Add OIDC policy

Co-authored-by: Dean Coakley <[email protected]>
Co-authored-by: Michael Pleshakov <[email protected]>
Co-authored-by: Mike Stephen <[email protected]>

build/DockerfileForPlus

@@ -6,6 +6,7 @@ FROM debian:buster-slim AS base
 LABEL maintainer="NGINX Docker Maintainers <[email protected]>"
 
 ENV NGINX_PLUS_VERSION 23-1~buster
+ENV NGINX_NJS_VERSION 23+0.5.0-1~buster
 ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
@@ -36,7 +37,7 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	&& echo "Acquire::https::plus-pkgs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90nginx \
 	&& echo "Acquire::https::plus-pkgs.nginx.com::User-Agent  \"k8s-ic-$IC_VERSION-apt\";" >> /etc/apt/apt.conf.d/90nginx \
 	&& printf "deb https://plus-pkgs.nginx.com/debian buster nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
-	&& apt-get update && apt-get install -y nginx-plus=${NGINX_PLUS_VERSION} \
+	&& apt-get update && apt-get install -y nginx-plus=${NGINX_PLUS_VERSION} nginx-plus-module-njs=${NGINX_NJS_VERSION} \
 	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
 	          'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& apt-get remove --purge --auto-remove -y gnupg1 \
@@ -54,9 +55,10 @@ RUN ln -sf /proc/1/fd/1 /var/log/nginx/access.log \
 RUN mkdir -p /var/lib/nginx \
 		/etc/nginx/secrets \
 		/etc/nginx/stream-conf.d \
+		/etc/nginx/oidc \
 	&& chown -R nginx:0 /etc/nginx \
-			    /var/cache/nginx \
-			    /var/lib/nginx/ \
+				/var/cache/nginx \
+				/var/lib/nginx/ \
 	&& apt-get remove --purge -y libcap2-bin \
 	&& rm /etc/nginx/conf.d/*
 
@@ -67,6 +69,8 @@ COPY internal/configs/version1/nginx-plus.ingress.tmpl \
 	internal/configs/version2/nginx-plus.virtualserver.tmpl \
 	internal/configs/version2/nginx-plus.transportserver.tmpl /
 
+COPY internal/configs/oidc/* /etc/nginx/oidc/
+
 # Uncomment the line below if you would like to add the default.pem to the image
 # and use it as a certificate and key for the default server
 # ADD default.pem /etc/nginx/secrets/default

build/DockerfileWithOpentracingForPlus

@@ -14,6 +14,7 @@ FROM debian:buster-slim AS base
 LABEL maintainer="NGINX Docker Maintainers <[email protected]>"
 
 ENV NGINX_PLUS_VERSION 23-1~buster
+ENV NGINX_NJS_VERSION 23+0.5.0-1~buster
 ENV NGINX_OPENTRACING_MODULE_VERSION 23+0.9.0-1~buster
 
 ARG IC_VERSION
@@ -47,7 +48,7 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	&& echo "Acquire::https::plus-pkgs.nginx.com::User-Agent  \"k8s-ic-$IC_VERSION-apt\";" >> /etc/apt/apt.conf.d/90nginx \
 	&& printf "deb https://plus-pkgs.nginx.com/debian buster nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \
 	&& apt-get update && apt-get install -y \
-	nginx-plus=${NGINX_PLUS_VERSION} \
+	nginx-plus=${NGINX_PLUS_VERSION} nginx-plus-module-njs=${NGINX_NJS_VERSION} \
 	# Install OpenTracing module
 	nginx-plus-module-opentracing=${NGINX_OPENTRACING_MODULE_VERSION} \
 	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
@@ -70,9 +71,10 @@ COPY --from=tracer-downloader /usr/local/lib/libjaegertracing_plugin.so /usr/loc
 RUN mkdir -p /var/lib/nginx \
 		/etc/nginx/secrets \
 		/etc/nginx/stream-conf.d \
+		/etc/nginx/oidc \
 	&& chown -R nginx:0 /etc/nginx \
-			    /var/cache/nginx \
-			    /var/lib/nginx/ \
+				/var/cache/nginx \
+				/var/lib/nginx/ \
 	&& apt-get remove --purge -y libcap2-bin \
 	&& rm /etc/nginx/conf.d/*
 
@@ -83,6 +85,8 @@ COPY internal/configs/version1/nginx-plus.ingress.tmpl \
 	internal/configs/version2/nginx-plus.virtualserver.tmpl \
 	internal/configs/version2/nginx-plus.transportserver.tmpl /
 
+COPY internal/configs/oidc/* /etc/nginx/oidc/
+
 # Uncomment the line below if you would like to add the default.pem to the image
 # and use it as a certificate and key for the default server
 # ADD default.pem /etc/nginx/secrets/default

build/appprotect/DockerfileWithAppProtectForPlus

@@ -13,6 +13,7 @@ ENV APPPROTECT_SIG_VERSION 2020.12.30-1~buster
 ENV APPPROTECT_THREAT_CAMPAIGNS_VERSION 2021.01.03-1~buster
 ENV NGINX_PLUS_VERSION 23-1~buster
 ENV NGINX_PLUS_RELEASE R23
+ENV NGINX_NJS_VERSION 23+0.5.0-1~buster
 ARG IC_VERSION
 
 # Download certificate and key from the customer portal (https://cs.nginx.com)
@@ -49,7 +50,7 @@ RUN --mount=type=secret,id=nginx-repo.crt \
 	&& echo "Acquire::https::app-protect-sigs.nginx.com::Verify-Host \"true\";" >> /etc/apt/apt.conf.d/90app-protect-sigs \
 	&& echo "Acquire::https::app-protect-sigs.nginx.com::SslCert     \"/etc/ssl/nginx/nginx-repo.crt\";" >> /etc/apt/apt.conf.d/90app-protect-sigs \
 	&& echo "Acquire::https::app-protect-sigs.nginx.com::SslKey      \"/etc/ssl/nginx/nginx-repo.key\";" >> /etc/apt/apt.conf.d/90app-protect-sigs \
-	&& apt-get update && apt-get install -y nginx-plus=$NGINX_PLUS_VERSION \
+	&& apt-get update && apt-get install -y nginx-plus=$NGINX_PLUS_VERSION nginx-plus-module-njs=${NGINX_NJS_VERSION} \
 	    nginx-plus-module-appprotect=$APPPROTECT_MODULE_VERSION \
 	    app-protect-plugin=$APPPROTECT_PLUGIN_VERSION \
 	    app-protect-engine=$APPPROTECT_ENGINE_VERSION \
@@ -83,6 +84,7 @@ RUN mkdir -p /var/lib/nginx \
 				/etc/nginx/waf/nac-usersigs \
 				/var/log/app_protect \
 				/opt/app_protect \
+				/etc/nginx/oidc \
 	&& touch /etc/nginx/waf/nac-usersigs/index.conf \
 	&& chown -R nginx:0 /etc/app_protect \
 						/usr/share/ts \
@@ -106,7 +108,7 @@ RUN printf "MODULE = ALL;\nLOG_LEVEL = TS_CRIT;\nFILE = 2;\n" > /etc/app_protect
 	; do sed -i "/\[$v/a log_level=fatal" "/etc/app_protect/tools/asm_logging.conf" \
 	; done
 
-COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx  
+COPY --chown=nginx:0 build/appprotect/log-default.json /etc/nginx
 
 EXPOSE 80 443
 
@@ -115,6 +117,8 @@ COPY internal/configs/version1/nginx-plus.ingress.tmpl \
 	internal/configs/version2/nginx-plus.virtualserver.tmpl \
 	internal/configs/version2/nginx-plus.transportserver.tmpl /
 
+COPY internal/configs/oidc/* /etc/nginx/oidc/
+
 # Uncomment the line below if you would like to add the default.pem to the image
 # and use it as a certificate and key for the default server
 # ADD default.pem /etc/nginx/secrets/default

cmd/nginx-ingress/main.go

@@ -80,7 +80,7 @@ var (
 	- i.e have the annotation "kubernetes.io/ingress.class" equal to the class.
 	Additionally, the Ingress Controller processes resources that do not have the class set,
 	which can be disabled by setting the "-use-ingress-class-only" flag
-	
+
 	The Ingress Controller processes all the VirtualServer/VirtualServerRoute resources that do not have the "ingressClassName" field for all versions of kubernetes.`)
 
 	useIngressClassOnly = flag.Bool("use-ingress-class-only", false,
@@ -112,7 +112,7 @@ var (
 	(default for NGINX "nginx.transportserver.tmpl"; default for NGINX Plus "nginx-plus.transportserver.tmpl")`)
 
 	externalService = flag.String("external-service", "",
-		`Specifies the name of the service with the type LoadBalancer through which the Ingress controller pods are exposed externally. 
+		`Specifies the name of the service with the type LoadBalancer through which the Ingress controller pods are exposed externally.
 	The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. For Ingress resources only: Requires -report-ingress-status.`)
 
 	nginxCisConnector = flag.String("nginx-cis-connector", "",
@@ -165,7 +165,7 @@ var (
 
 	globalConfiguration = flag.String("global-configuration", "",
 		`A GlobalConfiguration resource for global configuration of the Ingress Controller. Requires -enable-custom-resources. If the flag is set,
-		but the Ingress controller is not able to fetch the corresponding resource from Kubernetes API, the Ingress Controller 
+		but the Ingress controller is not able to fetch the corresponding resource from Kubernetes API, the Ingress Controller
 		will fail to start. Format: <namespace>/<name>`)
 
 	enableTLSPassthrough = flag.Bool("enable-tls-passthrough", false,
@@ -521,6 +521,7 @@ func main() {
 		NginxServiceMesh:               *spireAgentAddress != "",
 		MainAppProtectLoadModule:       *appProtect,
 		EnableLatencyMetrics:           *enableLatencyMetrics,
+		EnablePreviewPolicies:          *enablePreviewPolicies,
 	}
 
 	ngxConfig := configs.GenerateNginxMainConfig(staticCfgParams, cfgParams)
@@ -790,8 +791,10 @@ func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string)
 	return secret, nil
 }
 
-const locationFmt = `/[^\s{};]*`
-const locationErrMsg = "must start with / and must not include any whitespace character, `{`, `}` or `;`"
+const (
+	locationFmt    = `/[^\s{};]*`
+	locationErrMsg = "must start with / and must not include any whitespace character, `{`, `}` or `;`"
+)
 
 var locationRegexp = regexp.MustCompile("^" + locationFmt + "$")
 

deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml

@@ -87,6 +87,24 @@ spec:
                   type: string
                 token:
                   type: string
+            oidc:
+              description: OIDC defines an Open ID Connect policy.
+              type: object
+              properties:
+                authEndpoint:
+                  type: string
+                clientID:
+                  type: string
+                clientSecret:
+                  type: string
+                jwksURI:
+                  type: string
+                redirectURI:
+                  type: string
+                scope:
+                  type: string
+                tokenEndpoint:
+                  type: string
             rateLimit:
               description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object

deployments/common/crds/k8s.nginx.org_policies.yaml

@@ -88,6 +88,24 @@ spec:
                       type: string
                     token:
                       type: string
+                oidc:
+                  description: OIDC defines an Open ID Connect policy.
+                  type: object
+                  properties:
+                    authEndpoint:
+                      type: string
+                    clientID:
+                      type: string
+                    clientSecret:
+                      type: string
+                    jwksURI:
+                      type: string
+                    redirectURI:
+                      type: string
+                    scope:
+                      type: string
+                    tokenEndpoint:
+                      type: string
                 rateLimit:
                   description: 'RateLimit defines a rate limit policy. policy status: preview'
                   type: object

deployments/helm-chart/crds/k8s.nginx.org_policies.yaml

@@ -87,6 +87,24 @@ spec:
                   type: string
                 token:
                   type: string
+            oidc:
+              description: OIDC defines an Open ID Connect policy.
+              type: object
+              properties:
+                authEndpoint:
+                  type: string
+                clientID:
+                  type: string
+                clientSecret:
+                  type: string
+                jwksURI:
+                  type: string
+                redirectURI:
+                  type: string
+                scope:
+                  type: string
+                tokenEndpoint:
+                  type: string
             rateLimit:
               description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object

examples-of-custom-resources/oidc/README.md

@@ -0,0 +1,98 @@
+# OIDC
+
+In this example, we deploy keycloak and a web application configure load balancing for it via a VirtualServer, and apply an OpenID Connect policy.
+
+## Prerequisites
+
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
+1. Save the public IP address of the Ingress Controller into `/etc/hosts`:
+    ```
+    ...
+
+    XXX.YYY.ZZZ.III webapp.example.com
+    XXX.YYY.ZZZ.III keycloak.example.com
+    ```
+
+## Step 1 - Deploy a Web Application
+
+Create the application deployment and service:
+```
+$ kubectl apply -f webapp.yaml
+```
+
+## Step 2 - Deploy Keycloak
+
+1. Create keycloak deployment and service:
+```
+$ kubectl apply -f keycloak.yaml
+```
+1. Create a VirtualServer resource for Keycloak:
+    ```
+    $ kubectl apply -f virtual-server-idp.yaml
+    ```
+
+To set up Keycloak, you can either follow the steps in the "Configuring Keycloak" section of the documentation [here](https://docs.nginx.com/nginx/deployment-guides/single-sign-on/keycloak/#configuring-keycloak) or execute the commands [here](./keycloak_setup.md).
+
+
+## Step 3 - Deploy the Client Secret
+
+1. Edit `client-secret.yaml` with your secret.
+
+1. Create a secret with the name `oidc-secret` that will be used for OIDC validation:
+```
+$ kubectl apply -f client-secret.yaml
+```
+
+## Step 4 - Deploy the OIDC Policy
+
+1. Modify the URL `authEndpoint` in `oidc.yaml` with the public IP address or DNS of keycloak.
+
+1. Create a policy with the name `oidc-policy` that references the secret from the previous step:
+```
+$ kubectl apply -f oidc.yaml
+```
+
+## Step 5 - Deploy the Service for the Ingress Controller and update ConfigMap
+1. Deploy the service for Ingress Controller.
+    ```
+    $ kubectl apply -f service/nodeport.yaml
+    ```
+1. Update the ConfigMap with the config required for OIDC.
+    ```yaml
+    kind: ConfigMap
+    apiVersion: v1
+    metadata:
+    name: nginx-config
+    namespace: nginx-ingress
+    data:
+        stream-snippets: |
+            resolver 10.96.0.10 valid=5s;
+            server {
+                listen 12345;
+                zone_sync;
+                zone_sync_server nginx-ingress.nginx-ingress.svc.cluster.local:12345 resolve;
+            }
+        resolver: 10.96.0.10
+        resolver-valid: 5s
+    ```
+1. Apply the ConfigMap.
+   ```
+   $ kubectl apply -f common/nginx-config.yaml
+   ```
+
+## Step 6 - Configure Load Balancing and TLS Termination
+1. Create the secret with the TLS certificate and key:
+    ```
+    $ kubectl create -f tls-secret.yaml
+    ```
+
+2. Create a VirtualServer resource for the web application:
+    ```
+    $ kubectl apply -f virtual-server.yaml
+    ```
+
+Note that the VirtualServer references the policy `oidc-policy` created in Step 4.
+
+## Step 5 - Test the Configuration
+
+Open a web browser and navigate to the URL of the Ingress Controller

examples-of-custom-resources/oidc/client-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oidc-secret
+type: nginx.org/oidc
+data:
+  client-secret: c3VwZXItc2VjcmV0IQo