Add OIDC Federation Settings #479
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: d34dh0r53 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
d34dh0r53
force-pushed
the
template_federation
branch
2 times, most recently
from
dbbfca9
to
1eaa22e
Compare
|
Maybe I missed it, but I didn't see any kuttl or functional tests . Just the removal of a bunch of empty lines in keystoneapi_controller_test.go. Is that coming in a separate PR? |
|
Yeah, KUTTL and functional testing is coming in a follow-on patch that I'm working on now. |
d34dh0r53
force-pushed
the
template_federation
branch
from
1eaa22e
to
03276e7
Compare
This templates the OIDC federation settings needed to configure Keystone to perform federation authentication.
d34dh0r53
force-pushed
the
template_federation
branch
from
03276e7
to
e39d541
Compare
| // +kubebuilder:validation:Required | ||
| // +kubebuilder:default=false | ||
| // Enablement of Federation configuration | ||
| EnableFederation bool `json:"enableFederation"` |
There was a problem hiding this comment.
this can not be a required field, or we need a new API version so that a conversion webhook could introduce it. for now it should be optional with default to false. see recent discussions on slack.
There was a problem hiding this comment.
best to test this pr using a previous version and update to have this change
There was a problem hiding this comment.
It doesn't have to be required, I'll change it to optional
There was a problem hiding this comment.
do we even need this field? If you change the federationConfig object to a pointer, you can check for null-ness
|
|
||
| if instance.Spec.EnableFederation { | ||
| federationParameters := map[string]interface{}{ | ||
| "federationTrustedDashboard": fmt.Sprintf("https://%s-%s.%s.svc/dashboard/auth/websso/", |
There was a problem hiding this comment.
can we expect this to be only enabled for tlse and always have https?
There was a problem hiding this comment.
as the public endpoint, should this be the route endpoint, or the k8s service? wondering if this could be instance.GetEndpoint(endpoint.EndpointPublic), which is either the k8s service, if no route, or the routes endpoint name.
|
|
||
| // +kubebuilder:validation:Optional | ||
| // +OIDCFederation - parameters to configure keystone for OIDC federation | ||
| OIDCFederation KeystoneFederationSpec `json:"oidcFederation,omitempty"` |
There was a problem hiding this comment.
might want to do this a ptr so that it won't show up with all the empty values?
apiVersion: keystone.openstack.org/v1beta1
kind: KeystoneAPI
metadata:
creationTimestamp: "2024-11-18T19:38:57Z"
finalizers:
- openstack.org/keystoneapi
- openstack.org/keystoneservice-nova
- openstack.org/keystoneservice-glance
- openstack.org/keystoneservice-ceilometer
- openstack.org/keystoneservice-swift
- openstack.org/keystoneendpoint-glance-default-external
- openstack.org/keystoneendpoint-glance-default-internal
- openstack.org/keystoneendpoint-swift
- openstack.org/keystoneservice-barbican
- openstack.org/keystoneservice-cinderv3
- openstack.org/keystoneendpoint-barbican-api
- openstack.org/keystoneendpoint-cinderv3
- openstack.org/keystoneservice-neutron
- openstack.org/keystoneservice-placement
- openstack.org/keystoneendpoint-neutron
- openstack.org/keystoneendpoint-placement
- openstack.org/keystoneendpoint-nova
generation: 2
name: keystone
namespace: openstack
ownerReferences:
- apiVersion: core.openstack.org/v1beta1
blockOwnerDeletion: true
controller: true
kind: OpenStackControlPlane
name: openstack-galera
uid: 54409ae3-a561-43b7-9251-603437046eb3
resourceVersion: "70386"
uid: fbc4eab5-72b6-485e-b9b9-6536919d4c4b
spec:
adminProject: admin
adminUser: admin
containerImage: quay.io/podified-antelope-centos9/openstack-keystone@sha256:198eb79012e1b824b4092e4907f0565051f8514a7ca0d4606e9ce7a3d8439895
databaseAccount: keystone
databaseInstance: openstack
enableFederation: false
enableSecureRBAC: true
fernetMaxActiveKeys: 5
fernetRotationDays: 1
memcachedInstance: memcached
oidcFederation:
keystoneFederationIdentityProviderName: ""
oidcCacheType: ""
oidcClaimDelimiter: ""
oidcClaimPrefix: ""
oidcClientID: ""
oidcIntrospectionEndpoint: ""
oidcMemCacheServers: ""
oidcPassClaimsAs: ""
oidcPassUserInfoAs: ""
oidcProviderMetadataURL: ""
oidcResponseType: ""
oidcScope: ""
remoteIDAttribute: ""
There was a problem hiding this comment.
That sounds like it's the solution to my problem, I couldn't figure out why the values were empty when I was specifying defaults. Do you know of any examples of how to do this with a pointer?
There was a problem hiding this comment.
just change it to
OIDCFederation *KeystoneFederationSpec `json:"oidcFederation,omitempty"`
probably needs some check for it bein nil where you right now just use it.
There was a problem hiding this comment.
You can see how I'm doing it with the PKCS11 settings in barbican in openstack-k8s-operators/barbican-operator#168
This templates the OIDC federation settings needed to configure Keystone to perform federation authentication.