diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 227265713c11..0e5d91145e59 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -495,16 +495,11 @@ func (t *Translator) buildOIDC(
 logoutPath = *oidc.LogoutPath
 }
- nsName := types.NamespacedName{
- Namespace: policy.GetNamespace(),
- Name: policy.GetName(),
- }
 h := fnv.New32a()
- _, err = h.Write([]byte(nsName.String()))
- if err != nil {
+ if _, err = h.Write([]byte(policy.UID)); err != nil {
 return nil, fmt.Errorf("error generating oauth cookie suffix: %w", err)
 }
- suffix := strconv.Itoa(int(h.Sum32()))
+ suffix := fmt.Sprintf("%X", h.Sum32())
 return &ir.OIDC{
 Provider: *provider,
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml
index 9f49012c5288..169c7b94ecc4 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.in.yaml
@@ -27,6 +27,7 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-non-exist-secretRef
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 targetRef:
 group: gateway.networking.k8s.io
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
index 29fb726b11b5..3a5ad95fc211 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-issuer.out.yaml
@@ -62,6 +62,7 @@ securityPolicies:
 creationTimestamp: null
 name: policy-non-exist-secretRef
 namespace: default
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 oidc:
 clientID: client1.apps.foo.bar.com
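Review bot: `h.Write([]byte(policy.UID))` has no guard for an empty UID, so any policy that reaches buildOIDC without one (objects constructed in tests, or translated before the API server has assigned metadata) hashes zero bytes and every such policy gets the same FNV-1a offset-basis suffix `811C9DC5`, which removes the per-policy cookie separation the suffix exists to provide; add `if policy.UID == "" { return nil, fmt.Errorf("generating oauth cookie suffix: policy %s/%s has no UID", policy.GetNamespace(), policy.GetName()) }` before `h := fnv.New32a()`. Deriving the suffix from the UID instead of namespace/name also means a deleted-and-recreated policy yields a new cookie name, so cookies issued under the previous policy object stop matching — presumably intended, but worth stating in a comment above the hash such as `// Suffix the OAuth cookies with a hash of the policy UID so each policy instance gets distinct cookie names; a recreated policy gets a new suffix.` `%X` prints seven hex digits when the top nibble is zero, so `%08X` would keep the suffix fixed-width if downstream consumers care. buildOIDC begins and ends outside this hunk, and if `types` or `strconv` are no longer referenced elsewhere in the file their imports (outside this hunk) need removing as well.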
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml
index c3c86142e0bf..565159c0175a 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.in.yaml
@@ -63,6 +63,7 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-non-exist-secretRef
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 targetRef:
 group: gateway.networking.k8s.io
@@ -81,6 +82,7 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-no-referenceGrant
+ uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 targetRef:
 group: gateway.networking.k8s.io
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
index 078fbd343ad9..0afef222a9de 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc-invalid-secretref.out.yaml
@@ -172,6 +172,7 @@ securityPolicies:
 creationTimestamp: null
 name: policy-non-exist-secretRef
 namespace: default
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 oidc:
 clientID: client1.apps.googleusercontent.com
@@ -200,6 +201,7 @@ securityPolicies:
 creationTimestamp: null
 name: policy-no-referenceGrant
 namespace: default
+ uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 oidc:
 clientID: client1.apps.googleusercontent.com
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
index 91fae31ce82c..086607d59393 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml
@@ -80,6 +80,7 @@ securityPolicies:
 metadata:
 namespace: envoy-gateway
 name: policy-for-gateway-discover-endpoints # This policy should attach httproute-2
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 targetRef:
 group: gateway.networking.k8s.io
@@ -99,6 +100,7 @@ securityPolicies:
 metadata:
 namespace: default
 name: policy-for-http-route # This policy should attach httproute-1
+ uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 targetRef:
 group: gateway.networking.k8s.io
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
index 154baeac55d8..c08304d3ebd6 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml
@@ -139,6 +139,7 @@ securityPolicies:
 creationTimestamp: null
 name: policy-for-http-route
 namespace: default
+ uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
 spec:
 oidc:
 clientID: client2.oauth.foo.com
@@ -174,6 +175,7 @@ securityPolicies:
 creationTimestamp: null
 name: policy-for-gateway-discover-endpoints
 namespace: envoy-gateway
+ uid: b8284d0f-de82-4c65-b204-96a0d3f258a1
 spec:
 oidc:
 clientID: client1.apps.googleusercontent.com
@@ -230,7 +232,7 @@ xdsIR:
 oidc:
 clientID: client2.oauth.foo.com
 clientSecret: Y2xpZW50MTpzZWNyZXQK
- cookieSuffix: "1667669650"
+ cookieSuffix: 5F93C2E4
 logoutPath: /foo/logout
 provider:
 authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth
@@ -262,7 +264,7 @@ xdsIR:
 oidc:
 clientID: client1.apps.googleusercontent.com
 clientSecret: Y2xpZW50MTpzZWNyZXQK
- cookieSuffix: "2003913538"
+ cookieSuffix: B0A1B740
 logoutPath: /bar/logout
 provider:
 authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth