Add OIDC Federation Settings

This templates the OIDC federation settings needed to configure Keystone to perform federation authentication.
openstack-k8s-operators · Nov 18, 2024 · e39d541 · e39d541
1 parent 2e94eb1
commit e39d541
Show file tree

Hide file tree

Showing 8 changed files with 395 additions and 23 deletions.
diff --git a/api/bases/keystone.openstack.org_keystoneapis.yaml b/api/bases/keystone.openstack.org_keystoneapis.yaml
@@ -84,6 +84,10 @@ spec:
                   files. Those get added to the service config dir in /etc/<service>
                   . TODO: -> implement'
                 type: object
+              enableFederation:
+                default: false
+                description: Enablement of Federation configuration
+                type: boolean
               enableSecureRBAC:
                 default: true
                 description: EnableSecureRBAC - Enable Consistent and Secure RBAC
@@ -119,6 +123,76 @@ spec:
                 description: NodeSelector to target subset of worker nodes running
                   this service
                 type: object
+              oidcFederation:
+                description: KeystoneFederationSpec to provide the configuration values
+                  for OIDC Federation
+                properties:
+                  keystoneFederationIdentityProviderName:
+                    default: ""
+                    description: KeystoneFederationIdentityProviderName
+                    type: string
+                  oidcCacheType:
+                    default: memcache
+                    description: OIDCCacheType
+                    type: string
+                  oidcClaimDelimiter:
+                    default: ;
+                    description: OIDCClaimDelimiter
+                    type: string
+                  oidcClaimPrefix:
+                    default: OIDC-
+                    description: OIDCClaimPrefix
+                    type: string
+                  oidcClientID:
+                    default: ""
+                    description: OIDCClientID
+                    type: string
+                  oidcIntrospectionEndpoint:
+                    default: ""
+                    description: OIDCIntrospectionEndpoint
+                    type: string
+                  oidcMemCacheServers:
+                    description: OIDCMemCacheServers
+                    type: string
+                  oidcPassClaimsAs:
+                    default: both
+                    description: OIDCPassClaimsAs
+                    type: string
+                  oidcPassUserInfoAs:
+                    default: claims
+                    description: OIDCPassUserInfoAs
+                    type: string
+                  oidcProviderMetadataURL:
+                    default: ""
+                    description: OIDCProviderMetadataURL
+                    type: string
+                  oidcResponseType:
+                    default: id_token
+                    description: OIDCResponseType
+                    type: string
+                  oidcScope:
+                    default: openid email profile
+                    description: OIDCScope
+                    type: string
+                  remoteIDAttribute:
+                    default: HTTP_OIDC_ISS
+                    description: RemoteIDAttribute
+                    type: string
+                required:
+                - keystoneFederationIdentityProviderName
+                - oidcCacheType
+                - oidcClaimDelimiter
+                - oidcClaimPrefix
+                - oidcClientID
+                - oidcIntrospectionEndpoint
+                - oidcMemCacheServers
+                - oidcPassClaimsAs
+                - oidcPassUserInfoAs
+                - oidcProviderMetadataURL
+                - oidcResponseType
+                - oidcScope
+                - remoteIDAttribute
+                type: object
               override:
                 description: Override, provides the ability to override the generated
                   manifest of several child resources.
@@ -296,14 +370,27 @@ spec:
               passwordSelectors:
                 default:
                   admin: AdminPassword
-                description: PasswordSelectors - Selectors to identify the AdminUser
-                  password from the Secret
+                  keystoneOIDCClientSecret: KeystoneClientSecret
+                  keystoneOIDCCryptoPassphrase: KeystoneCryptoPassphrase
+                description: PasswordSelectors - Selectors to identify the AdminUser,
+                  KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from
+                  the Secret
                 properties:
                   admin:
                     default: AdminPassword
                     description: Admin - Selector to get the keystone Admin password
                       from the Secret
                     type: string
+                  keystoneOIDCClientSecret:
+                    default: KeystoneClientSecret
+                    description: OIDCClientSecret - Selector to get the IdP client
+                      secret from the Secret
+                    type: string
+                  keystoneOIDCCryptoPassphrase:
+                    default: KeystoneCryptoPassphrase
+                    description: OIDCCryptoPassphrase - Selector to get the OIDC crypto
+                      passphrase from the Secret
+                    type: string
                 type: object
               preserveJobs:
                 default: false
@@ -426,6 +513,7 @@ spec:
             required:
             - containerImage
             - databaseInstance
+            - enableFederation
             - memcachedInstance
             - rabbitMqClusterName
             - secret

diff --git a/api/v1beta1/keystoneapi_types.go b/api/v1beta1/keystoneapi_types.go
@@ -132,8 +132,8 @@ type KeystoneAPISpecCore struct {
 	FernetMaxActiveKeys *int32 `json:"fernetMaxActiveKeys"`
 
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:default={admin: AdminPassword}
-	// PasswordSelectors - Selectors to identify the AdminUser password from the Secret
+	// +kubebuilder:default={admin: AdminPassword, keystoneOIDCClientSecret: KeystoneClientSecret, keystoneOIDCCryptoPassphrase: KeystoneCryptoPassphrase}
+	// PasswordSelectors - Selectors to identify the AdminUser, KeystoneOIDCClient, and KeystoneOIDCCryptoPassphrase passwords from the Secret
 	PasswordSelectors PasswordSelector `json:"passwordSelectors"`
 
 	// +kubebuilder:validation:Optional
@@ -180,6 +180,15 @@ type KeystoneAPISpecCore struct {
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// TLS - Parameters related to the TLS
 	TLS tls.API `json:"tls,omitempty"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=false
+	// Enablement of Federation configuration
+	EnableFederation bool `json:"enableFederation"`
+
+	// +kubebuilder:validation:Optional
+	// +OIDCFederation - parameters to configure keystone for OIDC federation
+	OIDCFederation KeystoneFederationSpec `json:"oidcFederation,omitempty"`
 }
 
 // APIOverrideSpec to override the generated manifest of several child resources.
@@ -195,6 +204,83 @@ type PasswordSelector struct {
 	// +kubebuilder:default="AdminPassword"
 	// Admin - Selector to get the keystone Admin password from the Secret
 	Admin string `json:"admin"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="KeystoneClientSecret"
+	// OIDCClientSecret - Selector to get the IdP client secret from the Secret
+	KeystoneOIDCClientSecret string `json:"keystoneOIDCClientSecret"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="KeystoneCryptoPassphrase"
+	// OIDCCryptoPassphrase - Selector to get the OIDC crypto passphrase from the Secret
+	KeystoneOIDCCryptoPassphrase string `json:"keystoneOIDCCryptoPassphrase"`
+}
+
+// KeystoneFederationSpec to provide the configuration values for OIDC Federation
+type KeystoneFederationSpec struct {
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="OIDC-"
+	// OIDCClaimPrefix
+	OIDCClaimPrefix string `json:"oidcClaimPrefix"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="id_token"
+	// OIDCResponseType
+	OIDCResponseType string `json:"oidcResponseType"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="openid email profile"
+	// OIDCScope
+	OIDCScope string `json:"oidcScope"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=""
+	// OIDCProviderMetadataURL
+	OIDCProviderMetadataURL string `json:"oidcProviderMetadataURL"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=""
+	// OIDCIntrospectionEndpoint
+	OIDCIntrospectionEndpoint string `json:"oidcIntrospectionEndpoint"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=""
+	// OIDCClientID
+	OIDCClientID string `json:"oidcClientID"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=";"
+	// OIDCClaimDelimiter
+	OIDCClaimDelimiter string `json:"oidcClaimDelimiter"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="claims"
+	// OIDCPassUserInfoAs
+	OIDCPassUserInfoAs string `json:"oidcPassUserInfoAs"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="both"
+	// OIDCPassClaimsAs
+	OIDCPassClaimsAs string `json:"oidcPassClaimsAs"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="memcache"
+	// OIDCCacheType
+	OIDCCacheType string `json:"oidcCacheType"`
+
+	// +kubebuilder:validaton:Required
+	// OIDCMemCacheServers
+	OIDCMemCacheServers string `json:"oidcMemCacheServers"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default="HTTP_OIDC_ISS"
+	// RemoteIDAttribute
+	RemoteIDAttribute string `json:"remoteIDAttribute"`
+
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default=""
+	// KeystoneFederationIdentityProviderName
+	KeystoneFederationIdentityProviderName string `json:"keystoneFederationIdentityProviderName"`
 }
 
 // KeystoneAPIStatus defines the observed state of KeystoneAPI
@@ -220,7 +306,7 @@ type KeystoneAPIStatus struct {
 	// TransportURLSecret - Secret containing RabbitMQ transportURL
 	TransportURLSecret string `json:"transportURLSecret,omitempty"`
 
-	//ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
+	// ObservedGeneration - the most recent generation observed for this service. If the observed generation is less than the spec generation, then the controller has not processed the latest changes.
 	ObservedGeneration int64 `json:"observedGeneration,omitempty"`
 }
 

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go