Oauth2 proxy (#443)

* update envoy and add oauth2 proxy

* fix

* fix

* update oauth2 proxy args

* update oauth2 proxy args

* update envoy filters

* upgrade proxy to v7.14

* fix envoy checksum

* fix envoy

* update x-osmo-auth approach

* update ui to handle session

* remove oauth2 proxy sign in page

* update UI to handle auth header from proxy

* fix token

* use envoy to copy token to  header

* update ui accordingly

* add user info to header

* fix

* set name in header

* fix

Author: vvnpn-nv

deployments/charts/router/templates/_envoy-config-helpers.tpl

@@ -27,22 +27,6 @@ Envoy sidecar container
   command: ["/bin/sh", "-c"]
   args:
     - |
-      echo "$(date -Iseconds) Waiting to populate secrets..."
-      {{- if .Values.sidecars.envoy.useKubernetesSecrets }}
-      # For Kubernetes secrets, just wait and start
-      sleep 5
-      {{- else }}
-      # For Other secrets, wait for files and process config
-      while [ ! -f "{{ .Values.sidecars.envoy.secretPaths.clientSecret }}" ] || [ ! -s "{{ .Values.sidecars.envoy.secretPaths.clientSecret }}" ]; do
-        echo "$(date -Iseconds) Waiting for client secret file..."
-        sleep 2
-      done
-      while [ ! -f "{{ .Values.sidecars.envoy.secretPaths.hmacSecret }}" ] || [ ! -s "{{ .Values.sidecars.envoy.secretPaths.hmacSecret }}" ]; do
-        echo "$(date -Iseconds) Waiting for HMAC secret file..."
-        sleep 2
-      done
-      echo "$(date -Iseconds) Secret files ready..."
-      {{- end }}
       echo "$(date -Iseconds) Starting Envoy..."
       exec /usr/local/bin/envoy -c /var/config/config.yaml --log-level {{ .Values.sidecars.envoy.logLevel | default "info" }} --log-path /logs/envoy.txt
   ports:
@@ -58,11 +42,6 @@ Envoy sidecar container
     - name: logs
       mountPath: /logs
     {{- end }}
-    {{- if .Values.sidecars.envoy.useKubernetesSecrets }}
-    - name: envoy-secrets
-      mountPath: /etc/envoy/secrets
-      readOnly: true
-    {{- end }}
     {{- with .Values.sidecars.envoy.extraVolumeMounts }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -185,16 +164,6 @@ Envoy volumes
   configMap:
     name: {{ .Values.services.service.serviceName }}-envoy-config
 {{- end }}
-{{- if .Values.sidecars.envoy.useKubernetesSecrets }}
-- name: envoy-secrets
-  secret:
-    secretName: {{ .Values.sidecars.envoy.oauth2Filter.secretName | default "oidc-secrets" }}
-    items:
-    - key: {{ .Values.sidecars.envoy.oauth2Filter.clientSecretKey | default "client_secret" }}
-      path: client_secret
-    - key: {{ .Values.sidecars.envoy.oauth2Filter.hmacSecretKey | default "hmac_secret" }}
-      path: hmac_secret
-{{- end }}
 {{- end }}
 
 {{/*
@@ -209,6 +178,92 @@ Log agent volumes
 {{- end }}
 
 {{/*
+OAuth2 Proxy sidecar container
+*/}}
+{{- define "router.oauth2-proxy-sidecar-container" -}}
+{{- if .Values.sidecars.oauth2Proxy.enabled }}
+- name: oauth2-proxy
+  image: "{{ .Values.sidecars.oauth2Proxy.image }}"
+  imagePullPolicy: {{ .Values.sidecars.oauth2Proxy.imagePullPolicy }}
+  securityContext:
+    {{- toYaml .Values.sidecars.oauth2Proxy.securityContext | nindent 4 }}
+  args:
+    - --config={{ .Values.sidecars.oauth2Proxy.secretPaths.cookieSecret }}
+    - --http-address=0.0.0.0:{{ .Values.sidecars.oauth2Proxy.httpPort }}
+    - --metrics-address=0.0.0.0:{{ .Values.sidecars.oauth2Proxy.metricsPort }}
+    - --reverse-proxy=true
+    - --provider={{ .Values.sidecars.oauth2Proxy.provider }}
+    - --oidc-issuer-url={{ .Values.sidecars.oauth2Proxy.oidcIssuerUrl }}
+    - --client-id={{ .Values.sidecars.oauth2Proxy.clientId }}
+    - --cookie-secure={{ .Values.sidecars.oauth2Proxy.cookieSecure }}
+    - --cookie-name={{ .Values.sidecars.oauth2Proxy.cookieName }}
+    {{- if .Values.sidecars.oauth2Proxy.cookieDomain }}
+    - --cookie-domain={{ .Values.sidecars.oauth2Proxy.cookieDomain }}
+    {{- end }}
+    - --cookie-expire={{ .Values.sidecars.oauth2Proxy.cookieExpire }}
+    - --cookie-refresh={{ .Values.sidecars.oauth2Proxy.cookieRefresh }}
+    - --scope={{ .Values.sidecars.oauth2Proxy.scope }}
+    - --email-domain=*
+    - --set-xauthrequest=true
+    - --set-authorization-header=true
+    - --pass-access-token={{ .Values.sidecars.oauth2Proxy.passAccessToken }}
+    - --upstream=static://200
+    - --redirect-url=https://{{ .Values.sidecars.envoy.service.hostname }}/oauth2/callback
+    - --silence-ping-logging=true
+    - --skip-provider-button=true
+    {{- range .Values.sidecars.oauth2Proxy.extraArgs }}
+    - {{ . }}
+    {{- end }}
+  ports:
+  - name: http
+    containerPort: {{ .Values.sidecars.oauth2Proxy.httpPort }}
+  - name: metrics
+    containerPort: {{ .Values.sidecars.oauth2Proxy.metricsPort }}
+  livenessProbe:
+    httpGet:
+      path: /ping
+      port: http
+    initialDelaySeconds: 10
+    periodSeconds: 10
+    timeoutSeconds: 3
+  readinessProbe:
+    httpGet:
+      path: /ready
+      port: http
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    timeoutSeconds: 3
+  resources:
+    {{- toYaml .Values.sidecars.oauth2Proxy.resources | nindent 4 }}
+  volumeMounts:
+    {{- if .Values.sidecars.oauth2Proxy.useKubernetesSecrets }}
+    - name: oauth2-proxy-secrets
+      mountPath: /etc/oauth2-proxy
+      readOnly: true
+    {{- end }}
+    {{- with .Values.sidecars.oauth2Proxy.extraVolumeMounts }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+OAuth2 Proxy volumes
+*/}}
+{{- define "router.oauth2-proxy-volumes" -}}
+{{- if .Values.sidecars.oauth2Proxy.enabled }}
+{{- if .Values.sidecars.oauth2Proxy.useKubernetesSecrets }}
+- name: oauth2-proxy-secrets
+  secret:
+    secretName: {{ .Values.sidecars.oauth2Proxy.secretName | default "oauth2-proxy-secrets" }}
+    items:
+    - key: {{ .Values.sidecars.oauth2Proxy.clientSecretKey | default "client_secret" }}
+      path: client-secret
+    - key: {{ .Values.sidecars.oauth2Proxy.cookieSecretKey | default "cookie_secret" }}
+      path: cookie-secret
+{{- end }}
+{{- end }}
+{{- end }}
 Authorization sidecar container
 */}}
 {{- define "router.authz-sidecar-container" -}}

deployments/charts/router/templates/_sidecar-helpers.tpl

@@ -33,6 +33,7 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
+        checksum/envoy-config: {{ .Values.sidecars.envoy | toYaml | sha256sum }}
         {{- with .Values.extraPodAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -186,13 +187,15 @@ spec:
         {{- end }}
 
       {{- include "router.envoy-sidecar-container" . | nindent 6}}
+      {{- include "router.oauth2-proxy-sidecar-container" . | nindent 6}}
       {{- include "router.authz-sidecar-container" . | nindent 6}}
       {{- include "router.log-agent-sidecar-container" . | nindent 6}}
       {{- with .Values.extraContainers }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
       volumes:
         {{- include "router.envoy-volumes" . | nindent 8 }}
+        {{- include "router.oauth2-proxy-volumes" . | nindent 8 }}
         {{- include "router.log-agent-volumes" . | nindent 8 }}
         {{- if .Values.global.logs.enabled }}
         - name: logs

deployments/charts/router/templates/router-service.yaml

@@ -355,50 +355,17 @@ sidecars:
         timeout: 0s
 
 
-    ## OAuth2 authentication filter configuration
+    ## IDP (Identity Provider) configuration for JWT JWKS fetching
     ##
-    oauth2Filter:
-      ## Enable OAuth2 authentication for incoming requests
-      ##
-      enabled: true
-
-      ## Forward bearer token to upstream service
-      ##
-      forwardBearerToken: true
-
-      ## OAuth2 token endpoint URL for token exchange
+    idp:
+      ## Hostname for the identity provider (e.g., login.microsoftonline.com)
       ##
-      tokenEndpoint: ""
+      host: ""
 
-      ## OAuth2 authorization endpoint URL for user authentication
-      ##
-      authEndpoint: ""
-
-      ## Redirect path for OAuth2 callback after authentication
-      ##
-      redirectPath: api/auth/getAToken
-
-      ## OAuth2 client ID for this application
-      ##
-      clientId: ""
-
-      ## OAuth2 authentication provider identifier
-      ##
-      authProvider: ""
-
-      ## Logout path for ending user sessions
-      ##
-      logoutPath: logout
-
-      ## Kubernetes secret keys (when useKubernetesSecrets is true)
-      ##
-      secretName: oidc-secrets
-      clientSecretKey: client_secret
-      hmacSecretKey: hmac_secret
-
-      ## Force re-authentication when IdToken is missing on refresh
-      ##
-      forceReauthOnMissingIdToken: false
+    ## OAuth2 authentication filter configuration (DEPRECATED - use sidecars.oauth2Proxy instead)
+    ##
+    oauth2Filter:
+      enabled: false
 
     ## JWT (JSON Web Token) authentication configuration
     ##
@@ -434,11 +401,10 @@ sidecars:
       ##
       address: osmo-service
 
-    ## Secret paths for OAuth2 secrets
+    ## Secret paths (legacy, kept for backward compatibility)
     ##
     secretPaths:
       clientSecret: /etc/envoy/secrets/client_secret
-      hmacSecret: /etc/envoy/secrets/hmac_secret
 
     ## Additional volume mounts for the Envoy container
     ##
@@ -471,6 +437,111 @@ sidecars:
       timeoutSeconds: 3
 
 
+  ## OAuth2 Proxy sidecar configuration
+  ##
+  oauth2Proxy:
+    ## Enable OAuth2 Proxy sidecar container
+    ##
+    enabled: true
+
+    ## OAuth2 Proxy container image
+    ##
+    image: "quay.io/oauth2-proxy/oauth2-proxy:v7.14.2"
+
+    ## Image pull policy
+    ##
+    imagePullPolicy: IfNotPresent
+
+    ## HTTP port for OAuth2 Proxy
+    ##
+    httpPort: 4180
+
+    ## Metrics port for OAuth2 Proxy
+    ##
+    metricsPort: 44180
+
+    ## OIDC provider type
+    ##
+    provider: oidc
+
+    ## OIDC issuer URL
+    ##
+    oidcIssuerUrl: ""
+
+    ## OAuth2 client ID
+    ##
+    clientId: ""
+
+    ## Cookie name for session management
+    ##
+    cookieName: _osmo_session
+
+    ## Whether to set the secure flag on cookies
+    ##
+    cookieSecure: true
+
+    ## Cookie domain (leave empty for default)
+    ##
+    cookieDomain: ""
+
+    ## Cookie expiration duration
+    ##
+    cookieExpire: 168h
+
+    ## Cookie refresh interval
+    ##
+    cookieRefresh: 1h
+
+    ## OAuth2 scopes to request
+    ##
+    scope: "openid email profile"
+
+    ## Pass the access token to upstream (disabled to reduce cookie size)
+    ##
+    passAccessToken: false
+
+    ## Use Kubernetes secrets for credentials
+    ##
+    useKubernetesSecrets: false
+
+    ## Kubernetes secret configuration (when useKubernetesSecrets is true)
+    ##
+    secretName: oauth2-proxy-secrets
+    clientSecretKey: client_secret
+    cookieSecretKey: cookie_secret
+
+    ## Secret file paths (when using vault or other secret managers)
+    ##
+    secretPaths:
+      clientSecret: /etc/oauth2-proxy/client-secret
+      cookieSecret: /etc/oauth2-proxy/cookie-secret
+
+    ## Additional arguments passed to oauth2-proxy
+    ##
+    extraArgs: []
+
+    ## Additional volume mounts
+    ##
+    extraVolumeMounts: []
+
+    ## Security context for OAuth2 Proxy container
+    ##
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop: ["ALL"]
+      runAsNonRoot: true
+      runAsUser: 1001
+
+    ## Resource limits and requests
+    ##
+    resources:
+      requests:
+        cpu: "50m"
+        memory: "64Mi"
+      limits:
+        memory: "128Mi"
+
   ## Log agent sidecar configuration for centralized logging on AWS CloudWatch
   ##
   logAgent: