Merge branch 'main' into feat/support-foreign-upstreams

Author: AlexFenlon

build/Dockerfile

@@ -17,11 +17,11 @@ ARG PACKAGE_REPO=pkgs.nginx.com
 
 ############################################# Base images containing libs for FIPS #############################################
 FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi8@sha256:8ee0f40f1ab500ecfe2e85c1703bd04c79405b9c1c2c0b7e8171aa181a40f7d2 AS ubi8-packages
-FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:aa995580fb47e3ec63d824186cab175d61109edf6a77f5f1de4e3339154df46a AS ubi9-packages
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:68964f6fa5ddd8e736139e9301cebb59e4c44fc1c4df71cb308599352bdc17da AS ubi9-packages
 FROM ghcr.io/nginx/alpine-fips:0.4.0-alpine3.19@sha256:0b400b81b5f403d69535a54839296ae35ced374eb1bb04db5b4282f380fef09a AS alpine-fips-3.19
 FROM ghcr.io/nginx/alpine-fips:0.4.0-alpine3.22@sha256:61ed75f252bde7da1e6db33d2709456e87478280dfae3d11084f94c361e9f329 AS alpine-fips-3.22
 FROM redhat/ubi9-minimal:9.6-1760515502@sha256:34880b64c07f28f64d95737f82f891516de9a3b43583f39970f7bf8e4cfa48b7 AS ubi-minimal
-FROM golang:1.25-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34 AS golang-builder
+FROM golang:1.25-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS golang-builder
 
 ############################################# NGINX files #############################################
 FROM scratch AS nginx-files

go.mod

@@ -1,6 +1,6 @@
 module github.com/nginx/kubernetes-ingress
 
-go 1.25.3
+go 1.25.4
 
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.31.17

internal/configs/config_params.go

@@ -68,6 +68,7 @@ type ConfigParams struct {
 	MainAppProtectDosLogFormat             []string
 	MainAppProtectDosLogFormatEscaping     string
 	MainAppProtectDosArbFqdn               string
+	OIDC                                   OIDC
 	ProxyBuffering                         bool
 	ProxyBuffers                           string
 	ProxyBufferSize                        string
@@ -192,6 +193,15 @@ type ZoneSync struct {
 	ResolverIPV6      *bool
 }
 
+// OIDC holds OIDC configuration parameters.
+type OIDC struct {
+	PKCETimeout    string
+	IDTokenTimeout string
+	AccessTimeout  string
+	RefreshTimeout string
+	SIDSTimeout    string
+}
+
 // MGMTSecrets holds mgmt block secret names
 type MGMTSecrets struct {
 	License     string
@@ -258,6 +268,13 @@ func NewDefaultConfigParams(ctx context.Context, isPlus bool) *ConfigParams {
 		LimitReqZoneSize:              "10m",
 		LimitReqLogLevel:              "error",
 		LimitReqRejectCode:            429,
+		OIDC: OIDC{
+			PKCETimeout:    "90s",
+			IDTokenTimeout: "1h",
+			AccessTimeout:  "1h",
+			RefreshTimeout: "8h",
+			SIDSTimeout:    "8h",
+		},
 	}
 }
 

internal/configs/configmaps.go

@@ -459,6 +459,11 @@ func ParseConfigMap(ctx context.Context, cfgm *v1.ConfigMap, nginxPlus bool, has
 		configOk = false
 	}
 
+	err = parseConfigMapOIDC(l, cfgm, cfgParams, eventLog)
+	if err != nil {
+		configOk = false
+	}
+
 	if upstreamZoneSize, exists := cfgm.Data["upstream-zone-size"]; exists {
 		cfgParams.UpstreamZoneSize = upstreamZoneSize
 	}
@@ -694,6 +699,61 @@ func ParseConfigMap(ctx context.Context, cfgm *v1.ConfigMap, nginxPlus bool, has
 	return cfgParams, configOk
 }
 
+// parseConfigMapOIDC parses OIDC timeout configuration from ConfigMap.
+func parseConfigMapOIDC(l *slog.Logger, cfgm *v1.ConfigMap, cfgParams *ConfigParams, eventLog record.EventRecorder) error {
+	if oidcPKCETimeout, exists := cfgm.Data["oidc-pkce-timeout"]; exists {
+		pkceTimeout, err := ParseTime(oidcPKCETimeout)
+		if err != nil {
+			errorText := fmt.Sprintf("ConfigMap %s/%s: invalid value for 'oidc-pkce-timeout': %q, must be a valid nginx time (e.g. '90s', '5m', '1h')", cfgm.Namespace, cfgm.Name, oidcPKCETimeout)
+			nl.Warn(l, errorText)
+			eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
+			return err
+		}
+		cfgParams.OIDC.PKCETimeout = pkceTimeout
+	}
+	if oidcIDTokensTimeout, exists := cfgm.Data["oidc-id-tokens-timeout"]; exists {
+		idTokensTimeout, err := ParseTime(oidcIDTokensTimeout)
+		if err != nil {
+			errorText := fmt.Sprintf("ConfigMap %s/%s: invalid value for 'oidc-id-tokens-timeout': %q, must be a valid nginx time (e.g. '1h', '30m', '2h')", cfgm.Namespace, cfgm.Name, oidcIDTokensTimeout)
+			nl.Warn(l, errorText)
+			eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
+			return err
+		}
+		cfgParams.OIDC.IDTokenTimeout = idTokensTimeout
+	}
+	if oidcAccessTokensTimeout, exists := cfgm.Data["oidc-access-tokens-timeout"]; exists {
+		accessTokensTimeout, err := ParseTime(oidcAccessTokensTimeout)
+		if err != nil {
+			errorText := fmt.Sprintf("ConfigMap %s/%s: invalid value for 'oidc-access-tokens-timeout': %q, must be a valid nginx time (e.g. '1h', '30m', '2h')", cfgm.Namespace, cfgm.Name, oidcAccessTokensTimeout)
+			nl.Warn(l, errorText)
+			eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
+			return err
+		}
+		cfgParams.OIDC.AccessTimeout = accessTokensTimeout
+	}
+	if oidcRefreshTokensTimeout, exists := cfgm.Data["oidc-refresh-tokens-timeout"]; exists {
+		refreshTokensTimeout, err := ParseTime(oidcRefreshTokensTimeout)
+		if err != nil {
+			errorText := fmt.Sprintf("ConfigMap %s/%s: invalid value for 'oidc-refresh-tokens-timeout': %q, must be a valid nginx time (e.g. '8h', '12h', '24h')", cfgm.Namespace, cfgm.Name, oidcRefreshTokensTimeout)
+			nl.Warn(l, errorText)
+			eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
+			return err
+		}
+		cfgParams.OIDC.RefreshTimeout = refreshTokensTimeout
+	}
+	if oidcSIDSTimeout, exists := cfgm.Data["oidc-sids-timeout"]; exists {
+		sidsTimeout, err := ParseTime(oidcSIDSTimeout)
+		if err != nil {
+			errorText := fmt.Sprintf("ConfigMap %s/%s: invalid value for 'oidc-sids-timeout': %q, must be a valid nginx time (e.g. '8h', '12h', '24h')", cfgm.Namespace, cfgm.Name, oidcSIDSTimeout)
+			nl.Warn(l, errorText)
+			eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
+			return err
+		}
+		cfgParams.OIDC.SIDSTimeout = sidsTimeout
+	}
+	return nil
+}
+
 //nolint:gocyclo
 func parseConfigMapZoneSync(l *slog.Logger, cfgm *v1.ConfigMap, cfgParams *ConfigParams, eventLog record.EventRecorder, nginxPlus bool) (*ZoneSync, error) {
 	if zoneSync, exists, err := GetMapKeyAsBool(cfgm.Data, "zone-sync", cfgm); exists {
@@ -1121,11 +1181,18 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		InternalRouteServer:                staticCfgParams.EnableInternalRoutes,
 		InternalRouteServerName:            staticCfgParams.InternalRouteServerName,
 		LatencyMetrics:                     staticCfgParams.EnableLatencyMetrics,
-		OIDC:                               staticCfgParams.EnableOIDC,
-		ZoneSyncConfig:                     zoneSyncConfig,
-		DynamicSSLReloadEnabled:            staticCfgParams.DynamicSSLReload,
-		StaticSSLPath:                      staticCfgParams.StaticSSLPath,
-		NginxVersion:                       staticCfgParams.NginxVersion,
+		OIDC: version1.OIDCConfig{
+			Enable:         staticCfgParams.EnableOIDC,
+			PKCETimeout:    config.OIDC.PKCETimeout,
+			IDTokenTimeout: config.OIDC.IDTokenTimeout,
+			AccessTimeout:  config.OIDC.AccessTimeout,
+			RefreshTimeout: config.OIDC.RefreshTimeout,
+			SIDSTimeout:    config.OIDC.SIDSTimeout,
+		},
+		ZoneSyncConfig:          zoneSyncConfig,
+		DynamicSSLReloadEnabled: staticCfgParams.DynamicSSLReload,
+		StaticSSLPath:           staticCfgParams.StaticSSLPath,
+		NginxVersion:            staticCfgParams.NginxVersion,
 	}
 	return nginxCfg
 }