Merge pull request #666 from stlaz/webhook_authenticators

config.authentication: deprecate webhook authenticators in favour of a single authenticator

config/v1/0000_10_config-operator_01_authentication.crd.yaml

@@ -71,16 +71,40 @@ spec:
                 mode in use. Specifically, it manages the component that responds
                 to login attempts. The default is IntegratedOAuth.
               type: string
-            webhookTokenAuthenticators:
-              description: webhookTokenAuthenticators configures remote token reviewers.
+            webhookTokenAuthenticator:
+              description: webhookTokenAuthenticator configures a remote token reviewer.
                 These remote authentication webhooks can be used to verify bearer
-                tokens via the tokenreviews.authentication.k8s.io REST API.  This
-                is required to honor bearer tokens that are provisioned by an external
-                authentication service. The namespace for these secrets is openshift-config.
+                tokens via the tokenreviews.authentication.k8s.io REST API. This is
+                required to honor bearer tokens that are provisioned by an external
+                authentication service.
+              type: object
+              required:
+              - kubeConfig
+              properties:
+                kubeConfig:
+                  description: "kubeConfig references a secret that contains kube
+                    config file data which describes how to access the remote webhook
+                    service. The namespace for the referenced secret is openshift-config.
+                    \n For further details, see: \n https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+                    \n The key \"kubeConfig\" is used to locate the data. If the secret
+                    or expected key is not found, the webhook is not honored. If the
+                    specified kube config data is not valid, the webhook is not honored."
+                  type: object
+                  required:
+                  - name
+                  properties:
+                    name:
+                      description: name is the metadata.name of the referenced secret
+                      type: string
+            webhookTokenAuthenticators:
+              description: webhookTokenAuthenticators is DEPRECATED, setting it has
+                no effect.
               type: array
               items:
-                description: webhookTokenAuthenticator holds the necessary configuration
-                  options for a remote token authenticator
+                description: deprecatedWebhookTokenAuthenticator holds the necessary
+                  configuration options for a remote token authenticator. It's the
+                  same as WebhookTokenAuthenticator but it's missing the 'required'
+                  validation on KubeConfig field.
                 type: object
                 properties:
                   kubeConfig:

config/v1/types_authentication.go

@@ -43,13 +43,15 @@ type AuthenticationSpec struct {
 	// +optional
 	OAuthMetadata ConfigMapNameReference `json:"oauthMetadata"`
 
-	// webhookTokenAuthenticators configures remote token reviewers.
+	// webhookTokenAuthenticators is DEPRECATED, setting it has no effect.
+	WebhookTokenAuthenticators []DeprecatedWebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`
+
+	// webhookTokenAuthenticator configures a remote token reviewer.
 	// These remote authentication webhooks can be used to verify bearer tokens
-	// via the tokenreviews.authentication.k8s.io REST API.  This is required to
+	// via the tokenreviews.authentication.k8s.io REST API. This is required to
 	// honor bearer tokens that are provisioned by an external authentication service.
-	// The namespace for these secrets is openshift-config.
 	// +optional
-	WebhookTokenAuthenticators []WebhookTokenAuthenticator `json:"webhookTokenAuthenticators,omitempty"`
+	WebhookTokenAuthenticator *WebhookTokenAuthenticator `json:"webhookTokenAuthenticator,omitempty"`
 
 	// serviceAccountIssuer is the identifier of the bound service account token
 	// issuer.
@@ -103,8 +105,9 @@ const (
 	// AuthenticationTypeKeycloak AuthenticationType = "Keycloak"
 )
 
-// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
-type WebhookTokenAuthenticator struct {
+// deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator.
+// It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field.
+type DeprecatedWebhookTokenAuthenticator struct {
 	// kubeConfig contains kube config file data which describes how to access the remote webhook service.
 	// For further details, see:
 	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
@@ -115,6 +118,24 @@ type WebhookTokenAuthenticator struct {
 	KubeConfig SecretNameReference `json:"kubeConfig"`
 }
 
+// webhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator
+type WebhookTokenAuthenticator struct {
+	// kubeConfig references a secret that contains kube config file data which
+	// describes how to access the remote webhook service.
+	// The namespace for the referenced secret is openshift-config.
+	//
+	// For further details, see:
+	//
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
+	//
+	// The key "kubeConfig" is used to locate the data.
+	// If the secret or expected key is not found, the webhook is not honored.
+	// If the specified kube config data is not valid, the webhook is not honored.
+	// +kubebuilder:validation:Required
+	// +required
+	KubeConfig SecretNameReference `json:"kubeConfig"`
+}
+
 const (
 	// OAuthMetadataKey is the key for the oauth authorization server metadata
 	OAuthMetadataKey = "oauthMetadata"