From a5092a49c787c7387ee74636b9add6ffad75be34 Mon Sep 17 00:00:00 2001 From: Huabing Zhao Date: Tue, 10 Dec 2024 05:28:11 +0000 Subject: [PATCH] add e2e test for OIDC provider with TLS Signed-off-by: Huabing Zhao --- internal/gatewayapi/securitypolicy.go | 75 ++++++-- ...itypolicy-with-oidc-backendcluster.in.yaml | 44 +++++ ...typolicy-with-oidc-backendcluster.out.yaml | 39 ++++- .../xds-ir/oidc-backend-cluster-provider.yaml | 6 + ...idc-backend-cluster-provider.clusters.yaml | 25 +++ ...oidc-backend-cluster-provider.secrets.yaml | 4 + test/e2e/testdata/oidc-keycloak-tls.yaml | 163 ++++++++++++++++++ test/e2e/testdata/oidc-keycloak.yaml | 56 ++++-- .../oidc-securitypolicy-backendcluster.yaml | 65 ++++++- test/e2e/tests/oidc.go | 11 +- test/e2e/tests/oidc_testclient.go | 3 + 11 files changed, 444 insertions(+), 47 deletions(-) create mode 100644 test/e2e/testdata/oidc-keycloak-tls.yaml diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index d21f240f1fa..c9371a3dcb3 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -6,6 +6,8 @@ package gatewayapi import ( + "crypto/tls" + "crypto/x509" "encoding/json" "errors" "fmt" @@ -672,25 +674,10 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources protocol ir.AppProtocol rd *ir.RouteDestination traffic *ir.TrafficFeatures + providerTLS *ir.TLSUpstreamConfig err error ) - // Discover the token and authorization endpoints from the issuer's - // well-known url if not explicitly specified - if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil { - tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer) - if err != nil { - return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err) - } - } else { - tokenEndpoint = *provider.TokenEndpoint - authorizationEndpoint = *provider.AuthorizationEndpoint - } - - if err = validateTokenEndpoint(tokenEndpoint); err != nil { - return nil, err - } - u, err := url.Parse(tokenEndpoint) if err != nil { return nil, err @@ -708,6 +695,31 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources } } + if rd != nil { + for _, st := range rd.Settings { + if st.TLS != nil { + providerTLS = st.TLS + break + } + } + } + + // Discover the token and authorization endpoints from the issuer's + // well-known url if not explicitly specified + if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil { + tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer, providerTLS) + if err != nil { + return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err) + } + } else { + tokenEndpoint = *provider.TokenEndpoint + authorizationEndpoint = *provider.AuthorizationEndpoint + } + + if err = validateTokenEndpoint(tokenEndpoint); err != nil { + return nil, err + } + if traffic, err = translateTrafficFeatures(provider.BackendSettings); err != nil { return nil, err } @@ -764,9 +776,36 @@ type OpenIDConfig struct { AuthorizationEndpoint string `json:"authorization_endpoint"` } -func fetchEndpointsFromIssuer(issuerURL string) (string, string, error) { +func fetchEndpointsFromIssuer(issuerURL string, providerTLS *ir.TLSUpstreamConfig) (string, string, error) { + var tlsConfig *tls.Config + + if providerTLS != nil { + tlsConfig = &tls.Config{ + ServerName: providerTLS.SNI, + MinVersion: tls.VersionTLS13, + } + if providerTLS.CACertificate != nil { + caCertPool := x509.NewCertPool() + caCertPool.AppendCertsFromPEM(providerTLS.CACertificate.Certificate) + tlsConfig.RootCAs = caCertPool + } + for _, cert := range providerTLS.ClientCertificates { + cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey) + if err != nil { + return "", "", err + } + tlsConfig.Certificates = append(tlsConfig.Certificates, cert) + } + } + // Fetch the OpenID configuration from the issuer URL - resp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL)) + client := &http.Client{} + if tlsConfig != nil { + client.Transport = &http.Transport{ + TLSClientConfig: tlsConfig, + } + } + resp, err := client.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL)) if err != nil { return "", "", err } diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml index 67b051e4b31..462f369daaa 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml @@ -99,3 +99,47 @@ securityPolicies: defaultTokenTTL: 30m refreshToken: true defaultRefreshTokenTTL: 24h +configMaps: +- apiVersion: v1 + kind: ConfigMap + metadata: + name: ca-cmap + namespace: envoy-gateway + data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL + BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw + MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G + A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc + 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM + yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b + kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU + Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq + ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR + bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48 + 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/ + BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz + 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J + i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE + A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg + d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1 + 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q== + -----END CERTIFICATE----- +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + name: policy-btls-backend-fqdn + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + validation: + caCertificateRefs: + - name: ca-cmap + group: '' + kind: ConfigMap + hostname: oauth.foo.com diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml index d878bcdb505..43e8fb954b9 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml @@ -1,3 +1,35 @@ +backendTLSPolicies: +- apiVersion: gateway.networking.k8s.io/v1alpha2 + kind: BackendTLSPolicy + metadata: + creationTimestamp: null + name: policy-btls-backend-fqdn + namespace: envoy-gateway + spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-fqdn + validation: + caCertificateRefs: + - group: "" + kind: ConfigMap + name: ca-cmap + hostname: oauth.foo.com + status: + ancestors: + - ancestorRef: + group: gateway.envoyproxy.io + kind: SecurityPolicy + name: policy-for-gateway + namespace: envoy-gateway + conditions: + - lastTransitionTime: null + message: Policy has been accepted. + reason: Accepted + status: "True" + type: Accepted + controllerName: gateway.envoyproxy.io/gatewayclass-controller backends: - apiVersion: gateway.envoyproxy.io/v1alpha1 kind: Backend @@ -234,7 +266,12 @@ xdsIR: endpoints: - host: oauth.foo.com port: 443 - protocol: HTTPS + tls: + alpnProtocols: null + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-backend-fqdn/envoy-gateway-ca + sni: oauth.foo.com weight: 1 tokenEndpoint: https://oauth.foo.com/token traffic: diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml index 993f775947a..d0f7a913e45 100644 --- a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml @@ -40,6 +40,12 @@ http: port: 443 protocol: HTTPS weight: 1 + tls: + alpnProtocols: null + caCertificate: + certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + name: policy-btls-backend-fqdn/envoy-gateway-ca + sni: oauth.foo.com tokenEndpoint: https://oauth.foo.com/token traffic: retry: diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml index 9d60e8e0bed..3f90e1b00a8 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml @@ -35,6 +35,10 @@ address: oauth.foo.com portValue: 443 loadBalancingWeight: 1 + metadata: + filterMetadata: + envoy.transport_socket_match: + name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0 loadBalancingWeight: 1 locality: region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0 @@ -42,4 +46,25 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 respectDnsTtl: true + transportSocketMatches: + - match: + name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0 + name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0 + transportSocket: + name: envoy.transport_sockets.tls + typedConfig: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + commonTlsContext: + combinedValidationContext: + defaultValidationContext: + matchTypedSubjectAltNames: + - matcher: + exact: oauth.foo.com + sanType: DNS + validationContextSdsSecretConfig: + name: policy-btls-backend-fqdn/envoy-gateway-ca + sdsConfig: + ads: {} + resourceApiVersion: V3 + sni: oauth.foo.com type: STRICT_DNS diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml index 398ab6cef7b..20793949c74 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml @@ -1,3 +1,7 @@ +- name: policy-btls-backend-fqdn/envoy-gateway-ca + validationContext: + trustedCa: + inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K - genericSecret: secret: inlineBytes: Y2xpZW50MTpzZWNyZXQK diff --git a/test/e2e/testdata/oidc-keycloak-tls.yaml b/test/e2e/testdata/oidc-keycloak-tls.yaml new file mode 100644 index 00000000000..bc13e451b53 --- /dev/null +++ b/test/e2e/testdata/oidc-keycloak-tls.yaml @@ -0,0 +1,163 @@ +apiVersion: v1 +kind: Service +metadata: + name: keycloak + namespace: gateway-conformance-infra + labels: + app: keycloak +spec: + type: LoadBalancer + ports: + - port: 80 + targetPort: 8080 + name: http-keycloak + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + selector: + app: keycloak +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: keycloak + namespace: gateway-conformance-infra +spec: + replicas: 1 + selector: + matchLabels: + app: keycloak + version: v1 + template: + metadata: + labels: + app: keycloak + version: v1 + spec: + containers: + - name: keycloak + image: quay.io/keycloak/keycloak:26.0.4 + imagePullPolicy: IfNotPresent + args: + - "start-dev" + ports: + - name: https + containerPort: 8443 + protocol: TCP + - name: http + containerPort: 8080 + protocol: TCP + env: + - name: KC_BOOTSTRAP_ADMIN_USERNAME + value: admin + - name: KC_BOOTSTRAP_ADMIN_PASSWORD + value: admin + - name: KC_HOSTNAME + value: "keycloak.gateway-conformance-infra" + - name: KC_HTTPS_CERTIFICATE_FILE + value: "/etc/tls/tls.crt" + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: "/etc/tls/tls.key" + - name: KC_HTTPS_PORT + value: "8443" + - name: KC_HTTP_PORT + value: "8080" + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 5 + tcpSocket: + port: 8443 + volumeMounts: + - name: tls-volume + mountPath: /etc/tls + readOnly: true + volumes: + - name: tls-volume + secret: + secretName: keycloak-tls +--- +apiVersion: v1 +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpVENDQW5HZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREF0TVJVd0V3WURWUVFLREF4bGVHRnQKY0d4bElFbHVZeTR4RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEkwTVRJeE1EQTBNamcxTWxvWApEVE0wTVRJd09EQTBNamcxTWxvd1RERXJNQ2tHQTFVRUF3d2lhMlY1WTJ4dllXc3VaMkYwWlhkaGVTMWpiMjVtCmIzSnRZVzVqWlMxcGJtWnlZVEVkTUJzR0ExVUVDZ3dVWlhoaGJYQnNaU0J2Y21kaGJtbDZZWFJwYjI0d2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDYzZJN3NicGo2OVJhak02L3UxMmpZdmdyUgpYNUx3ZUZmMFVGNlFTWWY5N2xqcHNqYnJ0Und1eFhya09qZDROUSs3em1nZGlBWGEzV2pLNUhZNURPRE9EMW1BCm55VVFRb1JtbTM3bTBEM0kra0ljdmduZzhRSHdoeEtlVDJXUnpRV0tUWmVmZmNTblNLTHJDYmxVZ0kvaFRiaVIKZHNwbnBrNlRKUmEzZ0NEUGwvT1NKNkkrcHUxd1N3ZjIxUURxQS9CVDNqRDB2MjBsejB0a3ZSblgrcDRKby9kMwoxQlFsall3RVhZcGtSWWN4d1I3cFpCM1I0eE5TVWNHaDkxeHRpUnBBdU9qVnNoTmRibThLcHkzdmJkSFZNWFBtClN0aElzZjJhYkU4ZGdFL2hVMHNOengwSWh4SzdVaFJMVjNib0dwSkF5UTNCeHVDcGMwTldhSEpUS2hKL0FnTUIKQUFHamdaUXdnWkV3Q3dZRFZSMFBCQVFEQWdXZ01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQzBHQTFVZApFUVFtTUNTQ0ltdGxlV05zYjJGckxtZGhkR1YzWVhrdFkyOXVabTl5YldGdVkyVXRhVzVtY21Fd0hRWURWUjBPCkJCWUVGRW9QQTA3VHZhVDZRU1NrSk1FMCs5cmNHMWliTUI4R0ExVWRJd1FZTUJhQUZNY1BVdjhtUndaVWdmd0QKNHdGeHZHeWNTVnpvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDdWxrakMxYW9NOTIxclVzcTdUMjdTNTlkTApxRjhDTUFUei8xayttck9RR0QrWkkrV1N6NEYwZTllQjBJRDFNbnZNRzZSdmtmRmU4NU1HNEw1NGdETzQ0aDBrClRHeHFaZDV1Ujc3QVRWNXZ0Q01Nc1VJQWlzR2c0eHh0djI2ZlRiSkhmbnVKdnQ0TmJZNWYzTi8yZEYxNmhQOHEKWVZVZVBzUWdMUXR6enhzNndkSmx4cW9vdWVkNHlCWUxlcVlZYW55cHcvMWNEM2V1Ynk1TnpxbFB2dXlhTDJ2VApKQ0x0MmpxaWRiaXl4M2RhYWJHVnZDTVluNlFOcWhSQkN0ZlFuSklTM1hyWmZDZExyWHMzWml2MHFnTjhraWs3ClBHbXo2NTRzOGd2c1F3QkxYU0pSSEFnZ0hHNUkydy9FOHFZTWVVNTZDTHdTbWcwQTNWRWttSDJoa1FGdwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2M2STdzYnBqNjlSYWoKTTYvdTEyall2Z3JSWDVMd2VGZjBVRjZRU1lmOTdsanBzamJydFJ3dXhYcmtPamQ0TlErN3ptZ2RpQVhhM1dqSwo1SFk1RE9ET0QxbUFueVVRUW9SbW0zN20wRDNJK2tJY3Znbmc4UUh3aHhLZVQyV1J6UVdLVFplZmZjU25TS0xyCkNibFVnSS9oVGJpUmRzcG5wazZUSlJhM2dDRFBsL09TSjZJK3B1MXdTd2YyMVFEcUEvQlQzakQwdjIwbHowdGsKdlJuWCtwNEpvL2QzMUJRbGpZd0VYWXBrUlljeHdSN3BaQjNSNHhOU1VjR2g5MXh0aVJwQXVPalZzaE5kYm04SwpweTN2YmRIVk1YUG1TdGhJc2YyYWJFOGRnRS9oVTBzTnp4MEloeEs3VWhSTFYzYm9HcEpBeVEzQnh1Q3BjME5XCmFISlRLaEovQWdNQkFBRUNnZ0VBUUptbXJrVGlpdi80Ny94SnhNVy9EdTAvT3ZCa2FNakRQWDBSVWNwVVNRR20KYmFESDU4ZEs4UjZ3OStIWUVJK1lDTFIwUFNSUmRNaVBhbWtoRzEvbjlpNXZwUHJnb1k4aFA3VnBTOUlVZmZnNgoyK2FKM3FpYktkSVNva2NDQkVNcXNzUTdWcGpMTEN4Rmx3c0wySFNOeUM3ZGZGWXlBdlovaHlsUDd3QzdnWHZpCjdkbk5yK2Q5c2ZqUGV1eElhUEEyek1tMGs3bmVESlpPSzNqWUpqUjNLWGFpd0NtV09FTlVJWEVVK0VoOFo3TFcKWXFmdWdad255Q1E4MEppdm1Ic0ROalZsTDV5ZUpUQ3hnMWFoWHY4OFlTeG4wYUFqMi9EalNUdC9TUkhRaU8rUAplRVZ2ZlZWUDdKR3hUQWxRUkY5QUc5a2NGZlRDaVhFL25KemJIWnlJOFFLQmdRREk4dnl1WDYyLzlIdDFGQ0s3CjIwWmhhK0ZDZCtpWFh1eWZhQXQveloraTk4eWNZVGVSK0k4WkNUanFuc2Q0a1E1OWQycTU4YytIRURzSTJDZGoKeW5qMURqcGhnblh4U1FabTFKTkgxRSs2ZjF6NjlYamZnMlBJa1RTcUJjVStMTXJDWjErVGhFci96TWFyclpoawp3MjdmMUg1MHh4Q2VIM0twRjVCM3FoQ2VBd0tCZ1FESDVPVnVLKzFnN242aEJsOXR0ZktZK1FYNFVvblFyK2NSCkplL20rZ0wxZVBuQnJwQ2Jid2lLV2dkU1pSbjVKVVRDMC8vSytXSXdSOUczcVMzWGZwWVBJdENNQllNOHIzSzYKUnpFL1ZUSTJFbWIwYWl0dGZTd084Mmd0K2phVnptcElabnF5ZFdnMzRPTEJNbW9kT2wxSkFNaHh5TnJnMEEvMgpkK0ZDdzNEZTFRS0JnUUNqM3FONGY4WHRONjVGOTdtcmdGR1F1S3pseTJyOXBnZElwMHhaV0pIS0VGSG5aTkF3ClZZWThZR3p0eDdYYStFL2N1VGxya1dvdk5ta3QrVGVHQldOR1UrZ0FCS2V4c0Y5c0ZBWlhHU2c3YWdtbERmRVkKTk1sMmtoTmtZM2hLRDdUNWU5dFJMUjBNSlM0T2FtNVFIWitaSUd4UFJ0YWlXL3JoTWJvNkc1R1ppUUtCZ0V6RgpXbUJQdXFGcHQzUjhrQllBdFNXUExuM0twV2RpeDJuTW1qQ3BnSTFxWXZIQjY0UG14dTdyMkxnS1lFbFJ5UERTCm53RURlblIwZ05UNndzSnF1Wk1pbWRuTkhEUW9aZldvOWY4TzUzUGc2VzJoZ1FCUi9LUFpVLytrZzJaUm1ud24KNzZPdWQ5Sk9Lb2hzcGxpSFcrQjN6b1AwMGl0WmZXZjVicWhIaTRmcEFvR0FZb3hxUnQrQVlyRGQvb3dkK3QwaApHajErd0JKdjVMM1J2QWVwbjhqVjQ4bXNidWJKQnJ1b1k2YVNaMTMrRHVma0xFbU1CS1BYeGhRUmI4YXR0YlBKClRHbVRLb2J4c3RMK0F6WWVuNHZ2YTd0Q0E4MTd1Nk4wK2lPcVpDRmZxZXBpUG5MRUt5UHBpbW42d25xQUlaN3AKRkZoZGo2NXJTRUIwYWFWWkc3bzhqQzA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K +kind: Secret +metadata: + name: keycloak-tls + namespace: gateway-conformance-infra +type: kubernetes.io/tls +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: setup-keycloak + namespace: gateway-conformance-infra +spec: + template: + spec: + initContainers: + - name: wait-for-keycloak + image: busybox:stable + command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"] + containers: + - name: setup-keycloak + image: quay.io/keycloak/keycloak:26.0.4 + command: ["bash", "/opt/keycloak/scripts/setup.sh"] + env: + - name: KEYCLOAK_ADMIN + value: admin + - name: KEYCLOAK_ADMIN_PASSWORD + value: admin + volumeMounts: + - name: setup-script + mountPath: /opt/keycloak/scripts + volumes: + - name: setup-script + configMap: + name: setup-keycloak + restartPolicy: Never + backoffLimit: 4 +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: setup-keycloak + namespace: gateway-conformance-infra +data: + setup.sh: | + KEYCLOAK_SERVER="http://keycloak.gateway-conformance-infra" + REALM="master" + USERNAME=oidcuser # This is the user name that will be used for user authentication in Authorization Code Flow + PASSWORD=oidcpassword # This is the user password that will be used for user authentication in Authorization Code Flow + CLIENT_ID=oidctest + CLIENT_SECRET=oidctest-client-secret + REDIRECT_URL=http://www.example.com/myapp/oauth2/callback + + set -ex + + /opt/keycloak/bin/kcadm.sh create users \ + -s username="${USERNAME}" \ + -s enabled=true \ + --server "${KEYCLOAK_SERVER}" \ + --realm "${REALM}" \ + --user "${KEYCLOAK_ADMIN}" \ + --password "${KEYCLOAK_ADMIN_PASSWORD}" + + /opt/keycloak/bin/kcadm.sh set-password \ + --username "${USERNAME}" \ + --new-password "${PASSWORD}" \ + --server "${KEYCLOAK_SERVER}" \ + --realm "${REALM}" \ + --user "${KEYCLOAK_ADMIN}" \ + --password "${KEYCLOAK_ADMIN_PASSWORD}" + + /opt/keycloak/bin/kcreg.sh create \ + -s clientId="${CLIENT_ID}" \ + -s secret="${CLIENT_SECRET}" \ + -s "redirectUris=[\"${REDIRECT_URL}\"]" \ + -s consentRequired=false \ + --server "${KEYCLOAK_SERVER}" \ + --realm "${REALM}" \ + --user "${KEYCLOAK_ADMIN}" \ + --password "${KEYCLOAK_ADMIN_PASSWORD}" diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml index 8921b9eb204..bc13e451b53 100644 --- a/test/e2e/testdata/oidc-keycloak.yaml +++ b/test/e2e/testdata/oidc-keycloak.yaml @@ -12,17 +12,13 @@ spec: targetPort: 8080 name: http-keycloak protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP selector: app: keycloak --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: keycloak - namespace: gateway-conformance-infra - labels: - app: keycloak ---- apiVersion: apps/v1 kind: Deployment metadata: @@ -40,7 +36,6 @@ spec: app: keycloak version: v1 spec: - serviceAccountName: keycloak containers: - name: keycloak image: quay.io/keycloak/keycloak:26.0.4 @@ -48,19 +43,50 @@ spec: args: - "start-dev" ports: - - name: keycloak + - name: https + containerPort: 8443 + protocol: TCP + - name: http containerPort: 8080 protocol: TCP env: - - name: KEYCLOAK_ADMIN + - name: KC_BOOTSTRAP_ADMIN_USERNAME value: admin - - name: KEYCLOAK_ADMIN_PASSWORD + - name: KC_BOOTSTRAP_ADMIN_PASSWORD value: admin + - name: KC_HOSTNAME + value: "keycloak.gateway-conformance-infra" + - name: KC_HTTPS_CERTIFICATE_FILE + value: "/etc/tls/tls.crt" + - name: KC_HTTPS_CERTIFICATE_KEY_FILE + value: "/etc/tls/tls.key" + - name: KC_HTTPS_PORT + value: "8443" + - name: KC_HTTP_PORT + value: "8080" readinessProbe: initialDelaySeconds: 5 periodSeconds: 5 tcpSocket: - port: 8080 + port: 8443 + volumeMounts: + - name: tls-volume + mountPath: /etc/tls + readOnly: true + volumes: + - name: tls-volume + secret: + secretName: keycloak-tls +--- +apiVersion: v1 +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpVENDQW5HZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREF0TVJVd0V3WURWUVFLREF4bGVHRnQKY0d4bElFbHVZeTR4RkRBU0JnTlZCQU1NQzJWNFlXMXdiR1V1WTI5dE1CNFhEVEkwTVRJeE1EQTBNamcxTWxvWApEVE0wTVRJd09EQTBNamcxTWxvd1RERXJNQ2tHQTFVRUF3d2lhMlY1WTJ4dllXc3VaMkYwWlhkaGVTMWpiMjVtCmIzSnRZVzVqWlMxcGJtWnlZVEVkTUJzR0ExVUVDZ3dVWlhoaGJYQnNaU0J2Y21kaGJtbDZZWFJwYjI0d2dnRWkKTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDYzZJN3NicGo2OVJhak02L3UxMmpZdmdyUgpYNUx3ZUZmMFVGNlFTWWY5N2xqcHNqYnJ0Und1eFhya09qZDROUSs3em1nZGlBWGEzV2pLNUhZNURPRE9EMW1BCm55VVFRb1JtbTM3bTBEM0kra0ljdmduZzhRSHdoeEtlVDJXUnpRV0tUWmVmZmNTblNLTHJDYmxVZ0kvaFRiaVIKZHNwbnBrNlRKUmEzZ0NEUGwvT1NKNkkrcHUxd1N3ZjIxUURxQS9CVDNqRDB2MjBsejB0a3ZSblgrcDRKby9kMwoxQlFsall3RVhZcGtSWWN4d1I3cFpCM1I0eE5TVWNHaDkxeHRpUnBBdU9qVnNoTmRibThLcHkzdmJkSFZNWFBtClN0aElzZjJhYkU4ZGdFL2hVMHNOengwSWh4SzdVaFJMVjNib0dwSkF5UTNCeHVDcGMwTldhSEpUS2hKL0FnTUIKQUFHamdaUXdnWkV3Q3dZRFZSMFBCQVFEQWdXZ01CTUdBMVVkSlFRTU1Bb0dDQ3NHQVFVRkJ3TUJNQzBHQTFVZApFUVFtTUNTQ0ltdGxlV05zYjJGckxtZGhkR1YzWVhrdFkyOXVabTl5YldGdVkyVXRhVzVtY21Fd0hRWURWUjBPCkJCWUVGRW9QQTA3VHZhVDZRU1NrSk1FMCs5cmNHMWliTUI4R0ExVWRJd1FZTUJhQUZNY1BVdjhtUndaVWdmd0QKNHdGeHZHeWNTVnpvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFDdWxrakMxYW9NOTIxclVzcTdUMjdTNTlkTApxRjhDTUFUei8xayttck9RR0QrWkkrV1N6NEYwZTllQjBJRDFNbnZNRzZSdmtmRmU4NU1HNEw1NGdETzQ0aDBrClRHeHFaZDV1Ujc3QVRWNXZ0Q01Nc1VJQWlzR2c0eHh0djI2ZlRiSkhmbnVKdnQ0TmJZNWYzTi8yZEYxNmhQOHEKWVZVZVBzUWdMUXR6enhzNndkSmx4cW9vdWVkNHlCWUxlcVlZYW55cHcvMWNEM2V1Ynk1TnpxbFB2dXlhTDJ2VApKQ0x0MmpxaWRiaXl4M2RhYWJHVnZDTVluNlFOcWhSQkN0ZlFuSklTM1hyWmZDZExyWHMzWml2MHFnTjhraWs3ClBHbXo2NTRzOGd2c1F3QkxYU0pSSEFnZ0hHNUkydy9FOHFZTWVVNTZDTHdTbWcwQTNWRWttSDJoa1FGdwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2M2STdzYnBqNjlSYWoKTTYvdTEyall2Z3JSWDVMd2VGZjBVRjZRU1lmOTdsanBzamJydFJ3dXhYcmtPamQ0TlErN3ptZ2RpQVhhM1dqSwo1SFk1RE9ET0QxbUFueVVRUW9SbW0zN20wRDNJK2tJY3Znbmc4UUh3aHhLZVQyV1J6UVdLVFplZmZjU25TS0xyCkNibFVnSS9oVGJpUmRzcG5wazZUSlJhM2dDRFBsL09TSjZJK3B1MXdTd2YyMVFEcUEvQlQzakQwdjIwbHowdGsKdlJuWCtwNEpvL2QzMUJRbGpZd0VYWXBrUlljeHdSN3BaQjNSNHhOU1VjR2g5MXh0aVJwQXVPalZzaE5kYm04SwpweTN2YmRIVk1YUG1TdGhJc2YyYWJFOGRnRS9oVTBzTnp4MEloeEs3VWhSTFYzYm9HcEpBeVEzQnh1Q3BjME5XCmFISlRLaEovQWdNQkFBRUNnZ0VBUUptbXJrVGlpdi80Ny94SnhNVy9EdTAvT3ZCa2FNakRQWDBSVWNwVVNRR20KYmFESDU4ZEs4UjZ3OStIWUVJK1lDTFIwUFNSUmRNaVBhbWtoRzEvbjlpNXZwUHJnb1k4aFA3VnBTOUlVZmZnNgoyK2FKM3FpYktkSVNva2NDQkVNcXNzUTdWcGpMTEN4Rmx3c0wySFNOeUM3ZGZGWXlBdlovaHlsUDd3QzdnWHZpCjdkbk5yK2Q5c2ZqUGV1eElhUEEyek1tMGs3bmVESlpPSzNqWUpqUjNLWGFpd0NtV09FTlVJWEVVK0VoOFo3TFcKWXFmdWdad255Q1E4MEppdm1Ic0ROalZsTDV5ZUpUQ3hnMWFoWHY4OFlTeG4wYUFqMi9EalNUdC9TUkhRaU8rUAplRVZ2ZlZWUDdKR3hUQWxRUkY5QUc5a2NGZlRDaVhFL25KemJIWnlJOFFLQmdRREk4dnl1WDYyLzlIdDFGQ0s3CjIwWmhhK0ZDZCtpWFh1eWZhQXQveloraTk4eWNZVGVSK0k4WkNUanFuc2Q0a1E1OWQycTU4YytIRURzSTJDZGoKeW5qMURqcGhnblh4U1FabTFKTkgxRSs2ZjF6NjlYamZnMlBJa1RTcUJjVStMTXJDWjErVGhFci96TWFyclpoawp3MjdmMUg1MHh4Q2VIM0twRjVCM3FoQ2VBd0tCZ1FESDVPVnVLKzFnN242aEJsOXR0ZktZK1FYNFVvblFyK2NSCkplL20rZ0wxZVBuQnJwQ2Jid2lLV2dkU1pSbjVKVVRDMC8vSytXSXdSOUczcVMzWGZwWVBJdENNQllNOHIzSzYKUnpFL1ZUSTJFbWIwYWl0dGZTd084Mmd0K2phVnptcElabnF5ZFdnMzRPTEJNbW9kT2wxSkFNaHh5TnJnMEEvMgpkK0ZDdzNEZTFRS0JnUUNqM3FONGY4WHRONjVGOTdtcmdGR1F1S3pseTJyOXBnZElwMHhaV0pIS0VGSG5aTkF3ClZZWThZR3p0eDdYYStFL2N1VGxya1dvdk5ta3QrVGVHQldOR1UrZ0FCS2V4c0Y5c0ZBWlhHU2c3YWdtbERmRVkKTk1sMmtoTmtZM2hLRDdUNWU5dFJMUjBNSlM0T2FtNVFIWitaSUd4UFJ0YWlXL3JoTWJvNkc1R1ppUUtCZ0V6RgpXbUJQdXFGcHQzUjhrQllBdFNXUExuM0twV2RpeDJuTW1qQ3BnSTFxWXZIQjY0UG14dTdyMkxnS1lFbFJ5UERTCm53RURlblIwZ05UNndzSnF1Wk1pbWRuTkhEUW9aZldvOWY4TzUzUGc2VzJoZ1FCUi9LUFpVLytrZzJaUm1ud24KNzZPdWQ5Sk9Lb2hzcGxpSFcrQjN6b1AwMGl0WmZXZjVicWhIaTRmcEFvR0FZb3hxUnQrQVlyRGQvb3dkK3QwaApHajErd0JKdjVMM1J2QWVwbjhqVjQ4bXNidWJKQnJ1b1k2YVNaMTMrRHVma0xFbU1CS1BYeGhRUmI4YXR0YlBKClRHbVRLb2J4c3RMK0F6WWVuNHZ2YTd0Q0E4MTd1Nk4wK2lPcVpDRmZxZXBpUG5MRUt5UHBpbW42d25xQUlaN3AKRkZoZGo2NXJTRUIwYWFWWkc3bzhqQzA9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K +kind: Secret +metadata: + name: keycloak-tls + namespace: gateway-conformance-infra +type: kubernetes.io/tls --- apiVersion: batch/v1 kind: Job @@ -76,7 +102,7 @@ spec: command: ["sh", "-c", "until nc -v -z -w3 keycloak 80; do sleep 2; done"] containers: - name: setup-keycloak - image: quay.io/keycloak/keycloak:23.0.6 + image: quay.io/keycloak/keycloak:26.0.4 command: ["bash", "/opt/keycloak/scripts/setup.sh"] env: - name: KEYCLOAK_ADMIN @@ -100,7 +126,7 @@ metadata: namespace: gateway-conformance-infra data: setup.sh: | - KEYCLOAK_SERVER="http://keycloak" + KEYCLOAK_SERVER="http://keycloak.gateway-conformance-infra" REALM="master" USERNAME=oidcuser # This is the user name that will be used for user authentication in Authorization Code Flow PASSWORD=oidcpassword # This is the user password that will be used for user authentication in Authorization Code Flow diff --git a/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml index 2e1a86791ec..2be4a7c1df0 100644 --- a/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml +++ b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml @@ -17,19 +17,20 @@ spec: - name: infra-backend-v1 port: 8080 --- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute metadata: - name: http-keycloak + name: tls-keycloak namespace: gateway-conformance-infra spec: parentRefs: - name: same-namespace + sectionName: tls hostnames: ["keycloak.gateway-conformance-infra"] rules: - backendRefs: - name: keycloak - port: 80 + port: 443 --- apiVersion: v1 kind: Secret @@ -55,7 +56,7 @@ spec: - group: gateway.envoyproxy.io kind: Backend name: backend-keycloak - port: 80 + port: 443 backendSettings: retry: numRetries: 3 @@ -65,9 +66,9 @@ spec: maxInterval: 5s retryOn: triggers: ["5xx", "gateway-error", "reset"] - issuer: "http://keycloak.gateway-conformance-infra/realms/master" - authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" - tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" + issuer: "https://keycloak.gateway-conformance-infra/realms/master" + authorizationEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" + tokenEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" clientID: "oidctest" clientSecret: name: "oidctest-secret" @@ -83,4 +84,50 @@ spec: endpoints: - fqdn: hostname: 'keycloak.gateway-conformance-infra' - port: 80 + port: 443 +--- +apiVersion: gateway.networking.k8s.io/v1alpha3 +kind: BackendTLSPolicy +metadata: + name: policy-btls + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.envoyproxy.io + kind: Backend + name: backend-keycloak + sectionName: "443" + validation: + caCertificateRefs: + - name: backend-tls-certificate + group: "" + kind: ConfigMap + hostname: keycloak.gateway-conformance-infra +--- +apiVersion: v1 +data: + ca.crt: | + -----BEGIN CERTIFICATE----- + MIIDOzCCAiOgAwIBAgIUahcFD8171YtKA154CofK6qg+k1IwDQYJKoZIhvcNAQEL + BQAwLTEVMBMGA1UECgwMZXhhbXBsZSBJbmMuMRQwEgYDVQQDDAtleGFtcGxlLmNv + bTAeFw0yNDEyMTAwNDI2NThaFw0zNDEyMDgwNDI2NThaMC0xFTATBgNVBAoMDGV4 + YW1wbGUgSW5jLjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDOqJMGma+m2c6T9roGr++hA0N0rzuBjUP6aPJNrLqA + kZ6MNIkXlrGA+tCjQHkQoPoR/9Jh6A0fKGsI/+X8CbmWIPhmrk/rydUV1Jq/Hld8 + pNw2o0EAeeGLQ0jPlcIYHGghzgwKm97jXvaFtb2twX9mwexXp/jswXYHWzDXaDR7 + aR7bE7EmOwzg3l9lD8uzkN91Jbo2nilbstQb3w849FdysubzxOT9loO1xdmb/YmS + tFW4S7svCKvyGeuj1tWLfFq7Qc7g5X3ORoJ8jaT1GzR0KKM94BPsgu68jTK47yRo + VVxGDJKoZZtiDMKTiCXnfJdMcOcjYhefEG58xBvsJuJpAgMBAAGjUzBRMB0GA1Ud + DgQWBBTHD1L/JkcGVIH8A+MBcbxsnElc6DAfBgNVHSMEGDAWgBTHD1L/JkcGVIH8 + A+MBcbxsnElc6DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC7 + bJ34O8upnL+Tmmzz38kVf6v+jL5BBnS6vlLKqyGZwGjmZmQjO/3eUMHUTZYMyvK2 + CDVcfVROgAMl6r38xA8Q5OfOroVt3bedxSDkB287/c8ACgctahe+rwpUigUI+W7u + FZqYsCbWq6T/olOm9LtHFMTEGOYmyaRk4zEOLars5eq8TrbBJ34ofqNXevA/y/vK + b8JIfPJxLsjjg59Rsc2KkhfdkR+tttOIFm0Kb2m5TLfpfg65EpDiVONFev1OOidz + CPKXGaW4hXk+47kIxfjnWjLGjQSAG2LsC/2II/aYIx5V/CJyQ9jMbS09pF1nwrbw + gkEmTDQtOfi1e5I7rHJm + -----END CERTIFICATE----- +kind: ConfigMap +metadata: + name: backend-tls-certificate + namespace: gateway-conformance-infra diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index ccc11bc02c5..6310e073cf2 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -10,6 +10,7 @@ package tests import ( "context" "io" + "net" "net/http" "regexp" "testing" @@ -105,8 +106,9 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan routeNN := types.NamespacedName{Name: route, Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeNN) - + httpGWAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "http"), routeNN) + host, _, _ := net.SplitHostPort(httpGWAddr) + tlsGWAddr := net.JoinHostPort(host, "443") ancestorRef := gwapiv1a2.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), Kind: gatewayapi.KindPtr(resource.KindGateway), @@ -125,8 +127,9 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan WithLoggingOptions(t.Log, true), // Map the application and keycloak cluster DNS name to the gateway address WithCustomAddressMappings(map[string]string{ - "www.example.com:80": gwAddr, - "keycloak.gateway-conformance-infra:80": gwAddr, + "www.example.com:80": httpGWAddr, + "keycloak.gateway-conformance-infra:80": httpGWAddr, + "keycloak.gateway-conformance-infra:443": tlsGWAddr, }), ) require.NoError(t, err) diff --git a/test/e2e/tests/oidc_testclient.go b/test/e2e/tests/oidc_testclient.go index 2f1cc4d5983..03a3c6110af 100644 --- a/test/e2e/tests/oidc_testclient.go +++ b/test/e2e/tests/oidc_testclient.go @@ -23,6 +23,7 @@ package tests import ( "context" + "crypto/tls" "fmt" "io" "net" @@ -150,6 +151,8 @@ func NewOIDCTestClient(opts ...Option) (*OIDCTestClient, error) { if client.mappings != nil { defaultTransport.DialContext = client.mappings.DialContext } + // nolint: gosec + defaultTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} return client, nil }