Skip to content

Commit

Permalink
fix: use tls config from BTP when connecting to the OIDC provider's w…
Browse files Browse the repository at this point in the history 
…ell-known endpoint. (envoyproxy#4857)

* add e2e test for OIDC provider with TLS

Signed-off-by: Huabing Zhao <[email protected]>

* delete file

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

* use TLS config from BTLPolicy to fetch auth endpoint

Signed-off-by: Huabing Zhao <[email protected]>

* refactor

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* update release note

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix test

Signed-off-by: Huabing Zhao <[email protected]>

* fix lint

Signed-off-by: Huabing Zhao <[email protected]>

---------

Signed-off-by: Huabing Zhao <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 3a39c35)
Signed-off-by: Huabing Zhao <[email protected]>
  • Loading branch information
@zhaohuabing
zhaohuabing committed Jan 13, 2025
1 parent de7e1c6 commit 7c84916
Show file tree
Hide file tree
Showing 14 changed files with 351 additions and 64 deletions.
84 changes: 62 additions & 22 deletions internal/gatewayapi/securitypolicy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
package gatewayapi

import (
"crypto/tls"
"encoding/json"
"errors"
"fmt"
Expand All @@ -16,7 +17,9 @@ import (
"sort"
"strconv"
"strings"
"time"

"github.com/cenkalti/backoff/v4"
perr "github.com/pkg/errors"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -672,26 +675,17 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
protocol ir.AppProtocol
rd *ir.RouteDestination
traffic *ir.TrafficFeatures
providerTLS *ir.TLSUpstreamConfig
err error
)

// Discover the token and authorization endpoints from the issuer's
// well-known url if not explicitly specified
if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer)
if err != nil {
return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err)
}
var u *url.URL
if provider.TokenEndpoint != nil {
u, err = url.Parse(*provider.TokenEndpoint)
} else {
tokenEndpoint = *provider.TokenEndpoint
authorizationEndpoint = *provider.AuthorizationEndpoint
}

if err = validateTokenEndpoint(tokenEndpoint); err != nil {
return nil, err
u, err = url.Parse(provider.Issuer)
}

u, err := url.Parse(tokenEndpoint)
if err != nil {
return nil, err
}
Expand All @@ -708,6 +702,32 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
}
}

if rd != nil {
for _, st := range rd.Settings {
if st.TLS != nil {
providerTLS = st.TLS
break
}
}
}

// Discover the token and authorization endpoints from the issuer's well-known url if not explicitly specified.
// EG assumes that the issuer url uses the same protocol and CA as the token endpoint.
// If we need to support different protocols or CAs, we need to add more fields to the OIDCProvider CRD.
if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
tokenEndpoint, authorizationEndpoint, err = fetchEndpointsFromIssuer(provider.Issuer, providerTLS)
if err != nil {
return nil, fmt.Errorf("error fetching endpoints from issuer: %w", err)
}
} else {
tokenEndpoint = *provider.TokenEndpoint
authorizationEndpoint = *provider.AuthorizationEndpoint
}

if err = validateTokenEndpoint(tokenEndpoint); err != nil {
return nil, err
}

if traffic, err = translateTrafficFeatures(provider.BackendSettings); err != nil {
return nil, err
}
Expand Down Expand Up @@ -764,18 +784,38 @@ type OpenIDConfig struct {
AuthorizationEndpoint string `json:"authorization_endpoint"`
}

func fetchEndpointsFromIssuer(issuerURL string) (string, string, error) {
// Fetch the OpenID configuration from the issuer URL
resp, err := http.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
if err != nil {
return "", "", err
func fetchEndpointsFromIssuer(issuerURL string, providerTLS *ir.TLSUpstreamConfig) (string, string, error) {
var (
tlsConfig *tls.Config
err error
)

if providerTLS != nil {
if tlsConfig, err = providerTLS.ToTLSConfig(); err != nil {
return "", "", err
}
}

client := &http.Client{}
if tlsConfig != nil {
client.Transport = &http.Transport{
TLSClientConfig: tlsConfig,
}
}
defer resp.Body.Close()

// Parse the OpenID configuration response
var config OpenIDConfig
err = json.NewDecoder(resp.Body).Decode(&config)
if err != nil {
if err = backoff.Retry(func() error {
resp, err := client.Get(fmt.Sprintf("%s/.well-known/openid-configuration", issuerURL))
if err != nil {
return err
}
defer resp.Body.Close()
if err = json.NewDecoder(resp.Body).Decode(&config); err != nil {
return err
}
return nil
}, backoff.NewExponentialBackOff(backoff.WithMaxElapsedTime(5*time.Second))); err != nil {
return "", "", err
}

Expand Down
44 changes: 44 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.in.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -99,3 +99,47 @@ securityPolicies:
defaultTokenTTL: 30m
refreshToken: true
defaultRefreshTokenTTL: 24h
configMaps:
- apiVersion: v1
kind: ConfigMap
metadata:
name: ca-cmap
namespace: envoy-gateway
data:
ca.crt: |
-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIUAl6UKIuKmzte81cllz5PfdN2IlIwDQYJKoZIhvcNAQEL
BQAwIzEQMA4GA1UEAwwHbXljaWVudDEPMA0GA1UECgwGa3ViZWRiMB4XDTIzMTAw
MjA1NDE1N1oXDTI0MTAwMTA1NDE1N1owIzEQMA4GA1UEAwwHbXljaWVudDEPMA0G
A1UECgwGa3ViZWRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwSTc
1yj8HW62nynkFbXo4VXKv2jC0PM7dPVky87FweZcTKLoWQVPQE2p2kLDK6OEszmM
yyr+xxWtyiveremrWqnKkNTYhLfYPhgQkczib7eUalmFjUbhWdLvHakbEgCodn3b
kz57mInX2VpiDOKg4kyHfiuXWpiBqrCx0KNLpxo3DEQcFcsQTeTHzh4752GV04RU
Ti/GEWyzIsl4Rg7tGtAwmcIPgUNUfY2Q390FGqdH4ahn+mw/6aFbW31W63d9YJVq
ioyOVcaMIpM5B/c7Qc8SuhCI1YGhUyg4cRHLEw5VtikioyE3X04kna3jQAj54YbR
bpEhc35apKLB21HOUQIDAQABo1MwUTAdBgNVHQ4EFgQUyvl0VI5vJVSuYFXu7B48
6PbMEAowHwYDVR0jBBgwFoAUyvl0VI5vJVSuYFXu7B486PbMEAowDwYDVR0TAQH/
BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAMLxrgFVMuNRq2wAwcBt7SnNR5Cfz
2MvXq5EUmuawIUi9kaYjwdViDREGSjk7JW17vl576HjDkdfRwi4E28SydRInZf6J
i8HZcZ7caH6DxR335fgHVzLi5NiTce/OjNBQzQ2MJXVDd8DBmG5fyatJiOJQ4bWE
A7FlP0RdP3CO3GWE0M5iXOB2m1qWkE2eyO4UHvwTqNQLdrdAXgDQlbam9e4BG3Gg
d/6thAkWDbt/QNT+EJHDCvhDRKh1RuGHyg+Y+/nebTWWrFWsktRrbOoHCZiCpXI1
3eXE6nt0YkgtDxG22KqnhpAg9gUSs2hlhoxyvkzyF0mu6NhPlwAgnq7+/Q==
-----END CERTIFICATE-----
backendTLSPolicies:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
name: policy-btls-backend-fqdn
namespace: envoy-gateway
spec:
targetRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
validation:
caCertificateRefs:
- name: ca-cmap
group: ''
kind: ConfigMap
hostname: oauth.foo.com
38 changes: 38 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-oidc-backendcluster.out.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,35 @@
backendTLSPolicies:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
creationTimestamp: null
name: policy-btls-backend-fqdn
namespace: envoy-gateway
spec:
targetRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
validation:
caCertificateRefs:
- group: ""
kind: ConfigMap
name: ca-cmap
hostname: oauth.foo.com
status:
ancestors:
- ancestorRef:
group: gateway.envoyproxy.io
kind: SecurityPolicy
name: policy-for-gateway
namespace: envoy-gateway
conditions:
- lastTransitionTime: null
message: Policy has been accepted.
reason: Accepted
status: "True"
type: Accepted
controllerName: gateway.envoyproxy.io/gatewayclass-controller
backends:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
Expand Down Expand Up @@ -235,6 +267,12 @@ xdsIR:
- host: oauth.foo.com
port: 443
protocol: HTTPS
tls:
alpnProtocols: null
caCertificate:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
name: policy-btls-backend-fqdn/envoy-gateway-ca
sni: oauth.foo.com
weight: 1
tokenEndpoint: https://oauth.foo.com/token
traffic:
Expand Down
45 changes: 45 additions & 0 deletions internal/ir/xds.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ package ir

import (
"cmp"
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
Expand Down Expand Up @@ -341,6 +343,23 @@ const (
TLSv13 = TLSVersion(egv1a1.TLSv13)
)

func (t TLSVersion) Int() uint16 {
switch t {
case TLSAuto:
return tls.VersionTLS13
case TLSv10:
return tls.VersionTLS10
case TLSv11:
return tls.VersionTLS11
case TLSv12:
return tls.VersionTLS12
case TLSv13:
return tls.VersionTLS13
default:
return tls.VersionTLS13
}
}

// TLSConfig holds the configuration for downstream TLS context.
// +k8s:deepcopy-gen=true
type TLSConfig struct {
Expand Down Expand Up @@ -2518,6 +2537,32 @@ type TLSUpstreamConfig struct {
TLSConfig `json:",inline"`
}

func (t *TLSUpstreamConfig) ToTLSConfig() (*tls.Config, error) {
// nolint:gosec
tlsConfig := &tls.Config{
ServerName: t.SNI,
}
if t.MinVersion != nil {
tlsConfig.MinVersion = t.MinVersion.Int()
}
if t.MaxVersion != nil {
tlsConfig.MaxVersion = t.MaxVersion.Int()
}
if t.CACertificate != nil {
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(t.CACertificate.Certificate)
tlsConfig.RootCAs = caCertPool
}
for _, cert := range t.ClientCertificates {
cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
if err != nil {
return nil, err
}
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
}
return tlsConfig, nil
}

// BackendConnection settings for upstream connections
// +k8s:deepcopy-gen=true
type BackendConnection struct {
Expand Down
6 changes: 6 additions & 0 deletions internal/xds/translator/testdata/in/xds-ir/oidc-backend-cluster-provider.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,12 @@ http:
port: 443
protocol: HTTPS
weight: 1
tls:
alpnProtocols: null
caCertificate:
certificate: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
name: policy-btls-backend-fqdn/envoy-gateway-ca
sni: oauth.foo.com
tokenEndpoint: https://oauth.foo.com/token
traffic:
retry:
Expand Down
25 changes: 25 additions & 0 deletions internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.clusters.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,11 +35,36 @@
address: oauth.foo.com
portValue: 443
loadBalancingWeight: 1
metadata:
filterMetadata:
envoy.transport_socket_match:
name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
loadBalancingWeight: 1
locality:
region: securitypolicy/envoy-gateway/policy-for-gateway/0/backend/0
name: securitypolicy/envoy-gateway/policy-for-gateway/0
outlierDetection: {}
perConnectionBufferLimitBytes: 32768
respectDnsTtl: true
transportSocketMatches:
- match:
name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
name: securitypolicy/envoy-gateway/policy-for-gateway/0/tls/0
transportSocket:
name: envoy.transport_sockets.tls
typedConfig:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
commonTlsContext:
combinedValidationContext:
defaultValidationContext:
matchTypedSubjectAltNames:
- matcher:
exact: oauth.foo.com
sanType: DNS
validationContextSdsSecretConfig:
name: policy-btls-backend-fqdn/envoy-gateway-ca
sdsConfig:
ads: {}
resourceApiVersion: V3
sni: oauth.foo.com
type: STRICT_DNS
4 changes: 4 additions & 0 deletions internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.secrets.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
- name: policy-btls-backend-fqdn/envoy-gateway-ca
validationContext:
trustedCa:
inlineBytes: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lVQWw2VUtJdUttenRlODFjbGx6NVBmZE4ySWxJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHQTFVRUNnd0dhM1ZpWldSaU1CNFhEVEl6TVRBdwpNakExTkRFMU4xb1hEVEkwTVRBd01UQTFOREUxTjFvd0l6RVFNQTRHQTFVRUF3d0hiWGxqYVdWdWRERVBNQTBHCkExVUVDZ3dHYTNWaVpXUmlNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdTVGMKMXlqOEhXNjJueW5rRmJYbzRWWEt2MmpDMFBNN2RQVmt5ODdGd2VaY1RLTG9XUVZQUUUycDJrTERLNk9Fc3ptTQp5eXIreHhXdHlpdmVyZW1yV3FuS2tOVFloTGZZUGhnUWtjemliN2VVYWxtRmpVYmhXZEx2SGFrYkVnQ29kbjNiCmt6NTdtSW5YMlZwaURPS2c0a3lIZml1WFdwaUJxckN4MEtOTHB4bzNERVFjRmNzUVRlVEh6aDQ3NTJHVjA0UlUKVGkvR0VXeXpJc2w0Umc3dEd0QXdtY0lQZ1VOVWZZMlEzOTBGR3FkSDRhaG4rbXcvNmFGYlczMVc2M2Q5WUpWcQppb3lPVmNhTUlwTTVCL2M3UWM4U3VoQ0kxWUdoVXlnNGNSSExFdzVWdGlraW95RTNYMDRrbmEzalFBajU0WWJSCmJwRWhjMzVhcEtMQjIxSE9VUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEVGZ1FVeXZsMFZJNXZKVlN1WUZYdTdCNDgKNlBiTUVBb3dId1lEVlIwakJCZ3dGb0FVeXZsMFZJNXZKVlN1WUZYdTdCNDg2UGJNRUFvd0R3WURWUjBUQVFILwpCQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFNTHhyZ0ZWTXVOUnEyd0F3Y0J0N1NuTlI1Q2Z6CjJNdlhxNUVVbXVhd0lVaTlrYVlqd2RWaURSRUdTams3SlcxN3ZsNTc2SGpEa2RmUndpNEUyOFN5ZFJJblpmNkoKaThIWmNaN2NhSDZEeFIzMzVmZ0hWekxpNU5pVGNlL09qTkJRelEyTUpYVkRkOERCbUc1ZnlhdEppT0pRNGJXRQpBN0ZsUDBSZFAzQ08zR1dFME01aVhPQjJtMXFXa0UyZXlPNFVIdndUcU5RTGRyZEFYZ0RRbGJhbTllNEJHM0dnCmQvNnRoQWtXRGJ0L1FOVCtFSkhEQ3ZoRFJLaDFSdUdIeWcrWSsvbmViVFdXckZXc2t0UnJiT29IQ1ppQ3BYSTEKM2VYRTZudDBZa2d0RHhHMjJLcW5ocEFnOWdVU3MyaGxob3h5dmt6eUYwbXU2TmhQbHdBZ25xNysvUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
- genericSecret:
secret:
inlineBytes: Y2xpZW50MTpzZWNyZXQK
Expand Down
2 changes: 1 addition & 1 deletion release-notes/current.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,9 @@ security updates: |
new features: |
Add support for modifying container securityContext for Envoy Gateway deployment in Helm
# Fixes for bugs identified in previous versions.
bug fixes: |
Fixed a nil pointer error that occurs when a SecurityPolicy refers to a UDS backend
Fixed the Gateway API translator didn't use the TLS configuration from the BackendTLSPolicy when connecting to the OIDC provider's well-known endpoint.
Fixed a validation failure when multiple HTTPRoutes refer to the same extension filter
# Enhancements that improve performance.
Expand Down
Loading

0 comments on commit 7c84916

Please sign in to comment.