Skip to content

feat: client credential registration default#1482

Merged
chance-coleman merged 10 commits intomainfrom
envoyfilter-ambient
Apr 24, 2025
Merged

feat: client credential registration default#1482
chance-coleman merged 10 commits intomainfrom
envoyfilter-ambient

Conversation

@chance-coleman
Copy link
Copy Markdown
Contributor

@chance-coleman chance-coleman commented Apr 22, 2025
edited
Loading

Description

In moving uds-core to ambient we need to rework how we implement the envoyfilter used to protect path parameters. In addition to that, in the coming release we will phase out the use of the dynamic client registration in favor client credential registration. This will improve security and decrease complexity when working with istio ambient.

This PR will focus on the following:

  1. Change the default keycloak client registration strategy from auto to client_credentials

Related Issue

Fixes #1388

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@chance-coleman chance-coleman self-assigned this Apr 22, 2025
@slaskawi slaskawi marked this pull request as ready for review April 23, 2025 07:14
@slaskawi slaskawi requested a review from a team as a code owner April 23, 2025 07:14
slaskawi
slaskawi previously approved these changes Apr 23, 2025
View reviewed changes
@slaskawi slaskawi changed the title feat!: envoyfilter ambient updates and client registration default feat: envoyfilter ambient updates and client registration default Apr 23, 2025
mjnagel
mjnagel reviewed Apr 23, 2025
View reviewed changes
Comment thread src/keycloak/chart/templates/path-parameter-envoyfilter.yaml Outdated
Comment thread src/keycloak/chart/templates/path-parameter-envoyfilter.yaml Outdated
noahpb
noahpb reviewed Apr 23, 2025
View reviewed changes
Comment thread src/keycloak/chart/templates/path-parameter-envoyfilter.yaml Outdated
@mjnagel
Copy link
Copy Markdown
Contributor

mjnagel commented Apr 23, 2025

LGTM - can probably update the PR title/description to reflect that there are no envoyfilter changes in this PR anymore.

@chance-coleman chance-coleman changed the title feat: envoyfilter ambient updates and client registration default feat: client credential registration default Apr 24, 2025
@chance-coleman chance-coleman enabled auto-merge (squash) April 24, 2025 14:15
@chance-coleman chance-coleman merged commit 894c5d9 into main Apr 24, 2025
23 checks passed
@chance-coleman chance-coleman deleted the envoyfilter-ambient branch April 24, 2025 14:16
@github-actions github-actions Bot mentioned this pull request Apr 28, 2025
Merged
noahpb pushed a commit that referenced this pull request Apr 29, 2025
@github-actions
chore(main): release 0.41.0 (#1475)
a5c1cd2 
🤖 I have created a release *beep* *boop*
---


##
[0.41.0](v0.40.1...v0.41.0)
(2025-04-28)


### Features

* add conditional netpol for coredns
([#1501](#1501))
([fc7ace3](fc7ace3))
* client credential registration default
([#1482](#1482))
([894c5d9](894c5d9))
* keycloak fips mode
([#1469](#1469))
([74e632e](74e632e))
* operator ambient mode
([#1496](#1496))
([71f03fd](71f03fd))
* opt Grafana into ambient
([#1466](#1466))
([dac2d3e](dac2d3e))
* opt logging into ambient
([#1472](#1472))
([117d586](117d586))
* opt metrics-server into ambient
([#1458](#1458))
([01c2ec6](01c2ec6))
* opt velero into ambient
([#1490](#1490))
([a0591c7](a0591c7))


### Bug Fixes

* **ci:** permissions on release workflow
([#1507](#1507))
([cb12f13](cb12f13))
* **ci:** renovate readiness version loop fix
([#1488](#1488))
([a40c15b](a40c15b))
* update loki images to fips images
([#1502](#1502))
([eb20b4e](eb20b4e))


### Miscellaneous

* **ci:** automated renovate readiness action checks
([#1465](#1465))
([ed0ca6b](ed0ca6b))
* **ci:** switch eks CI to FIPS ami, update to 1.31 k8s testing
([#1474](#1474))
([7307d03](7307d03))
* **deps:** update grafana
([#1489](#1489))
([0c063f1](0c063f1))
* **deps:** update istio to v1.25.2
([#1461](#1461))
([1067560](1067560))
* **deps:** update istio to v1.3.0
([#1491](#1491))
([9066584](9066584))
* **deps:** update keycloak to v0.13.0
([#1506](#1506))
([04d42ef](04d42ef))
* **deps:** update keycloak to v26.2.0
([#1452](#1452))
([927a57b](927a57b))
* **deps:** update keycloak to v26.2.1
([#1486](#1486))
([d68cad8](d68cad8))
* **deps:** update loki
([#1483](#1483))
([3a697df](3a697df))
* **deps:** update neuvector
([#1417](#1417))
([4c0d95d](4c0d95d))
* **deps:** update pepr
([#1454](#1454))
([a98640f](a98640f))
* **deps:** update support dependencies to v4.7.0
([#1477](#1477))
([dcee0a3](dcee0a3))
* **deps:** update support-deps
([#1473](#1473))
([3d9d501](3d9d501))
* **deps:** update support-deps
([#1480](#1480))
([c41f359](c41f359))
* **deps:** update support-deps
([#1481](#1481))
([cc2af2b](cc2af2b))
* **deps:** update support-deps
([#1487](#1487))
([cdcba75](cdcba75))
* **deps:** update support-deps
([#1493](#1493))
([88cbf29](88cbf29))
* **deps:** update support-deps
([#1497](#1497))
([f308176](f308176))
* **deps:** update velero
([#1453](#1453))
([7330ea9](7330ea9))
* **deps:** update velero
([#1492](#1492))
([ff504c0](ff504c0))
* **deps:** update velero to v1.32.4
([#1484](#1484))
([06709e8](06709e8))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025
@chance-coleman @slaskawi @mjnagel
feat: client credential registration default (defenseunicorns#1482)
416525e 
## Description
In moving uds-core to ambient we need to rework how we implement the
envoyfilter used to protect path parameters. In addition to that, in the
coming release we will phase out the use of the dynamic client
registration in favor client credential registration. This will improve
security and decrease complexity when working with istio ambient.

This PR will focus on the following:
1. Change the default keycloak client registration strategy from `auto`
to `client_credentials`

## Related Issue

Fixes defenseunicorns#1388 

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor
Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)
followed

---------

Co-authored-by: Sebastian Łaskawiec <sebastian.laskawiec@defenseunicorns.com>
mjnagel pushed a commit to BagelLab/uds-core that referenced this pull request Nov 14, 2025
@github-actions @mjnagel
chore(main): release 0.41.0 (defenseunicorns#1475)
f2ea483 
🤖 I have created a release *beep* *boop*
---


##
[0.41.0](defenseunicorns/uds-core@v0.40.1...v0.41.0)
(2025-04-28)


### Features

* add conditional netpol for coredns
([defenseunicorns#1501](defenseunicorns#1501))
([fc7ace3](defenseunicorns@fc7ace3))
* client credential registration default
([defenseunicorns#1482](defenseunicorns#1482))
([894c5d9](defenseunicorns@894c5d9))
* keycloak fips mode
([defenseunicorns#1469](defenseunicorns#1469))
([74e632e](defenseunicorns@74e632e))
* operator ambient mode
([defenseunicorns#1496](defenseunicorns#1496))
([71f03fd](defenseunicorns@71f03fd))
* opt Grafana into ambient
([defenseunicorns#1466](defenseunicorns#1466))
([dac2d3e](defenseunicorns@dac2d3e))
* opt logging into ambient
([defenseunicorns#1472](defenseunicorns#1472))
([117d586](defenseunicorns@117d586))
* opt metrics-server into ambient
([defenseunicorns#1458](defenseunicorns#1458))
([01c2ec6](defenseunicorns@01c2ec6))
* opt velero into ambient
([defenseunicorns#1490](defenseunicorns#1490))
([a0591c7](defenseunicorns@a0591c7))


### Bug Fixes

* **ci:** permissions on release workflow
([defenseunicorns#1507](defenseunicorns#1507))
([cb12f13](defenseunicorns@cb12f13))
* **ci:** renovate readiness version loop fix
([defenseunicorns#1488](defenseunicorns#1488))
([a40c15b](defenseunicorns@a40c15b))
* update loki images to fips images
([defenseunicorns#1502](defenseunicorns#1502))
([eb20b4e](defenseunicorns@eb20b4e))


### Miscellaneous

* **ci:** automated renovate readiness action checks
([defenseunicorns#1465](defenseunicorns#1465))
([ed0ca6b](defenseunicorns@ed0ca6b))
* **ci:** switch eks CI to FIPS ami, update to 1.31 k8s testing
([defenseunicorns#1474](defenseunicorns#1474))
([7307d03](defenseunicorns@7307d03))
* **deps:** update grafana
([defenseunicorns#1489](defenseunicorns#1489))
([0c063f1](defenseunicorns@0c063f1))
* **deps:** update istio to v1.25.2
([defenseunicorns#1461](defenseunicorns#1461))
([1067560](defenseunicorns@1067560))
* **deps:** update istio to v1.3.0
([defenseunicorns#1491](defenseunicorns#1491))
([9066584](defenseunicorns@9066584))
* **deps:** update keycloak to v0.13.0
([defenseunicorns#1506](defenseunicorns#1506))
([04d42ef](defenseunicorns@04d42ef))
* **deps:** update keycloak to v26.2.0
([defenseunicorns#1452](defenseunicorns#1452))
([927a57b](defenseunicorns@927a57b))
* **deps:** update keycloak to v26.2.1
([defenseunicorns#1486](defenseunicorns#1486))
([d68cad8](defenseunicorns@d68cad8))
* **deps:** update loki
([defenseunicorns#1483](defenseunicorns#1483))
([3a697df](defenseunicorns@3a697df))
* **deps:** update neuvector
([defenseunicorns#1417](defenseunicorns#1417))
([4c0d95d](defenseunicorns@4c0d95d))
* **deps:** update pepr
([defenseunicorns#1454](defenseunicorns#1454))
([a98640f](defenseunicorns@a98640f))
* **deps:** update support dependencies to v4.7.0
([defenseunicorns#1477](defenseunicorns#1477))
([dcee0a3](defenseunicorns@dcee0a3))
* **deps:** update support-deps
([defenseunicorns#1473](defenseunicorns#1473))
([3d9d501](defenseunicorns@3d9d501))
* **deps:** update support-deps
([defenseunicorns#1480](defenseunicorns#1480))
([c41f359](defenseunicorns@c41f359))
* **deps:** update support-deps
([defenseunicorns#1481](defenseunicorns#1481))
([cc2af2b](defenseunicorns@cc2af2b))
* **deps:** update support-deps
([defenseunicorns#1487](defenseunicorns#1487))
([cdcba75](defenseunicorns@cdcba75))
* **deps:** update support-deps
([defenseunicorns#1493](defenseunicorns#1493))
([88cbf29](defenseunicorns@88cbf29))
* **deps:** update support-deps
([defenseunicorns#1497](defenseunicorns#1497))
([f308176](defenseunicorns@f308176))
* **deps:** update velero
([defenseunicorns#1453](defenseunicorns#1453))
([7330ea9](defenseunicorns@7330ea9))
* **deps:** update velero
([defenseunicorns#1492](defenseunicorns#1492))
([ff504c0](defenseunicorns@ff504c0))
* **deps:** update velero to v1.32.4
([defenseunicorns#1484](defenseunicorns#1484))
([06709e8](defenseunicorns@06709e8))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slaskawi slaskawi slaskawi approved these changes

@mjnagel mjnagel mjnagel approved these changes

+1 more reviewer

@noahpb noahpb noahpb left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@chance-coleman chance-coleman

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Istio Ambient: Envoyfilter updates

4 participants

@chance-coleman @mjnagel @slaskawi @noahpb