api: add GCP OIDC auth support in BackendSecurityPolicies#635

Merged
mathetake merged 26 commits into envoyproxy:main from sukumargaonkar:gcp-auth-api
Jun 17, 2025

Conversation

@sukumargaonkar
Contributor

@sukumargaonkar sukumargaonkar commented May 22, 2025

Commit Message
This commit adds the required fields on BackendSecurityPolicy for GCP authentication.

Related Issues/PRs (if applicable)
Related Issue: #609

Special notes for reviewers (if applicable)
This PR only makes API changes. Implementation for the token rotator and backendauth will follow in future PRs.

Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
@sukumargaonkar sukumargaonkar requested a review from a team as a code owner May 22, 2025 20:07
@sukumargaonkar sukumargaonkar changed the title api: add GCP support for backend security policies and API schemas api: Add GCP support for BackendSecurityPolicies and API schemas May 22, 2025
@sukumargaonkar sukumargaonkar changed the title api: Add GCP support for BackendSecurityPolicies and API schemas api: add GCP support for BackendSecurityPolicies and API schemas May 22, 2025
@sukumargaonkar sukumargaonkar changed the title api: add GCP support for BackendSecurityPolicies and API schemas api: add GCP OIDC auth support in BackendSecurityPolicies May 22, 2025
@sukumargaonkar sukumargaonkar marked this pull request as draft May 22, 2025 20:43
@sukumargaonkar sukumargaonkar marked this pull request as ready for review May 22, 2025 20:54

# Conflicts:
#	go.mod
#	manifests/charts/ai-gateway-crds-helm/templates/aigateway.envoyproxy.io_backendsecuritypolicies.yaml
#	site/docs/api/api.mdx
Contributor

@aabchoo aabchoo left a comment


nit: please add CEL validation

Contributor

@aabchoo aabchoo left a comment


Overall looks good to me. I made a few comments.

//
// +kubebuilder:validation:Required
// +kubebuilder:validation:MinLength=1
ProjectID string `json:"projectID"`
Contributor


Is ProjectID specific to the federation config? Would it make sense to bubble this field up if it's needed for all GCP auth?

Contributor Author


Not sure if other authentication methods would need the project ID, so I'm keeping it within the federation config for now.

// Region is the GCP region to use for the request.
Region string `json:"region"`
// ProjectName is the GCP project name to use for the request.
ProjectName string `json:"projectName"`
Contributor


How will region and project be used in the extproc?

Contributor Author


The region and project ID are required while transforming the request path:
https://<region>-aiplatform.googleapis.com/v1/projects/<project-id>/locations/<region>/publishers/google/models/<model-name>:generateContent
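The path template above is built from two policy fields plus a model name taken from the request, so each piece is user- or operator-controlled input that ends up in an upstream URL. The following is an added example, not code from the envoy ai-gateway project, showing how a request-path transformer can assemble that URL while rejecting values that would change which Vertex AI resource the proxied request reaches (a model name containing `/` or `..`, for instance). The function name `vertexGenerateContentURL`, the character-set patterns, and the sample values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Allowed character sets for each path segment (assumed for this example).
// A segment containing "/", "..", "?" or "#" would alter the upstream path,
// so such inputs are rejected rather than percent-escaped.
var (
	regionRe  = regexp.MustCompile(`^[a-z]+-[a-z]+[0-9]+$`)   // e.g. us-central1
	projectRe = regexp.MustCompile(`^[a-z][a-z0-9-]{4,28}[a-z0-9]$`) // project identifier as placed in the path
	modelRe   = regexp.MustCompile(`^[A-Za-z0-9._@-]+$`)     // e.g. gemini-1.5-pro, text-bison@001
)

// vertexGenerateContentURL builds the Vertex AI generateContent URL from the
// policy's region/project fields and the model name carried by the request.
// It follows the template quoted in the review discussion.
func vertexGenerateContentURL(region, project, model string) (string, error) {
	if !regionRe.MatchString(region) {
		return "", fmt.Errorf("invalid region %q", region)
	}
	if !projectRe.MatchString(project) {
		return "", fmt.Errorf("invalid project %q", project)
	}
	if !modelRe.MatchString(model) {
		return "", fmt.Errorf("invalid model name %q", model)
	}
	return fmt.Sprintf(
		"https://%s-aiplatform.googleapis.com/v1/projects/%s/locations/%s/publishers/google/models/%s:generateContent",
		region, project, region, model), nil
}

func main() {
	// Constructed sample inputs: one well-formed set, two malformed ones that must be rejected.
	cases := [][3]string{
		{"us-central1", "my-project", "gemini-1.5-pro"},
		{"us-central1", "my-project", "gemini/../other"},
		{"", "my-project", "gemini-1.5-pro"},
	}
	for _, c := range cases {
		u, err := vertexGenerateContentURL(c[0], c[1], c[2])
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(u)
	}
}
```

Validating each segment against a strict character set is deliberately stricter than escaping: the upstream path is the authorization boundary for which project and model the request reaches, and an escaped-but-odd model name would still be forwarded to Google rather than failing fast at the gateway.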

Member


then maybe ProjectID instead of ProjectName

Contributor Author


Tried using the project ID in the request URL, but kept getting an IAM_PERMISSION_DENIED error.
Not sure if that is an account-specific configuration issue or GCP just doesn't like the project ID instead of the project name.

If in future the project name is found to be acceptable, we can add that as another field and accept either of them as valid config.

Contributor


If the project name is currently required in the URL path, then it needs to be added to the BackendSecurityPolicy as well?

@mathetake mathetake merged commit 7e42af9 into envoyproxy:main Jun 17, 2025
17 checks passed
yuzisun pushed a commit that referenced this pull request Jul 2, 2025
**Description**

- Implement GCP integration via OIDC token rotator.
This PR adds support for authenticating against GCP via external OIDC
tokens. It uses Google's Workload Identity Federation [1] to exchange an
OIDC token for a GCP access token. It also supports optional service
account impersonation.
- Add `ProjectName` and `Region` fields in
BackendSecurityPolicyGCPCredentials

1: https://cloud.google.com/iam/docs/workload-identity-federation

**Related Issues/PRs (if applicable)**
Previous PR: #635
Related Issue: #609

---------

Signed-off-by: Sukumar Gaonkar <sgaonkar4@bloomberg.net>
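The follow-up commit message above describes the two-step flow a GCP token rotator performs: exchange the external OIDC token for a federated access token at the Security Token Service, then optionally trade that for a short-lived token of a target service account. The following is an added example, not code from the envoy ai-gateway project, that carries the exchange through both sides of each call. The request shapes are the documented Workload Identity Federation ones (POST `https://sts.googleapis.com/v1/token` with the RFC 8693 token-exchange grant, then POST `iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<email>:generateAccessToken`); the function names, the in-process stand-in servers, the audience, the service-account e-mail and every token value are constructed for the example and are not real resources.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// stsExchange is the body of POST https://sts.googleapis.com/v1/token, the
// Workload Identity Federation token exchange (RFC 8693 token-exchange grant).
type stsExchange struct {
	Audience           string `json:"audience"` // //iam.googleapis.com/projects/<num>/locations/global/workloadIdentityPools/<pool>/providers/<provider>
	GrantType          string `json:"grantType"`
	RequestedTokenType string `json:"requestedTokenType"`
	Scope              string `json:"scope"`
	SubjectTokenType   string `json:"subjectTokenType"`
	SubjectToken       string `json:"subjectToken"` // the external OIDC JWT
}

func newSTSExchange(audience, oidcToken string) stsExchange {
	return stsExchange{
		Audience:           audience,
		GrantType:          "urn:ietf:params:oauth:grant-type:token-exchange",
		RequestedTokenType: "urn:ietf:params:oauth:token-type:access_token",
		Scope:              "https://www.googleapis.com/auth/cloud-platform",
		SubjectTokenType:   "urn:ietf:params:oauth:token-type:jwt",
		SubjectToken:       oidcToken,
	}
}

// postJSON sends a JSON body, optionally with a bearer token, and decodes a 200 response.
func postJSON(ctx context.Context, c *http.Client, url, bearer string, in, out any) error {
	b, err := json.Marshal(in)
	if err != nil { return err }
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(b))
	if err != nil { return err }
	req.Header.Set("Content-Type", "application/json")
	if bearer != "" { req.Header.Set("Authorization", "Bearer "+bearer) }
	resp, err := c.Do(req)
	if err != nil { return err }
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the response size
	if err != nil { return err }
	if resp.StatusCode != http.StatusOK { return fmt.Errorf("%s: HTTP %d: %s", url, resp.StatusCode, body) }
	return json.Unmarshal(body, out)
}

// exchangeOIDCToken trades the external OIDC token for a federated GCP access token.
func exchangeOIDCToken(ctx context.Context, c *http.Client, stsURL, audience, oidcToken string) (string, error) {
	var out struct{ AccessToken string `json:"access_token"` }
	if err := postJSON(ctx, c, stsURL, "", newSTSExchange(audience, oidcToken), &out); err != nil { return "", err }
	if out.AccessToken == "" { return "", fmt.Errorf("sts: response without access_token") }
	return out.AccessToken, nil
}

// impersonate is the optional step: the federated token authorizes a
// generateAccessToken call that yields a short-lived token for the target service account.
func impersonate(ctx context.Context, c *http.Client, iamBase, saEmail, federated string) (string, error) {
	in := map[string]any{"scope": []string{"https://www.googleapis.com/auth/cloud-platform"}, "lifetime": "3600s"}
	var out struct{ AccessToken string `json:"accessToken"` }
	url := iamBase + "/v1/projects/-/serviceAccounts/" + saEmail + ":generateAccessToken"
	if err := postJSON(ctx, c, url, federated, in, &out); err != nil { return "", err }
	return out.AccessToken, nil
}

// runMockExchange drives both calls against constructed in-process stand-ins for
// sts.googleapis.com and iamcredentials.googleapis.com, so the flow runs offline.
func runMockExchange() (string, error) {
	sts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in stsExchange // the real STS verifies the JWT against the pool's provider; the stub just compares a constructed value
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil ||
			in.GrantType != "urn:ietf:params:oauth:grant-type:token-exchange" || in.SubjectToken != "constructed-oidc-jwt" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"access_token": "constructed-federated-token", "token_type": "Bearer", "expires_in": 3600})
	}))
	defer sts.Close()
	iam := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-federated-token" {
			http.Error(w, `{"error":{"code":401,"status":"UNAUTHENTICATED"}}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"accessToken": "constructed-sa-access-token", "expireTime": "2025-06-17T00:00:00Z"})
	}))
	defer iam.Close()
	ctx := context.Background()
	audience := "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/example-pool/providers/example-provider" // constructed
	fed, err := exchangeOIDCToken(ctx, sts.Client(), sts.URL+"/v1/token", audience, "constructed-oidc-jwt")
	if err != nil { return "", err }
	return impersonate(ctx, iam.Client(), iam.URL, "vertex-caller@example-project.iam.gserviceaccount.com", fed)
}

func main() {
	tok, err := runMockExchange()
	fmt.Println("service account access token:", tok, "err:", err)
}
```

The federated token returned by STS already carries the scope requested in the exchange; impersonation is only needed when the workload-identity principal itself is not granted the Vertex AI role and a dedicated service account is. Both tokens are short-lived, which is why the commit describes the component as a rotator rather than a one-shot exchange.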
