@pdabelf5 pdabelf5 commented Nov 14, 2025

Proposed changes

Sync commit nginxinc/nginx-openid-connect@c866e23 from upstream repo. This adds the upstream TLS verification directives to the called IDP endpoint.

Upgrade testing completed with v5.2.1 and examples/custom-resources/oidc. Adding self-signed TLS to upstream IDP without also having the self-signed cert CA added to the pod CA list causes authentication to fail.

Note, this change is Debian-specific; users of Alpine or UBI images will need to mount a CA bundle to /etc/ssl/certs/ca-certificates.crt.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@github-actions github-actions bot added the enhancement Pull requests for new features/feature enhancements label Nov 14, 2025
codecov bot commented Nov 14, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.75%. Comparing base (d627376) to head (b61dc8f).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8538      +/-   ##
==========================================
- Coverage   53.76%   53.75%   -0.02%     
==========================================
  Files          91       91              
  Lines       18342    18342              
==========================================
- Hits         9862     9860       -2     
- Misses       7965     7967       +2     
  Partials      515      515              

@github-actions

Package Report


@pdabelf5 pdabelf5 marked this pull request as ready for review November 17, 2025 14:17
@pdabelf5 pdabelf5 requested a review from a team as a code owner November 17, 2025 14:17
Copilot AI review requested due to automatic review settings November 17, 2025 14:17

Copilot AI left a comment

Pull Request Overview

This PR synchronizes OIDC configuration with upstream nginx-openid-connect repository by adding TLS certificate verification directives for IdP endpoint connections. The changes enhance security by enforcing TLS verification when communicating with identity providers.

Key Changes:

  • Added proxy_ssl_verify directive to enforce TLS certificate verification for IdP connections
  • Configured proxy_ssl_verify_depth and proxy_ssl_trusted_certificate for certificate validation
  • Applied these security enhancements consistently across all three proxy locations in the OIDC configuration

proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
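
Review bot: proxy_ssl_verify_depth 2 on the second line is a fixed limit, so an IdP whose certificate chain is deeper than that fails verification regardless of which CA bundle is trusted. Consider making the depth configurable together with the bundle path on the last line, or have the inline comment state what happens to longer chains instead of only "Allow intermediate CA chains of depth 2".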

Copilot AI Nov 17, 2025

The hardcoded path /etc/ssl/certs/ca-certificates.crt assumes a Debian/Ubuntu-based system. This path may not exist on other Linux distributions (e.g., RHEL/CentOS uses /etc/pki/tls/certs/ca-bundle.crt, Alpine uses /etc/ssl/cert.pem). Consider making this configurable or documenting the platform requirement.

@pdabelf5 pdabelf5 marked this pull request as draft November 19, 2025 10:31
@pdabelf5 pdabelf5 closed this Nov 21, 2025
@pdabelf5 pdabelf5 deleted the feat/oidc-cert-validation branch November 21, 2025 09:08
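
A preflight check for the failure discussed in this thread (a `proxy_ssl_trusted_certificate` path that exists on Debian images but not on Alpine or UBI), as an added example that is not part of the pull request or the project's code. The config file, the fake image roots, the location name and all function names are constructed for illustration; the three bundle paths are the ones named in the review comment above.

```shell
#!/bin/sh
# Added example: verify that the CA bundle an nginx config points at
# actually exists (and is non-empty) inside a given image root.

# Print each distinct path passed to proxy_ssl_trusted_certificate.
trusted_cert_paths() {
    sed -e 's/#.*$//' "$1" |
        awk '$1 == "proxy_ssl_trusted_certificate" { sub(/;.*/, "", $2); print $2 }' |
        sort -u
}

# Count PEM certificates in a file; prints 0 if it is missing or unreadable.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_trust_config CONF [ROOT]
# Returns 0 only if every referenced bundle exists under ROOT and holds
# at least one certificate. ROOT lets you test an unpacked image filesystem.
check_trust_config() {
    conf=$1; root=${2:-}; status=0
    paths=$(trusted_cert_paths "$conf")
    if [ -z "$paths" ]; then
        echo "FAIL $conf: no proxy_ssl_trusted_certificate directive"
        return 1
    fi
    for p in $paths; do
        n=$(pem_cert_count "$root$p")
        if [ "$n" -gt 0 ]; then
            echo "OK   $p ($n certificates)"
        else
            echo "FAIL $p: missing or contains no PEM certificates"
            status=1
        fi
    done
    return $status
}

# Print the first bundle location (from the paths named in the review
# comment) that is populated under ROOT, to show what could be mounted.
find_system_bundle() {
    root=${1:-}
    for cand in /etc/ssl/certs/ca-certificates.crt \
                /etc/pki/tls/certs/ca-bundle.crt \
                /etc/ssl/cert.pem; do
        if [ "$(pem_cert_count "$root$cand")" -gt 0 ]; then
            echo "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed fixture: the four directives from the PR inside a made-up
# location, plus two fake image roots (Debian-like and Alpine-like).
make_fixture() {
    d=$1
    mkdir -p "$d/debian/etc/ssl/certs" "$d/alpine/etc/ssl"
    cat > "$d/oidc.conf" <<'EOF'
location /constructed-idp-call {
    proxy_ssl_verify on; # Enforce TLS certificate verification
    proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
    proxy_ssl_server_name on; # Send SNI to IdP host
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
}
EOF
    # PEM markers only; this is a placeholder, not a real certificate.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/debian/etc/ssl/certs/ca-certificates.crt"
    cp "$d/debian/etc/ssl/certs/ca-certificates.crt" "$d/alpine/etc/ssl/cert.pem"
}

# Demo on the constructed fixture.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_trust_config "$tmp/oidc.conf" "$tmp/debian"
check_trust_config "$tmp/oidc.conf" "$tmp/alpine" ||
    echo "populated bundle in that root: $(find_system_bundle "$tmp/alpine")"
rm -rf "$tmp"
```

The check only confirms that the bundle file is present and non-empty; whether the IdP's chain actually validates against it still has to be tested against the real endpoint.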