwks",
             "client_id": "fake-client-id",
@@ -21,10 +21,6 @@
             },
             "redis_session_store_config": {
               "server_uri": "redis://localhost:6379/0"
-            },
-            "logout": {
-              "path": "/logout",
-                "redirect_uri": "http://fake"
             }
           }
         }