feat(apigateay): add OIDC and basic auth support

- when setting an OIDC issuer URL the defaulter will fetch and set authorization and token endpoints - basic auth allows to use either inline hashed credentials or plaintext credentials from a secret that are automatically hashed - finish TLS support for API & dashboard listeners
2025-02-05 20:47:02 +01:00 · 2025-02-05 20:47:02 +01:00 · 3c13eb0d6b
commit 3c13eb0d6b
parent e9302c51be
21 changed files with 721 additions and 276 deletions
--- a/api/v1alpha1/apigateway_types.go
+++ b/api/v1alpha1/apigateway_types.go
@ -128,10 +128,13 @@ const (
 )

 type DashboardOAuth2Spec struct {
+	// OpenIDIssuer - if set the defaulter will fetch the discovery document and fill
+	// TokenEndpoint and AuthorizationEndpoint based on the discovery document
+	OpenIDIssuer string `json:"openIdIssuer,omitempty"`
 	// TokenEndpoint - endpoint where Envoy will retrieve the OAuth2 access and identity token from
-	TokenEndpoint string `json:"tokenEndpoint"`
+	TokenEndpoint string `json:"tokenEndpoint,omitempty"`
 	// AuthorizationEndpoint - endpoint where the user will be redirected to authenticate
-	AuthorizationEndpoint string `json:"authorizationEndpoint"`
+	AuthorizationEndpoint string `json:"authorizationEndpoint,omitempty"`
 	// ClientID - client ID to authenticate with the OAuth2 provider
 	ClientID string `json:"clientId"`
 	// Scopes - scopes to request from the OAuth2 provider (e.g. "openid", "profile", ...) - optional
@ -142,11 +145,24 @@ type DashboardOAuth2Spec struct {
 	ClientSecretRef *corev1.SecretKeySelector `json:"clientSecretRef"`
 }

-type DashboardBasicAuthSpec struct{}
+type DashboardBasicAuthSpec struct {
+	// UsersInline - [htpasswd format](https://httpd.apache.org/docs/2.4/programs/htpasswd.html)
+	// +kubebuilder:validation:items:Pattern="^[\\w_.]+:\\{SHA\\}[A-z0-9]+=*$"
+	UsersInline []string `json:"usersInline,omitempty"`
+	// PlaintextUsersSecretRef - name of a secret that contains plaintext credentials in key-value form
+	// if not empty, credentials will be merged with inline users
+	PlaintextUsersSecretRef string `json:"plaintextUsersSecretRef,omitempty"`
+}

 type DashboardAuthSpec struct {
-	OAuth2 *DashboardOAuth2Spec    `json:"oauth2,omitempty"`
-	Basic  *DashboardBasicAuthSpec `json:"basic,omitempty"`
+	// OAuth2 - configure oauth2 authentication for the dashhboard listener
+	// if configured, will be preferred over Basic authentication configuration
+	// effectively disabling basic auth
+	OAuth2 *DashboardOAuth2Spec `json:"oauth2,omitempty"`
+	// Basic - HTTP basic auth configuration, this should only be used in exceptions
+	// e.g. during evaluations or for local development
+	// only used if no other authentication is configured
+	Basic *DashboardBasicAuthSpec `json:"basic,omitempty"`
 }

 type DashboardEndpointSpec struct {
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@ -21,7 +21,7 @@ limitations under the License.
 package v1alpha1

 import (
-	"k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
@ -506,7 +506,7 @@ func (in *DashboardAuthSpec) DeepCopyInto(out *DashboardAuthSpec) {
 	if in.Basic != nil {
 		in, out := &in.Basic, &out.Basic
 		*out = new(DashboardBasicAuthSpec)
-		**out = **in
+		(*in).DeepCopyInto(*out)
 	}
 }

@ -523,6 +523,11 @@ func (in *DashboardAuthSpec) DeepCopy() *DashboardAuthSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DashboardBasicAuthSpec) DeepCopyInto(out *DashboardBasicAuthSpec) {
 	*out = *in
+	if in.UsersInline != nil {
+		in, out := &in.UsersInline, &out.UsersInline
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }

 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DashboardBasicAuthSpec.