support config oauth2 for geo replication

streamnative · Aug 21, 2024 · c8643bc · c8643bc
1 parent e7c5d30
commit c8643bc
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 20 deletions.
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -64,7 +64,7 @@ type PulsarAuthenticationOAuth2 struct {
 	IssuerEndpoint string           `json:"issuerEndpoint"`
 	ClientID       string           `json:"clientID"`
 	Audience       string           `json:"audience"`
-	Key            ValueOrSecretRef `json:"key"`
+	Key            *ValueOrSecretRef `json:"key"`
 	Scope          string           `json:"scope,omitempty"`
 }
 

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,17 +1,3 @@
-# Copyright 2024 StreamNative
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/pkg/connection/reconcile_geo_replication.go b/pkg/connection/reconcile_geo_replication.go
@@ -16,6 +16,8 @@ package connection
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
 
 	"github.com/go-logr/logr"
@@ -271,6 +273,7 @@ func createParams(ctx context.Context, destConnection *resourcev1alpha1.PulsarCo
 		BrokerClientTrustCertsFilePath: destConnection.Spec.BrokerClientTrustCertsFilePath,
 	}
 
+	hasAuth := false
 	if auth := destConnection.Spec.Authentication; auth != nil {
 		if auth.Token != nil {
 			value, err := GetValue(ctx, client, destConnection.Namespace, auth.Token)
@@ -280,11 +283,35 @@ func createParams(ctx context.Context, destConnection *resourcev1alpha1.PulsarCo
 			if value != nil {
 				clusterParam.AuthPlugin = resourcev1alpha1.AuthPluginToken
 				clusterParam.AuthParameters = "token:" + *value
+				hasAuth = true
+			}
+		}
+		if oauth2 := auth.OAuth2; !hasAuth && oauth2 != nil {
+			var paramsJSON = utils.ClientCredentials{
+				IssuerURL: oauth2.IssuerEndpoint,
+				Audience:  oauth2.Audience,
+				Scope:     oauth2.Scope,
+				ClientID:  oauth2.ClientID,
+			}
+			if oauth2.Key != nil {
+				value, err := GetValue(ctx, client, destConnection.Namespace, oauth2.Key)
+				if err != nil {
+					return nil, err
+				}
+				if value != nil {
+					paramsJSON.PrivateKey = "data:application/json;base64," + base64.StdEncoding.EncodeToString([]byte(*value))
+					clusterParam.AuthPlugin = resourcev1alpha1.AuthPluginOAuth2
+					paramsJSONString, err := json.Marshal(paramsJSON)
+					if err != nil {
+						return nil, err
+					}
+					clusterParam.AuthParameters = string(paramsJSONString)
+					hasAuth = true
+				}
+			} else {
+				return nil, fmt.Errorf("OAuth2 key is empty")
 			}
 		}
-		// TODO support oauth2
-		// if auth.OAuth2 != nil && !hasAuth {
-		// }
 	}
 	return clusterParam, nil
 }
diff --git a/pkg/connection/reconciler.go b/pkg/connection/reconciler.go
@@ -298,7 +298,10 @@ func MakePulsarAdminConfig(ctx context.Context, connection *resourcev1alpha1.Pul
 			cfg.ClientID = oauth2.ClientID
 			cfg.Audience = oauth2.Audience
 			cfg.Scope = oauth2.Scope
-			value, err := GetValue(ctx, k8sClient, connection.Namespace, &oauth2.Key)
+			if oauth2.Key == nil {
+				return nil, fmt.Errorf("oauth2 key must not be empty")
+			}
+			value, err := GetValue(ctx, k8sClient, connection.Namespace, oauth2.Key)
 			if err != nil {
 				return nil, err
 			}

diff --git a/pkg/utils/oauth2.go b/pkg/utils/oauth2.go
@@ -0,0 +1,23 @@
+// Copyright 2023 StreamNative
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+type ClientCredentials struct {
+	IssuerURL  string `json:"issuerUrl,omitempty"`
+	Audience   string `json:"audience,omitempty"`
+	Scope      string `json:"scope,omitempty"`
+	PrivateKey string `json:"privateKey,omitempty"`
+	ClientID   string `json:"clientId,omitempty"`
+}