operator: Allow reduced tenant OIDC authentication requirements (#6362)

operator/CHANGELOG.md

@@ -1,5 +1,6 @@
 ## Main
 
+- [6362](https://github.com/grafana/loki/pull/6362) **periklis**: Allow reduced tenant OIDC authentication requirements
 - [6288](https://github.com/grafana/loki/pull/6288) **aminesnow**: Expose only an HTTPS gateway when in openshift mode
 - [6195](https://github.com/grafana/loki/pull/6195) **periklis**: Add ruler config support
 - [6198](https://github.com/grafana/loki/pull/6198) **periklis**: Add support for custom S3 CA

operator/api/v1beta1/lokistack_types.go

@@ -159,12 +159,20 @@ type OIDCSpec struct {
 	IssuerURL string `json:"issuerURL"`
 	// RedirectURL defines the URL for redirect.
 	//
-	// +required
-	// +kubebuilder:validation:Required
+	// +optional
+	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redirect URL"
-	RedirectURL   string `json:"redirectURL"`
-	GroupClaim    string `json:"groupClaim"`
-	UsernameClaim string `json:"usernameClaim"`
+	RedirectURL string `json:"redirectURL,omitempty"`
+	// Group claim field from ID Token
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	GroupClaim string `json:"groupClaim,omitempty"`
+	// User claim field from ID Token
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	UsernameClaim string `json:"usernameClaim,omitempty"`
 }
 
 // AuthenticationSpec defines the oidc configuration per tenant for lokiStack Gateway component.

operator/bundle/manifests/loki.grafana.com_lokistacks.yaml

@@ -838,6 +838,7 @@ spec:
                             authentication.
                           properties:
                             groupClaim:
+                              description: Group claim field from ID Token
                               type: string
                             issuerURL:
                               description: IssuerURL defines the URL for issuer.
@@ -857,13 +858,11 @@ spec:
                               - name
                               type: object
                             usernameClaim:
+                              description: User claim field from ID Token
                               type: string
                           required:
-                          - groupClaim
                           - issuerURL
-                          - redirectURL
                           - secret
-                          - usernameClaim
                           type: object
                         tenantId:
                           description: TenantID defines the id of the tenant.

operator/config/crd/bases/loki.grafana.com_lokistacks.yaml

@@ -833,6 +833,7 @@ spec:
                             authentication.
                           properties:
                             groupClaim:
+                              description: Group claim field from ID Token
                               type: string
                             issuerURL:
                               description: IssuerURL defines the URL for issuer.
@@ -852,13 +853,11 @@ spec:
                               - name
                               type: object
                             usernameClaim:
+                              description: User claim field from ID Token
                               type: string
                           required:
-                          - groupClaim
                           - issuerURL
-                          - redirectURL
                           - secret
-                          - usernameClaim
                           type: object
                         tenantId:
                           description: TenantID defines the id of the tenant.

operator/internal/handlers/internal/gateway/tenant_secrets.go

@@ -69,13 +69,7 @@ func extractSecret(s *corev1.Secret, tenantName string) (*manifests.TenantSecret
 		return nil, kverrors.New("missing clientID field", "field", "clientID")
 	}
 	clientSecret := s.Data["clientSecret"]
-	if len(clientSecret) == 0 {
-		return nil, kverrors.New("missing clientSecret field", "field", "clientSecret")
-	}
 	issuerCAPath := s.Data["issuerCAPath"]
-	if len(issuerCAPath) == 0 {
-		return nil, kverrors.New("missing issuerCAPath field", "field", "issuerCAPath")
-	}
 
 	return &manifests.TenantSecrets{
 		TenantName:   tenantName,

operator/internal/handlers/internal/gateway/tenant_secrets_test.go

@@ -157,27 +157,6 @@ func TestExtractSecret(t *testing.T) {
 			secret:     &corev1.Secret{},
 			wantErr:    true,
 		},
-		{
-			name:       "missing clientSecret",
-			tenantName: "tenant-a",
-			secret: &corev1.Secret{
-				Data: map[string][]byte{
-					"clientID": []byte("test"),
-				},
-			},
-			wantErr: true,
-		},
-		{
-			name:       "missing issuerCAPath",
-			tenantName: "tenant-a",
-			secret: &corev1.Secret{
-				Data: map[string][]byte{
-					"clientID":     []byte("test"),
-					"clientSecret": []byte("test"),
-				},
-			},
-			wantErr: true,
-		},
 		{
 			name:       "all set",
 			tenantName: "tenant-a",

operator/internal/manifests/internal/gateway/gateway-tenants.yaml

@@ -19,7 +19,9 @@ tenants:
     {{- end -}}
     {{- end }}
     issuerURL: {{ $spec.OIDC.IssuerURL }}
+    {{ if $spec.OIDC.RedirectURL }}
     redirectURL: {{ $spec.OIDC.RedirectURL }}
+    {{- end -}}
     {{ if $spec.OIDC.UsernameClaim }}
     usernameClaim: {{ $spec.OIDC.UsernameClaim }}
     {{- end -}}