Add OIDC test using keycloak as idp (#7242)

vepatel · web-flow · commit e03b216f340d · 2025-01-30T16:57:53.000Z
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
@@ -76,6 +76,13 @@
       "type": "plus",
       "marker": "'policies_ac or policies_jwt or policies_mtls'",
       "platforms": "linux/arm64, linux/amd64, linux/s390x"
+    },
+    {
+      "label": "OIDC-UI 1/1",
+      "image": "debian-plus",
+      "type": "plus",
+      "marker": "oidc",
+      "platforms": "linux/arm64, linux/amd64"
     }
   ],
   "k8s": []
diff --git a/pyproject.toml b/pyproject.toml
@@ -45,6 +45,7 @@ markers =[
     "hsts",
     "ingresses",
     "multi_ns",
+    "oidc",
     "policies",
     "policies_rl",
     "policies_jwt",
diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -15,6 +15,7 @@ WORKDIR /workspace/tests
 
 COPY --link tests/requirements.txt /workspace/tests/
 RUN pip install --require-hashes -r requirements.txt --no-deps
+RUN playwright install --with-deps chromium
 
 COPY --link deployments /workspace/deployments
 COPY --link config /workspace/config
diff --git a/tests/data/common/app/keycloak/app.yaml b/tests/data/common/app/keycloak/app.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+  selector:
+    app: keycloak
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+      - name: keycloak
+        image: quay.io/keycloak/keycloak:25.0.2
+        args: ["start-dev"]
+        env:
+        - name: KEYCLOAK_ADMIN
+          value: "admin"
+        - name: KEYCLOAK_ADMIN_PASSWORD
+          value: "admin"
+        - name: KC_PROXY
+          value: "edge"
+        ports:
+        - name: http
+          containerPort: 8080
+        - name: https
+          containerPort: 8443
+        readinessProbe:
+          httpGet:
+            path: /realms/master
+            port: 8080
diff --git a/tests/data/oidc/client-secret.yaml b/tests/data/oidc/client-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oidc-secret
+type: nginx.org/oidc
+data:
+  client-secret:
diff --git a/tests/data/oidc/nginx-config.yaml b/tests/data/oidc/nginx-config.yaml
@@ -0,0 +1,15 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: nginx-config
+  namespace: nginx-ingress
+data:
+  stream-snippets: |
+    server {
+        listen 12345;
+        listen [::]:12345;
+        zone_sync;
+        zone_sync_server nginx-ingress-headless.nginx-ingress.svc.cluster.local:12345 resolve;
+    }
+  resolver-addresses: kube-dns.kube-system.svc.cluster.local
+  resolver-valid: 5s
diff --git a/tests/data/oidc/nginx-ingress-headless.yaml b/tests/data/oidc/nginx-ingress-headless.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-ingress-headless
+spec:
+  clusterIP: None
+  selector:
+    app: nginx-ingress
diff --git a/tests/data/oidc/oidc.yaml b/tests/data/oidc/oidc.yaml
@@ -0,0 +1,14 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: oidc-policy
+spec:
+  oidc:
+    clientID: nginx-plus
+    clientSecret: oidc-secret
+    authEndpoint: https://keycloak.example.com/realms/master/protocol/openid-connect/auth
+    tokenEndpoint: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/token
+    jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/master/protocol/openid-connect/certs
+    endSessionEndpoint: https://keycloak.example.com/realms/master/protocol/openid-connect/logout
+    scope: openid+profile+email
+    accessTokenEnable: true
diff --git a/tests/data/oidc/virtual-server-idp.yaml b/tests/data/oidc/virtual-server-idp.yaml
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: keycloak
+spec:
+  host: keycloak.example.com
+  tls:
+    secret: tls-secret
+    redirect:
+      enable: true
+  upstreams:
+    - name: keycloak
+      service: keycloak
+      port: 8080
+  routes:
+    - path: /
+      action:
+        pass: keycloak
diff --git a/tests/data/oidc/virtual-server.yaml b/tests/data/oidc/virtual-server.yaml
@@ -0,0 +1,18 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: virtual-server-tls
+spec:
+  host: virtual-server-tls.example.com
+  tls:
+    secret: tls-secret
+  upstreams:
+  - name: backend1
+    service: backend1-svc
+    port: 80
+  routes:
+  - path: /
+    policies:
+    - name: oidc-policy
+    action:
+      pass: backend1
diff --git a/tests/requirements.in b/tests/requirements.in
@@ -0,0 +1,42 @@
+attrs==24.3.0
+cachetools==5.5.0
+certifi==2024.12.14
+cffi==1.17.1
+charset-normalizer==3.4.0
+cryptography==44.0.0
+durationpy==0.9
+flaky==3.8.1
+forcediphttpsadapter==1.1.0
+google-auth==2.37.0
+gprof2dot==2024.6.6
+grpcio==1.68.1
+grpcio-tools==1.68.1
+idna==3.10
+iniconfig==2.0.0
+jinja2==3.1.4
+kubernetes==31.0.0
+markupsafe==3.0.2
+mock==5.1.0
+more-itertools==10.5.0
+oauthlib==3.2.2
+packaging==24.2
+playwright==1.49.1
+pluggy==1.5.0
+protobuf==5.29.1
+py==1.11.0
+pyasn1==0.6.1
+pyasn1-modules==0.4.1
+pycparser==2.22
+pyopenssl==24.3.0
+pyparsing==3.2.0
+pytest==8.3.4
+pytest-html==4.1.1
+pytest-metadata==3.1.1
+python-dateutil==2.9.0.post0
+pyyaml==6.0.2
+requests==2.32.3
+requests-oauthlib==2.0.0
+rsa==4.9
+six==1.17.0
+urllib3==2.2.3
+websocket-client==1.8.0
diff --git a/tests/requirements.txt b/tests/requirements.txt
diff --git a/tests/suite/test_oidc.py b/tests/suite/test_oidc.py
