Merge pull request #1760 from liouk/oidc-config-structured-auth

AUTH-541: OIDC structured auth config
openshift · Feb 28, 2025 · dafd2d1 · dafd2d1
2 parents 34af639 + 4d75af9
commit dafd2d1
Show file tree

Hide file tree

Showing 8 changed files with 1,120 additions and 52 deletions.
diff --git a/pkg/operator/configobservation/auth/auth_metadata.go b/pkg/operator/configobservation/auth/auth_metadata.go
@@ -8,6 +8,7 @@ import (
 
 	configv1 "github.com/openshift/api/config/v1"
 	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation"
+	"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/operatorclient"
 	"github.com/openshift/library-go/pkg/operator/configobserver"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resourcesynccontroller"
@@ -20,14 +21,21 @@ const (
 	managedNamespace      = "openshift-config-managed"
 )
 
+var (
+	topLevelMetadataFilePath = []string{"authConfig", "oauthMetadataFile"}
+)
+
 // ObserveAuthMetadata fills in authConfig.OauthMetadataFile with the path for a configMap referenced by the authentication
 // config.
-func ObserveAuthMetadata(genericListers configobserver.Listers, recorder events.Recorder, existingConfig map[string]interface{}) (map[string]interface{}, []error) {
+func ObserveAuthMetadata(genericListers configobserver.Listers, recorder events.Recorder, existingConfig map[string]interface{}) (ret map[string]interface{}, _ []error) {
+	defer func() {
+		ret = configobserver.Pruned(ret, topLevelMetadataFilePath)
+	}()
+
 	listers := genericListers.(configobservation.Listers)
 	errs := []error{}
 	prevObservedConfig := map[string]interface{}{}
 
-	topLevelMetadataFilePath := []string{"authConfig", "oauthMetadataFile"}
 	currentMetadataFilePath, _, err := unstructured.NestedString(existingConfig, topLevelMetadataFilePath...)
 	if err != nil {
 		errs = append(errs, err)
@@ -39,8 +47,9 @@ func ObserveAuthMetadata(genericListers configobserver.Listers, recorder events.
 	}
 
 	observedConfig := map[string]interface{}{}
-	authConfigNoDefaults, err := listers.AuthConfigLister.Get("cluster")
+	authConfig, err := listers.AuthConfigLister.Get("cluster")
 	if errors.IsNotFound(err) {
+		recorder.Eventf("ObserveAuthMetadataConfigMap", "authentications.config.openshift.io/cluster: not found")
 		klog.Warningf("authentications.config.openshift.io/cluster: not found")
 		return observedConfig, errs
 	}
@@ -49,34 +58,45 @@ func ObserveAuthMetadata(genericListers configobserver.Listers, recorder events.
 		return prevObservedConfig, errs
 	}
 
-	authConfig := defaultAuthConfig(authConfigNoDefaults)
-
 	var (
 		sourceNamespace string
 		sourceConfigMap string
-		statusConfigMap string
 	)
 
-	specConfigMap := authConfig.Spec.OAuthMetadata.Name
+	switch authConfig.Spec.Type {
+	case configv1.AuthenticationTypeIntegratedOAuth, "":
+		specConfigMap := authConfig.Spec.OAuthMetadata.Name
+		statusConfigMap := authConfig.Status.IntegratedOAuthMetadata.Name
+		if len(statusConfigMap) == 0 {
+			klog.V(5).Infof("no integrated oauth metadata configmap observed from status")
+		}
 
-	// TODO: Add a case here for the KeyCloak type.
-	switch {
-	case len(authConfig.Status.IntegratedOAuthMetadata.Name) > 0 && authConfig.Spec.Type == configv1.AuthenticationTypeIntegratedOAuth:
-		statusConfigMap = authConfig.Status.IntegratedOAuthMetadata.Name
-	default:
-		klog.V(5).Infof("no integrated oauth metadata configmap observed from status")
-	}
+		// Spec configMap takes precedence over Status.
+		switch {
+		case len(specConfigMap) > 0:
+			sourceConfigMap = specConfigMap
+			sourceNamespace = configNamespace
+		case len(statusConfigMap) > 0:
+			sourceConfigMap = statusConfigMap
+			sourceNamespace = managedNamespace
+		default:
+			klog.V(5).Infof("no authentication config metadata specified")
+		}
+
+	case configv1.AuthenticationTypeNone:
+		// no oauth metadata is served; do not set anything as source
+		// in order to delete the configmap and unset oauthMetadataFile
 
-	// Spec configMap takes precedence over Status.
-	switch {
-	case len(specConfigMap) > 0:
-		sourceConfigMap = specConfigMap
-		sourceNamespace = configNamespace
-	case len(statusConfigMap) > 0:
-		sourceConfigMap = statusConfigMap
-		sourceNamespace = managedNamespace
-	default:
-		klog.V(5).Infof("no authentication config metadata specified")
+	case configv1.AuthenticationTypeOIDC:
+		if _, err := listers.ConfigmapLister_.ConfigMaps(operatorclient.TargetNamespace).Get(AuthConfigCMName); errors.IsNotFound(err) {
+			// auth-config does not exist in target namespace yet; do not remove oauth metadata until it's there
+			return prevObservedConfig, errs
+		} else if err != nil {
+			return prevObservedConfig, append(errs, err)
+		}
+
+		// no oauth metadata is served; do not set anything as source
+		// in order to delete the configmap and unset oauthMetadataFile
 	}
 
 	// Sync the user or status-specified configMap to the well-known resting place that corresponds to the oauthMetadataFile path.
@@ -109,13 +129,3 @@ func ObserveAuthMetadata(genericListers configobserver.Listers, recorder events.
 
 	return observedConfig, errs
 }
-
-func defaultAuthConfig(authConfig *configv1.Authentication) *configv1.Authentication {
-	out := authConfig.DeepCopy() // do not mutate informer cache
-
-	if len(out.Spec.Type) == 0 {
-		out.Spec.Type = configv1.AuthenticationTypeIntegratedOAuth
-	}
-
-	return out
-}