impl getting OIDC client ID from secret

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

Author: zhaohuabing

api/v1alpha1/oidc_types.go

@@ -11,27 +11,30 @@ import (
 )
 
 const OIDCClientSecretKey = "client-secret"
+const OIDCClientIDKey = "client-id"
 
 // OIDC defines the configuration for the OpenID Connect (OIDC) authentication.
+// +kubebuilder:validation:XValidation:rule="(has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID) && has(self.clientIDRef))", message="only one of clientID or clientIDRef must be set"
 type OIDC struct {
 	// The OIDC Provider configuration.
 	Provider OIDCProvider `json:"provider"`
 
 	// The client ID to be used in the OIDC
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	//
+	// Only one of clientID or clientIDRef must be set.
+	// +optional
 	// +kubebuilder:validation:MinLength=1
-	ClientID string `json:"clientID"`
-
-	// TODO zhaohuabing make ClientID optional in the implementation PR
+	ClientID *string `json:"clientID, omitempty"`
 
 	// The Kubernetes secret which contains the client ID to be used in the
 	// [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
 	// Exactly one of clientID or clientIDRef must be set.
 	// This is an Opaque secret. The client ID should be stored in the key "client-id".
 	//
+	// Only one of clientID or clientIDRef must be set.
+	//
 	// +optional
-	// +notImplementedHide
 	ClientIDRef *gwapiv1.SecretObjectReference `json:"clientIDRef,omitempty"`
 
 	// The Kubernetes secret which contains the OIDC client secret to be used in the

api/v1alpha1/zz_generated.deepcopy.go

@@ -3676,6 +3676,8 @@ spec:
                     description: |-
                       The client ID to be used in the OIDC
                       [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+                      Only one of clientID or clientIDRef must be set.
                     minLength: 1
                     type: string
                   clientIDRef:
@@ -3684,6 +3686,8 @@ spec:
                       [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
                       Exactly one of clientID or clientIDRef must be set.
                       This is an Opaque secret. The client ID should be stored in the key "client-id".
+
+                      Only one of clientID or clientIDRef must be set.
                     properties:
                       group:
                         default: ""
@@ -4900,10 +4904,13 @@ spec:
                       type: string
                     type: array
                 required:
-                - clientID
                 - clientSecret
                 - provider
                 type: object
+                x-kubernetes-validations:
+                - message: only one of clientID or clientIDRef must be set
+                  rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
+                    && has(self.clientIDRef))
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -3675,6 +3675,8 @@ spec:
                     description: |-
                       The client ID to be used in the OIDC
                       [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+
+                      Only one of clientID or clientIDRef must be set.
                     minLength: 1
                     type: string
                   clientIDRef:
@@ -3683,6 +3685,8 @@ spec:
                       [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
                       Exactly one of clientID or clientIDRef must be set.
                       This is an Opaque secret. The client ID should be stored in the key "client-id".
+
+                      Only one of clientID or clientIDRef must be set.
                     properties:
                       group:
                         default: ""
@@ -4899,10 +4903,13 @@ spec:
                       type: string
                     type: array
                 required:
-                - clientID
                 - clientSecret
                 - provider
                 type: object
+                x-kubernetes-validations:
+                - message: only one of clientID or clientIDRef must be set
+                  rule: (has(self.clientID) && !has(self.clientIDRef)) || (!has(self.clientID)
+                    && has(self.clientIDRef))
               targetRef:
                 description: |-
                   TargetRef is the name of the resource this policy is being attached to.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml

@@ -990,6 +990,7 @@ func (t *Translator) buildOIDC(
 	var (
 		oidc                  = policy.Spec.OIDC
 		provider              *ir.OIDCProvider
+		clientID              string
 		clientSecret          *corev1.Secret
 		redirectURL           = defaultRedirectURL
 		redirectPath          = defaultRedirectPath
@@ -1010,6 +1011,24 @@ func (t *Translator) buildOIDC(
 		namespace: policy.Namespace,
 	}
 
+	// Client ID can be specified either as a string or as a reference to a secret.
+	if oidc.ClientID != nil {
+		clientID = *oidc.ClientID
+	} else if oidc.ClientIDRef != nil {
+		var clientIDSecret *corev1.Secret
+		if clientIDSecret, err = t.validateSecretRef(false, from, *oidc.ClientIDRef, resources); err != nil {
+			return nil, err
+		}
+		clientIDBytes, ok := clientIDSecret.Data[egv1a1.OIDCClientIDKey]
+		if !ok || len(clientIDBytes) == 0 {
+			return nil, fmt.Errorf("client ID not found in secret %s/%s",clientIDSecret.Namespace, clientIDSecret.Name)
+		}
+		clientID = string(clientIDBytes)
+	} else {
+		// This is just a sanity check - the CRD validation should have caught this.
+		return nil, fmt.Errorf("client ID must be specified in OIDC policy %s/%s", policy.Namespace, policy.Name)
+	}
+
 	if clientSecret, err = t.validateSecretRef(
 		false, from, oidc.ClientSecret, resources); err != nil {
 		return nil, err
@@ -1068,7 +1087,7 @@ func (t *Translator) buildOIDC(
 	return &ir.OIDC{
 		Name:                   irConfigName(policy),
 		Provider:               *provider,
-		ClientID:               oidc.ClientID,
+		ClientID:               clientID,
 		ClientSecret:           clientSecretBytes,
 		Scopes:                 scopes,
 		Resources:              oidc.Resources,

internal/gatewayapi/securitypolicy.go

@@ -13,13 +13,7 @@ secrets:
     name: client2-secret
   data:
     client-secret: Y2xpZW50MTpzZWNyZXQK
-- apiVersion: v1
-  kind: Secret
-  metadata:
-    namespace: default
-    name: client3-secret
-  data:
-    client-secret: Y2xpZW50MTpzZWNyZXQK
+    client-id: Y2xpZW50Mi5vYXV0aC5mb28uY29t
 - apiVersion: v1
   kind: Secret
   metadata:
@@ -121,7 +115,8 @@ securityPolicies:
         issuer: "https://oauth.foo.com"
         authorizationEndpoint: "https://oauth.foo.com/oauth2/v2/auth"
         tokenEndpoint: "https://oauth.foo.com/token"
-      clientID: "client2.oauth.foo.com"
+      clientIDRef:
+        name: "client2-secret"
       clientSecret:
         name: "client2-secret"
       scopes: ["openid", "email", "profile"]

internal/gatewayapi/testdata/securitypolicy-with-oidc.in.yaml

@@ -146,7 +146,11 @@ securityPolicies:
     uid: 08335a80-83ba-4592-888f-6ac0bba44ce4
   spec:
     oidc:
-      clientID: client2.oauth.foo.com
+      clientID: null
+      clientIDRef:
+        group: null
+        kind: null
+        name: client2-secret
       clientSecret:
         group: null
         kind: null

internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml

@@ -745,6 +745,25 @@ func (r *gatewayAPIReconciler) processSecurityPolicyObjectRefs(
 					"policy", policy, "secretRef", oidc.ClientSecret)
 			}
 
+			if oidc.ClientIDRef != nil {
+				if err := r.processSecretRef(
+					ctx,
+					resourceMap,
+					resourceTree,
+					resource.KindSecurityPolicy,
+					policy.Namespace,
+					policy.Name,
+					*oidc.ClientIDRef); err != nil {
+					// If the error is transient, we return it to allow Reconcile to retry.
+					if isTransientError(err) {
+						return err
+					}
+					r.log.Error(err,
+						"failed to process OIDC ClientIDRef for SecurityPolicy",
+						"policy", policy, "secretRef", oidc.ClientIDRef)
+				}
+			}
+
 			var backendRefs []gwapiv1.BackendObjectReference
 			if oidc.Provider.BackendRef != nil {
 				backendRefs = append(backendRefs, *oidc.Provider.BackendRef)

internal/provider/kubernetes/controller.go

@@ -589,6 +589,9 @@ func secretSecurityPolicyIndexFunc(rawObj client.Object) []string {
 
 	if securityPolicy.Spec.OIDC != nil {
 		secretReferences = append(secretReferences, securityPolicy.Spec.OIDC.ClientSecret)
+		if securityPolicy.Spec.OIDC.ClientIDRef != nil {
+			secretReferences = append(secretReferences, *securityPolicy.Spec.OIDC.ClientIDRef)
+		}
 	}
 	if securityPolicy.Spec.APIKeyAuth != nil {
 		secretReferences = append(secretReferences, securityPolicy.Spec.APIKeyAuth.CredentialRefs...)

internal/provider/kubernetes/indexers.go

@@ -3229,7 +3229,8 @@ _Appears in:_
 | Field | Type | Required | Default | Description |
 | ---   | ---  | ---      | ---     | ---         |
 | `provider` | _[OIDCProvider](#oidcprovider)_ |  true  |  | The OIDC Provider configuration. |
-| `clientID` | _string_ |  true  |  | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). |
+| `clientID` | _string_ |  false  |  | The client ID to be used in the OIDC<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />Only one of clientID or clientIDRef must be set. |
+| `clientIDRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  false  |  | The Kubernetes secret which contains the client ID to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />Exactly one of clientID or clientIDRef must be set.<br />This is an Opaque secret. The client ID should be stored in the key "client-id".<br />Only one of clientID or clientIDRef must be set. |
 | `clientSecret` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ |  true  |  | The Kubernetes secret which contains the OIDC client secret to be used in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />This is an Opaque secret. The client secret should be stored in the key<br />"client-secret". |
 | `cookieNames` | _[OIDCCookieNames](#oidccookienames)_ |  false  |  | The optional cookie name overrides to be used for Bearer and IdToken cookies in the<br />[Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).<br />If not specified, uses a randomly generated suffix |
 | `cookieConfig` | _[OIDCCookieConfig](#oidccookieconfig)_ |  false  |  | CookieConfigs allows setting the SameSite attribute for OIDC cookies.<br />By default, its unset. |