refactor(api): refactor auth spec and add inline connection to s3buck…

…et (#138) * refactor(api): refactor auth spec and add inline connection to s3bucket * refactor(api-auth): set tls secret field required * fix(typo): fix some words typo
zncdatadev · Sep 3, 2024 · 22b22f3 · 22b22f3
1 parent d03477f
commit 22b22f3
Show file tree

Hide file tree

Showing 7 changed files with 245 additions and 190 deletions.
diff --git a/pkg/apis/authentication/v1alpha1/authentication_types.go b/pkg/apis/authentication/v1alpha1/authentication_types.go
@@ -40,7 +40,7 @@ type AuthenticationProvider struct {
  OIDC *OIDCProvider `json:"oidc,omitempty"`
 
  // +kubebuilder:validation:Optional
- TLS *TLSPrivider `json:"tls,omitempty"`
+ TLS *TLSProvider `json:"tls,omitempty"`
 
  // +kubebuilder:validation:Optional
  Static *StaticProvider `json:"static,omitempty"`
@@ -61,7 +61,7 @@ type OIDCProvider struct {
 
  // +kubebuilder:validation:Required
  // +kubebuilder:validation:Enum=oidc;keycloak;dexidp;authentik
- ProviderHint string `json:"providerHint"`
+ Provisioner string `json:"provisioner"`
 
  // +kubebuilder:validation:Optional
  RootPath string `json:"rootPath,omitempty"`
@@ -70,21 +70,32 @@ type OIDCProvider struct {
  Scopes []string `json:"scopes,omitempty"`
 
  // +kubebuilder:validation:Optional
- TLS *TLS `json:"tls,omitempty"`
+ TLS *OIDCTls `json:"tls,omitempty"`
 }
 
-type TLSPrivider struct {
- // +kubebuilder:validation:Optional
- SecretClass string `json:"secretClass,omitempty"`
+type OIDCTls struct {
+ // +kubebuilder:validation
+ Verification *commonsv1alpha1.TLSVerificationSpec `json:"verification"`
+}
+
+type TLSProvider struct {
+ // +kubebuilder:validation:Required
+ ClientCertSecretClass string `json:"clientCertSecretClass"`
 }
 
 type StaticProvider struct {
- CerdentialSecret string `json:"credential"`
+ // +kubebuilder:validation:Required
+ UserCredentialsSecret *StaticCredentialsSecret `json:"userCredentialsSecret"`
+}
+
+type StaticCredentialsSecret struct {
+ // +kubebuilder:validation:Required
+ Name string `json:"name"`
 }
 
 type LDAPProvider struct {
  // +kubebuilder:validation:Required
- Credential *LDAPCredential `json:"credential"`
+ BindCredentials *commonsv1alpha1.Credentials `json:"bindCredentials"`
 
  // +kubebuilder:validation:Required
  Hostname string `json:"hostname"`
@@ -95,40 +106,21 @@ type LDAPProvider struct {
  // +kubebuilder:validation:Optional
  LDAPFieldNames *LDAPFieldNames `json:"ldapFieldNames,omitempty"`
 
- // LDAP search base, for example: ou=users,dc=example,dc=org.
+ // LDAP search base, for example: ou=users,dc=example,dc=com.
  // +kubebuilder:validation:Optional
  SearchBase string `json:"searchBase,omitempty"`
 
- // LDAP search filter, for example: (uid=%s).
+ // LDAP search filter, for example: (ou=teams,dc=example,dc=com).
  // +kubebuilder:validation:Optional
  SearchFilter string `json:"searchFilter,omitempty"`
 
  // +kubebuilder:validation:Optional
- TLS *TLS `json:"tls,omitempty"`
-}
-
-type TLS struct {
- // +kubebuilder:validation:Optional
- Verification *commonsv1alpha1.TLSVerificationSpec `json:"verification,omitempty"`
+ TLS *LDAPTLS `json:"tls,omitempty"`
 }
 
-type LDAPCredential struct {
- // +kubebuilder:validation:Optional
- Scopes *CrendentialScope `json:"scopes,omitempty"`
-
+type LDAPTLS struct {
  // +kubebuilder:validation:Required
- SecretClass string `json:"secretClass"`
-}
-
-type CrendentialScope struct {
- // +kubebuilder:validation:Optional
- Node string `json:"node,omitempty"`
-
- // +kubebuilder:validation:Optional
- Pod string `json:"pod,omitempty"`
-
- // +kubebuilder:validation:Optional
- Services []string `json:"services,omitempty"`
+ Verification *commonsv1alpha1.TLSVerificationSpec `json:"verification"`
 }
 
 type LDAPFieldNames struct {

diff --git a/pkg/apis/authentication/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/authentication/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/commons/v1alpha1/credentials.go b/pkg/apis/commons/v1alpha1/credentials.go
@@ -0,0 +1,23 @@
+package v1alpha1
+
+type Credentials struct {
+
+ // SecretClass scope
+ // +kubebuilder:validation:Optional
+ Scope *CredentialsScope `json:"scope,omitempty"`
+
+ // +kubebuilder:validation:Required
+ SecretClass string `json:"secretClass"`
+}
+
+type CredentialsScope struct {
+
+ // +kubebuilder:validation:Optional
+ Node bool `json:"node,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ Pod bool `json:"pod,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ Services []string `json:"services,omitempty"`
+}
diff --git a/pkg/apis/commons/v1alpha1/tls.go b/pkg/apis/commons/v1alpha1/tls.go
@@ -1,12 +1,22 @@
 package v1alpha1
 
+// TLSPrivider defines the TLS provider for authentication.
+// You can specify the none or server or mutual verification.
 type TLSVerificationSpec struct {
 
  // +kubebuilder:validation:Optional
  None *NoneVerification `json:"none,omitempty"`
 
  // +kubebuilder:validation:Optional
  Server *ServerVerification `json:"server,omitempty"`
+
+ // +kubebuilder:validation:Optional
+ Mutual *MutualVerification `json:"mutual,omitempty"`
+}
+
+type MutualVerification struct {
+ // +kubebuilder:validation:Required
+ CertSecretClass string `json:"certSecretClass"`
 }
 
 type NoneVerification struct {
@@ -17,9 +27,15 @@ type ServerVerification struct {
  CACert *CACert `json:"caCert"`
 }
 
+// CACert is the CA certificate for server verification.
+// You can specify the secret class or the webPki.
 type CACert struct {
  // +kubebuilder:validation:Optional
  SecretClass string `json:"secretClass,omitempty"`
 
- WebPIK *string `json:"webPIK,omitempty"`
+ // +kubebuilder:validation:Optional
+ WebPki *WebPki `json:"webPki,omitempty"`
+}
+
+type WebPki struct {
 }