support loading client secrets from Kubernetes Secret Resource

.gitignore

@@ -3,5 +3,5 @@ bin/
 .makerc
 .vimrc
 logs/
-cluster/kubeconfig
+**/cluster/kubeconfig
 certs/

cmd/main.go

@@ -37,6 +37,7 @@ func main() {
 		envoyAuthz  = server.NewExtAuthZFilter(&configFile.Config, jwks, sessions)
 		authzServer = server.New(&configFile.Config, envoyAuthz.Register)
 		healthz     = server.NewHealthServer(&configFile.Config)
+		secrets     = internal.NewSecretLoader(&configFile.Config)
 	)
 
 	configLog := run.NewPreRunner("config-log", func() error {
@@ -52,6 +53,7 @@ func main() {
 	g.Register(
 		configFile,        // load the configuration
 		logging,           // set up the logging system
+		secrets,           // load the secrets and update the configuration
 		configLog,         // log the configuration
 		jwks,              // start the JWKS provider
 		sessions,          // start the session store

config/v1/oidc/config.proto

@@ -132,10 +132,30 @@ message OIDCConfig {
   // Required.
   string client_id = 5 [(validate.rules).string.min_len = 1];
 
-  // The OIDC client secret assigned to the filter to be used in the
-  // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
-  // Required.
-  string client_secret = 6 [(validate.rules).string.min_len = 1];
+  // This message defines a reference to a Kubernetes Secret resource.
+  message SecretReference {
+    // The namespace of the referenced Secret, if not set, default to "default" namespace.
+    string namespace = 1;
+
+    // The name of the referenced Secret.
+    string name = 2 [(validate.rules).string.min_len = 1];
+  }
+
+  oneof client_secret_config {
+    option(validate.required) = true;
+    // The OIDC client secret assigned to the filter to be used in the
+    // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+    // This field keeps the client secret in plain text. Recommend to use `client_secret_ref` instead
+    // when running in a Kubernetes cluster.
+    string client_secret = 6;
+
+    // The Kubernetes secret that contains the OIDC client secret assigned to the filter to be used in the
+    // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
+    //
+    // This is an Opaque secret. The client secret should be stored in the key "client-secret".
+    // This filed is only valid when running in a Kubernetes cluster.
+    SecretReference client_secret_ref = 21;
+  }
 
   // Additional scopes passed to the OIDC Provider in the
   // [Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
@@ -229,4 +249,3 @@ message OIDCConfig {
   // Optional.
   google.protobuf.Value skip_verify_peer_cert = 18; // keep this field out from the trusted_ca_config one of for backward compatibility.
 }
-

e2e/istio/cluster/manifests/authservice.yaml

@@ -94,6 +94,39 @@ spec:
           configMap:
             name: authservice-config
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: authservice-secrets
+  namespace: authservice
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: authservice-secrets
+  namespace: authservice
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: authservice-secrets
+subjects:
+  - kind: ServiceAccount
+    name: authservice
+    namespace: authservice
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: client-secret
+  namespace: authservice
+type: Opaque
+stringData:
+  client-secret: "authservice-secret"
+---
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -116,7 +149,10 @@ data:
                 "configuration_uri": "http://keycloak.keycloak:8080/realms/master/.well-known/openid-configuration",
                 "callback_uri": "https://http-echo.authservice.internal/callback",
                 "client_id": "authservice",
-                "client_secret": "authservice-secret",
+                "client_secret_ref": {
+                  "namespace": "authservice",
+                  "name": "client-secret"
+                },
                 "cookie_name_prefix": "authservice",
                 "id_token": {
                   "preamble": "Bearer",

go.mod

@@ -20,6 +20,7 @@ require (
 	k8s.io/api v0.29.2
 	k8s.io/apimachinery v0.29.2
 	k8s.io/client-go v0.29.2
+	sigs.k8s.io/controller-runtime v0.17.2
 )
 
 require (
@@ -32,7 +33,9 @@ require (
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch/v5 v5.8.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -74,5 +77,5 @@ require (
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )