Support OIDC-based SSO on keystone/horizon (#145)

.github/workflows/preview-capi-setup.yaml

@@ -29,6 +29,7 @@ jobs:
         run: |
           echo "::add-mask::${{ secrets.PREVIEW_KUBECONFIG }}"
           echo "::add-mask::${{ secrets.GCLOUD_SVC_ACCOUNT_KEY_JSON }}"
+          echo "::add-mask::${{ secrets.GITLAB_TOKEN }}"
 
       - name: Auth with Google Cloud
         uses: google-github-actions/auth@v2
@@ -63,6 +64,7 @@ jobs:
           PREVIEW_KUBECONFIG: ${{ secrets.PREVIEW_KUBECONFIG }}
           GCLOUD_SVC_ACCOUNT_KEY_JSON: ${{ secrets.GCLOUD_SVC_ACCOUNT_KEY_JSON }}
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN_READ }}
+          GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
 
       - name: Post comment to PR
         uses: marocchino/sticky-pull-request-comment@v2

.github/workflows/preview-capi-teardown.yaml

@@ -29,6 +29,7 @@ jobs:
         run: |
           echo "::add-mask::${{ secrets.PREVIEW_KUBECONFIG }}"
           echo "::add-mask::${{ secrets.GCLOUD_SVC_ACCOUNT_KEY_JSON }}"
+          echo "::add-mask::${{ secrets.GITLAB_TOKEN }}"
 
       - name: Auth with Google Cloud
         uses: google-github-actions/auth@v2
@@ -56,3 +57,4 @@ jobs:
         run: ./teardown.sh
         env:
           PREVIEW_KUBECONFIG: ${{ secrets.PREVIEW_KUBECONFIG }}
+          GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}

api/v1beta1/horizon_types.go

@@ -30,6 +30,9 @@ type HorizonSpec struct {
 	// +optional
 	Server HorizonServerSpec `json:"server,omitempty"`
 
+	// +optional
+	SSO HorizonSSOSpec `json:"sso,omitempty"`
+
 	// +optional
 	Cache CacheSpec `json:"cache,omitempty"`
 }
@@ -51,6 +54,26 @@ type HorizonServerSpec struct {
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
+type HorizonSSOSpec struct {
+	// +optional
+	Enabled bool `json:"enabled,omitempty"`
+
+	// +optional
+	KeystoneURL string `json:"keystoneURL,omitempty"`
+
+	// +optional
+	Methods []HorizonSSOMethod `json:"methods,omitempty"`
+}
+
+type HorizonSSOMethod struct {
+	Kind string `json:"kind"`
+
+	Title string `json:"title"`
+
+	// +optional
+	Default bool `json:"default,omitempty"`
+}
+
 // HorizonStatus defines the observed state of Horizon
 type HorizonStatus struct {
 	Conditions []metav1.Condition `json:"conditions"`

api/v1beta1/keystone_types.go

@@ -48,6 +48,9 @@ type KeystoneSpec struct {
 	// +optional
 	Notifications KeystoneNotificationsSpec `json:"notifications,omitempty"`
 
+	// +optional
+	OIDC KeystoneOIDCSpec `json:"oidc,omitempty"`
+
 	// +optional
 	ExtraConfig ExtraConfig `json:"extraConfig,omitempty"`
 }
@@ -74,6 +77,35 @@ type KeystoneNotificationsSpec struct {
 	Enabled bool `json:"enabled,omitempty"`
 }
 
+type KeystoneOIDCSpec struct {
+	// +optional
+	Enabled bool `json:"enabled,omitempty"`
+
+	// +optional
+	Secret string `json:"secret,omitempty"`
+
+	// +optional
+	IdentityProvider string `json:"identityProvider,omitempty"`
+
+	// +optional
+	DashboardURL string `json:"dashboardURL,omitempty"`
+
+	// +optional
+	ProviderMetadataURL string `json:"providerMetadataURL,omitempty"`
+
+	// +optional
+	RedirectURI string `json:"redirectURI,omitempty"`
+
+	// +optional
+	Scopes []string `json:"scopes,omitempty"`
+
+	// +optional
+	RequireClaims []string `json:"requireClaims,omitempty"`
+
+	// +optional
+	ExtraConfig map[string]string `json:"extraConfig,omitempty"`
+}
+
 // KeystoneStatus defines the observed state of Keystone
 type KeystoneStatus struct {
 	Conditions []metav1.Condition `json:"conditions"`

api/v1beta1/keystone_webhook.go

@@ -47,6 +47,15 @@ func (r *Keystone) Default() {
 	r.Spec.Cache = cacheDefault(r.Spec.Cache)
 	r.Spec.Database = databaseDefault(r.Spec.Database, r.Name)
 	r.Spec.API.Image = imageDefault(r.Spec.API.Image, DefaultKeystoneAPIImage)
+
+	if r.Spec.OIDC.Enabled {
+		if len(r.Spec.OIDC.Scopes) == 0 {
+			r.Spec.OIDC.Scopes = []string{"openid", "email", "profile"}
+		}
+		if r.Spec.OIDC.Secret == "" {
+			r.Spec.OIDC.Secret = "keystone-oidc"
+		}
+	}
 }
 
 // TODO(user): change verbs to "verbs=create;update;delete" if you want to enable deletion validation.

ci/preview/capi/controlplane.yaml

@@ -38,7 +38,21 @@ spec:
         vcpus: 4
         disk: 60
         isPublic: true
-  horizon: {}
+  keystone:
+    oidc:
+      enabled: true
+      identityProvider: gitlab
+      providerMetadataURL: https://gitlab.kcloud.io/.well-known/openid-configuration
+      extraConfig:
+        OIDCRemoteUserClaim: preferred_username@
+  horizon:
+    sso:
+      methods:
+      - kind: openid
+        title: GitLab
+        default: true
+      - kind: credentials
+        title: Keystone
   heat: {}
   barbican: {}
   magnum: {}

ci/preview/capi/setup.sh

@@ -121,5 +121,19 @@ fi
 log "Waiting for openstack-operator to become ready"
 kubectl -n openstack-system rollout status deploy openstack-operator-controller-manager
 
+log "Ensuring OIDC set up"
+if ! kubectl get secret keystone-oidc; then
+    oidc_redirect_uri=https://keystone.$CLUSTER_DOMAIN/v3/OS-FEDERATION/identity_providers/gitlab/protocols/openid/auth
+
+    gitlab_app=$(curl -s -H "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+        -d "name=$CLUSTER_NAME&redirect_uri=$oidc_redirect_uri&scopes=read_user openid profile email" \
+        "https://gitlab.kcloud.io/api/v4/applications")
+
+    kubectl create secret generic keystone-oidc \
+        --from-literal=KEYSTONE_OIDC_CLIENT_ID=$(echo $gitlab_app | yq -r '.application_id') \
+        --from-literal=KEYSTONE_OIDC_CLIENT_SECRET=$(echo $gitlab_app | yq -r '.secret') \
+        --from-literal=KEYSTONE_OIDC_CRYPTO_PASSPHRASE=$(python -c 'import secrets; print(secrets.token_hex(24))')
+fi
+
 log "Applying OpenStack control plane manifests"
 sed "s/\$(CLUSTER_DOMAIN)/$CLUSTER_DOMAIN/" controlplane.yaml | kubectl apply -f-

ci/preview/capi/teardown.sh

@@ -35,3 +35,9 @@ log "Cleaning up ingress wildcard DNS record"
 if gcloud dns record-sets describe "*.$CLUSTER_DOMAIN" --type=A --zone=$DNS_ZONE; then
     gcloud dns record-sets delete "*.$CLUSTER_DOMAIN" --type=A --zone=$DNS_ZONE
 fi
+
+log "Cleaning up OAuth apps"
+for app_id in $(curl -s -H "PRIVATE-TOKEN: $GITLAB_TOKEN" https://gitlab.kcloud.io/api/v4/applications | yq -r ".[]|select(.application_name==\"$CLUSTER_NAME\").application_id"); do
+    log "Deleting OAuth app $app_id"
+    curl -s -H "PRIVATE-TOKEN: $GITLAB_TOKEN" -XDELETE https://gitlab.kcloud.io/api/v4/applications/$app_id
+done

config/crd/bases/openstack.ospk8s.com_controlplanes.yaml

@@ -2463,6 +2463,27 @@ spec:
                             type: object
                         type: object
                     type: object
+                  sso:
+                    properties:
+                      enabled:
+                        type: boolean
+                      keystoneURL:
+                        type: string
+                      methods:
+                        items:
+                          properties:
+                            default:
+                              type: boolean
+                            kind:
+                              type: string
+                            title:
+                              type: string
+                          required:
+                          - kind
+                          - title
+                          type: object
+                        type: array
+                    type: object
                 type: object
               ingress:
                 properties:
@@ -2914,6 +2935,33 @@ spec:
                       enabled:
                         type: boolean
                     type: object
+                  oidc:
+                    properties:
+                      dashboardURL:
+                        type: string
+                      enabled:
+                        type: boolean
+                      extraConfig:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      identityProvider:
+                        type: string
+                      providerMetadataURL:
+                        type: string
+                      redirectURI:
+                        type: string
+                      requireClaims:
+                        items:
+                          type: string
+                        type: array
+                      scopes:
+                        items:
+                          type: string
+                        type: array
+                      secret:
+                        type: string
+                    type: object
                 type: object
               magnum:
                 description: MagnumSpec defines the desired state of Magnum

config/crd/bases/openstack.ospk8s.com_horizons.yaml

@@ -137,6 +137,27 @@ spec:
                         type: object
                     type: object
                 type: object
+              sso:
+                properties:
+                  enabled:
+                    type: boolean
+                  keystoneURL:
+                    type: string
+                  methods:
+                    items:
+                      properties:
+                        default:
+                          type: boolean
+                        kind:
+                          type: string
+                        title:
+                          type: string
+                      required:
+                      - kind
+                      - title
+                      type: object
+                    type: array
+                type: object
             type: object
           status:
             description: HorizonStatus defines the observed state of Horizon