THREESCALE-10518- Operator crash - OpenAPI CR doesn't create correct backend ...
valerymo committed Dec 21, 2023
1 parent de8195f commit f007f1b
Showing 4 changed files with 23 additions and 8 deletions.
6 changes: 6 additions & 0 deletions controllers/capabilities/openapi_controller.go
Expand Up @@ -420,5 +420,11 @@ func (r *OpenAPIReconciler) validateOIDCSettingsInCR(openapiCR *capabilitiesv1be
}
}

if openapiCR.Spec.OIDC != nil &&
(openapiCR.Spec.OIDC.IssuerEndpoint == "" && openapiCR.Spec.OIDC.IssuerEndpointRef == nil) {
logger.Info("OIDC issuer endpoint definition is missing, as no IssuerEndpoint nor IssuerEndpointRef found in CR.")
r.EventRecorder().Eventf(openapiCR, corev1.EventTypeWarning, "OIDC issuer endpoint definition is missing in CR", "%v", "No IssuerEndpoint nor IssuerEndpointRef found in OIDC spec in CR; please set it to fix the problem.")
}

return nil
}
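Review bot: the new check at the end of validateOIDCSettingsInCR logs and emits a Warning event when both IssuerEndpoint and IssuerEndpointRef are absent, but still returns nil, so the OpenAPI CR is accepted as valid and the misconfiguration only surfaces later when the Product-side proxy sync rejects it. Since this function is the validation step, return an error here instead of (or in addition to) the event, so the CR status reflects the problem rather than relying on an event that is easy to miss. Two smaller points in the same lines: the Eventf reason argument `"OIDC issuer endpoint definition is missing in CR"` is a full sentence, whereas Kubernetes event reasons are conventionally short CamelCase tokens (for example `MissingOIDCIssuerEndpoint`) with the sentence carried in the message; and `"%v", "No IssuerEndpoint nor ..."` can simply be passed as the format string. The message itself reads better as "Neither IssuerEndpoint nor IssuerEndpointRef found in the OIDC spec".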
4 changes: 4 additions & 0 deletions controllers/capabilities/proxy.go
Expand Up @@ -200,6 +200,10 @@ func (t *ProductThreescaleReconciler) syncProxyOIDC(params threescaleapi.Params,
// If plain value is not nil - use plain value as precedence over secret
issuerEndpoint := oidcSpec.IssuerEndpoint
if issuerEndpoint == "" {
if oidcSpec.IssuerEndpointRef == nil {
// If missing both IssuerEndpoint and IssuerEndpointRef in OpenApi CR - Product will fail SyncProxy
return fmt.Errorf("missing IssuerEndpoint definition in OIDC spec in openapi CR. Product OpenID Connect Issuer will not be set.")
}
secretSource := helper.NewSecretSource(t.Client(), t.resource.Namespace)
val, err := secretSource.RequiredFieldValueFromRequiredSecret(oidcSpec.IssuerEndpointRef.Name, "issuerEndpoint")
if err != nil {
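Review bot: the nil guard before `oidcSpec.IssuerEndpointRef.Name` is the right fix for the crash, but the error string breaks Go convention (staticcheck ST1005): error strings should not be capitalised or end with punctuation, and this one does both. Suggest `return fmt.Errorf("oidc spec has neither issuerEndpoint nor issuerEndpointRef; product OpenID Connect issuer will not be set")`. It also names the "openapi CR" specifically, while this code belongs to ProductThreescaleReconciler (see the hunk header) and runs on the Product's OIDC spec regardless of how the Product was created, so a neutral wording avoids misleading users who reach it via a Product CR. One thing to confirm while here: the plain `issuerEndpoint` takes precedence over the secret, and the documented RHSSO format embeds `<client_secret>` in that URL, so the value must never be interpolated into this or any later error or log message.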
18 changes: 10 additions & 8 deletions doc/openapi-user-guide.md
Expand Up @@ -147,23 +147,25 @@ spec:
serviceAccountsEnabled: true
directAccessGrantsEnabled: true
```
- **oidc** is optional field in OpenAPI CR, Only for OIDC.
- **issuerEndpointRef** - Secret, that contains **issuerEndpoint**

- **oidc** is optional field in OpenAPI CR
- Only for OIDC:

| **Field** | **Required** | **Description** |
| --- | --- | --- |
| --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| issuerType | no | Valid values: [keycloak, rest]. Defaults to `rest` |
| issuerEndpoint | no | issuerEndpoint can be defined in `issuerEndpointRef` or as plain value (please see CR example and notes below). The format of this endpoint is determined on your OpenID Provider setup. For RHSSO: https://<client_id>:<client_secret>@<host>:<port>/auth/realms/<realm_name> |
| issuerEndpoint | no | Issuer endpoint. It can be defined in `issuerEndpointRef` or as plain value (please see CR example and notes below). The format of this endpoint is determined on your OpenID Provider setup. For RHSSO: https://<client_id>:<client_secret>@<host>:<port>/auth/realms/<realm_name> |
| issuerEndpointRef | no | The secret that contains `issuerEndpoint` |
| jwtClaimWithClientID | no | JSON Web Token (JWT) Claim with ClientID that contains the clientID. Defaults to 'azp'. |
| jwtClaimWithClientIDType | no | JwtClaimWithClientIDType sets to process the ClientID Token Claim value as a string or as a liquid template. Valid values: plain, liquid. Defaults to 'plain' |
| authenticationFlow | no | flows object. When the sec scheme is oauth2, the flows are provided by the OpenAPI doc. However, for openIdConnect security scheme, the OpenAPI doc does not provide the flows. In that case, the OpenAPI CR can provide those. There are 4 flows parameters (for OIDC only): `standardFlowEnabled`, `implicitFlowEnabled`, `serviceAccountsEnabled`, `directAccessGrantsEnabled`. See [3scale product reference](product-reference.md) for more info |


- **issuerEndpoint** - The format of this endpoint is determined on your OpenID Provider setup.
- **One of IssuerEndpointRef or IssuerEndpoint must be defined in OIDC Spec** (both fields can be defined, see next note).
- **If issuerEndpoint plain value is defined in CR - it will be used as precedence over issuerEndpointRef secret**.
- The format of issuerEndpoint is determined on your OpenID Provider setup;
see in 3scale portal - `Product/Integration/Settings/AUTHENTICATION SETTINGS/OpenID Connect Issuer`.
- **If issuerEndpoint plain value is defined in CR - it will be used as precedence over secret**.



OpenAPI CR example where issuerEndpoint defined both as plain value and in secret (plain value will be used):
```yaml
apiVersion: capabilities.3scale.net/v1beta1
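Review bot: the precedence note ("If issuerEndpoint plain value is defined in CR - it will be used as precedence over issuerEndpointRef secret") documents the behaviour without its security consequence: the RHSSO format given in the issuerEndpoint row embeds `<client_id>:<client_secret>` in the URL, so a plain issuerEndpoint places the OIDC client secret in the OpenAPI CR itself, readable by anyone with access to the CR and stored in git wherever CRs are versioned. State that `issuerEndpointRef` is the recommended form and that a plain value, when present, silently overrides the secret, so operators do not assume the Secret is in effect. Smaller wording points: "is optional field" should be "is an optional field"; "determined on your OpenID Provider setup" should be "determined by your OpenID Provider setup" (it appears twice); and the table separator row was expanded to several hundred dashes, which bloats the diff and changes nothing in rendered markdown, so keep the short `| --- | --- | --- |` form.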
3 changes: 3 additions & 0 deletions doc/product-reference.md
Expand Up @@ -125,6 +125,9 @@ Specifies product OIDC authentication mode
| Security | `security` | object | See [SecuritySpec](#SecuritySpec) | No |
| GatewayResponse | `gatewayResponse` | object | See [GatewayResponseSpec](#GatewayResponseSpec) | No |

- **One of IssuerEndpointRef or IssuerEndpoint must be defined in OIDC Spec** (both fields can be defined, see next note).
- **If issuerEndpoint plain value is defined in CR - it will be used as precedence over issuerEndpointRef secret**.

##### IssuerEndpointRef
- Example of definition of IssuerEndpointRef in OIDCSpec
```yaml
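Review bot: confirm where the two new bullets land: the rows directly above them (Security, GatewayResponse) are ProductSpec fields, while the bullets ("One of IssuerEndpointRef or IssuerEndpoint must be defined in OIDC Spec", plain value takes precedence) constrain OIDCSpec fields, so if this is the ProductSpec table they should move into the OIDCSpec section next to the issuerEndpoint and issuerEndpointRef descriptions, where a reader looking up those fields will find them. The first bullet should also say what happens otherwise, matching the proxy.go change in this commit: the Product's proxy sync now fails with an error when both are missing. As in the user guide, the precedence bullet should carry the caveat that a plain issuerEndpoint can contain the client secret and overrides the Secret silently.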