diff --git a/site/content/en/docs/tasks/security/oidc.md b/site/content/en/docs/tasks/security/oidc.md index f6ad61f8aa1..ebc073c82e9 100644 --- a/site/content/en/docs/tasks/security/oidc.md +++ b/site/content/en/docs/tasks/security/oidc.md @@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to a OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing] and [Backend TLS: Gateway to Backend] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. 
@@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[Backend Routing]: ../../traffic/backend +[Backend TLS: Gateway to Backend]: ../backend-tls diff --git a/site/content/en/latest/tasks/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md index f6ad61f8aa1..ebc073c82e9 100644 --- a/site/content/en/latest/tasks/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md 
@@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to a OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing] and [Backend TLS: Gateway to Backend] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. @@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[Backend Routing]: ../../traffic/backend +[Backend TLS: Gateway to Backend]: ../backend-tls diff --git a/site/content/en/v1.2/tasks/security/oidc.md b/site/content/en/v1.2/tasks/security/oidc.md index f6ad61f8aa1..ebc073c82e9 100644 
--- a/site/content/en/v1.2/tasks/security/oidc.md +++ b/site/content/en/v1.2/tasks/security/oidc.md @@ -392,6 +392,153 @@ You can also try to access `https://foo.example.com:8443` and `https://www.examp be able to see the response from the backend service since these HTTPRoutes are also protected by the same OIDC config, and the cookies are shared across subdomains. +## Connect to a OIDC Provider with Self-Signed Certificate + +In some scenarios, the OIDC provider may use a self-signed certificate. To connect to an OIDC provider with a self-signed certificate, you need to configure it using the [Backend] resource within the [SecurityPolicy]. Additionally, use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider. + +The following example demonstrates how to configure the OIDC provider with a self-signed certificate. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +For more information about [Backend] and [BackendTLSPolicy], refer to the [Backend Routing] and [Backend TLS: Gateway to Backend] tasks. + ## Clean-Up Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. @@ -411,6 +558,10 @@ Checkout the [Developer Guide](../../../../contributions/develop) to get involve [oidc]: https://openid.net/connect/ [google-oidc]: https://developers.google.com/identity/protocols/oauth2/openid-connect -[SecurityPolicy]: ../../../../contributions/design/security-policy +[SecurityPolicy]: ../../../api/extension_types#securitypolicy [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[Backend]: ../../../api/extension_types#backend +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ +[Backend Routing]: ../../traffic/backend +[Backend TLS: Gateway to Backend]: ../backend-tls
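Review bot: the new heading `## Connect to a OIDC Provider with Self-Signed Certificate` should read `an OIDC Provider` (this recurs in all three copies of the hunk), and in the "Apply from stdin" tab the shell block as shown runs from `cat <` straight into `}}`, so the heredoc terminator, the manifest with the Backend, BackendTLSPolicy and SecurityPolicy objects, and the closing `{{% /tab %}}` / `{{< /tabpane >}}` shortcodes are not visible in the diff; please confirm the committed file contains the complete heredoc and balanced shortcodes, since an unterminated tabpane will break rendering of everything down to `## Clean-Up`.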
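Review bot: the explanatory paragraph stops at "use the [BackendTLSPolicy] to specify the CA certificate required to authenticate the OIDC provider"; one more sentence would make the security model explicit, namely that the gateway validates the provider's certificate chain against exactly that CA and that the hostname the policy validates against must match the name presented in the provider's self-signed certificate. Stating this makes clear that trust comes from pinning the CA in BackendTLSPolicy, not from the certificate being self-signed, and steers readers away from looking for a way to disable verification instead.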
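Review bot: the same section is added verbatim to `site/content/en/v1.2/tasks/security/oidc.md`, which is a versioned page; before merging, confirm that the v1.2 release's SecurityPolicy OIDC provider actually accepts a [Backend] reference and honours a BackendTLSPolicy on it, otherwise that copy documents a capability the release does not have. If only `latest` and `docs` support it, drop the v1.2 hunk from this change.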
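Review bot: in the reference-link hunk, retargeting `[SecurityPolicy]` from `../../../../contributions/design/security-policy` to `../../../api/extension_types#securitypolicy` is the right move for a task page, but the new `[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/` carries a trailing slash while the neighbouring `[Gateway]` and `[HTTPRoute]` links do not; drop it for consistency. While this block is being touched, the context line `Checkout the [Developer Guide]` could become `Check out`.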