envoyproxy/gateway

Allow OIDC application information from secret

Open

#7.997 geöffnet am 20. Jan. 2026

Auf GitHub ansehen
 (10 Kommentare) (1 Reaktion) (0 zugewiesene Personen)Go (802 Forks)auto 404
help wantedkind/feature

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Currently non-private OIDC configuration must be supplied plain-text in SecurityPolicy. I would like to be able to reference this information from a secret, because we have automation in place that creates OIDC applications in the IDP and creates secrets in the cluster with the required information to use the application. We also use gitops with argocd for configuration and deployment of applications. For example in azure the issuer contains the tenant-id, which we don't want to have to supply in config since we can determine it dynamically in our automation. The client-id is only available after creating the application. Currently this is a two-step process where we first have to deploy the application that needs authentication through envoy-gateway so the automation creates the application in the azure tenant, then we have to grab the client-id from azure and update the gitops repo with the client-id. In other applications we can simply reference the secret in the cluster, which contains all of this information, requiring no two-step process.

[optional Relevant Links:]

Any extra documentation required to understand the issue.

   oidc:
     provider:
       issuer: https://sts.windows.net/<tenant-id>/
     clientID: <client-id>

Contributor Guide