kgateway-dev
diff --git a/‎api/v1alpha1/kgateway/oauth2.go‎
Lines changed: 72 additions & 0 deletions b/‎api/v1alpha1/kgateway/oauth2.go‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎api/v1alpha1/kgateway/zz_generated.deepcopy.go‎
Lines changed: 87 additions & 0 deletions b/‎api/v1alpha1/kgateway/zz_generated.deepcopy.go‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml‎
Lines changed: 105 additions & 0 deletions b/‎install/helm/kgateway-crds/templates/gateway.kgateway.dev_gatewayextensions.yaml‎
Lines changed: 105 additions & 0 deletions
@@ -15,6 +15,21 @@ func (h HttpsUri) String() string {
 	return string(h)
 }
 
+// OAuth2CookieSameSite specifies the SameSite attribute for OAuth2 cookies
+// +kubebuilder:validation:Enum=Lax;Strict;None
+type OAuth2CookieSameSite string
+
+const (
+	// OAuth2CookieSameSiteLax specifies the Lax SameSite attribute for OAuth2 cookies
+	OAuth2CookieSameSiteLax OAuth2CookieSameSite = "Lax"
+
+	// OAuth2CookieSameSiteStrict specifies the Strict SameSite attribute for OAuth2 cookies
+	OAuth2CookieSameSiteStrict OAuth2CookieSameSite = "Strict"
+
+	// OAuth2CookieSameSiteNone specifies the None SameSite attribute for OAuth2 cookies
+	OAuth2CookieSameSiteNone OAuth2CookieSameSite = "None"
+)
+
 // OAuth2Provider specifies the configuration for OAuth2 extension provider.
 //
 // +kubebuilder:validation:XValidation:message="Either issuerURI, or both authorizationEndpoint and tokenEndpoint must be specified",rule="has(self.issuerURI) || (has(self.authorizationEndpoint) && has(self.tokenEndpoint))"
@@ -82,6 +97,39 @@ type OAuth2Provider struct {
 	// Refer to https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout for more details.
 	// +optional
 	EndSessionEndpoint *HttpsUri `json:"endSessionEndpoint,omitempty"`
+
+	// Cookies specifies the configuration for the OAuth2 cookies.
+	// +optional
+	Cookies *OAuth2CookieConfig `json:"cookies,omitempty"`
+
+	// DenyRedirectMatcher specifies the matcher to match requests that should be denied redirects to the authorization endpoint.
+	// Matching requests will receive a 401 Unauthorized response instead of being redirected.
+	// This is useful for AJAX requests where redirects should be avoided.
+	// +optional
+	DenyRedirect *OAuth2DenyRedirectMatcher `json:"denyRedirect,omitempty"`
+}
+
+type OAuth2CookieConfig struct {
+	// CookieDomain specifies the domain to set on the access and ID token cookies.
+	// If set, the cookies will be set for the specified domain and all its subdomains. This is useful when requests
+	// to subdomains are not required to be re-authenticated after the user has logged into the parent domain.
+	// If not set, the cookies will default to the host of the request, not including the subdomains.
+	// +optional
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$`
+	Domain *string `json:"domain,omitempty"`
+
+	// Names specifies the names of the cookies used to store the tokens.
+	// If not set, the default names will be used.
+	// +optional
+	Names *OAuth2CookieNames `json:"names,omitempty"`
+
+	// SameSite specifies the SameSite attribute for the OAuth2 cookies.
+	// If not set, the default is Lax.
+	// +optional
+	SameSite *OAuth2CookieSameSite `json:"sameSite,omitempty"`
 }
 
 // OAuth2Credentials specifies the Oauth2 client credentials.
@@ -100,6 +148,30 @@ type OAuth2Credentials struct {
 	ClientSecretRef corev1.LocalObjectReference `json:"clientSecretRef"`
 }
 
+// OAuth2CookieNames specifies the names of the cookies used to store the tokens.
+type OAuth2CookieNames struct {
+	// AccessToken specifies the name of the cookie used to store the access token.
+	// +optional
+	//
+	// +kubebuilder:validation:MinLength=1
+	AccessToken *string `json:"accessToken,omitempty"`
+
+	// IDToken specifies the name of the cookie used to store the ID token.
+	// +optional
+	//
+	// +kubebuilder:validation:MinLength=1
+	IDToken *string `json:"idToken,omitempty"`
+}
+
+// OAuth2DenyRedirectMatcher specifies the matcher to match requests that should be denied redirects to the authorization endpoint.
+type OAuth2DenyRedirectMatcher struct {
+	// Headers specifies the list of HTTP headers to match on requests that should be denied redirects.
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=16
+	Headers []gwv1.HTTPHeaderMatch `json:"headers,omitempty"`
+}
+
 // OAuth2Policy specifies the OAuth2 policy to apply to requests.
 type OAuth2Policy struct {
 	// ExtensionRef specifies the GatewayExtension that should be used for OAuth2.
 
@@ -1126,6 +1126,46 @@ spec:
                     - message: Must have port for Service reference
                       rule: '(size(self.group) == 0 && self.kind == ''Service'') ?
                         has(self.port) : true'
+                  cookies:
+                    description: Cookies specifies the configuration for the OAuth2
+                      cookies.
+                    properties:
+                      domain:
+                        description: |-
+                          CookieDomain specifies the domain to set on the access and ID token cookies.
+                          If set, the cookies will be set for the specified domain and all its subdomains. This is useful when requests
+                          to subdomains are not required to be re-authenticated after the user has logged into the parent domain.
+                          If not set, the cookies will default to the host of the request, not including the subdomains.
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9]))*$
+                        type: string
+                      names:
+                        description: |-
+                          Names specifies the names of the cookies used to store the tokens.
+                          If not set, the default names will be used.
+                        properties:
+                          accessToken:
+                            description: AccessToken specifies the name of the cookie
+                              used to store the access token.
+                            minLength: 1
+                            type: string
+                          idToken:
+                            description: IDToken specifies the name of the cookie
+                              used to store the ID token.
+                            minLength: 1
+                            type: string
+                        type: object
+                      sameSite:
+                        description: |-
+                          SameSite specifies the SameSite attribute for the OAuth2 cookies.
+                          If not set, the default is Lax.
+                        enum:
+                        - Lax
+                        - Strict
+                        - None
+                        type: string
+                    type: object
                   credentials:
                     description: Credentials specifies the Oauth2 client credentials
                       to use for authentication.
@@ -1157,6 +1197,71 @@ spec:
                     - clientID
                     - clientSecretRef
                     type: object
+                  denyRedirect:
+                    description: |-
+                      DenyRedirectMatcher specifies the matcher to match requests that should be denied redirects to the authorization endpoint.
+                      Matching requests will receive a 401 Unauthorized response instead of being redirected.
+                      This is useful for AJAX requests where redirects should be avoided.
+                    properties:
+                      headers:
+                        description: Headers specifies the list of HTTP headers to
+                          match on requests that should be denied redirects.
+                        items:
+                          description: |-
+                            HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request
+                            headers.
+                          properties:
+                            name:
+                              description: |-
+                                Name is the name of the HTTP Header to be matched. Name matching MUST be
+                                case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2).
+
+                                If multiple entries specify equivalent header names, only the first
+                                entry with an equivalent name MUST be considered for a match. Subsequent
+                                entries with an equivalent header name MUST be ignored. Due to the
+                                case-insensitivity of header names, "foo" and "Foo" are considered
+                                equivalent.
+
+                                When a header is repeated in an HTTP request, it is
+                                implementation-specific behavior as to how this is represented.
+                                Generally, proxies should follow the guidance from the RFC:
+                                https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding
+                                processing a repeated header, with special handling for "Set-Cookie".
+                              maxLength: 256
+                              minLength: 1
+                              pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$
+                              type: string
+                            type:
+                              default: Exact
+                              description: |-
+                                Type specifies how to match against the value of the header.
+
+                                Support: Core (Exact)
+
+                                Support: Implementation-specific (RegularExpression)
+
+                                Since RegularExpression HeaderMatchType has implementation-specific
+                                conformance, implementations can support POSIX, PCRE or any other dialects
+                                of regular expressions. Please read the implementation's documentation to
+                                determine the supported dialect.
+                              enum:
+                              - Exact
+                              - RegularExpression
+                              type: string
+                            value:
+                              description: Value is the value of HTTP Header to be
+                                matched.
+                              maxLength: 4096
+                              minLength: 1
+                              type: string
+                          required:
+                          - name
+                          - value
+                          type: object
+                        maxItems: 16
+                        minItems: 1
+                        type: array
+                    type: object
                   endSessionEndpoint:
                     description: |-
                       EndSessionEndpoint specifies the URL that redirects a user's browser to in order to initiate a single logout