Add OIDC Policy IDP TLS validation #8556
Codecov Report

❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
## main #8556 +/- ##
==========================================
- Coverage 53.75% 53.65% -0.11%
==========================================
Files 91 91
Lines 18342 18479 +137
==========================================
+ Hits 9860 9914 +54
- Misses 7967 8044 +77
- Partials 515 521 +6
Package Report
Pull request overview
This PR extends the OIDC Policy to support TLS validation when communicating with the Identity Provider (IDP) server. It adds three new optional fields (sslVerify, sslVerifyDepth, and trustedCertSecret) to enable certificate verification for IDP connections, defaulting to disabled for backward compatibility.
- Adds TLS validation configuration fields to the OIDC Policy CRD
- Implements OS-specific CA bundle path detection for default certificate validation
- Extends test suite to cover both HTTP and HTTPS Keycloak configurations with certificate validation
Reviewed changes
Copilot reviewed 43 out of 43 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/apis/configuration/v1/types.go | Adds SSLVerify, TrustedCertSecret, and SSLVerifyDepth fields to OIDC type |
| pkg/apis/configuration/validation/policy.go | Validates trustedCertSecret name and warns if sslVerify is disabled when secret is set |
| internal/configs/virtualserver.go | Processes OIDC TLS configuration, resolving CA bundle path from secret or default |
| internal/configs/version2/oidc.tmpl | Adds proxy_ssl_verify directives to template when TLS verification is enabled |
| internal/nginx/manager.go | Implements OS CA bundle path detection and OIDC config file management |
| tests/suite/test_oidc.py | Splits tests into HTTP and HTTPS classes with certificate validation scenarios |
| examples/custom-resources/oidc/ | Updates examples to use HTTPS Keycloak with certificate validation enabled |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
…ingress into feat/oidc-idp-template
Signed-off-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
| if oidc.TrustedCertSecret != "" { | ||
| allErrs = append(allErrs, validateSecretName(oidc.TrustedCertSecret, fieldPath.Child("trustedCertSecret"))...) | ||
| // If trustedCertSecret is set but sslVerify is false, warn user | ||
| if !oidc.SSLVerify { |
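Review bot: at the `if !oidc.SSLVerify {` branch the comment says "warn user", but the only reporting channel visible in this block is `allErrs`, so it is unclear whether a `trustedCertSecret` set alongside `sslVerify: false` rejects the Policy or is merely logged. If it is only logged, the person applying the Policy is unlikely to see it and will assume the referenced CA is being enforced; consider surfacing the mismatch where the user will see it (Policy status or an event), or rejecting the combination, and state in the comment which of the two this branch does.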
nit: possible to use x-kubernetes-validations in crd instead
Looking into it
Proposed changes
Extend the OIDC Policy to include parameters to allow the user to configure TLS validation for calls to the IDP server.
Spec:
To maintain backwards compatibility, `sslVerify` defaults to `false`.

When `sslVerify` is set to `true`, calls to the IDP server from NGINX will validate the IDP's TLS certificate. `sslVerifyDepth` will default to the same depth as NGINX, `1`. If `trustedCertSecret` is unset, NGINX will use the default TLS CA Bundle for the image type it is running on. If `trustedCertSecret` is set, an `nginx.org/ca` type secret in the same namespace as the `Policy` will be used.

Examples

Policy

Testing

GenerateVirtualServerConfig

Checklist
Before creating a PR, run through this checklist and mark each as complete.
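
The resolution rules stated in the description above (verification off by default, depth 1, CA taken from the `nginx.org/ca` secret or else the image's system bundle), as an added Go example that is not code from this PR. The type, the function names and the secret file path are hypothetical; the two bundle paths are the usual Debian/Alpine and RHEL/UBI locations, and the directives are standard NGINX `proxy_ssl_*` directives.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// OIDCTLS holds the three fields named in the PR description (hypothetical type).
type OIDCTLS struct {
	SSLVerify         bool
	SSLVerifyDepth    *int   // nil means "use the NGINX default of 1"
	TrustedCertSecret string // name of an nginx.org/ca Secret, or ""
}

// System CA bundle locations: Debian/Alpine first, then RHEL/UBI.
var defaultCABundles = []string{
	"/etc/ssl/certs/ca-certificates.crt",
	"/etc/pki/tls/certs/ca-bundle.crt",
}

// findOSBundle returns the first candidate path for which exists() is true.
func findOSBundle(exists func(string) bool) (string, error) {
	for _, p := range defaultCABundles {
		if exists(p) {
			return p, nil
		}
	}
	return "", errors.New("sslVerify is true but no system CA bundle was found")
}

// RenderIDPTLS returns the proxy_ssl_* directives for IdP calls and any warnings.
// secretPath maps a Secret name to the file holding its CA (assumed layout).
// It fails closed: if verification is requested and no CA can be resolved,
// it returns an error instead of emitting a config without verification.
func RenderIDPTLS(o OIDCTLS, secretPath func(string) (string, bool),
	exists func(string) bool) ([]string, []string, error) {
	var warnings []string
	if !o.SSLVerify {
		if o.TrustedCertSecret != "" {
			warnings = append(warnings,
				"trustedCertSecret is set but sslVerify is false; the IdP certificate is not verified")
		}
		return nil, warnings, nil
	}
	depth := 1
	if o.SSLVerifyDepth != nil {
		if *o.SSLVerifyDepth < 0 {
			return nil, warnings, errors.New("sslVerifyDepth must not be negative")
		}
		depth = *o.SSLVerifyDepth
	}
	var ca string
	if o.TrustedCertSecret != "" {
		p, ok := secretPath(o.TrustedCertSecret)
		if !ok {
			return nil, warnings, fmt.Errorf("trusted CA secret %q not found", o.TrustedCertSecret)
		}
		ca = p
	} else {
		p, err := findOSBundle(exists)
		if err != nil {
			return nil, warnings, err
		}
		ca = p
	}
	return []string{
		"proxy_ssl_verify on;",
		fmt.Sprintf("proxy_ssl_verify_depth %d;", depth),
		fmt.Sprintf("proxy_ssl_trusted_certificate %s;", ca),
	}, warnings, nil
}

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	// Constructed sample: one CA secret already written to disk at a made-up path.
	secrets := map[string]string{"idp-ca": "/etc/nginx/secrets/default-idp-ca"}
	lookup := func(n string) (string, bool) { p, ok := secrets[n]; return p, ok }
	d, w, err := RenderIDPTLS(OIDCTLS{SSLVerify: true, TrustedCertSecret: "idp-ca"}, lookup, exists)
	fmt.Println(strings.Join(d, "\n"), w, err)
}
```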