diff --git a/examples/extension-server/go.mod b/examples/extension-server/go.mod index a0f576544e..f770be3eba 100644 --- a/examples/extension-server/go.mod +++ b/examples/extension-server/go.mod @@ -4,8 +4,8 @@ go 1.26.2 require ( github.com/envoyproxy/gateway v1.3.1 - github.com/envoyproxy/go-control-plane v0.14.0 - github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 + github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 + github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 github.com/urfave/cli/v2 v2.27.7 google.golang.org/grpc v1.80.0 google.golang.org/protobuf v1.36.11 diff --git a/examples/extension-server/go.sum b/examples/extension-server/go.sum index b7e334f444..446a82ea42 100644 --- a/examples/extension-server/go.sum +++ b/examples/extension-server/go.sum 
@@ -22,10 +22,10 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 h1:zEzMNlk4Kb4GpwKt2pmEc2B5+iM9rcmUYoB0mGHhXyU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14/go.mod h1:5yRfenlmRH8sxKrhXyiFtK8BDz3syDWcFm81rkCcATM=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
 github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
diff --git a/go.mod b/go.mod
index 830cb3f5f4..7ed5044d0c 100644
--- a/go.mod
+++ b/go.mod
@@ -11,10 +11,10 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
 	github.com/docker/cli v29.4.0+incompatible
 	github.com/dominikbraun/graph v0.23.0
-	github.com/envoyproxy/go-control-plane v0.14.0
-	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989
-	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097
-	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989
+	github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14
+	github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14
 	github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36
 	github.com/evanphx/json-patch v5.9.11+incompatible
 	github.com/evanphx/json-patch/v5 v5.9.11
diff --git a/go.sum b/go.sum
index d9813ced47..a2544ef3fa 100644
--- a/go.sum
+++ b/go.sum
@@ -140,14 +140,14 @@ github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/ github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA= -github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU= -github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0= -github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo= -github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE= -github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 h1:8tBwE+GI3IWMywGVrJjc2grm7SCpPMydVu+HiBYb4+E= -github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989/go.mod h1:buWyXJdrI6ayYbeGm3upu3Qf/qHHrdWfUHKnVrTD+vM= +github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk= +github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok= +github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14 h1:VszH+75Lfplgo/ZDOe79HOGnLHAgPHWqFjMl7AdQEWw= +github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14/go.mod h1:29VWPXU81Y5hg3S89D3zXhbOgqgh93Os+W911d6SxP8= +github.com/envoyproxy/go-control-plane/envoy 
v1.37.1-0.20260409050421-3f47accd6e14 h1:zEzMNlk4Kb4GpwKt2pmEc2B5+iM9rcmUYoB0mGHhXyU= +github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14/go.mod h1:5yRfenlmRH8sxKrhXyiFtK8BDz3syDWcFm81rkCcATM= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14 h1:128xSbKG9xp2W6JAyfb2Q2pDrEC5bhtUcfYpJZf6OdA= +github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14/go.mod h1://utHaGoDyMdS6rB87A76UIaRn+Ss9dS2ZJ5rM2psGU= github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds= github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0= github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36 h1:nEi1OH2qhE8NtcuBgO/uKpTw/P0nVu4i8mZvL6oD9CQ= diff --git a/internal/xds/extensions/extensions.gen.go b/internal/xds/extensions/extensions.gen.go index 4304546458..4f69d885ab 100644 --- a/internal/xds/extensions/extensions.gen.go +++ b/internal/xds/extensions/extensions.gen.go @@ -29,6 +29,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/metadata_exchange/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/mysql_proxy/v3" + _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/peer_metadata/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/rocketmq_proxy/v3" _ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha" 
@@ -42,6 +43,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/private_key_providers/qat/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/regex_engines/hyperscan/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha"
+	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/stat_sinks/kafka/v3"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha"
 	_ "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/vcl/v3alpha"
@@ -185,6 +187,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_dst/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/original_src/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/set_filter_state/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/connection_limit/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/direct_response/v3"
@@ -225,6 +228,8 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/udp_proxy/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/cel/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/file_content/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/generic_secret/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/metadata/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/req_without_query/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3"
@@ -296,6 +301,7 @@ import (
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/apple/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/getaddrinfo/v3"
+	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/hickory/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/network/socket_interface/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/common/v3"
 	_ "github.com/envoyproxy/go-control-plane/envoy/extensions/outlier_detection_monitors/consecutive_errors/v3"
@@ -330,6 +336,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/open_telemetry/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/wasm/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/string_matcher/lua/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/dynamic_modules/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/fluentd/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/resource_detectors/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/tracers/opentelemetry/samplers/v3" @@ -350,6 +357,7 @@ import ( _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_validator/dynamic_modules/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/udp_packet_writer/v3" + _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/dynamic_modules/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/generic/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/http/v3" _ "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/tcp/v3" diff --git a/internal/xds/translator/oidc.go b/internal/xds/translator/oidc.go index 739a110f8f..6ec49c0204 100644 --- a/internal/xds/translator/oidc.go +++ b/internal/xds/translator/oidc.go @@ -36,11 +36,7 @@ var _ httpFilter = &oidc{} // patchHCM builds and appends the oauth2 Filters to the HTTP Connection Manager // if applicable, and it does not already exist. -// Note: this method creates an oauth2 filter for each route that contains an OIDC config. -// the filter is disabled by default. It is enabled on the route level. func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListener) error { - var errs error - if mgr == nil { return errors.New("hcm is nil") } 
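Review bot: The doc comment kept on patchHCM still says it appends "the oauth2 Filters" if they "do not already exist", wording from the old one-filter-per-policy scheme, and with the removed note gone nothing tells the reader that a single listener-wide filter is now emitted and that the per-route OAuth2 settings are attached elsewhere. I would rewrite the two surviving lines as `// patchHCM appends a single listener-level oauth2 filter to the HTTP Connection Manager` / `// when at least one route on the listener carries an OIDC config; the per-route OAuth2 settings are attached in patchRoute.` Dropping `var errs` matches the body now returning on the first error, but that body lies in the next hunk. patchHCM continues past the end of this hunk.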
@@ -49,56 +45,43 @@ func (*oidc) patchHCM(mgr *hcmv3.HttpConnectionManager, irListener *ir.HTTPListe return errors.New("ir listener is nil") } + if hcmContainsFilter(mgr, string(egv1a1.EnvoyFilterOAuth2)) { + return nil + } + for _, route := range irListener.Routes { if !routeContainsOIDC(route) { continue } - // Only generates one OAuth2 Envoy filter for each unique name. - // For example, if there are two routes under the same gateway with the - // same OAuth2 config, only one OAuth2 filter will be generated. - if hcmContainsFilter(mgr, oauth2FilterName(route.Security.OIDC)) { - continue - } - - filter, err := buildHCMOAuth2Filter(route.Security) + filter, err := buildHCMOAuth2Filter() if err != nil { - errs = errors.Join(errs, err) - continue + return err } - mgr.HttpFilters = append(mgr.HttpFilters, filter) + return nil } - return errs + return nil } -// buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute. -func buildHCMOAuth2Filter(securityFeatures *ir.SecurityFeatures) (*hcmv3.HttpFilter, error) { - oauth2Proto, err := oauth2Config(securityFeatures) - if err != nil { - return nil, err - } - +// buildHCMOAuth2Filter returns the listener-level OAuth2 HTTP filter. +func buildHCMOAuth2Filter() (*hcmv3.HttpFilter, error) { + oauth2Proto := &oauth2v3.OAuth2{} OAuth2Any, err := proto.ToAnyWithValidation(oauth2Proto) if err != nil { return nil, err } return &hcmv3.HttpFilter{ - Name: oauth2FilterName(securityFeatures.OIDC), - Disabled: true, + Name: string(egv1a1.EnvoyFilterOAuth2), ConfigType: &hcmv3.HttpFilter_TypedConfig{ TypedConfig: OAuth2Any, }, }, nil } -func oauth2FilterName(oidc *ir.OIDC) string { - return perRouteFilterName(egv1a1.EnvoyFilterOAuth2, oidc.Name) -} - -func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, error) { +func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2PerRoute, error) { var ( tokenEndpointCluster string err error 
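Review bot: The listener-level filter built in buildHCMOAuth2Filter is no longer `Disabled: true`; it is an `OAuth2{}` with no `config`, so every request on a listener that has at least one OIDC route now traverses the oauth2 filter, and a route without an OIDC policy is left alone only if Envoy treats an empty listener config plus the absence of an OAuth2PerRoute entry as "OAuth2 off for this route" — presumably it does, but nothing in the diff pins that behaviour. I would state the assumption where the empty proto is built, e.g. `// Intentionally empty: Envoy enforces OAuth2 only on routes that carry an OAuth2PerRoute entry (see patchRoute); routes without one are expected to pass through unchanged.`, and add a golden fixture with one OIDC route and one plain route on the same listener to verify that the plain route gets no per-route entry and is not challenged. After the early return the loop only needs to know whether any route has OIDC, so appending and returning from inside the loop reads oddly; `if !slices.ContainsFunc(irListener.Routes, routeContainsOIDC) { return nil }` followed by a single build/append would make the intent clearer, if the file already imports slices. oauth2Config, whose signature changes at the bottom of the hunk, continues outside it.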
@@ -135,7 +118,7 @@ func oauth2Config(securityFeatures *ir.SecurityFeatures) (*oauth2v3.OAuth2, erro // If the user wants to forward the oauth2 access token to the upstream service, // we should not preserve the original authorization header. preserveAuthorizationHeader := !oidc.ForwardAccessToken - oauth2 := &oauth2v3.OAuth2{ + oauth2 := &oauth2v3.OAuth2PerRoute{ Config: &oauth2v3.OAuth2Config{ StatPrefix: oidc.Name, TokenEndpoint: &corev3.HttpUri{ @@ -586,11 +569,19 @@ func (*oidc) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute, _ *ir.HTTPL if irRoute.Security == nil || irRoute.Security.OIDC == nil { return nil } - filterName := oauth2FilterName(irRoute.Security.OIDC) - if err := enableFilterOnRoute(route, filterName, &routev3.FilterConfig{ - Config: &anypb.Any{}, - }); err != nil { + oauth2Proto, err := oauth2Config(irRoute.Security) + if err != nil { return err } + if route.TypedPerFilterConfig == nil { + route.TypedPerFilterConfig = make(map[string]*anypb.Any) + } + + oauth2Any, err := proto.ToAnyWithValidation(oauth2Proto) + if err != nil { + return err + } + + route.TypedPerFilterConfig[string(egv1a1.EnvoyFilterOAuth2)] = oauth2Any return nil } diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml index 5f7136d106..b5cde10a4f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.listeners.yaml 
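Review bot: In patchRoute the new line `route.TypedPerFilterConfig[string(egv1a1.EnvoyFilterOAuth2)] = oauth2Any` overwrites unconditionally, so if an entry under that now-shared key is already present (the old per-policy names could not collide, the single constant name can) it is silently replaced and the route ends up with whichever policy ran last. I cannot see whether the IR guarantees one OIDC policy per route, so I would refuse the collision rather than hide it: `if _, exists := route.TypedPerFilterConfig[string(egv1a1.EnvoyFilterOAuth2)]; exists { return errors.New("route already has an oauth2 per-route config") }` before the assignment. The early `irRoute.Security.OIDC == nil` return now means an OIDC-less route on a listener that does carry the oauth2 filter deliberately gets no entry and is expected to be skipped by the filter's empty listener-level config; a one-line comment there, `// no entry on purpose: the listener-level filter is empty, so this route is not subject to OAuth2`, would stop someone "fixing" it later. patchRoute's signature is outside the hunk.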
@@ -39,50 +39,9 @@ '@type': type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth users: inlineBytes: dXNlcjE6e1NIQX10RVNzQm1FL3lOWTNsYjZhMEw2dlZRRVpOcXc9CnVzZXIyOntTSEF9RUo5TFBGRFhzTjl5blNtYnh2anA3NUJtbHg4PQo= - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2 + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - - email - - profile - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth - credentials: - clientId: client.oauth.foo.com - cookieNames: - bearerToken: AccessToken-5F93C2E4 - idToken: IdToken-5F93C2E4 - oauthExpires: OauthExpires-5F93C2E4 - oauthHmac: OauthHMAC-5F93C2E4 - oauthNonce: OauthNonce-5F93C2E4 - refreshToken: RefreshToken-5F93C2E4 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2 - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2 - sdsConfig: - ads: {} - resourceApiVersion: V3 - preserveAuthorizationHeader: true - redirectPathMatcher: - path: - exact: /foo/oauth2/callback - redirectUri: https://www.example.com/foo/oauth2/callback - signoutPath: - path: - exact: /foo/logout - statPrefix: securitypolicy/default/policy-for-gateway-2 - tokenEndpoint: - cluster: oauth_foo_com_443 - timeout: 10s - uri: https://oauth.foo.com/token - useRefreshToken: true - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml index b89641e052..50a4088656 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/multiple-listeners-same-port-with-different-filters.routes.yaml @@ -40,6 +40,45 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/securitypolicy/default/policy-for-gateway-2: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + - email + - profile + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client.oauth.foo.com + cookieNames: + bearerToken: AccessToken-5F93C2E4 + idToken: IdToken-5F93C2E4 + oauthExpires: OauthExpires-5F93C2E4 + oauthHmac: OauthHMAC-5F93C2E4 + oauthNonce: OauthNonce-5F93C2E4 + refreshToken: RefreshToken-5F93C2E4 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/default/policy-for-gateway-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/default/policy-for-gateway-2 + sdsConfig: + ads: {} + resourceApiVersion: V3 + preserveAuthorizationHeader: true + redirectPathMatcher: + path: + exact: /foo/oauth2/callback + redirectUri: https://www.example.com/foo/oauth2/callback + signoutPath: + path: + exact: /foo/logout + statPrefix: securitypolicy/default/policy-for-gateway-2 + tokenEndpoint: + cluster: oauth_foo_com_443 + timeout: 10s + uri: https://oauth.foo.com/token + useRefreshToken: true diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.listeners.yaml index f37ebe3e15..1ced08194a 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.listeners.yaml @@ -14,56 +14,9 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/security-policy-1 + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth - credentials: - clientId: client.oauth.foo.com - cookieNames: - bearerToken: AccessToken-b0a1b740 - idToken: IdToken-b0a1b740 - oauthExpires: OauthExpires-b0a1b740 - oauthHmac: OauthHMAC-b0a1b740 - oauthNonce: OauthNonce-b0a1b740 - refreshToken: RefreshToken-b0a1b740 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/envoy-gateway/security-policy-1 - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/envoy-gateway/security-policy-1 - sdsConfig: - ads: {} - resourceApiVersion: V3 - passThroughMatcher: - - name: Authorization - stringMatch: - prefix: 'Bearer ' - - name: MyHeaderPrefixed - stringMatch: - prefix: MyPrefix - - name: MyHeaderNoPrefix - preserveAuthorizationHeader: true - redirectPathMatcher: - path: - exact: /oauth2/callback - redirectUri: https://www.example.com/oauth2/callback - signoutPath: - path: - exact: /logout - statPrefix: securitypolicy/envoy-gateway/security-policy-1 - tokenEndpoint: - cluster: oauth_foo_com_443 - timeout: 10s - uri: https://oauth.foo.com/token - useRefreshToken: true - name: envoy.filters.http.jwt_authn typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.routes.yaml index 532d7d5046..a95bc837eb 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-and-jwt-with-passthrough.routes.yaml @@ -16,6 +16,51 @@ envoy.filters.http.jwt_authn: '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com - envoy.filters.http.oauth2/securitypolicy/envoy-gateway/security-policy-1: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client.oauth.foo.com + cookieNames: + bearerToken: AccessToken-b0a1b740 + idToken: IdToken-b0a1b740 + oauthExpires: OauthExpires-b0a1b740 + oauthHmac: OauthHMAC-b0a1b740 + oauthNonce: OauthNonce-b0a1b740 + refreshToken: RefreshToken-b0a1b740 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/security-policy-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/envoy-gateway/security-policy-1 + sdsConfig: + ads: {} + resourceApiVersion: V3 + passThroughMatcher: + - name: Authorization + stringMatch: + prefix: 'Bearer ' + - name: MyHeaderPrefixed + stringMatch: + prefix: MyPrefix + - name: MyHeaderNoPrefix + preserveAuthorizationHeader: true + redirectPathMatcher: + path: + exact: /oauth2/callback + redirectUri: https://www.example.com/oauth2/callback + signoutPath: + path: + exact: /logout + statPrefix: securitypolicy/envoy-gateway/security-policy-1 + tokenEndpoint: + cluster: oauth_foo_com_443 + timeout: 10s + uri: https://oauth.foo.com/token + useRefreshToken: true 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml index fbeee17a15..91576c946e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.listeners.yaml 
@@ -14,56 +14,9 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth - credentials: - clientId: client1.apps.googleusercontent.com - cookieNames: - bearerToken: AccessToken-b0a1b740 - idToken: IdToken-b0a1b740 - oauthExpires: OauthExpires-b0a1b740 - oauthHmac: OauthHMAC-b0a1b740 - oauthNonce: OauthNonce-b0a1b740 - refreshToken: RefreshToken-b0a1b740 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway - sdsConfig: - ads: {} - resourceApiVersion: V3 - defaultExpiresIn: 1800s - defaultRefreshTokenExpiresIn: 86400s - forwardBearerToken: true - redirectPathMatcher: - path: - exact: /bar/oauth2/callback - redirectUri: https://www.example.com/bar/oauth2/callback - retryPolicy: - numRetries: 3 - retryBackOff: - baseInterval: 0.500s - maxInterval: 5s - retryOn: 5xx,gateway-error,reset - signoutPath: - path: - exact: /bar/logout - statPrefix: securitypolicy/envoy-gateway/policy-for-gateway - tokenEndpoint: - cluster: securitypolicy/envoy-gateway/policy-for-gateway/0 - timeout: 5s - uri: https://oauth.foo.com/token - useRefreshToken: true - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml index b17df86476..db7b3ef1f4 100644 
--- a/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-backend-cluster-provider.routes.yaml @@ -13,6 +13,51 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client1.apps.googleusercontent.com + cookieNames: + bearerToken: AccessToken-b0a1b740 + idToken: IdToken-b0a1b740 + oauthExpires: OauthExpires-b0a1b740 + oauthHmac: OauthHMAC-b0a1b740 + oauthNonce: OauthNonce-b0a1b740 + refreshToken: RefreshToken-b0a1b740 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + defaultExpiresIn: 1800s + defaultRefreshTokenExpiresIn: 86400s + forwardBearerToken: true + redirectPathMatcher: + path: + exact: /bar/oauth2/callback + redirectUri: https://www.example.com/bar/oauth2/callback + retryPolicy: + numRetries: 3 + retryBackOff: + baseInterval: 0.500s + maxInterval: 5s + retryOn: 5xx,gateway-error,reset + signoutPath: + path: + exact: /bar/logout + statPrefix: securitypolicy/envoy-gateway/policy-for-gateway + tokenEndpoint: + cluster: securitypolicy/envoy-gateway/policy-for-gateway/0 + timeout: 5s + uri: https://oauth.foo.com/token + useRefreshToken: true 
diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.listeners.yaml index 39415579dc..df96bdb639 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.listeners.yaml 
@@ -14,56 +14,9 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth - credentials: - clientId: client1.apps.googleusercontent.com - cookieNames: - bearerToken: AccessToken-b0a1b740 - idToken: IdToken-b0a1b740 - oauthExpires: OauthExpires-b0a1b740 - oauthHmac: OauthHMAC-b0a1b740 - oauthNonce: OauthNonce-b0a1b740 - refreshToken: RefreshToken-b0a1b740 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway - sdsConfig: - ads: {} - resourceApiVersion: V3 - defaultExpiresIn: 1800s - defaultRefreshTokenExpiresIn: 86400s - forwardBearerToken: true - redirectPathMatcher: - path: - exact: /bar/oauth2/callback - redirectUri: https://www.example.com/bar/oauth2/callback - retryPolicy: - numRetries: 3 - retryBackOff: - baseInterval: 1s - maxInterval: 5s - retryOn: 5xx,gateway-error,reset - signoutPath: - path: - exact: /bar/logout - statPrefix: securitypolicy/envoy-gateway/policy-for-gateway - tokenEndpoint: - cluster: oauth_foo_com_443 - timeout: 5s - uri: https://oauth.foo.com/token - useRefreshToken: true - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.routes.yaml index d490b4e6b2..2880e8d414 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.routes.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc-provider-traffic-features.routes.yaml @@ -28,6 +28,51 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/securitypolicy/envoy-gateway/policy-for-gateway: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client1.apps.googleusercontent.com + cookieNames: + bearerToken: AccessToken-b0a1b740 + idToken: IdToken-b0a1b740 + oauthExpires: OauthExpires-b0a1b740 + oauthHmac: OauthHMAC-b0a1b740 + oauthNonce: OauthNonce-b0a1b740 + refreshToken: RefreshToken-b0a1b740 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/envoy-gateway/policy-for-gateway + sdsConfig: + ads: {} + resourceApiVersion: V3 + defaultExpiresIn: 1800s + defaultRefreshTokenExpiresIn: 86400s + forwardBearerToken: true + redirectPathMatcher: + path: + exact: /bar/oauth2/callback + redirectUri: https://www.example.com/bar/oauth2/callback + retryPolicy: + numRetries: 3 + retryBackOff: + baseInterval: 1s + maxInterval: 5s + retryOn: 5xx,gateway-error,reset + signoutPath: + path: + exact: /bar/logout + statPrefix: securitypolicy/envoy-gateway/policy-for-gateway + tokenEndpoint: + cluster: oauth_foo_com_443 + timeout: 5s + uri: https://oauth.foo.com/token + useRefreshToken: true diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml index 5c011bfc2a..91576c946e 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml 
+++ b/internal/xds/translator/testdata/out/xds-ir/oidc.listeners.yaml 
@@ -14,120 +14,9 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-first-route + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - - email - - profile - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth - credentials: - clientId: client.oauth.foo.com - cookieNames: - bearerToken: AccessToken-5F93C2E4 - idToken: IdToken-5F93C2E4 - oauthExpires: OauthExpires-5F93C2E4 - oauthHmac: OauthHMAC-5F93C2E4 - oauthNonce: OauthNonce-5F93C2E4 - refreshToken: RefreshToken-5F93C2E4 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/default/policy-for-first-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/default/policy-for-first-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - csrfTokenExpiresIn: 2100s - defaultExpiresIn: 3600s - defaultRefreshTokenExpiresIn: 172800s - forwardBearerToken: true - redirectPathMatcher: - path: - exact: /foo/oauth2/callback - redirectUri: https://www.example.com/foo/oauth2/callback - resources: - - api - signoutPath: - path: - exact: /foo/logout - statPrefix: securitypolicy/default/policy-for-first-route - tokenEndpoint: - cluster: oauth_foo_com_443 - timeout: 10s - uri: https://oauth.foo.com/token - useRefreshToken: true - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-second-route - typedConfig: - '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - - email - - profile - authType: BASIC_AUTH - authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth - credentials: - clientId: client.oauth.bar.com - cookieDomain: example.com - cookieNames: - bearerToken: CustomAccessTokenOverride - idToken: CustomIdTokenOverride - oauthExpires: 
OauthExpires-5f93c2e4 - oauthHmac: OauthHMAC-5f93c2e4 - oauthNonce: OauthNonce-5f93c2e4 - refreshToken: RefreshToken-5f93c2e4 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/default/policy-for-second-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/default/policy-for-second-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - denyRedirectMatcher: - - name: test-exact - stringMatch: - exact: /api - - name: test-regex - stringMatch: - safeRegex: - regex: .* - - name: test-suffix - stringMatch: - suffix: bar - - name: test-prefix - stringMatch: - prefix: foo - - name: test-no-type - stringMatch: - exact: foobar - disableTokenEncryption: true - preserveAuthorizationHeader: true - redirectPathMatcher: - path: - exact: /bar/oauth2/callback - redirectUri: https://www.example.com/bar/oauth2/callback - resources: - - api - signoutPath: - path: - exact: /bar/logout - statPrefix: securitypolicy/default/policy-for-second-route - tokenEndpoint: - cluster: oauth_bar_com_443 - timeout: 10s - uri: https://oauth.bar.com/token - useRefreshToken: false - name: envoy.filters.http.router typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router diff --git a/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml index 2170a16d13..1480d3874f 100644 --- a/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/oidc.routes.yaml 
@@ -13,9 +13,53 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/securitypolicy/default/policy-for-first-route: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + - email + - profile + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.foo.com/oauth2/v2/auth + credentials: + clientId: client.oauth.foo.com + cookieNames: + bearerToken: AccessToken-5F93C2E4 + idToken: IdToken-5F93C2E4 + oauthExpires: OauthExpires-5F93C2E4 + oauthHmac: OauthHMAC-5F93C2E4 + oauthNonce: OauthNonce-5F93C2E4 + refreshToken: RefreshToken-5F93C2E4 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/default/policy-for-first-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/default/policy-for-first-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + csrfTokenExpiresIn: 2100s + defaultExpiresIn: 3600s + defaultRefreshTokenExpiresIn: 172800s + forwardBearerToken: true + redirectPathMatcher: + path: + exact: /foo/oauth2/callback + redirectUri: https://www.example.com/foo/oauth2/callback + resources: + - api + signoutPath: + path: + exact: /foo/logout + statPrefix: securitypolicy/default/policy-for-first-route + tokenEndpoint: + cluster: oauth_foo_com_443 + timeout: 10s + uri: https://oauth.foo.com/token + useRefreshToken: true - match: path: bar name: second-route 
@@ -24,6 +68,66 @@ upgradeConfigs: - upgradeType: websocket typedPerFilterConfig: - envoy.filters.http.oauth2/securitypolicy/default/policy-for-second-route: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + - email + - profile + authType: BASIC_AUTH + authorizationEndpoint: https://oauth.bar.com/oauth2/v2/auth + credentials: + clientId: client.oauth.bar.com + cookieDomain: example.com + cookieNames: + bearerToken: CustomAccessTokenOverride + idToken: CustomIdTokenOverride + oauthExpires: OauthExpires-5f93c2e4 + oauthHmac: OauthHMAC-5f93c2e4 + oauthNonce: OauthNonce-5f93c2e4 + refreshToken: RefreshToken-5f93c2e4 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/default/policy-for-second-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/default/policy-for-second-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + denyRedirectMatcher: + - name: test-exact + stringMatch: + exact: /api + - name: test-regex + stringMatch: + safeRegex: + regex: .* + - name: test-suffix + stringMatch: + suffix: bar + - name: test-prefix + stringMatch: + prefix: foo + - name: test-no-type + stringMatch: + exact: foobar + disableTokenEncryption: true + preserveAuthorizationHeader: true + redirectPathMatcher: + path: + exact: /bar/oauth2/callback + redirectUri: https://www.example.com/bar/oauth2/callback + resources: + - api + signoutPath: + path: + exact: /bar/logout + statPrefix: securitypolicy/default/policy-for-second-route + tokenEndpoint: + cluster: oauth_bar_com_443 + timeout: 10s + uri: https://oauth.bar.com/token + useRefreshToken: false 
diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml index 4e7771401e..7ef1bf32a9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.listeners.yaml @@ -14,50 +14,9 @@ initialStreamWindowSize: 65536 maxConcurrentStreams: 100 httpFilters: - - disabled: true - name: envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route + - name: envoy.filters.http.oauth2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2 - config: - authScopes: - - openid - - email - - profile - authType: BASIC_AUTH - authorizationEndpoint: https://oidc.example.com/authorize - credentials: - clientId: prometheus - cookieNames: - bearerToken: AccessToken-5f93c2e4 - idToken: IdToken - oauthExpires: OauthExpires-5f93c2e4 - oauthHmac: OauthHMAC-5f93c2e4 - oauthNonce: OauthNonce-5f93c2e4 - refreshToken: RefreshToken-5f93c2e4 - hmacSecret: - name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - tokenSecret: - name: oauth2/client_secret/securitypolicy/default/policy-for-http-route - sdsConfig: - ads: {} - resourceApiVersion: V3 - preserveAuthorizationHeader: true - redirectPathMatcher: - path: - exact: /oauth2/callback - redirectUri: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback' - signoutPath: - path: - exact: /logout - statPrefix: securitypolicy/default/policy-for-http-route - tokenEndpoint: - cluster: oidc_example_com_443 - timeout: 10s - uri: https://oidc.example.com/oauth/token - useRefreshToken: true - name: envoy.filters.http.jwt_authn typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication 
diff --git a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml index 9c66aad8e6..b02933886c 100644 --- a/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/securitypolicy-with-oidc-jwt-authz.routes.yaml 
@@ -31,9 +31,48 @@ envoy.filters.http.jwt_authn: '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig requirementName: httproute/default/httproute-1/rule/0/match/0/www_example_com - envoy.filters.http.oauth2/securitypolicy/default/policy-for-http-route: - '@type': type.googleapis.com/envoy.config.route.v3.FilterConfig - config: {} + envoy.filters.http.oauth2: + '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2PerRoute + config: + authScopes: + - openid + - email + - profile + authType: BASIC_AUTH + authorizationEndpoint: https://oidc.example.com/authorize + credentials: + clientId: prometheus + cookieNames: + bearerToken: AccessToken-5f93c2e4 + idToken: IdToken + oauthExpires: OauthExpires-5f93c2e4 + oauthHmac: OauthHMAC-5f93c2e4 + oauthNonce: OauthNonce-5f93c2e4 + refreshToken: RefreshToken-5f93c2e4 + hmacSecret: + name: oauth2/hmac_secret/securitypolicy/default/policy-for-http-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + tokenSecret: + name: oauth2/client_secret/securitypolicy/default/policy-for-http-route + sdsConfig: + ads: {} + resourceApiVersion: V3 + preserveAuthorizationHeader: true + redirectPathMatcher: + path: + exact: /oauth2/callback + redirectUri: '%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback' + signoutPath: + path: + exact: /logout + statPrefix: securitypolicy/default/policy-for-http-route + tokenEndpoint: + cluster: oidc_example_com_443 + timeout: 10s + uri: https://oidc.example.com/oauth/token + useRefreshToken: true envoy.filters.http.rbac: '@type': type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute rbac: diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 1421339b55..988dff278e 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml 
@@ -6,6 +6,7 @@ breaking changes: | The `0s` timeout in SecurityPolicy is now treated as infinite timeout instead of immediate timeout. `SamplingFraction` behavior changed from raw fraction to percentage ratio. This will lead to 100x more sampling than before. E.g. `numerator: 100` used to result in 1% sampling rate, now will result in 100% sampling. The controller now uses production logging encoder config by default, which provides better output when using JSON encoder. + SecurityPolicy OIDC now generates a single native `envoy.filters.http.oauth2` HTTP filter in the HCM filter chain and moves route-specific OAuth2 configuration to route `typed_per_filter_config`. This can break existing EnvoyPatchPolicies and extension managers that depend on the previous per-route OAuth2 filter instances or on the old OAuth2 filter configuration shape in the HCM filter chain. # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | diff --git a/test/e2e/testdata/oidc-keycloak.yaml b/test/e2e/testdata/oidc-keycloak.yaml index 22db62f24e..5100310678 100644 --- a/test/e2e/testdata/oidc-keycloak.yaml +++ b/test/e2e/testdata/oidc-keycloak.yaml @@ -133,6 +133,12 @@ data: CLIENT_ID=oidctest CLIENT_SECRET=oidctest-client-secret REDIRECT_URL=http://www.example.com/myapp/oauth2/callback + CLIENT_FOO_ID=oidctest-foo + CLIENT_FOO_SECRET=oidctest-foo-client-secret + CLIENT_FOO_REDIRECT_URL=http://www.example.com/foo/oauth2/callback + CLIENT_BAR_ID=oidctest-bar + CLIENT_BAR_SECRET=oidctest-bar-client-secret + CLIENT_BAR_REDIRECT_URL=http://www.example.com/bar/oauth2/callback set -ex 
@@ -152,12 +158,22 @@ data: --user "${KEYCLOAK_ADMIN}" \ --password "${KEYCLOAK_ADMIN_PASSWORD}" - /opt/keycloak/bin/kcreg.sh create \ - -s clientId="${CLIENT_ID}" \ - -s secret="${CLIENT_SECRET}" \ - -s "redirectUris=[\"${REDIRECT_URL}\"]" \ - -s consentRequired=false \ - --server "${KEYCLOAK_SERVER}" \ - --realm "${REALM}" \ - --user "${KEYCLOAK_ADMIN}" \ - --password "${KEYCLOAK_ADMIN_PASSWORD}" + create_client() { + local client_id="$1" + local client_secret="$2" + local redirect_url="$3" + + /opt/keycloak/bin/kcreg.sh create \ + -s clientId="${client_id}" \ + -s secret="${client_secret}" \ + -s "redirectUris=[\"${redirect_url}\"]" \ + -s consentRequired=false \ + --server "${KEYCLOAK_SERVER}" \ + --realm "${REALM}" \ + --user "${KEYCLOAK_ADMIN}" \ + --password "${KEYCLOAK_ADMIN_PASSWORD}" + } + + create_client "${CLIENT_ID}" "${CLIENT_SECRET}" "${REDIRECT_URL}" + create_client "${CLIENT_FOO_ID}" "${CLIENT_FOO_SECRET}" "${CLIENT_FOO_REDIRECT_URL}" + create_client "${CLIENT_BAR_ID}" "${CLIENT_BAR_SECRET}" "${CLIENT_BAR_REDIRECT_URL}" diff --git a/test/e2e/testdata/oidc-securitypolicy.yaml b/test/e2e/testdata/oidc-securitypolicy.yaml index 4477fd7399..64798d70c3 100644 --- a/test/e2e/testdata/oidc-securitypolicy.yaml +++ b/test/e2e/testdata/oidc-securitypolicy.yaml @@ -2,7 +2,7 @@ apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: - name: http-with-oidc + name: http-with-oidc-foo namespace: gateway-conformance-infra spec: parentRefs: 
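Review bot: The new `create_client` helper runs under the `set -ex` left enabled at the end of the previous hunk, so every `kcreg.sh create` call is traced to the job's stdout with `-s secret=${client_secret}` already expanded, and all three client secrets land in plain text in the pod log. These are throwaway e2e fixtures, but it turns "can read pod logs" into "knows the OIDC client secrets" for anyone sharing the test cluster; wrap the call with `{ set +x; } 2>/dev/null` before `kcreg.sh` and `set -x` after it, or feed the secret through a file instead of an argument. The rest of the helper is sound: the `local` declarations and consistent quoting keep each argument intact, and the three call sites read clearly.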
@@ -12,7 +12,25 @@ spec: - matches: - path: type: PathPrefix - value: /myapp # This is the path that will be protected by OIDC + value: /foo # This is the path that will be protected by OIDC + backendRefs: + - name: infra-backend-v1 + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: http-with-oidc-bar + namespace: gateway-conformance-infra +spec: + parentRefs: + - name: same-namespace + hostnames: ["www.example.com"] + rules: + - matches: + - path: + type: PathPrefix + value: /bar # This is the path that will be protected by OIDC backendRefs: - name: infra-backend-v1 port: 8080 
@@ -53,31 +71,73 @@ apiVersion: v1 kind: Secret metadata: namespace: gateway-conformance-infra - name: oidctest-secret + name: oidctest-foo-secret +data: + client-secret: b2lkY3Rlc3QtZm9vLWNsaWVudC1zZWNyZXQ= # base64 encoding of "oidctest-foo-client-secret" +--- +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: oidc-test-foo + namespace: gateway-conformance-infra +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: HTTPRoute + name: http-with-oidc-foo + oidc: + provider: + issuer: "http://keycloak.gateway-conformance-infra/realms/master" + authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" + tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" + endSessionEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/logout" + clientID: "oidctest-foo" + clientSecret: + name: "oidctest-foo-secret" + redirectURL: "http://www.example.com/foo/oauth2/callback" + logoutPath: "/foo/logout" + forwardAccessToken: true + passThroughAuthHeader: true + jwt: + providers: + - name: "keycloak" # This is needed so JWTs generated through the OIDC flow can be validated + remoteJWKS: + uri: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/certs" + cacheDuration: 300s + - name: "example" # This allows us to use the static JWTs in the test + remoteJWKS: + uri: "http://static-file-server.gateway-conformance-infra/jwt/jwks.json" + cacheDuration: 300s +--- +apiVersion: v1 +kind: Secret +metadata: + namespace: gateway-conformance-infra + name: oidctest-bar-secret data: - client-secret: b2lkY3Rlc3QtY2xpZW50LXNlY3JldA== # base64 encoding of "oidctest-client-secret" + client-secret: b2lkY3Rlc3QtYmFyLWNsaWVudC1zZWNyZXQ= # base64 encoding of "oidctest-bar-client-secret" --- apiVersion: gateway.envoyproxy.io/v1alpha1 kind: SecurityPolicy metadata: - name: oidc-test + name: 
oidc-test-bar namespace: gateway-conformance-infra spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute - name: http-with-oidc + name: http-with-oidc-bar oidc: provider: issuer: "http://keycloak.gateway-conformance-infra/realms/master" authorizationEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/auth" tokenEndpoint: "http://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/token" endSessionEndpoint: "https://keycloak.gateway-conformance-infra/realms/master/protocol/openid-connect/logout" - clientID: "oidctest" + clientID: "oidctest-bar" clientSecret: - name: "oidctest-secret" - redirectURL: "http://www.example.com/myapp/oauth2/callback" - logoutPath: "/myapp/logout" + name: "oidctest-bar-secret" + redirectURL: "http://www.example.com/bar/oauth2/callback" + logoutPath: "/bar/logout" forwardAccessToken: true passThroughAuthHeader: true jwt: diff --git a/test/e2e/tests/oidc.go b/test/e2e/tests/oidc.go index 062df3b5e3..1330919f1f 100644 --- a/test/e2e/tests/oidc.go +++ b/test/e2e/tests/oidc.go @@ -39,6 +39,13 @@ const ( password = "oidcpassword" ) +type oidcRouteTestCase struct { + routeName string + securityPolicyName string + testURL string + logoutURL string +} + func init() { ConformanceTests = append(ConformanceTests, OIDCTest) } 
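Review bot: In the added `oidc-test-foo` SecurityPolicy the `endSessionEndpoint` is `https://keycloak.gateway-conformance-infra/...` while `issuer`, `authorizationEndpoint` and `tokenEndpoint` for the same realm are `http://`; this copies the existing bar policy, but if the in-cluster Keycloak only serves plain HTTP the IdP-side logout redirect points at a port that is not listening. The e2e logout check only asserts the 302 the OAuth2 filter emits after clearing its own cookies, so a dead end-session URL would not be caught. Either align the scheme in both policies or add a comment on the field stating that the end-session URL is intentionally not exercised by this fixture.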
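Review bot: `oidcRouteTestCase` has no doc comment, and its four fields are consumed by `testOIDC` with no hint of how they must line up with the manifest. A short comment would spare the next reader a trip through the YAML: `// oidcRouteTestCase binds one OIDC-protected HTTPRoute to the SecurityPolicy that targets it and to the protected URL and logout URL the e2e flow drives; all four must match the names and paths in the manifest passed to testOIDC.`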
@@ -58,15 +65,35 @@ var OIDCTest = suite.ConformanceTest{ // OIDC configuration from the keycloak's well-known endpoint suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/oidc-securitypolicy.yaml", true) + urlBackedCases := []oidcRouteTestCase{ + { + routeName: "http-with-oidc-foo", + securityPolicyName: "oidc-test-foo", + testURL: "http://www.example.com/foo", + logoutURL: "http://www.example.com/foo/logout", + }, + { + routeName: "http-with-oidc-bar", + securityPolicyName: "oidc-test-bar", + testURL: "http://www.example.com/bar", + logoutURL: "http://www.example.com/bar/logout", + }, + } + t.Run("oidc provider represented by a URL", func(t *testing.T) { - testOIDC(t, suite, "testdata/oidc-securitypolicy.yaml") + for _, tc := range urlBackedCases { + t.Run(tc.routeName, func(t *testing.T) { + testOIDC(t, suite, tc, "testdata/oidc-securitypolicy.yaml") + }) + } }) t.Run("oidc bypass", func(t *testing.T) { - routeWithOIDCNN := types.NamespacedName{Name: "http-with-oidc", Namespace: ns} + routeWithOIDCFooNN := types.NamespacedName{Name: "http-with-oidc-foo", Namespace: ns} + routeWithOIDCBarNN := types.NamespacedName{Name: "http-with-oidc-bar", Namespace: ns} routeWithoutOIDCNN := types.NamespacedName{Name: "http-without-oidc", Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} - gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeWithOIDCNN, routeWithoutOIDCNN) + gwAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN), routeWithOIDCFooNN, routeWithOIDCBarNN, routeWithoutOIDCNN) ancestorRef := gwapiv1.ParentReference{ Group: gatewayapi.GroupPtr(gwapiv1.GroupName), 
@@ -74,7 +101,8 @@ var OIDCTest = suite.ConformanceTest{ Namespace: gatewayapi.NamespacePtr(gwNN.Namespace), Name: gwapiv1.ObjectName(gwNN.Name), } - SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test", Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test-foo", Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: "oidc-test-bar", Namespace: ns}, suite.ControllerName, ancestorRef) testCases := []gwhttp.ExpectedResponse{ { @@ -92,7 +120,7 @@ var OIDCTest = suite.ConformanceTest{ TestCaseName: "oidc with jwt passthrough", Request: gwhttp.Request{ Host: "www.example.com", - Path: "/myapp", + Path: "/foo", Headers: map[string]string{ "Authorization": "Bearer " + v1Token, }, 
@@ -115,35 +143,36 @@ var OIDCTest = suite.ConformanceTest{ } }) - // Delete the existing policy before applying the BackendCluster variant so the - // dataplane does not race between two versions of the same SecurityPolicy. - existingSP := &egv1a1.SecurityPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: ns, - Name: "oidc-test", - }, + // Delete the existing policy before applying the BackendCluster variant to avoid flaky test. + for _, spName := range []string{"oidc-test-foo", "oidc-test-bar"} { + existingSP := &egv1a1.SecurityPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: ns, + Name: spName, + }, + } + err := suite.Client.Delete(context.TODO(), existingSP) + require.Truef(t, err == nil || apierrors.IsNotFound(err), "failed to delete SecurityPolicy %s/%s: %v", ns, existingSP.Name, err) + SecurityPolicyMustNotExist(t, suite.Client, types.NamespacedName{Name: existingSP.Name, Namespace: ns}) } - err := suite.Client.Delete(context.TODO(), existingSP) - require.Truef(t, err == nil || apierrors.IsNotFound(err), "failed to delete SecurityPolicy %s/%s: %v", ns, existingSP.Name, err) - SecurityPolicyMustNotExist(t, suite.Client, types.NamespacedName{Name: existingSP.Name, Namespace: ns}) // Apply the security policy that configures OIDC authentication with BackendCluster. 
suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, "testdata/oidc-securitypolicy-backendcluster.yaml", true) t.Run("oidc provider represented by a BackendCluster", func(t *testing.T) { - testOIDC(t, suite, "testdata/oidc-securitypolicy-backendcluster.yaml") + testOIDC(t, suite, oidcRouteTestCase{ + routeName: "http-with-oidc", + securityPolicyName: "oidc-test", + testURL: "http://www.example.com/myapp", + logoutURL: "http://www.example.com/myapp/logout", + }, "testdata/oidc-securitypolicy-backendcluster.yaml") }) }, } -func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyManifest string) { - var ( - testURL = "http://www.example.com/myapp" - logoutURL = "http://www.example.com/myapp/logout" - route = "http-with-oidc" - sp = "oidc-test" - ns = "gateway-conformance-infra" - ) - routeNN := types.NamespacedName{Name: route, Namespace: ns} +func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, tc oidcRouteTestCase, securityPolicyManifest string) { + const ns = "gateway-conformance-infra" + + routeNN := types.NamespacedName{Name: tc.routeName, Namespace: ns} gwNN := types.NamespacedName{Name: "same-namespace", Namespace: ns} httpGWAddr := kubernetes.GatewayAndHTTPRoutesMustBeAccepted(t, suite.Client, suite.TimeoutConfig, suite.ControllerName, kubernetes.NewGatewayRef(gwNN, "http"), routeNN) host, _, _ := net.SplitHostPort(httpGWAddr) @@ -155,7 +184,7 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan Name: gwapiv1.ObjectName(gwNN.Name), } - SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: tc.securityPolicyName, Namespace: ns}, suite.ControllerName, ancestorRef) // Initialize the test OIDC client that will keep track of the state of the OIDC login process oidcClient, err := NewOIDCTestClient( 
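Review bot: The replacement comment `// Delete the existing policy before applying the BackendCluster variant to avoid flaky test.` drops the reason the old comment gave (the dataplane racing between two versions of a SecurityPolicy), which is exactly what the next person editing this loop needs; keep the explanation, e.g. `// Delete the URL-backed policies before applying the BackendCluster variant so the dataplane does not race between two SecurityPolicy versions for the same gateway.` The BackendCluster case below still drives `http-with-oidc` / `oidc-test` / `/myapp`, names this PR renames away in oidc-securitypolicy.yaml; presumably oidc-securitypolicy-backendcluster.yaml (not in the diff) still defines them, but if it does not the subtest fails at `SecurityPolicyMustBeAccepted`. `OIDCTest` starts before this hunk.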
@@ -171,11 +200,11 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan if err := wait.PollUntilContextTimeout(context.TODO(), time.Second, 5*time.Minute, true, func(_ context.Context) (done bool, err error) { - tlog.Logf(t, "sending request to %s", testURL) + tlog.Logf(t, "sending request to %s", tc.testURL) // Send a request to the http route with OIDC configured. // It will be redirected to the keycloak login page - res, err := oidcClient.Get(testURL, true) + res, err := oidcClient.Get(tc.testURL, true) if err != nil { tlog.Logf(t, "failed to get the login page: %v", err) return false, nil @@ -194,12 +223,12 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan existingSP := &egv1a1.SecurityPolicy{ ObjectMeta: metav1.ObjectMeta{ Namespace: ns, - Name: sp, + Name: tc.securityPolicyName, }, } require.NoError(t, suite.Client.Delete(context.TODO(), existingSP)) suite.Applier.MustApplyWithCleanup(t, suite.Client, suite.TimeoutConfig, securityPolicyManifest, false) - SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: sp, Namespace: ns}, suite.ControllerName, ancestorRef) + SecurityPolicyMustBeAccepted(t, suite.Client, types.NamespacedName{Name: tc.securityPolicyName, Namespace: ns}, suite.ControllerName, ancestorRef) return false, nil } 
@@ -221,14 +250,16 @@ func testOIDC(t *testing.T, suite *suite.ConformanceTestSuite, securityPolicyMan require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can access the application without logging in again - res, err = oidcClient.Get(testURL, false) + res, err = oidcClient.Get(tc.testURL, false) + require.NoError(t, err) + body, err = io.ReadAll(res.Body) require.NoError(t, err) require.Equal(t, http.StatusOK, res.StatusCode) require.Contains(t, string(body), "infra-backend-v1", "Expected response from the application") // Verify that we can logout // Note: OAuth2 filter just clears its cookies and does not log out from the IdP. - res, err = oidcClient.Get(logoutURL, false) + res, err = oidcClient.Get(tc.logoutURL, false) require.NoError(t, err) require.Equal(t, http.StatusFound, res.StatusCode) diff --git a/test/go.mod b/test/go.mod index 108465c62c..a4ccb597ef 100644 --- a/test/go.mod +++ b/test/go.mod 
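Review bot: `res.Body` is never closed after the new `io.ReadAll` on the second request, nor after the logout request, and `res` is reassigned each time so the earlier bodies are simply dropped; with a client that keeps connections alive this holds them open for the rest of the test. Close each body once it has been read: `body, err = io.ReadAll(res.Body)` followed by `res.Body.Close()`, and the same after the logout `Get`. The added read itself is a real fix — before this change the second assertion re-checked the first response's `body`. `testOIDC` starts before this hunk.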
@@ -99,10 +99,10 @@ require (
 github.com/dominikbraun/graph v0.23.0 // indirect
 github.com/ebitengine/purego v0.10.0 // indirect
 github.com/emicklei/go-restful/v3 v3.13.0 // indirect
- github.com/envoyproxy/go-control-plane v0.14.0 // indirect
- github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 // indirect
- github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 // indirect
- github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 // indirect
+ github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 // indirect
+ github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14 // indirect
+ github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 // indirect
+ github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14 // indirect
 github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect
 github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36 // indirect
 github.com/evanphx/json-patch v5.9.11+incompatible // indirect
diff --git a/test/go.sum b/test/go.sum
index 3815bf21ac..45fba4320a 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -162,14 +162,14 @@ github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/
 github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes=
 github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
-github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989 h1:KTd1TJym7dgV1L1XlxXeJNct7rJI3xTV+iuArq40wm0=
-github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260115164926-066cbd5b3989/go.mod h1:+fG/snSdlOxU+5RWuuKSYxF9zusT3Duy1MDbETA44Bo=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097 h1:Ou9X6qsPOiDOsQgaboj3jlCE5ZYngdYeSVDKBcT95QE=
-github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260304210048-a81710db7097/go.mod h1:237/ZQHepDd4v5BjpRNFI2mMG7WEBd+mQnt8jwbqrnk=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989 h1:8tBwE+GI3IWMywGVrJjc2grm7SCpPMydVu+HiBYb4+E=
-github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260115164926-066cbd5b3989/go.mod h1:buWyXJdrI6ayYbeGm3upu3Qf/qHHrdWfUHKnVrTD+vM=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14 h1:7g8SJv4OrVcLT4yfkzIbsTcwLBwyLu8gKb/yCf3Loxk=
+github.com/envoyproxy/go-control-plane v0.14.1-0.20260409050421-3f47accd6e14/go.mod h1:18SVzvkoF8AL2O7baVikhojMZ+7rFPh3o8tOOsBVyok=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14 h1:VszH+75Lfplgo/ZDOe79HOGnLHAgPHWqFjMl7AdQEWw=
+github.com/envoyproxy/go-control-plane/contrib v1.36.1-0.20260409050421-3f47accd6e14/go.mod h1:29VWPXU81Y5hg3S89D3zXhbOgqgh93Os+W911d6SxP8=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14 h1:zEzMNlk4Kb4GpwKt2pmEc2B5+iM9rcmUYoB0mGHhXyU=
+github.com/envoyproxy/go-control-plane/envoy v1.37.1-0.20260409050421-3f47accd6e14/go.mod h1:5yRfenlmRH8sxKrhXyiFtK8BDz3syDWcFm81rkCcATM=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14 h1:128xSbKG9xp2W6JAyfb2Q2pDrEC5bhtUcfYpJZf6OdA=
+github.com/envoyproxy/go-control-plane/ratelimit v0.1.1-0.20260409050421-3f47accd6e14/go.mod h1://utHaGoDyMdS6rB87A76UIaRn+Ss9dS2ZJ5rM2psGU=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
 github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/envoyproxy/ratelimit v1.4.1-0.20260122083618-3fb702589d36 h1:nEi1OH2qhE8NtcuBgO/uKpTw/P0nVu4i8mZvL6oD9CQ=
diff --git a/tools/osv-scanner/license-scan-config.toml b/tools/osv-scanner/license-scan-config.toml
index b41a21633b..d7afa24a5c 100644
--- a/tools/osv-scanner/license-scan-config.toml
+++ b/tools/osv-scanner/license-scan-config.toml
@@ -39,6 +39,22 @@ ecosystem = "Go"
 license.override = ["Apache-2.0"]
 reason = "This package is dual-licensed: the code under the Apache 2.0 license and the documentation under the CC-BY-SA-4.0 license"
 
+# TODO: Remove this override after github.com/envoyproxy/go-control-plane v0.14.1 is released.
+[[PackageOverrides]]
+name = "github.com/envoyproxy/go-control-plane"
+version = "0.14.1-0.20260409050421-3f47accd6e14"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Module LICENSE is Apache-2.0; OSV license scan reports UNKNOWN for this pseudo-version before the v0.14.1 release is available"
+
+# TODO: Remove this override after github.com/envoyproxy/go-control-plane/ratelimit v0.1.1 is released.
+[[PackageOverrides]]
+name = "github.com/envoyproxy/go-control-plane/ratelimit"
+version = "0.1.1-0.20260409050421-3f47accd6e14"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Module LICENSE is Apache-2.0; OSV license scan reports UNKNOWN for this pseudo-version before the v0.1.1 release is available"
+
 # Remove this once OSV image updated
 [[PackageOverrides]]
 name = "stdlib"