package v1alpha1
// ModeType is the authentication/authorization mode in which Tempo Gateway
// will be configured.
//
// +kubebuilder:validation:Enum=static;openshift
type ModeType string

// The Enum marker on ModeType and the constants below must stay in sync: the
// marker is what the API server schema enforces, the constants are what the
// operator compares against.
const (
	// ModeStatic mode asserts the Authorization Spec's Roles and RoleBindings
	// using an in-process OpenPolicyAgent Rego authorizer.
	ModeStatic ModeType = "static"
	// ModeOpenShift mode uses the TokenReview API for authentication and
	// SubjectAccessReview for authorization.
	ModeOpenShift ModeType = "openshift"
)
// TenantsSpec defines the mode, authentication and authorization
// configuration of the tempo gateway component.
type TenantsSpec struct {
	// Mode defines the multitenancy mode. Defaults to static.
	//
	// +required
	// +kubebuilder:validation:Required
	// +kubebuilder:default:=static
	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:select:static","urn:alm:descriptor:com.tectonic.ui:select:openshift"},displayName="Mode"
	Mode ModeType `json:"mode"` // the select descriptor above must list the same values as the ModeType enum
	// Authentication defines the tempo-gateway component authentication configuration spec per tenant.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authentication"
	Authentication []AuthenticationSpec `json:"authentication,omitempty"`
	// Authorization defines the tempo-gateway component authorization configuration spec per tenant.
	// In static mode its Roles and RoleBindings drive the in-process authorizer (see ModeStatic).
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Authorization"
	Authorization *AuthorizationSpec `json:"authorization,omitempty"` // NOTE(review): what a nil value means in static mode is decided by the controller, not by this schema — confirm
}
// SubjectKind is a kind of Tempo Gateway RBAC subject.
//
// +kubebuilder:validation:Enum=user;group
type SubjectKind string

// Keep the Enum marker on SubjectKind in sync with these constants; the marker
// is the only validation the API server applies to Subject.Kind.
const (
	// User represents a subject that is a user.
	User SubjectKind = "user"
	// Group represents a subject that is a group.
	Group SubjectKind = "group"
)
// Subject represents a subject that has been bound to a role.
type Subject struct {
	// Name identifies the subject; whether it is a user or a group name is given by Kind.
	Name string `json:"name"` // no validation marker: the generated schema alone does not reject an empty name
	// Kind states whether Name refers to a user or a group.
	Kind SubjectKind `json:"kind"` // restricted to the SubjectKind enum by the API server schema
}
// RoleBindingsSpec binds a set of roles to a set of subjects.
type RoleBindingsSpec struct {
	// Name identifies this role binding.
	Name string `json:"name"`
	// Subjects lists the users and groups the roles are granted to.
	Subjects []Subject `json:"subjects"`
	// Roles lists, by name, the roles granted to Subjects.
	Roles []string `json:"roles"` // NOTE(review): presumably matched against RoleSpec.Name; nothing in this schema checks that each name exists — confirm where that is validated
}
// AuthorizationSpec defines the opa, role bindings and roles
// configuration per tenant for tempo Gateway component.
type AuthorizationSpec struct {
	// Roles defines a set of permissions to interact with a tenant.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Static Roles"
	Roles []RoleSpec `json:"roles"` // optional but serialized without omitempty: an unset list marshals as null
	// RoleBindings defines configuration to bind a set of roles to a set of subjects.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Static Role Bindings"
	RoleBindings []RoleBindingsSpec `json:"roleBindings"` // same serialization caveat as Roles
}
// PermissionType is a Tempo Gateway RBAC permission.
//
// +kubebuilder:validation:Enum=read;write
type PermissionType string

// Keep the Enum marker on PermissionType in sync with these constants; the
// marker is the only validation the API server applies to RoleSpec.Permissions.
const (
	// Write gives access to write data to a tenant.
	Write PermissionType = "write"
	// Read gives access to read data from a tenant.
	Read PermissionType = "read"
)
// RoleSpec describes a set of permissions to interact with a tenant.
type RoleSpec struct {
	// Name identifies the role; role bindings refer to roles by this name.
	Name string `json:"name"`
	// Resources lists the resources the role applies to.
	Resources []string `json:"resources"` // free-form strings, no enum marker
	// Tenants lists the tenants the role applies to.
	Tenants []string `json:"tenants"` // NOTE(review): presumably matched against AuthenticationSpec.TenantName — confirm
	// Permissions lists the permissions granted by the role.
	Permissions []PermissionType `json:"permissions"` // each value is restricted to the PermissionType enum
}
// TenantSecretSpec is a secret reference containing name only
// for a secret living in the same namespace as the (Tempo) TempoStack custom resource.
// The referenced Secret carries the OIDC client credentials described on
// OIDCSpec.Secret, so access to it should be restricted accordingly.
type TenantSecretSpec struct {
	// Name of a secret in the namespace configured for tenant secrets.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:io.kubernetes:Secret",displayName="Tenant Secret Name"
	Name string `json:"name"` // NOTE(review): optional and unvalidated here; an empty name is accepted by the schema — confirm the controller handles it
}
// AuthenticationSpec defines the oidc configuration per tenant for tempo Gateway component.
type AuthenticationSpec struct {
	// TenantName defines a human readable, unique name of the tenant.
	// The value of this field must be specified in the X-Scope-OrgID header and in the resources field of a ClusterRole to identify the tenant.
	//
	// +required
	// +kubebuilder:validation:Required
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant Name"
	TenantName string `json:"tenantName"` // uniqueness across the Authentication list is not enforced by any marker in this file
	// TenantID defines a universally unique identifier of the tenant.
	// Unlike the tenantName, which must be unique at a given time, the tenantId must be unique over the entire lifetime of the Tempo deployment.
	// Tempo uses this ID to prefix objects in the object storage, so it should not be changed once data has been written.
	//
	// +required
	// +kubebuilder:validation:Required
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant ID"
	TenantID string `json:"tenantId"` // neither uniqueness property is enforced by this schema; only presence is required
	// OIDC defines the spec for the OIDC tenant's authentication.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="OIDC Configuration"
	OIDC *OIDCSpec `json:"oidc,omitempty"` // NOTE(review): how a tenant without OIDC is authenticated in static mode is not visible here — confirm
}
// OIDCSpec defines the oidc configuration spec for Tempo Gateway component.
type OIDCSpec struct {
	// Secret references the Secret holding the clientID, clientSecret and issuerCAPath used for the tenant's authentication.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Tenant Secret"
	Secret *TenantSecretSpec `json:"secret"` // optional pointer serialized without omitempty: nil marshals as null
	// IssuerURL defines the URL of the OIDC issuer.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Issuer URL"
	IssuerURL string `json:"issuerURL"` // NOTE(review): marked optional and lacks omitempty unlike RedirectURL; if the gateway needs it, the check lives outside this schema — confirm
	// RedirectURL defines the redirect URL used in the OIDC flow.
	//
	// +optional
	// +kubebuilder:validation:Optional
	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redirect URL"
	RedirectURL string `json:"redirectURL,omitempty"`
	// GroupClaim is the ID Token claim whose value is taken as the subject's group.
	//
	// +optional
	// +kubebuilder:validation:Optional
	GroupClaim string `json:"groupClaim,omitempty"` // NOTE(review): presumably matched against Subject names of kind group — confirm
	// UsernameClaim is the ID Token claim whose value is taken as the subject's user name.
	//
	// +optional
	// +kubebuilder:validation:Optional
	UsernameClaim string `json:"usernameClaim,omitempty"` // NOTE(review): presumably matched against Subject names of kind user — confirm
}