feat(apigateay): add OIDC and basic auth support

- when setting an OIDC issuer URL the defaulter will fetch and set authorization and token endpoints - basic auth allows to use either inline hashed credentials or plaintext credentials from a secret that are automatically hashed - finish TLS support for API & dashboard listeners
2025-02-05 20:47:02 +01:00 · 2025-02-05 20:47:02 +01:00 · 3c13eb0d6b
commit 3c13eb0d6b
parent e9302c51be
21 changed files with 721 additions and 276 deletions
--- a/internal/webhook/v1alpha1/apigateway_webhook_defaulter.go
+++ b/internal/webhook/v1alpha1/apigateway_webhook_defaulter.go
@ -23,9 +23,11 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"

 	supabasev1alpha1 "code.icb4dc0.de/prskr/supabase-operator/api/v1alpha1"
+	"code.icb4dc0.de/prskr/supabase-operator/internal/oidc"
 	"code.icb4dc0.de/prskr/supabase-operator/internal/supabase"
 )

@ -49,6 +51,7 @@ func (d *APIGatewayCustomDefaulter) Default(ctx context.Context, obj runtime.Obj
 		defaultManagerNamespace = "supabase-system"
 	)

+	logger := log.FromContext(ctx)
 	apiGateway, ok := obj.(*supabasev1alpha1.APIGateway)

 	if !ok {
@ -106,5 +109,18 @@ func (d *APIGatewayCustomDefaulter) Default(ctx context.Context, obj runtime.Obj
 		}
 	}

+	if oauth2Spec := apiGateway.Spec.DashboardEndpoint.OAuth2(); oauth2Spec != nil {
+		if oauth2Spec.OpenIDIssuer != "" {
+			logger.Info("Fetching OIDC discovery document", "discovery_url", oauth2Spec.OpenIDIssuer)
+			discoveryDoc, err := oidc.IssuerConfiguration(ctx, oauth2Spec.OpenIDIssuer)
+			if err != nil {
+				return fmt.Errorf("failed to fetch OIDC configuration: %w", err)
+			}
+
+			oauth2Spec.TokenEndpoint = discoveryDoc.TokenEndpoint
+			oauth2Spec.AuthorizationEndpoint = discoveryDoc.AuthorizationEndpoint
+		}
+	}
+
 	return nil
 }