

Replaced property useAzureIdentity with Credentials enum to be expandable
satr committed Feb 19, 2025
1 parent 3b7d9e5 commit 4d0855a
Showing 8 changed files with 71 additions and 43 deletions.
28 changes: 18 additions & 10 deletions charts/radix-operator/templates/radixapplication.yaml
Expand Up @@ -178,6 +178,15 @@ spec:
Cookie.Refresh must be 0, and both SetXAuthRequestHeaders and SetAuthorizationHeader must be false if this setting is true.
type: boolean
type: object
credentials:
default: secret
description: Credentials defines credentials type for
authenticating. Default is a Secret, which represents
a client secret.
enum:
- secret
- azureWorkloadIdentity
type: string
loginUrl:
description: |-
Defines the authentication endpoint of the identity provider.
Expand Down Expand Up @@ -243,11 +252,6 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity instead
of using a ClientSecret.
type: boolean
type: object
type: object
dockerfileName:
Expand Down Expand Up @@ -340,6 +344,15 @@ spec:
Cookie.Refresh must be 0, and both SetXAuthRequestHeaders and SetAuthorizationHeader must be false if this setting is true.
type: boolean
type: object
credentials:
default: secret
description: Credentials defines credentials type
for authenticating. Default is a Secret, which
represents a client secret.
enum:
- secret
- azureWorkloadIdentity
type: string
loginUrl:
description: |-
Defines the authentication endpoint of the identity provider.
Expand Down Expand Up @@ -407,11 +420,6 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity
instead of using a ClientSecret.
type: boolean
type: object
type: object
dockerfileName:
14 changes: 9 additions & 5 deletions charts/radix-operator/templates/radixdeployment.yaml
Expand Up @@ -138,6 +138,15 @@ spec:
Cookie.Refresh must be 0, and both SetXAuthRequestHeaders and SetAuthorizationHeader must be false if this setting is true.
type: boolean
type: object
credentials:
default: secret
description: Credentials defines credentials type for
authenticating. Default is a Secret, which represents
a client secret.
enum:
- secret
- azureWorkloadIdentity
type: string
loginUrl:
description: |-
Defines the authentication endpoint of the identity provider.
Expand Down Expand Up @@ -203,11 +212,6 @@ spec:
X-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.
The access token is passed in the X-Auth-Request-Access-Token header.
type: boolean
useAzureIdentity:
description: UseAzureIdentity defines that credentials
for authenticating using Azure Workload Identity instead
of using a ClientSecret.
type: boolean
type: object
type: object
dnsAppAlias:
26 changes: 18 additions & 8 deletions json-schema/radixapplication.json
Expand Up @@ -152,6 +152,15 @@
},
"type": "object"
},
"credentials": {
"default": "secret",
"description": "Credentials defines credentials type for authenticating. Default is a Secret, which represents a client secret.",
"enum": [
"secret",
"azureWorkloadIdentity"
],
"type": "string"
},
"loginUrl": {
"description": "Defines the authentication endpoint of the identity provider.\nMust be set if OIDC.SkipDiscovery is true",
"type": "string"
Expand Down Expand Up @@ -219,10 +228,6 @@
"setXAuthRequestHeaders": {
"description": "Defines if claims from the access token is added to the X-Auth-Request-User, X-Auth-Request-Groups,\nX-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.\nThe access token is passed in the X-Auth-Request-Access-Token header.",
"type": "boolean"
},
"useAzureIdentity": {
"description": "UseAzureIdentity defines that credentials for authenticating using Azure Workload Identity instead of using a ClientSecret.",
"type": "boolean"
}
},
"type": "object"
Expand Down Expand Up @@ -315,6 +320,15 @@
},
"type": "object"
},
"credentials": {
"default": "secret",
"description": "Credentials defines credentials type for authenticating. Default is a Secret, which represents a client secret.",
"enum": [
"secret",
"azureWorkloadIdentity"
],
"type": "string"
},
"loginUrl": {
"description": "Defines the authentication endpoint of the identity provider.\nMust be set if OIDC.SkipDiscovery is true",
"type": "string"
Expand Down Expand Up @@ -382,10 +396,6 @@
"setXAuthRequestHeaders": {
"description": "Defines if claims from the access token is added to the X-Auth-Request-User, X-Auth-Request-Groups,\nX-Auth-Request-Email and X-Auth-Request-Preferred-Username request headers.\nThe access token is passed in the X-Auth-Request-Access-Token header.",
"type": "boolean"
},
"useAzureIdentity": {
"description": "UseAzureIdentity defines that credentials for authenticating using Azure Workload Identity instead of using a ClientSecret.",
"type": "boolean"
}
},
"type": "object"
4 changes: 2 additions & 2 deletions pkg/apis/deployment/oauthproxyresourcemanager_test.go
Expand Up @@ -210,7 +210,7 @@ func (s *OAuthProxyResourceManagerTestSuite) Test_Sync_UseClientSecretOrIdentity
},
{name: "Created the service account with Authentication, OAuth2, true useAzureIdentity", rd: utils.NewDeploymentBuilder().WithAppName(appName).WithEnvironment(envName).
WithComponent(utils.NewDeployComponentBuilder().WithName(componentName1).WithPublicPort("http").WithIdentity(identity).
WithAuthentication(&v1.Authentication{OAuth2: &v1.OAuth2{ClientID: oauth2ClientId, UseAzureIdentity: pointers.Ptr(true)}})).BuildRD(),
WithAuthentication(&v1.Authentication{OAuth2: &v1.OAuth2{ClientID: oauth2ClientId, Credentials: v1.AzureWorkloadIdentity}})).BuildRD(),
expectedAuxOauthDeployCount: 1,
expectedSa: auxOAuthServiceAccount,
},
Expand All @@ -221,7 +221,7 @@ func (s *OAuthProxyResourceManagerTestSuite) Test_Sync_UseClientSecretOrIdentity
},
{name: "Not overridden the existing service account with Authentication, OAuth2, true useAzureIdentity", rd: utils.NewDeploymentBuilder().WithAppName(appName).WithEnvironment(envName).
WithComponent(utils.NewDeployComponentBuilder().WithName(componentName1).WithPublicPort("http").WithIdentity(identity).
WithAuthentication(&v1.Authentication{OAuth2: &v1.OAuth2{ClientID: oauth2ClientId, UseAzureIdentity: pointers.Ptr(true)}})).BuildRD(),
WithAuthentication(&v1.Authentication{OAuth2: &v1.OAuth2{ClientID: oauth2ClientId, Credentials: v1.AzureWorkloadIdentity}})).BuildRD(),
expectedAuxOauthDeployCount: 1,
existingSa: auxOAuthServiceAccount,
expectedSa: auxOAuthServiceAccount,
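Review bot: The test case names on the context lines just above the two changed lines still read `true useAzureIdentity`, although the input they build is now `Credentials: v1.AzureWorkloadIdentity`; rename them, e.g. `"Created the service account with Authentication, OAuth2, Credentials azureWorkloadIdentity"`, so a failure message points at the field actually exercised. Since an unset `Credentials` now selects the client-secret path by default, the table should also contain a case with `Credentials` left unset if it does not already; the rest of the table is outside the hunk. The enclosing Test_Sync_UseClientSecretOrIdentity starts before and ends after the hunk.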
6 changes: 3 additions & 3 deletions pkg/apis/deployment/secretrefs_test.go
Expand Up @@ -346,15 +346,15 @@ func Test_GetRadixComponentsForEnv_AzureKeyVaultUseIAzureIdentity(t *testing.T)
{name: "empty when commonConfig is empty and environmentConfig is empty", commonConfig: nil, configureEnvironment: true, environmentConfig: nil, expected: nil},
{name: "empty when commonConfig is empty and environmentConfig is not set", commonConfig: nil, configureEnvironment: false, environmentConfig: nil, expected: nil},
{name: "use commonConfig when environmentConfig is empty", commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}}, configureEnvironment: true, environmentConfig: nil, expected: pointers.Ptr(true)},
{name: "use commonConfig when environmentConfig.UseAzureIdentity is empty", commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}}, configureEnvironment: true, environmentConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: nil, Items: []v1.RadixAzureKeyVaultItem{}}}, expected: pointers.Ptr(true)},
{name: "override non-empty commonConfig with environmentConfig.UseAzureIdentity",
{name: "use commonConfig when environmentConfig.Credentials is empty", commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}}, configureEnvironment: true, environmentConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: nil, Items: []v1.RadixAzureKeyVaultItem{}}}, expected: pointers.Ptr(true)},
{name: "override non-empty commonConfig with environmentConfig.Credentials",
commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(false), Items: createRadixAzureKeyVaultItem()}},
configureEnvironment: true, environmentConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}},
expected: pointers.Ptr(true)},
{name: "override empty commonConfig with environmentConfig", commonConfig: nil, configureEnvironment: true,
environmentConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}},
expected: pointers.Ptr(true)},
{name: "override empty commonConfig.UseAzureIdentity with environmentConfig", commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: nil, Items: []v1.RadixAzureKeyVaultItem{}}},
{name: "override empty commonConfig.Credentials with environmentConfig", commonConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: nil, Items: []v1.RadixAzureKeyVaultItem{}}},
configureEnvironment: true, environmentConfig: []v1.RadixAzureKeyVault{{Name: "key-vault-1", UseAzureIdentity: pointers.Ptr(true), Items: createRadixAzureKeyVaultItem()}},
expected: pointers.Ptr(true)},
}
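Review bot: The renamed case names `use commonConfig when environmentConfig.Credentials is empty`, `override non-empty commonConfig with environmentConfig.Credentials` and `override empty commonConfig.Credentials with environmentConfig` no longer describe what the cases set: the same lines still populate `RadixAzureKeyVault.UseAzureIdentity`, which this commit does not change. Either keep the `UseAzureIdentity` wording in these three names or, if the key vault field is meant to follow the OAuth2 rename, change that field in the same commit; as committed the names point a reader at a field the struct does not have. The enclosing Test_GetRadixComponentsForEnv_AzureKeyVaultUseIAzureIdentity starts before and ends after the hunk.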
18 changes: 15 additions & 3 deletions pkg/apis/radix/v1/radixapptypes.go
Expand Up @@ -917,6 +917,16 @@ type RadixPrivateImageHubCredential struct {
Email string `json:"email"`
}

// CredentialsType defines the type of credentials
type CredentialsType string

const (
// Secret defines the client secret as a type of credentials
Secret CredentialsType = "secret"
// AzureWorkloadIdentity defines the Azure workload identity as a type of credentials
AzureWorkloadIdentity CredentialsType = "azureWorkloadIdentity"
)

// RadixVolumeMount defines an external storage resource.
type RadixVolumeMount struct {
// Deprecated: use BlobFuse2 instead.
Expand Down Expand Up @@ -1379,9 +1389,11 @@ type OAuth2 struct {
// +optional
RedisStore *OAuth2RedisStore `json:"redisStore,omitempty"`

// UseAzureIdentity defines that credentials for authenticating using Azure Workload Identity instead of using a ClientSecret.
// Credentials defines credentials type for authenticating. Default is a Secret, which represents a client secret.
// +kubebuilder:validation:Enum=secret;azureWorkloadIdentity
// +kubebuilder:default:=secret
// +optional
UseAzureIdentity *bool `json:"useAzureIdentity,omitempty"`
Credentials CredentialsType `json:"credentials,omitempty"`
}

// OAuth2Cookie defines properties for the oauth cookie.
Expand Down Expand Up @@ -1903,7 +1915,7 @@ func (oauth2 *OAuth2) GetUseAzureIdentity() bool {
if oauth2 == nil {
return false
}
return oauth2.UseAzureIdentity != nil && *oauth2.UseAzureIdentity
return oauth2.Credentials == AzureWorkloadIdentity
}

// GetSessionStoreType Returns the session store type
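Review bot: `UseAzureIdentity` is removed from `OAuth2` with no deprecated alias or conversion, so a manifest that still sets `useAzureIdentity: true` would, as far as the hunks show, lose that setting once the CRD schema no longer lists the field and fall back to the `secret` default; for a field that selects how the OAuth2 proxy authenticates, this deserves either a transition that keeps the old field and maps it onto `Credentials`, or an explicit note that the change is breaking. The new constants `Secret` and `AzureWorkloadIdentity` are very generic names at the top level of package v1 and read ambiguously next to the Kubernetes `Secret` type at call sites such as `v1.Secret` in the test files; naming them after the type, `CredentialsTypeSecret` and `CredentialsTypeAzureWorkloadIdentity`, is cheap to do before the API ships. `GetUseAzureIdentity` keeps its old name while the field is gone; a doc comment such as `// GetUseAzureIdentity reports whether Credentials selects Azure Workload Identity; an unset value means the client secret.` would make the accessor's contract explicit, and that function starts outside the hunk.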
5 changes: 0 additions & 5 deletions pkg/apis/radix/v1/zz_generated.deepcopy.go


13 changes: 6 additions & 7 deletions pkg/apis/utils/labels/labels_test.go
Expand Up @@ -3,9 +3,8 @@ package labels
import (
"testing"

"github.com/equinor/radix-common/utils/pointers"
"github.com/equinor/radix-operator/pkg/apis/kube"
v1 "github.com/equinor/radix-operator/pkg/apis/radix/v1"
"github.com/equinor/radix-operator/pkg/apis/radix/v1"
"github.com/stretchr/testify/assert"
kubelabels "k8s.io/apimachinery/pkg/labels"
)
Expand Down Expand Up @@ -60,14 +59,14 @@ func Test_ForOAuthProxyServiceAccountWithWorkloadIdentity(t *testing.T) {
assert.Equal(t, kubelabels.Set(nil), actual, "Not expected labels when there is no OAuth2")

actual = ForOauthProxyServiceAccountWithRadixIdentity(&v1.OAuth2{})
assert.Equal(t, kubelabels.Set(nil), actual, "Not expected labels when there is no UseAzureIdentity")
assert.Equal(t, kubelabels.Set(nil), actual, "Not expected labels when there is no Credentials")

actual = ForOauthProxyServiceAccountWithRadixIdentity(&v1.OAuth2{UseAzureIdentity: pointers.Ptr(false), ClientID: "any-client-id"})
assert.Equal(t, kubelabels.Set(nil), actual, "Not expected labels when UseAzureIdentity is false")
actual = ForOauthProxyServiceAccountWithRadixIdentity(&v1.OAuth2{Credentials: v1.Secret, ClientID: "any-client-id"})
assert.Equal(t, kubelabels.Set(nil), actual, "Not expected labels when Credentials is Secret")

actual = ForOauthProxyServiceAccountWithRadixIdentity(&v1.OAuth2{UseAzureIdentity: pointers.Ptr(true), ClientID: "any-client-id"})
actual = ForOauthProxyServiceAccountWithRadixIdentity(&v1.OAuth2{Credentials: v1.AzureWorkloadIdentity, ClientID: "any-client-id"})
expected := kubelabels.Set{"azure.workload.identity/use": "true"}
assert.Equal(t, expected, actual, "Expected labels when UseAzureIdentity is true")
assert.Equal(t, expected, actual, "Expected labels when Credentials is AzureWorkloadIdentity")
}

func Test_ForPodWithRadixIdentity(t *testing.T) {

0 comments on commit 4d0855a
