feat(dashboard): PoC Oauth2 auth

2025-02-03 09:57:05 +01:00 · 2025-02-03 09:57:05 +01:00 · 0fccef973f
commit 0fccef973f
parent 89b682935b
53 changed files with 1914 additions and 331 deletions
--- a/api/v1alpha1/apigateway_types.go
+++ b/api/v1alpha1/apigateway_types.go
@ -46,14 +46,111 @@ type EnvoySpec struct {
 	ControlPlane *ControlPlaneSpec `json:"controlPlane"`
 	// WorkloadTemplate - customize the Envoy deployment
 	WorkloadTemplate *WorkloadTemplate `json:"workloadTemplate,omitempty"`
+	// DisableIPv6 - disable IPv6 for the Envoy instance
+	// this will force Envoy to use IPv4 for upstream hosts (mostly for the OAuth2 token endpoint)
+	DisableIPv6 bool `json:"disableIPv6,omitempty"`
+}
+
+type TlsCertRef struct {
+	SecretName string `json:"secretName"`
+	// ServerCertKey - key in the secret that contains the server certificate
+	// +kubebuilder:default="tls.crt"
+	ServerCertKey string `json:"serverCertKey"`
+	// ServerKeyKey - key in the secret that contains the server private key
+	// +kubebuilder:default="tls.key"
+	ServerKeyKey string `json:"serverKeyKey"`
+	// CaCertKey - key in the secret that contains the CA certificate
+	// +kubebuilder:default="ca.crt"
+	CaCertKey string `json:"caCertKey,omitempty"`
+}
+
+type EndpointTlsSpec struct {
+	Cert *TlsCertRef `json:"cert"`
 }

 type ApiEndpointSpec struct {
 	// JWKSSelector - selector where the JWKS can be retrieved from to enable the API gateway to validate JWTs
 	JWKSSelector *corev1.SecretKeySelector `json:"jwks"`
+	// TLS - enable and configure TLS for the API endpoint
+	TLS *EndpointTlsSpec `json:"tls,omitempty"`
 }

-type DashboardEndpointSpec struct{}
+func (s *ApiEndpointSpec) TLSSpec() *EndpointTlsSpec {
+	if s == nil {
+		return nil
+	}
+
+	return s.TLS
+}
+
+type DashboardAuthType string
+
+const (
+	DashboardAuthTypeNone   DashboardAuthType = "none"
+	DashboardAuthTypeOAuth2 DashboardAuthType = "oauth2"
+	DashboardAuthTypeBasic  DashboardAuthType = "basic"
+)
+
+type DashboardOAuth2Spec struct {
+	// TokenEndpoint - endpoint where Envoy will retrieve the OAuth2 access and identity token from
+	TokenEndpoint string `json:"tokenEndpoint"`
+	// AuthorizationEndpoint - endpoint where the user will be redirected to authenticate
+	AuthorizationEndpoint string `json:"authorizationEndpoint"`
+	// ClientID - client ID to authenticate with the OAuth2 provider
+	ClientID string `json:"clientId"`
+	// Scopes - scopes to request from the OAuth2 provider (e.g. "openid", "profile", ...) - optional
+	Scopes []string `json:"scopes,omitempty"`
+	// Resources - resources to request from the OAuth2 provider (e.g. "user", "email", ...) - optional
+	Resources []string `json:"resources,omitempty"`
+	// ClientSecretRef - reference to the secret that contains the client secret
+	ClientSecretRef *corev1.SecretKeySelector `json:"clientSecretRef"`
+}
+
+type DashboardBasicAuthSpec struct{}
+
+type DashboardAuthSpec struct {
+	OAuth2 *DashboardOAuth2Spec    `json:"oauth2,omitempty"`
+	Basic  *DashboardBasicAuthSpec `json:"basic,omitempty"`
+}
+
+type DashboardEndpointSpec struct {
+	// Auth - configure authentication for the dashboard endpoint
+	Auth *DashboardAuthSpec `json:"auth,omitempty"`
+	// TLS - enable and configure TLS for the Dashboard endpoint
+	TLS *EndpointTlsSpec `json:"tls,omitempty"`
+}
+
+func (s *DashboardEndpointSpec) TLSSpec() *EndpointTlsSpec {
+	if s == nil {
+		return nil
+	}
+
+	return s.TLS
+}
+
+func (s *DashboardEndpointSpec) AuthType() DashboardAuthType {
+	if s == nil || s.Auth == nil {
+		return DashboardAuthTypeNone
+	}
+
+	if s.Auth.OAuth2 != nil {
+		return DashboardAuthTypeOAuth2
+	}
+
+	if s.Auth.Basic != nil {
+		return DashboardAuthTypeBasic
+	}
+
+	return DashboardAuthTypeNone
+}
+
+func (s *DashboardEndpointSpec) OAuth2() *DashboardOAuth2Spec {
+	if s == nil || s.Auth == nil {
+		return nil
+	}
+
+	return s.Auth.OAuth2
+}

 // APIGatewaySpec defines the desired state of APIGateway.
 type APIGatewaySpec struct {
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -21,7 +21,7 @@ limitations under the License.
 package v1alpha1

 import (
-	v1 "k8s.io/api/core/v1"
+	"k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@ -101,7 +101,7 @@ func (in *APIGatewaySpec) DeepCopyInto(out *APIGatewaySpec) {
 	if in.DashboardEndpoint != nil {
 		in, out := &in.DashboardEndpoint, &out.DashboardEndpoint
 		*out = new(DashboardEndpointSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 	if in.ServiceSelector != nil {
 		in, out := &in.ServiceSelector, &out.ServiceSelector
@ -160,6 +160,11 @@ func (in *ApiEndpointSpec) DeepCopyInto(out *ApiEndpointSpec) {
 		*out = new(v1.SecretKeySelector)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(EndpointTlsSpec)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApiEndpointSpec.
@ -490,6 +495,46 @@ func (in *Dashboard) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DashboardAuthSpec) DeepCopyInto(out *DashboardAuthSpec) {
+	*out = *in
+	if in.OAuth2 != nil {
+		in, out := &in.OAuth2, &out.OAuth2
+		*out = new(DashboardOAuth2Spec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Basic != nil {
+		in, out := &in.Basic, &out.Basic
+		*out = new(DashboardBasicAuthSpec)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardAuthSpec.
+func (in *DashboardAuthSpec) DeepCopy() *DashboardAuthSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DashboardAuthSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DashboardBasicAuthSpec) DeepCopyInto(out *DashboardBasicAuthSpec) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardBasicAuthSpec.
+func (in *DashboardBasicAuthSpec) DeepCopy() *DashboardBasicAuthSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(DashboardBasicAuthSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DashboardDbSpec) DeepCopyInto(out *DashboardDbSpec) {
 	*out = *in
@ -513,6 +558,16 @@ func (in *DashboardDbSpec) DeepCopy() *DashboardDbSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DashboardEndpointSpec) DeepCopyInto(out *DashboardEndpointSpec) {
 	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(DashboardAuthSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = new(EndpointTlsSpec)
+		(*in).DeepCopyInto(*out)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardEndpointSpec.
@ -557,6 +612,36 @@ func (in *DashboardList) DeepCopyObject() runtime.Object {
 	return nil
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DashboardOAuth2Spec) DeepCopyInto(out *DashboardOAuth2Spec) {
+	*out = *in
+	if in.Scopes != nil {
+		in, out := &in.Scopes, &out.Scopes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.ClientSecretRef != nil {
+		in, out := &in.ClientSecretRef, &out.ClientSecretRef
+		*out = new(v1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardOAuth2Spec.
+func (in *DashboardOAuth2Spec) DeepCopy() *DashboardOAuth2Spec {
+	if in == nil {
+		return nil
+	}
+	out := new(DashboardOAuth2Spec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DashboardSpec) DeepCopyInto(out *DashboardSpec) {
 	*out = *in
@ -768,6 +853,26 @@ func (in *EmailAuthSmtpSpec) DeepCopy() *EmailAuthSmtpSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EndpointTlsSpec) DeepCopyInto(out *EndpointTlsSpec) {
+	*out = *in
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(TlsCertRef)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointTlsSpec.
+func (in *EndpointTlsSpec) DeepCopy() *EndpointTlsSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(EndpointTlsSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvoySpec) DeepCopyInto(out *EnvoySpec) {
 	*out = *in
@ -1261,6 +1366,21 @@ func (in *StudioSpec) DeepCopy() *StudioSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TlsCertRef) DeepCopyInto(out *TlsCertRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TlsCertRef.
+func (in *TlsCertRef) DeepCopy() *TlsCertRef {
+	if in == nil {
+		return nil
+	}
+	out := new(TlsCertRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UploadTempSpec) DeepCopyInto(out *UploadTempSpec) {
 	*out = *in