Merge pull request #1716 from stlaz/authn_type

AUTH-439: authentication: use CRD validation for the 'type' field

config/v1/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml

@@ -216,6 +216,11 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
+                    - OIDC
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object

config/v1/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml

@@ -216,6 +216,11 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
+                    - OIDC
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object

config/v1/0000_10_config-operator_01_authentication.crd.yaml

@@ -52,6 +52,10 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object

config/v1/custom.authentication.testsuite.yaml

@@ -12,6 +12,17 @@ tests:
       apiVersion: config.openshift.io/v1
       kind: Authentication
       spec: {}
+  - name: Should be able to use the OIDC type
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: Authentication
+      spec:
+        type: OIDC
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: Authentication
+      spec:
+        type: OIDC
   - name: Cannot set username claim prefix with policy NoPrefix
     initial: |
       apiVersion: config.openshift.io/v1

config/v1/stable.authentication.testsuite.yaml

@@ -12,3 +12,10 @@ tests:
       apiVersion: config.openshift.io/v1
       kind: Authentication
       spec: {}
+  - name: Shouldn't be able to use the OIDC type in a stable version of the resource
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: Authentication
+      spec:
+        type: OIDC
+    expectedError: "spec.type: Unsupported value: \"OIDC\": supported values: \"\", \"None\", \"IntegratedOAuth\""

config/v1/techpreview.authentication.testsuite.yaml

@@ -12,6 +12,17 @@ tests:
       apiVersion: config.openshift.io/v1
       kind: Authentication
       spec: {}
+  - name: Should be able to use the OIDC type
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: Authentication
+      spec:
+        type: OIDC
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: Authentication
+      spec:
+        type: OIDC
   - name: Cannot set username claim prefix with policy NoPrefix
     initial: |
       apiVersion: config.openshift.io/v1
@@ -284,4 +295,4 @@ tests:
           componentName: name2
         - componentNamespace: namespace2
           componentName: name3
-    expected: *removeFromStatus
+    expected: *removeFromStatus

config/v1/types_authentication.go

@@ -130,6 +130,8 @@ type AuthenticationList struct {
 	Items []Authentication `json:"items"`
 }
 
+// +openshift:validation:FeatureSetAwareEnum:featureSet=Default,enum="";None;IntegratedOAuth
+// +openshift:validation:FeatureSetAwareEnum:featureSet=CustomNoUpgrade;TechPreviewNoUpgrade,enum="";None;IntegratedOAuth;OIDC
 type AuthenticationType string
 
 const (

payload-manifests/crds/0000_10_config-operator_01_authentication.crd-CustomNoUpgrade.yaml

@@ -216,6 +216,11 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
+                    - OIDC
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object

payload-manifests/crds/0000_10_config-operator_01_authentication.crd-TechPreviewNoUpgrade.yaml

@@ -216,6 +216,11 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
+                    - OIDC
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object

payload-manifests/crds/0000_10_config-operator_01_authentication.crd.yaml

@@ -52,6 +52,10 @@ spec:
                 type:
                   description: type identifies the cluster managed, user facing authentication mode in use. Specifically, it manages the component that responds to login attempts. The default is IntegratedOAuth.
                   type: string
+                  enum:
+                    - ""
+                    - None
+                    - IntegratedOAuth
                 webhookTokenAuthenticator:
                   description: "webhookTokenAuthenticator configures a remote token reviewer. These remote authentication webhooks can be used to verify bearer tokens via the tokenreviews.authentication.k8s.io REST API. This is required to honor bearer tokens that are provisioned by an external authentication service. \n Can only be set if \"Type\" is set to \"None\"."
                   type: object