Merge branch 'main' into client-cert-api

.github/workflows/cherrypick.yaml

@@ -6,6 +6,7 @@ on:
     types: ["closed"]
 
 permissions:
+  pull-requests: write
   contents: write
 
 jobs:

ADOPTERS.md

@@ -41,3 +41,13 @@ If you would like to be included in this table, please submit a PR to this file
 * Status: production
 * (Option) https://tetrate.io/wp-content/uploads/2023/03/tetrate-logo-dark.svg
 * (Option) Description:
+
+## Airspace Link
+* Organizatioin: Airspace Link
+* Website: https://airspacelink.com/
+* Category: End User
+* Environments: Azure
+* Use Cases:
+    - Airspace Link is using Envoy Gateway to route all public APIs to Kubernetes clusters, developers are manipulating routes descriptions using agnostic manifest files, which are then automatically provisioned using Envoy Gateway.
+* Status: production
+* Logo: https://airhub.airspacelink.com/images/asl-flat-logo.png

api/v1alpha1/oidc_types.go

@@ -37,6 +37,11 @@ type OIDC struct {
 	// +optional
 	Scopes []string `json:"scopes,omitempty"`
 
+	// The OIDC resources to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	// +optional
+	Resources []string `json:"resources,omitempty"`
+
 	// The redirect URL to be used in the OIDC
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	// If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -592,6 +592,12 @@ spec:
                       Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
                       If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
                     type: string
+                  resources:
+                    description: The OIDC resources to be used in the [Authentication
+                      Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+                    items:
+                      type: string
+                    type: array
                   scopes:
                     description: The OIDC scopes to be used in the [Authentication
                       Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

internal/gatewayapi/securitypolicy.go

@@ -644,6 +644,7 @@ func (t *Translator) buildOIDC(
 		ClientID:     oidc.ClientID,
 		ClientSecret: clientSecretBytes,
 		Scopes:       scopes,
+		Resources:    oidc.Resources,
 		RedirectURL:  redirectURL,
 		RedirectPath: redirectPath,
 		LogoutPath:   logoutPath,

internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml

@@ -123,5 +123,6 @@ securityPolicies:
       clientSecret:
         name: "client2-secret"
       scopes: ["openid", "email", "profile"]
+      resources: ["api"]
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       logoutPath: "/foo/logout"

internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml

@@ -153,6 +153,8 @@ securityPolicies:
         issuer: https://oauth.foo.com
         tokenEndpoint: https://oauth.foo.com/token
       redirectURL: https://www.example.com/foo/oauth2/callback
+      resources:
+      - api
       scopes:
       - openid
       - email
@@ -263,6 +265,8 @@ xdsIR:
             tokenEndpoint: https://oauth.foo.com/token
           redirectPath: /foo/oauth2/callback
           redirectURL: https://www.example.com/foo/oauth2/callback
+          resources:
+          - api
           scopes:
           - openid
           - email

internal/ir/xds.go

@@ -544,6 +544,10 @@ type OIDC struct {
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
 
+	// The OIDC resources to be used in the
+	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+	Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"`
+
 	// The redirect URL to be used in the OIDC
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	RedirectURL string `json:"redirectURL,omitempty"`

internal/xds/translator/oidc.go

@@ -170,6 +170,7 @@ func oauth2Config(oidc *ir.OIDC) (*oauth2v3.OAuth2, error) {
 			// every OIDC provider supports basic auth
 			AuthType:   oauth2v3.OAuth2Config_BASIC_AUTH,
 			AuthScopes: oidc.Scopes,
+			Resources:  oidc.Resources,
 		},
 	}
 	return oauth2, nil

internal/xds/translator/testdata/in/xds-ir/oidc.yaml

@@ -30,6 +30,8 @@ http:
       - openid
       - email
       - profile
+      resources:
+      - api
       redirectURL: "https://www.example.com/foo/oauth2/callback"
       redirectPath: "/foo/oauth2/callback"
       logoutPath: "/foo/logout"
@@ -56,6 +58,8 @@ http:
       - openid
       - email
       - profile
+      resources:
+      - api
       redirectURL: "https://www.example.com/bar/oauth2/callback"
       redirectPath: "/bar/oauth2/callback"
       logoutPath: "/bar/logout"

internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml

@@ -48,6 +48,8 @@
                 path:
                   exact: /foo/oauth2/callback
               redirectUri: https://www.example.com/foo/oauth2/callback
+              resources:
+              - api
               signoutPath:
                 path:
                   exact: /foo/logout
@@ -89,6 +91,8 @@
                 path:
                   exact: /bar/oauth2/callback
               redirectUri: https://www.example.com/bar/oauth2/callback
+              resources:
+              - api
               signoutPath:
                 path:
                   exact: /bar/logout

site/content/en/latest/api/extension_types.md

@@ -1719,6 +1719,7 @@ _Appears in:_
 | `clientID` | _string_ |  true  | The client ID to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  | The Kubernetes secret which contains the OIDC client secret to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). <br /><br /> This is an Opaque secret. The client secret should be stored in the key "client-secret". |
 | `scopes` | _string array_ |  false  | The OIDC scopes to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). The "openid" scope is always added to the list of scopes if not already specified. |
+| `resources` | _string array_ |  false  | The OIDC resources to be used in the [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
 | `redirectURL` | _string_ |  true  | The redirect URL to be used in the OIDC [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). If not specified, uses the default redirect URI "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback" |
 | `logoutPath` | _string_ |  true  | The path to log a user out, clearing their credential cookies. If not specified, uses a default logout path "/logout" |