Add OIDC Federation Settings #479

Open
wants to merge 14 commits into
base: main
70 changes: 68 additions & 2 deletions api/bases/keystone.openstack.org_keystoneapis.yaml
Expand Up @@ -134,6 +134,59 @@ spec:
description: NodeSelector to target subset of worker nodes running
this service
type: object
oidcFederation:
description: KeystoneFederationSpec to provide the configuration values
for OIDC Federation
properties:
keystoneFederationIdentityProviderName:
default: ""
description: KeystoneFederationIdentityProviderName
type: string
oidcCacheType:
default: memcache
description: OIDCCacheType
type: string
oidcClaimDelimiter:
default: ;
description: OIDCClaimDelimiter
type: string
oidcClaimPrefix:
default: OIDC-
description: OIDCClaimPrefix
type: string
oidcClientID:
default: ""
description: OIDCClientID
type: string
oidcIntrospectionEndpoint:
default: ""
description: OIDCIntrospectionEndpoint
type: string
oidcPassClaimsAs:
default: both
description: OIDCPassClaimsAs
type: string
oidcPassUserInfoAs:
default: claims
description: OIDCPassUserInfoAs
type: string
oidcProviderMetadataURL:
default: ""
description: OIDCProviderMetadataURL
type: string
oidcResponseType:
default: id_token
description: OIDCResponseType
type: string
oidcScope:
default: openid email profile
description: OIDCScope
type: string
remoteIDAttribute:
default: HTTP_OIDC_ISS
description: RemoteIDAttribute
type: string
type: object
override:
description: Override, provides the ability to override the generated
manifest of several child resources.
Expand Down Expand Up @@ -295,14 +348,27 @@ spec:
passwordSelectors:
default:
admin: AdminPassword
description: PasswordSelectors - Selectors to identify the AdminUser
password from the Secret
keystoneOIDCClientSecret: KeystoneOIDCClientSecret
keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase
description: PasswordSelectors - Selectors to identify the AdminUser,
KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from
the Secret
properties:
admin:
default: AdminPassword
description: Admin - Selector to get the keystone Admin password
from the Secret
type: string
keystoneOIDCClientSecret:
default: KeystoneOIDCClientSecret
description: OIDCClientSecret - Selector to get the IdP client
secret from the Secret
type: string
keystoneOIDCCryptoPassphrase:
default: KeystoneOIDCCryptoPassphrase
description: OIDCCryptoPassphrase - Selector to get the OIDC crypto
passphrase from the Secret
type: string
type: object
preserveJobs:
default: false
83 changes: 80 additions & 3 deletions api/v1beta1/keystoneapi_types.go
Expand Up @@ -132,8 +132,8 @@ type KeystoneAPISpecCore struct {
FernetMaxActiveKeys *int32 `json:"fernetMaxActiveKeys"`

// +kubebuilder:validation:Optional
// +kubebuilder:default={admin: AdminPassword}
// PasswordSelectors - Selectors to identify the AdminUser password from the Secret
// +kubebuilder:default={admin: AdminPassword, keystoneOIDCClientSecret: KeystoneOIDCClientSecret, keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase}
// PasswordSelectors - Selectors to identify the AdminUser, KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from the Secret
PasswordSelectors PasswordSelector `json:"passwordSelectors"`

// +kubebuilder:validation:Optional
Expand Down Expand Up @@ -184,6 +184,10 @@ type KeystoneAPISpecCore struct {
// +operator-sdk:csv:customresourcedefinitions:type=spec
// TLS - Parameters related to the TLS
TLS tls.API `json:"tls,omitempty"`

// +kubebuilder:validation:Optional
// +OIDCFederation - parameters to configure keystone for OIDC federation
OIDCFederation *KeystoneFederationSpec `json:"oidcFederation,omitempty"`
}

// APIOverrideSpec to override the generated manifest of several child resources.
Expand All @@ -199,6 +203,79 @@ type PasswordSelector struct {
// +kubebuilder:default="AdminPassword"
// Admin - Selector to get the keystone Admin password from the Secret
Admin string `json:"admin"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="KeystoneOIDCClientSecret"
// OIDCClientSecret - Selector to get the IdP client secret from the Secret
KeystoneOIDCClientSecret string `json:"keystoneOIDCClientSecret"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="KeystoneOIDCCryptoPassphrase"
// OIDCCryptoPassphrase - Selector to get the OIDC crypto passphrase from the Secret
KeystoneOIDCCryptoPassphrase string `json:"keystoneOIDCCryptoPassphrase"`
}

// KeystoneFederationSpec to provide the configuration values for OIDC Federation
type KeystoneFederationSpec struct {
// +kubebuilder:validation:Optional
// +kubebuilder:default="OIDC-"
// OIDCClaimPrefix
OIDCClaimPrefix string `json:"oidcClaimPrefix"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="id_token"
// OIDCResponseType
OIDCResponseType string `json:"oidcResponseType"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="openid email profile"
// OIDCScope
OIDCScope string `json:"oidcScope"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=""
// OIDCProviderMetadataURL
OIDCProviderMetadataURL string `json:"oidcProviderMetadataURL"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=""
// OIDCIntrospectionEndpoint
OIDCIntrospectionEndpoint string `json:"oidcIntrospectionEndpoint"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=""
// OIDCClientID
OIDCClientID string `json:"oidcClientID"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=";"
// OIDCClaimDelimiter
OIDCClaimDelimiter string `json:"oidcClaimDelimiter"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="claims"
// OIDCPassUserInfoAs
OIDCPassUserInfoAs string `json:"oidcPassUserInfoAs"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="both"
// OIDCPassClaimsAs
OIDCPassClaimsAs string `json:"oidcPassClaimsAs"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="memcache"
// OIDCCacheType
OIDCCacheType string `json:"oidcCacheType"`

// +kubebuilder:validation:Optional
// +kubebuilder:default="HTTP_OIDC_ISS"
// RemoteIDAttribute
RemoteIDAttribute string `json:"remoteIDAttribute"`

// +kubebuilder:validation:Optional
// +kubebuilder:default=""
// KeystoneFederationIdentityProviderName
KeystoneFederationIdentityProviderName string `json:"keystoneFederationIdentityProviderName"`
}
Comment on lines +219 to 279
Contributor


we probably should think of a generic config customization interface for httpd, like we have with customServiceConfig, so that most of these parameters are not required. But right now we do not have it.


// HttpdCustomization - customize the httpd service
Expand Down Expand Up @@ -233,7 +310,7 @@ type KeystoneAPIStatus struct {
// TransportURLSecret - Secret containing RabbitMQ transportURL
TransportURLSecret string `json:"transportURLSecret,omitempty"`

//ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
// ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

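Review bot: Nothing in KeystoneFederationSpec (lines 155-215) is marked required or validated, so `oidcFederation: {}` is accepted with OIDCProviderMetadataURL and OIDCClientID left at their "" defaults, and the controller presumably renders an httpd OIDC configuration that points at an empty issuer; if these fields feed mod_auth_openidc directives as their names suggest, OIDCProviderMetadataURL should at least carry `// +kubebuilder:validation:Required` and `// +kubebuilder:validation:Pattern="^https://"` so discovery metadata and the JWKS are only ever fetched over TLS. The `id_token` default for OIDCResponseType selects the implicit flow; since a client secret is already wired in via KeystoneOIDCClientSecret, consider defaulting to `code` where the IdP supports it, or at least document why the implicit flow is the default. Every field comment in the struct merely repeats the field name, which is exactly what surfaces as the CRD descriptions on lines 27-74; a one-line description per field naming the httpd directive it maps to and its accepted values would make the CRD self-documenting. Line 131 begins the OIDCFederation field comment with `+`, which controller-gen parses as a marker rather than doc text, which is why the CRD description on line 24 fell back to the struct comment; drop the plus: `// OIDCFederation - parameters to configure keystone for OIDC federation`.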
20 changes: 20 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go


70 changes: 68 additions & 2 deletions config/crd/bases/keystone.openstack.org_keystoneapis.yaml
Expand Up @@ -134,6 +134,59 @@ spec:
description: NodeSelector to target subset of worker nodes running
this service
type: object
oidcFederation:
description: KeystoneFederationSpec to provide the configuration values
for OIDC Federation
properties:
keystoneFederationIdentityProviderName:
default: ""
description: KeystoneFederationIdentityProviderName
type: string
oidcCacheType:
default: memcache
description: OIDCCacheType
type: string
oidcClaimDelimiter:
default: ;
description: OIDCClaimDelimiter
type: string
oidcClaimPrefix:
default: OIDC-
description: OIDCClaimPrefix
type: string
oidcClientID:
default: ""
description: OIDCClientID
type: string
oidcIntrospectionEndpoint:
default: ""
description: OIDCIntrospectionEndpoint
type: string
oidcPassClaimsAs:
default: both
description: OIDCPassClaimsAs
type: string
oidcPassUserInfoAs:
default: claims
description: OIDCPassUserInfoAs
type: string
oidcProviderMetadataURL:
default: ""
description: OIDCProviderMetadataURL
type: string
oidcResponseType:
default: id_token
description: OIDCResponseType
type: string
oidcScope:
default: openid email profile
description: OIDCScope
type: string
remoteIDAttribute:
default: HTTP_OIDC_ISS
description: RemoteIDAttribute
type: string
type: object
override:
description: Override, provides the ability to override the generated
manifest of several child resources.
Expand Down Expand Up @@ -295,14 +348,27 @@ spec:
passwordSelectors:
default:
admin: AdminPassword
description: PasswordSelectors - Selectors to identify the AdminUser
password from the Secret
keystoneOIDCClientSecret: KeystoneOIDCClientSecret
keystoneOIDCCryptoPassphrase: KeystoneOIDCCryptoPassphrase
description: PasswordSelectors - Selectors to identify the AdminUser,
KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from
the Secret
properties:
admin:
default: AdminPassword
description: Admin - Selector to get the keystone Admin password
from the Secret
type: string
keystoneOIDCClientSecret:
default: KeystoneOIDCClientSecret
description: OIDCClientSecret - Selector to get the IdP client
secret from the Secret
type: string
keystoneOIDCCryptoPassphrase:
default: KeystoneOIDCCryptoPassphrase
description: OIDCCryptoPassphrase - Selector to get the OIDC crypto
passphrase from the Secret
type: string
type: object
preserveJobs:
default: false
43 changes: 43 additions & 0 deletions config/samples/keystone_v1beta1_keystoneapi_tls_federation.yaml
@@ -0,0 +1,43 @@
apiVersion: keystone.openstack.org/v1beta1
kind: KeystoneAPI
metadata:
name: keystone
spec:
adminProject: admin
adminUser: admin
customServiceConfig: |
[DEFAULT]
debug = true
databaseInstance: openstack
databaseAccount: keystone
preserveJobs: false
region: regionOne
secret: osp-secret
resources:
requests:
memory: "500Mi"
cpu: "1.0"
tls:
api:
# secret holding tls.crt and tls.key for the APIs internal k8s service
internal:
secretName: cert-keystone-internal-svc
# secret holding tls.crt and tls.key for the APIs public k8s service
public:
secretName: cert-keystone-public-svc
# secret holding the tls-ca-bundle.pem to be used as a deploymend env CA bundle
caBundleSecretName: combined-ca-bundle
oidcFederation:
keystoneFederationIdentityProviderName: my_federation_provider_name
oidcCacheType: memcache
oidcClaimDelimiter: ;
oidcClaimPrefix: OIDC-
oidcClientID: my_federation_client_id
oidcIntrospectionEndpoint: my_federation_introspection_endpoint
oidcMemCacheServers: ""
oidcPassClaimsAs: both
oidcPassUserInfoAs: claims
oidcProviderMetadataURL: my_federation_provider_metadata_url
oidcResponseType: id_token
oidcScope: openid email profile
remoteIDAttribute: HTTP_OIDC_ISS
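Review bot: `oidcMemCacheServers: ""` on line 374 is not a field of KeystoneFederationSpec (lines 155-215) nor of the generated CRD schema (lines 23-75), so the API server will prune it (or reject the object under strict field validation) and the sample misleads users into thinking the memcache backend selected by `oidcCacheType: memcache` is configurable here; either drop the line or add the field to the spec in this PR. `debug = true` under customServiceConfig deserves a caveat in a federation sample, because keystone debug logging may write request details including federation assertions to the logs; a comment such as `# debug logging may expose federation assertion data in keystone logs; disable outside test environments` above it would do. The placeholder `my_federation_provider_metadata_url` should hint at the expected form, e.g. `https://idp.example.com/.well-known/openid-configuration`, since the spec currently gives no validation or description for that field.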