diff --git a/api/v1beta1/metricsconfig_types.go b/api/v1beta1/metricsconfig_types.go
index ae6949dcd..7ab26f5b4 100644
--- a/api/v1beta1/metricsconfig_types.go
+++ b/api/v1beta1/metricsconfig_types.go
@@ -98,10 +98,10 @@ type EmbeddedPersistentVolumeClaim struct {
 // AuthenticationSpec defines the desired state of Authentication object in the KokuMetricsConfigSpec.
 type AuthenticationSpec struct {
- // AuthType is a field of KokuMetricsConfig to represent the authentication type to be used basic or token.
+ // AuthType is a field of KokuMetricsConfig to represent the authentication type to be used basic, service-account or token.
 // Valid values are:
 // - "basic" : Enables authentication using user and password from authentication secret.
- // - "service-account" : Enables authentication using client-id and client-secret from the secret containing service account information.
+ // - "service-account" : Enables authentication using client_id and client_secret from the secret containing service account information.
 // - "token" (default): Uses cluster token for authentication.
 // +kubebuilder:default="token"
 AuthType AuthenticationType `json:"type"`
@@ -114,7 +114,7 @@ type AuthenticationSpec struct {
 // TokenURL is a field of KokuMetricsConfig to represent the endpoint used to obtain the service account token.
 // The default is `https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`.
 // +kubebuilder:default=`https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`
- TokenURL string `json:"token_url"`
+ TokenURL string `json:"token_url,omitempty"`
 }
 // PackagingSpec defines the desired state of the Packaging object in the KokuMetricsConfigSpec.
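Review bot: `TokenURL` becomes optional here but is still unvalidated: nothing on the field restricts it to HTTPS. Its doc comment describes it as the endpoint used to obtain the service account token, so the `client_id`/`client_secret` exchange presumably goes to whatever URL the CR holds, and a typo or an edit by anyone allowed to modify the CR could send those credentials over plaintext or to an unintended host. Consider adding `// +kubebuilder:validation:Pattern="^https://.+"` next to the default marker so the API server rejects non-TLS endpoints. With `omitempty`, a config built in Go with an empty `TokenURL` now relies on the CRD default being applied; whether the controller rejects an empty value is not visible here. `AuthenticationSpec` opens above this hunk.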
@@ -270,7 +270,7 @@ type KokuMetricsConfigSpec struct {
 // AuthenticationStatus defines the desired state of Authentication object in the KokuMetricsConfigStatus.
 type AuthenticationStatus struct {
- // AuthType is a field of KokuMetricsConfig to represent the authentication type to be used basic or token.
+ // AuthType is a field of KokuMetricsConfig to represent the authentication type to be used basic, service-account or token.
 AuthType AuthenticationType `json:"type,omitempty"`
 // AuthenticationSecretName is a field of KokuMetricsConfig to represent the secret with the user and password used for uploads.
diff --git a/config/crd/bases/koku-metrics-cfg.openshift.io_kokumetricsconfigs.yaml b/config/crd/bases/koku-metrics-cfg.openshift.io_kokumetricsconfigs.yaml
index d6e75c038..ce13bbf92 100644
--- a/config/crd/bases/koku-metrics-cfg.openshift.io_kokumetricsconfigs.yaml
+++ b/config/crd/bases/koku-metrics-cfg.openshift.io_kokumetricsconfigs.yaml
@@ -58,19 +58,18 @@ spec: type: default: token description: 'AuthType is a field of KokuMetricsConfig to represent - the authentication type to be used basic or token. Valid values - are: - "basic" : Enables authentication using user and password - from authentication secret. - "service-account" : Enables authentication - using client-id and client-secret from the secret containing - service account information. - "token" (default): Uses cluster - token for authentication.' + the authentication type to be used basic, service-account or + token. Valid values are: - "basic" : Enables authentication + using user and password from authentication secret. - "service-account" + : Enables authentication using client_id and client_secret from + the secret containing service account information. - "token" + (default): Uses cluster token for authentication.' enum: - token - basic - service-account type: string required: - - token_url - type type: object clusterID:
@@ -532,7 +531,8 @@ spec: type: string type: description: AuthType is a field of KokuMetricsConfig to represent - the authentication type to be used basic or token. + the authentication type to be used basic, service-account or + token. enum: - token - basic
diff --git a/controllers/kokumetricsconfig_controller.go b/controllers/kokumetricsconfig_controller.go
index 9703808f5..dcfa67ec4 100644
--- a/controllers/kokumetricsconfig_controller.go
+++ b/controllers/kokumetricsconfig_controller.go
@@ -395,7 +395,7 @@ func (r *MetricsConfigReconciler) setAuthentication(ctx context.Context, authCon
 if cr.Spec.Authentication.AuthenticationSecretName == "" {
 // No authentication secret name set when using basic or service-account auth
 cr.Status.Authentication.AuthenticationCredentialsFound = &falseDef
- err := fmt.Errorf("no authentication secret name set when using basic or service-account auth")
+ err := fmt.Errorf("no authentication secret name set when using %s auth", cr.Status.Authentication.AuthType)
 cr.Status.Authentication.AuthErrorMessage = err.Error()
 cr.Status.Authentication.ValidBasicAuth = &falseDef
 return err
diff --git a/controllers/kokumetricsconfig_controller_test.go b/controllers/kokumetricsconfig_controller_test.go
index 9994f233a..799e35a8b 100644
--- a/controllers/kokumetricsconfig_controller_test.go
+++ b/controllers/kokumetricsconfig_controller_test.go
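Review bot: The new error message in `setAuthentication` formats `cr.Status.Authentication.AuthType`, while the guard at the top of the hunk reads from `cr.Spec.Authentication`. If the status field has not been copied from the spec by this point, the message would read "when using  auth" with an empty type, and nothing in the hunk shows where the status is populated. Either confirm that ordering or format the spec value directly, `err := fmt.Errorf("no authentication secret name set when using %s auth", cr.Spec.Authentication.AuthType)`. The branch also sets `ValidBasicAuth` to false on the service-account path; if that field is intentionally shared by both credential types, a short comment saying so would help the next reader. The function begins and ends outside the hunk.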
@@ -615,7 +615,7 @@ var _ = Describe("MetricsConfigController - CRD Handling", Ordered, func() {
 Expect(*fetched.Status.Authentication.AuthenticationCredentialsFound).To(BeFalse())
 Expect(fetched.Status.Authentication.AuthenticationSecretName).To(BeEmpty())
 Expect(fetched.Status.Authentication.AuthErrorMessage).ToNot(BeEmpty())
- Expect(fetched.Status.Authentication.AuthErrorMessage).To(ContainSubstring("no authentication secret name set when using basic or service-account auth"))
+ Expect(fetched.Status.Authentication.AuthErrorMessage).To(ContainSubstring("no authentication secret name set when using service-account auth"))
 })
 It("should handle missing required fields in service account auth creds", func() {
diff --git a/docs/csv-description.md b/docs/csv-description.md
index ff9480bab..ab7b6cd0a 100644
--- a/docs/csv-description.md
+++ b/docs/csv-description.md
@@ -60,8 +60,8 @@ If these assumptions are not met, the operator will not deploy correctly. In the ## Configurable parameters: * `authentication`: - * `type: token` -> The authentication method for connecting to `console.redhat.com`. The default and preferred method is `token`. `basic` is used when the openshift-config pull-secret does not contain a token for `console.redhat.com`. - * `secret_name` -> The Secret used by the operator when the authentication type is `basic`. This parameter is required **only if** the authentication type is `basic`. + * `type: token` -> The authentication method for connecting to `console.redhat.com`. The default and preferred method is `token`. `basic` and `service-account` authentication methods are used when the openshift-config pull-secret does not contain a token for `console.redhat.com`. + * `secret_name` -> The Secret used by the operator when the authentication type is `basic` or `service-account`. This parameter is required **only if** the authentication type is `basic` or `service-account`. * `packaging`: * `max_reports_to_store: 30` -> The number of reports to store when configured in air-gapped mode. The default is 30, with a minimum of 1 and no maximum. When the operator is not configured in air-gapped mode, this parameter has no effect. Reports are removed as soon as they are uploaded. * `max_size: 100` -> The maximum size for packaged files in Megabytes prior to compression. The default is 100, with a minimum of 1 and maximum of 100. 
@@ -85,20 +85,31 @@ If these assumptions are not met, the operator will not deploy correctly. In the ##### Configure authentication The default authentication for the operator is `token`. No further steps are required to configure token authentication. If `basic` is the preferred authentication method, a Secret must be created which holds username and password credentials: 1. On the left navigation pane, select `Workloads` -> `Secrets` -> select Project: `koku-metrics-operator` -> `Create` -> `Key/Value Secret` -2. Give the Secret a name and add 2 keys: `username` and `password` (all lowercase). The values for these keys correspond to console.redhat.com credentials. +2. Give the Secret a name and add 2 keys (all lowercase) for the respective authentication type. The values for these keys correspond to console.redhat.com credentials: + * basic auth: `username` and `password` + * service-account auth: `client_id` and `client_secret` + 3. Select `Create`. ##### Create the KokuMetricsConfig Configure the koku-metrics-operator by creating a `KokuMetricsConfig`. 1. On the left navigation pane, select `Operators` -> `Installed Operators` -> `koku-metrics-operator` -> `KokuMetricsConfig` -> `Create Instance`. -2. For `basic` authentication, edit the following values in the spec: - * Replace `authentication: type:` with `basic`. +2. For `basic` or `service-account` authentication, edit the following values in the spec: + * Replace `authentication: type:` with `basic` or `service-account`. * Add the `secret_name` field under `authentication`, and set it equal to the name of the authentication Secret that was created above. The spec should look similar to the following: + * for basic auth type ``` authentication: secret_name: SECRET-NAME type: basic ``` + + * for service-account auth type + ``` + authentication: + secret_name: SECRET-NAME + type: service-account + ``` 3. 
To configure the koku-metrics-operator to create a cost management integration, edit the following values in the `source` field: * Replace the `name` field value with the preferred name of the integration to be created.