From d9dc4eb9b57c4ed9d4a27756930976c5abfc8e94 Mon Sep 17 00:00:00 2001
From: Huabing Zhao
Date: Fri, 6 Dec 2024 13:42:44 +0000
Subject: [PATCH] use tls config from BTP to fetch oidc provider endpoints
Signed-off-by: Huabing Zhao
---
 internal/crypto/cert_load.go | 2 +-
 internal/gatewayapi/securitypolicy.go | 55 +++++++++++++++---
 ...itypolicy-with-oidc-backendcluster.in.yaml | 44 ++++++++++++++
 ...typolicy-with-oidc-backendcluster.out.yaml | 38 ++++++++++++
 .../xds-ir/oidc-backend-cluster-provider.yaml | 6 ++
 ...idc-backend-cluster-provider.clusters.yaml | 25 ++++++++
 ...oidc-backend-cluster-provider.secrets.yaml | 4 ++
 test/e2e/testdata/oidc-keycloak.yaml | 58 ++++++++++++++++---
 .../oidc-securitypolicy-backendcluster.yaml | 54 +++++++++++++++--
 9 files changed, 262 insertions(+), 24 deletions(-)
diff --git a/internal/crypto/cert_load.go b/internal/crypto/cert_load.go
index f00dec1d9a3..de71f9a560a 100644
--- a/internal/crypto/cert_load.go
+++ b/internal/crypto/cert_load.go
@@ -35,7 +35,7 @@ func LoadTLSConfig(tlsCrt, tlsKey, caCrt string) (*tls.Config, error) {
 return &tls.Config{
 Certificates: []tls.Certificate{cert},
 NextProtos: []string{"h2"},
- ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientAuth: tls.RequireAndVerifyClientCert ,
 ClientCAs: certPool,
 MinVersion: tls.VersionTLS13,
 }, nil
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index d21f240f1fa..ca1e3f1fc2c 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -6,6 +6,8 @@ package gatewayapi
 import (
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "errors"
 "fmt"
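Review bot: The only edit in the cert_load.go hunk is a space inserted before the comma in `ClientAuth: tls.RequireAndVerifyClientCert ,`, which is not gofmt-clean and is unrelated to the commit's subject; it looks accidental and should be reverted to `ClientAuth: tls.RequireAndVerifyClientCert,`. LoadTLSConfig's signature and the rest of its body lie outside the hunk.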
@@ -672,13 +674,28 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
 protocol ir.AppProtocol
 rd *ir.RouteDestination
 traffic *ir.TrafficFeatures
+ providerTLS *ir.TLSUpstreamConfig
 err error
 )
+ if len(provider.BackendRefs) > 0 {
+ if rd, err = t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, resources, envoyProxy, "oidc", 0); err != nil {
+ return nil, err
+ }
+ }
+
+ if rd != nil {
+ for _, st := range rd.Settings {
+ if st.TLS != nil {
+ providerTLS = st.TLS
+ break
+ }
+ }
+ }
 // Discover the token and authorization endpoints from the issuer's
 // well-known url if not explicitly specified
 if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
- tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer)
+ tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer, providerTLS)
 if err != nil {
 return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err)
 }
@@ -702,12 +719,6 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
 protocol = ir.HTTP
 }
- if len(provider.BackendRefs) > 0 {
- if rd, err = t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, resources, envoyProxy, "oidc", 0); err != nil {
- return nil, err
- }
- }
-
 if traffic, err = translateTrafficFeatures(provider.BackendSettings); err != nil {
 return nil, err
 }
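Review bot: The relocated `t.translateExtServiceBackendRefs(policy, provider.BackendRefs, protocol, ...)` call now runs while `protocol` still holds the zero value of `ir.AppProtocol`: the second hunk deletes the original call that sat after the `protocol = ir.HTTP` assignment visible in its context, and nothing between the `var (...)` block and the new call assigns `protocol`. If the cluster translation uses that argument (the parameter suggests it does), the OIDC provider backend is now built with the wrong application protocol; either move the scheme-derived `protocol` assignment ahead of the call, or keep the early call only to obtain `providerTLS` and re-translate the backendRefs once `protocol` is known. The `for _, st := range rd.Settings` loop takes the first setting's TLS config without explanation; a comment such as `// all settings of the provider's backendRefs share one BackendTLSPolicy, so the first TLS config is representative` would record the assumption if it holds. buildOIDCProvider begins before this hunk and continues past the second one.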
@@ -764,9 +775,35 @@ type OpenIDConfig struct {
 AuthorizationEndpoint string `json:"authorization_endpoint"`
 }
-func fetchEndpointsFromIssuer(issuerURL string) (string, string, error) {
+func fetchEndpointsFromIssuer(issuerURL string, providerTLS *ir.TLSUpstreamConfig) (string, string, error) {
+ var tlsConfig *tls.Config
+
+ if providerTLS != nil {
+ tlsConfig := &tls.Config{
+ ServerName: providerTLS.SNI,
+ }
+ if providerTLS.CACertificate != nil {
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM(providerTLS.CACertificate.Certificate)
+ tlsConfig.RootCAs = caCertPool
+ }
+ for _, cert := range providerTLS.ClientCertificates {
+ cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+ if err != nil {
+ return "", "", err
+ }
+ tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+ }
+ }
+
 // Fetch the OpenID configuration from the issuer URL
- resp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
+ client := &http.Client{}
+ if tlsConfig != nil {
+ client.Transport = &http.Transport{
+ TLSClientConfig: tlsConfig,
+ }
+ }
+ resp, err := client.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
 if err != nil {
 return "", "", err
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml
index 67b051e4b31..5042dad1479 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml
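Review bot: `tlsConfig := &tls.Config{` inside `if providerTLS != nil {` declares a new variable that shadows the outer `var tlsConfig *tls.Config`, so the outer one stays nil, `client.Transport` is never set, and the CA and client certificates taken from the BackendTLSPolicy are silently dropped — the discovery request goes out over the default transport with system roots; it must be `tlsConfig = &tls.Config{`. The boolean returned by `caCertPool.AppendCertsFromPEM(providerTLS.CACertificate.Certificate)` is ignored, so a malformed CA bundle produces an empty pool and a confusing verification failure instead of a clear error, and the new `&http.Client{}` still carries no `Timeout` (the old `http.Get` lacked one as well). The loop `for _, cert := range providerTLS.ClientCertificates` immediately redeclares `cert` via `cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)`; it compiles, but a distinct name such as `pair` reads better. A unit test that hands a non-nil providerTLS to this function against an `httptest.NewTLSServer` would have caught the shadowing, because the e2e policy in this commit sets both endpoints explicitly and so never reaches this path.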
@@ -99,3 +99,47 @@ securityPolicies:
 defaultTokenTTL: 30m
 refreshToken: true
 defaultRefreshTokenTTL: 24h
+configMaps:
+ - apiVersion: v1
+ kind: ConfigMap
+ metadata:
+ name: ca-cmap
+ namespace: envoy-gateway
+ data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
+ BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
+ MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
+ A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
+ 1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
+ yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
+ kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
+ Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
+ ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
+ bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
+ 6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
+ BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
+ 2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
+ i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
+ A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
+ d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
+ 3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
+ -----END CERTIFICATE-----
+backendTLSPolicies:
+ - apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ name: policy-btls-backend-fqdn
+ namespace: envoy-gateway
+ spec:
+ targetRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-fqdn
+ validation:
+ caCertificateRefs:
+ - name: ca-cmap
+ group: ''
+ kind: ConfigMap
+ hostname: oauth.foo.com
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml
index d878bcdb505..d0bb9f408bd 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml
@@ -1,3 +1,35 @@
+backendTLSPolicies:
+- apiVersion: gateway.networking.k8s.io/v1alpha2
+ kind: BackendTLSPolicy
+ metadata:
+ creationTimestamp: null
+ name: policy-btls-backend-fqdn
+ namespace: envoy-gateway
+ spec:
+ targetRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-fqdn
+ validation:
+ caCertificateRefs:
+ - group: ""
+ kind: ConfigMap
+ name: ca-cmap
+ hostname: oauth.foo.com
+ status:
+ ancestors:
+ - ancestorRef:
+ group: gateway.envoyproxy.io
+ kind: SecurityPolicy
+ name: policy-for-gateway
+ namespace: envoy-gateway
+ conditions:
+ - lastTransitionTime: null
+ message: Policy has been accepted.
+ reason: Accepted
+ status: "True"
+ type: Accepted
+ controllerName: gateway.envoyproxy.io/gatewayclass-controller
 backends:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
@@ -235,6 +267,12 @@ xdsIR:
 - host: oauth.foo.com
 port: 443
 protocol: HTTPS
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ certificate: 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
+ name: policy-btls-backend-fqdn/envoy-gateway-ca
+ sni: oauth.foo.com
 weight: 1
 tokenEndpoint: https://oauth.foo.com/token
 traffic:
diff --git a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
index 993f775947a..d0f7a913e45 100644
--- a/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
@@ -40,6 +40,12 @@ http:
 port: 443
 protocol: HTTPS
 weight: 1
+ tls:
+ alpnProtocols: null
+ caCertificate:
+ certificate: 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
+ name: policy-btls-backend-fqdn/envoy-gateway-ca
+ sni: oauth.foo.com
 tokenEndpoint: https://oauth.foo.com/token
 traffic:
 retry:
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml
index 9d60e8e0bed..3f90e1b00a8 100644
--- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml
@@ -35,6 +35,10 @@
 address: oauth.foo.com
 portValue: 443
 loadBalancingWeight: 1
+ metadata:
+ filterMetadata:
+ envoy.transport_socket_match:
+ name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
 loadBalancingWeight: 1
 locality:
 region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0
@@ -42,4 +46,25 @@
 outlierDetection: {}
 perConnectionBufferLimitBytes: 32768
 respectDnsTtl: true
+ transportSocketMatches:
+ - match:
+ name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
+ name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
+ transportSocket:
+ name: envoy.transport_sockets.tls
+ typedConfig:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ commonTlsContext:
+ combinedValidationContext:
+ defaultValidationContext:
+ matchTypedSubjectAltNames:
+ - matcher:
+ exact: oauth.foo.com
+ sanType: DNS
+ validationContextSdsSecretConfig:
+ name: policy-btls-backend-fqdn/envoy-gateway-ca
+ sdsConfig:
+ ads: {}
+ resourceApiVersion: V3
+ sni: oauth.foo.com
 type: STRICT_DNS
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml
index 398ab6cef7b..20793949c74 100644
--- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml
@@ -1,3 +1,7 @@
+- name: policy-btls-backend-fqdn/envoy-gateway-ca
+ validationContext:
+ trustedCa:
+ inlineBytes: 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
 - genericSecret:
 secret:
 inlineBytes: Y2xpZW50MTpzZWNyZXQK
diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml
index 8921b9eb204..4787f936638 100644
--- a/test/e2e/testdata/oidc-keycloak.yaml
+++ b/test/e2e/testdata/oidc-keycloak.yaml
@@ -10,18 +10,27 @@ spec:
 ports:
 - port: 80
 targetPort: 8080
- name: http-keycloak
+ name: http
 protocol: TCP
 selector:
 app: keycloak
 ---
 apiVersion: v1
-kind: ServiceAccount
+kind: Service
 metadata:
- name: keycloak
+ name: keycloak-https
 namespace: gateway-conformance-infra
 labels:
 app: keycloak
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 443
+ targetPort: 8443
+ name: https
+ protocol: TCP
+ selector:
+ app: keycloak
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -40,7 +49,6 @@ spec:
 app: keycloak
 version: v1
 spec:
- serviceAccountName: keycloak
 containers:
 - name: keycloak
 image: quay.io/keycloak/keycloak:26.0.4
@@ -48,19 +56,50 @@ spec:
 args:
 - "start-dev"
 ports:
- - name: keycloak
+ - name: http
 containerPort: 8080
 protocol: TCP
+ - name: https
+ containerPort: 8443
+ protocol: TCP
 env:
- - name: KEYCLOAK_ADMIN
+ - name: KC_BOOTSTRAP_ADMIN_USERNAME
 value: admin
- - name: KEYCLOAK_ADMIN_PASSWORD
+ - name: KC_BOOTSTRAP_ADMIN_PASSWORD
 value: admin
+ - name: KC_HOSTNAME
+ value: "keycloak.gateway-conformance-infra"
+ - name: KC_HTTPS_CERTIFICATE_FILE
+ value: "/etc/tls/tls.crt"
+ - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+ value: "/etc/tls/tls.key"
+ - name: KC_HTTP_PORT
+ value: "8080"
+ - name: KC_HTTPS_PORT
+ value: "8443"
 readinessProbe:
 initialDelaySeconds: 5
 periodSeconds: 5
 tcpSocket:
 port: 8080
+ volumeMounts:
+ - name: tls-volume
+ mountPath: /etc/tls
+ readOnly: true
+ volumes:
+ - name: tls-volume
+ secret:
+ secretName: keycloak-tls
+---
+apiVersion: v1
+data:
+ tls.crt: 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
+ tls.key: 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
+kind: Secret
+metadata:
+ name: keycloak-tls
+ namespace: gateway-conformance-infra
+type: kubernetes.io/tls
 ---
 apiVersion: batch/v1
 kind: Job
@@ -106,7 +145,8 @@ data:
 PASSWORD=oidcpassword # This is the user password that will be used for user authentication in Authorization Code Flow
 CLIENT_ID=oidctest
 CLIENT_SECRET=oidctest-client-secret
- REDIRECT_URL=http://www.example.com/myapp/oauth2/callback
+ HTTP_REDIRECT_URL=http://www.example.com/myapp/oauth2/callback
+ HTTPS_REDIRECT_URL=https://www.example.com/myapp/oauth2/callback
 set -ex
@@ -129,7 +169,7 @@ data:
 /opt/keycloak/bin/kcreg.sh create \
 -s clientId="${CLIENT_ID}" \
 -s secret="${CLIENT_SECRET}" \
- -s "redirectUris=[\"${REDIRECT_URL}\"]" \
+ -s "redirectUris=[\"${HTTP_REDIRECT_URL}\", \"${HTTPS_REDIRECT_URL}\"]" \
 -s consentRequired=false \
 --server "${KEYCLOAK_SERVER}" \
 --realm "${REALM}" \
diff --git a/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
index 2e1a86791ec..594b89f7405 100644
--- a/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
+++ b/test/e2e/testdata/oidc-securitypolicy-backendcluster.yaml
@@ -55,7 +55,7 @@ spec:
 - group: gateway.envoyproxy.io
 kind: Backend
 name: backend-keycloak
- port: 80
+ port: 443
 backendSettings:
 retry:
 numRetries: 3
@@ -65,9 +65,9 @@ spec:
 maxInterval: 5s
 retryOn:
 triggers: ["5xx", "gateway-error", "reset"]
- issuer: "http://keycloak.gateway-conformance-infra/realms/master"
- authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth"
- tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token"
+ issuer: "https://keycloak.gateway-conformance-infra/realms/master"
+ authorizationEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth"
+ tokenEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token"
 clientID: "oidctest"
 clientSecret:
 name: "oidctest-secret"
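Review bot: This policy sets `authorizationEndpoint` and `tokenEndpoint` explicitly, so `buildOIDCProvider` never calls `fetchEndpointsFromIssuer` for it (that call is guarded by `provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil`), and the TLS-aware discovery this commit adds is not exercised by the e2e test. Removing those two lines and keeping only `issuer: "https://keycloak.gateway-conformance-infra/realms/master"` would make the test discover the endpoints over TLS through the BackendTLSPolicy CA added in the next hunk; alternatively a second SecurityPolicy without explicit endpoints would cover both shapes. The e2e BackendTLSPolicy uses `gateway.networking.k8s.io/v1alpha3` while the translator testdata in this commit uses `v1alpha2`; presumably both are served by the controller, but that is worth confirming.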
@@ -83,4 +83,48 @@ spec:
 endpoints:
 - fqdn:
 hostname: 'keycloak.gateway-conformance-infra'
- port: 80
+ port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+ name: policy-btls
+ namespace: gateway-conformance-infra
+spec:
+ targetRefs:
+ - group: gateway.envoyproxy.io
+ kind: Backend
+ name: backend-keycloak
+ sectionName: "443"
+ validation:
+ caCertificateRefs:
+ - name: backend-tls-certificate
+ group: ""
+ kind: ConfigMap
+ hostname: keycloak.gateway-conformance-infra
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIC8TCCAdkCAQAwDQYJKoZIhvcNAQELBQAwLTEVMBMGA1UECgwMZXhhbXBsZSBJ
+ bmMuMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0yNDEyMDkwNzUwNDlaFw0yNTEy
+ MDkwNzUwNDlaMFAxLzAtBgNVBAMMJmtleWNsb2FrLXRscy5nYXRld2F5LWNvbmZv
+ cm1hbmNlLWluZnJhMR0wGwYDVQQKDBRleGFtcGxlIG9yZ2FuaXphdGlvbjCCASIw
+ DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKolcl2SVkzHFTaf3W1LVrRwRHPC
+ UAbASHGRa7qST6x8D9zL5g8XYlnGvfhuk9aYPXyNsRS6Z/osm6lSTGNClj6Bhh/m
+ 0ta4480fpki6PoQ8dOStgnemk79LrJvW3ms2YuMJZTSJt7XKyy3CrupLouFHWzqk
+ 1RNAkEkswJapJ1RiyVcBNgWijFfFtRXADXIGP/eixwmeRFW6zqWJgo6fci7qfb3J
+ HDDvLnBqj8G1oLDD1KIDe7tyeNyaR5BgZpt3LAU21xWLvesEaCByWumheCLksr6j
+ sKaacPUUVb8eMAidGxzAERSO92NhMoE1y0DcdiApDnzO3kxeZscGrVK9OckCAwEA
+ ATANBgkqhkiG9w0BAQsFAAOCAQEAFEV9WwpQJReyv7ieb4gqPDrQlqQfjHj3FbhK
+ V+VBnTf/HPrlCkgE5J9RfmcEnEg91+4N6Wh4N18X/Nznhg2k2nbswv2B53E0hcAg
+ BZruaAeBO5v89xLNgSWpkfqeSA4yHKDfzkAbSkjCMBaKMIJxYqmuHkTlMQE5Z7gf
+ IpnU+yXry3UXrVgYcwUf4RnpyKMYKxfbVB8BuwSsZg4mC9+GNFIxAXmoP72jq73i
+ coWZu0eMBJXVHawZ7JEy6ktc0eJNl9VTAeYZJ/s4nPpkzxhE9zmBYXUqtYOhJ43F
+ dDFhVqhOKmMDUXLFCA76PnQs25Y2NvAwpAQC7/gsph364PGIOQ==
+ -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+ name: backend-tls-certificate
+ namespace: gateway-conformance-infra