From 879629a31964ba6170a2a88eb5b00be88c89b436 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Tue, 22 Apr 2025 12:41:58 -0600
Subject: [PATCH 1/6] feat!: update envoyfilter for ambient, defualt to client credential registration

---
 .../templates/path-parameter-envoyfilter.yaml | 33 ++++++++++++-------
 src/keycloak/chart/templates/uds-package.yaml | 10 ------
 src/pepr/operator/README.md | 4 +--
 src/pepr/uds-operator-config/values.yaml | 2 +-
 4 files changed, 24 insertions(+), 25 deletions(-)

diff --git a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
index 26db03f8bd..c414da5a0d 100644
--- a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
+++ b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
@@ -8,12 +8,16 @@ apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
 name: block-path-parameters-in-non-final-segments
- namespace: {{ .Release.Namespace }}
+ namespace: istio-system
 spec:
 configPatches:
 - applyTo: HTTP_FILTER
 match:
- context: SIDECAR_INBOUND
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
 patch:
 operation: INSERT_BEFORE
 value:
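Review bot: `context: GATEWAY` with no `workloadSelector` visible between `spec:` and `configPatches:` means this Lua filter is inserted into the HTTP connection manager of every gateway in istio-system, not only the ones that serve Keycloak (a selector may sit after `configPatches:`, outside the hunk — confirm). The only scoping left is the host comparison inside the inline code, so a gateway that fronts other services runs the Lua filter on every request and any mismatch in that comparison silently disables the check. Add a `workloadSelector` for the gateway workloads that route to Keycloak, e.g. `spec:` / `workloadSelector:` / `labels: {app: <gateway-label — confirm from the gateway chart>}`, and a comment above `context:` saying why the filter moved from the sidecar to the gateway. A later commit in this series moves the filter back to `SIDECAR_INBOUND`, so the point applies if the gateway placement returns.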
@@ -23,17 +27,22 @@ spec:
 inlineCode: |
 function envoy_on_request(request_handle)
 local path = request_handle:headers():get(":path")
+ local host = request_handle:headers():get(":authority")
 
- if path then
- -- Pattern to detect semicolons NOT in the last path segment
- -- Match a ; before / (a ; after the final / is ok and will be allowed)
- local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")
- if invalid_semicolon then
- request_handle:respond(
- { [":status"] = "400" },
- "Path parameters may only appear after the final path segment"
- )
+ -- Only apply to keycloak endpoints
+ if host and (
+ string.match(host, "^sso%.uds%.dev$") or
+ string.match(host, "^keycloak%.admin%.uds%.dev$")
+ ) then
+ if path then
+ local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")
+ if invalid_semicolon then
+ request_handle:respond(
+ { [":status"] = "400" },
+ "Path parameters may only appear after the final path segment"
+ )
+ end
 end
 end
 end
-{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index c332ab6deb..e85a56a8b0 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
@@ -19,16 +19,6 @@ spec:
 network:
 allow:
- - description: "UDS Operator"
- direction: Ingress
- selector:
- app.kubernetes.io/name: keycloak
- remoteNamespace: pepr-system
- remoteSelector:
- app: pepr-uds-core-watcher
- remoteServiceAccount: pepr-uds-core
- port: 8080
-
 - description: "Keycloak backchannel access"
 direction: Ingress
 selector:
diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md
index d507158260..8f10489a4b 100644
--- a/src/pepr/operator/README.md
+++ b/src/pepr/operator/README.md
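Review bot: The allowlist compares `:authority` against fully anchored patterns (`^sso%.uds%.dev$`, `^keycloak%.admin%.uds%.dev$`), so an authority that carries an explicit port or uppercase letters matches neither branch and the request passes through with no path check at all; the gate fails open for exactly the hosts it is meant to protect. The equality comparisons that replace these patterns in [PATCH 3/6] (`host == "sso.{{ .Values.domain }}" or …`) share the gap. Normalise before comparing, e.g. `local host = string.lower(string.match(request_handle:headers():get(":authority") or "", "^[^:]*"))`, so the `if host and (` test sees a bare, lowercase host name. The hard-coded `uds.dev` domains also belong in chart values; [PATCH 3/6] does that.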
@@ -165,9 +165,9 @@ Client Credentials Grant uses the OAuth 2.0 Client Credentials Grant to authenti
 The `PEPR_KEYCLOAK_CLIENT_STRATEGY` can be set to one of the following values:
-* `auto` (default): The UDS Operator will automatically determine the best strategy to use based on the Keycloak server configuration
+* `auto`: The UDS Operator will automatically determine the best strategy to use based on the Keycloak server configuration
 * `dynamic_client_registration`: The UDS Operator will use the Dynamic Client Registration strategy
-* `client_credentials`: The UDS Operator will use the Client Credentials Grant strategy
+* `client_credentials` (default): The UDS Operator will use the Client Credentials Grant strategy
 ### Key Files and Folders
diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml
index 1b4c87495a..b9269a3a4f 100644
--- a/src/pepr/uds-operator-config/values.yaml
+++ b/src/pepr/uds-operator-config/values.yaml
@@ -18,4 +18,4 @@ operator:
 # Configure Pepr reconcile strategy to have separate queues for faster reconciliation
 PEPR_RECONCILE_STRATEGY: "kindNsName"
 # Keycloak Client Mode. Possible values: "dynamic_client_registration", "client_credentials" and "auto"
- PEPR_KEYCLOAK_CLIENT_STRATEGY: "auto"
+ PEPR_KEYCLOAK_CLIENT_STRATEGY: "client_credentials"

From 26a84baf848a6cd1c36b85ccd81d3f89bd822d9a Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Tue, 22 Apr 2025 12:50:37 -0600
Subject: [PATCH 2/6] fix: add authpol back in

---
 src/keycloak/chart/templates/uds-package.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
index e85a56a8b0..c332ab6deb 100644
--- a/src/keycloak/chart/templates/uds-package.yaml
+++ b/src/keycloak/chart/templates/uds-package.yaml
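Review bot: The comment directly above the changed `PEPR_KEYCLOAK_CLIENT_STRATEGY` line lists the possible values but not which one is the default, and this commit flips that default from `auto` to `client_credentials` (a `feat!` change) without saying so anywhere in the file. Extend the comment: `# Keycloak Client Mode. Possible values: "dynamic_client_registration", "client_credentials" (default) and "auto"`. Operators who read values.yaml rather than the README should also learn what `client_credentials` needs to be provisioned in Keycloak before it can work; add that as a second comment line if the requirement is known.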
@@ -19,6 +19,16 @@ spec:
 network:
 allow:
+ - description: "UDS Operator"
+ direction: Ingress
+ selector:
+ app.kubernetes.io/name: keycloak
+ remoteNamespace: pepr-system
+ remoteSelector:
+ app: pepr-uds-core-watcher
+ remoteServiceAccount: pepr-uds-core
+ port: 8080
+
 - description: "Keycloak backchannel access"
 direction: Ingress
 selector:

From e2696933ee700cea559b4fa14b7ad5aea4529e5f Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Wed, 23 Apr 2025 13:25:12 -0600
Subject: [PATCH 3/6] chore: address pr comments

---
 .../chart/templates/path-parameter-envoyfilter.yaml | 10 +++------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
index c414da5a0d..6f04d8c332 100644
--- a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
+++ b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
@@ -13,11 +13,7 @@ spec:
 configPatches:
 - applyTo: HTTP_FILTER
 match:
- context: GATEWAY
- listener:
- filterChain:
- filter:
- name: envoy.filters.network.http_connection_manager
+ context: SIDECAR_INBOUND
 patch:
 operation: INSERT_BEFORE
 value:
@@ -31,8 +27,8 @@ spec:
 
 -- Only apply to keycloak endpoints
 if host and (
- string.match(host, "^sso%.uds%.dev$") or
- string.match(host, "^keycloak%.admin%.uds%.dev$")
+ host == "sso.{{ .Values.domain }}" or
+ host == "keycloak.{{ .Values.adminDomain }}"
 ) then
 if path then
 local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")

From 29a8921b0ebe12a8a7d995922951a0673298f518 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Wed, 23 Apr 2025 15:15:39 -0600
Subject: [PATCH 4/6] fix: broken envoyfilter

---
 src/keycloak/chart/templates/path-parameter-envoyfilter.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

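Review bot: The restored allow rule is described only as `"UDS Operator"`, which says who connects but not why pepr-system must reach keycloak on port 8080; that is presumably how it came to be dropped in [PATCH 1/6] and re-added here. Put the purpose in the description so the rule survives the next cleanup, e.g. `description: "UDS Operator -> Keycloak client registration"` (confirm the exact purpose against the operator code). Scoping the rule to the watcher pod via `remoteSelector` and `remoteServiceAccount` rather than the whole pepr-system namespace is the right shape and should stay.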
diff --git a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
index 6f04d8c332..42e23cf39d 100644
--- a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
+++ b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
@@ -8,7 +8,7 @@ apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
 name: block-path-parameters-in-non-final-segments
- namespace: istio-system
+ namespace: {{ .Release.Namespace }}
 spec:
 configPatches:
 - applyTo: HTTP_FILTER
@@ -28,7 +28,7 @@ spec:
 -- Only apply to keycloak endpoints
 if host and (
 host == "sso.{{ .Values.domain }}" or
- host == "keycloak.{{ .Values.adminDomain }}"
+ host == "keycloak.{{ tpl .Values.adminDomain . }}"
 ) then
 if path then
 local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")

From 670b297927a4f54e12fad1a91117651cd2b51654 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Wed, 23 Apr 2025 15:23:18 -0600
Subject: [PATCH 5/6] chore: revert envoyfilter changes

---
 .../templates/path-parameter-envoyfilter.yaml | 23 ++++++++-----------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
index 42e23cf39d..89e0460c53 100644
--- a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
+++ b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
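Review bot: `tpl .Values.adminDomain .` is applied on the `keycloak.` line, but the `sso.{{ .Values.domain }}` line directly above still interpolates the raw value; if `domain` can likewise contain template syntax (the subject says the untemplated `adminDomain` broke the filter), that branch breaks in the same way. Either render both through `tpl` for consistency, `host == "sso.{{ tpl .Values.domain . }}" or`, or put a comment on the `adminDomain` line explaining why only it needs `tpl`. The enclosing `envoy_on_request` function starts and ends outside this hunk. [PATCH 5/6] removes the host check again, so this matters only if it returns.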
@@ -23,21 +23,16 @@ spec:
 inlineCode: |
 function envoy_on_request(request_handle)
 local path = request_handle:headers():get(":path")
- local host = request_handle:headers():get(":authority")
 
- -- Only apply to keycloak endpoints
- if host and (
- host == "sso.{{ .Values.domain }}" or
- host == "keycloak.{{ tpl .Values.adminDomain . }}"
- ) then
- if path then
- local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")
- if invalid_semicolon then
- request_handle:respond(
- { [":status"] = "400" },
- "Path parameters may only appear after the final path segment"
- )
- end
+ if path then
+ -- Pattern to detect semicolons NOT in the last path segment
+ -- Match a ; before / (a ; after the final / is ok and will be allowed)
+ local invalid_semicolon = string.match(path, "^[^;]*;[^/]*/")
+ if invalid_semicolon then
+ request_handle:respond(
+ { [":status"] = "400" },
+ "Path parameters may only appear after the final path segment"
+ )
 end
 end
 end

From d9bb7e4c25a763a9448469e035f640c34aa18260 Mon Sep 17 00:00:00 2001
From: UnicornChance
Date: Wed, 23 Apr 2025 15:26:16 -0600
Subject: [PATCH 6/6] chore: lint

---
 src/keycloak/chart/templates/path-parameter-envoyfilter.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
index 89e0460c53..26db03f8bd 100644
--- a/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
+++ b/src/keycloak/chart/templates/path-parameter-envoyfilter.yaml
@@ -36,4 +36,4 @@ spec:
 end
 end
 end
-{{- end }}
\ No newline at end of file
+{{- end }}
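Review bot: Enforcement of the path-parameter block once again depends entirely on a sidecar being injected in front of Keycloak, because this revert drops the host check and [PATCH 3/6] put the filter back on `context: SIDECAR_INBOUND`; a SIDECAR_INBOUND patch is not applied to ambient (sidecar-less) workloads, which is the mode [PATCH 1/6]'s subject says this series set out to support, so in that mode no request ever receives the `400` for a `;` in a non-final path segment. If ambient is a supported deployment, the check needs a waypoint- or gateway-level counterpart, and the inline code should state its scope, e.g. `-- NOTE: runs in the Keycloak sidecar only; not applied in ambient (sidecar-less) mode`. The restored Lua is the pre-series version and is otherwise unchanged.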