OIDC feature (#423)

* feat: adding oidc features to cluster-api

* added webhook for oidc feature and corrected conversion

corrected image path

* Fixed webhook and added webhook tests.

* revert changes to manager_image_patch file

* removed unecessary formatting changes

* added OIDC doc

* corrected formatt

* added unit test for compareSpecs

---------

Co-authored-by: Tyler Horvath <tyler.horvath@gmail.com>

Author: dranicu

api/v1beta1/conversion.go

@@ -142,3 +142,8 @@ func Convert_v1beta1_OCIManagedClusterStatus_To_v1beta2_OCIManagedClusterStatus(
 func Convert_v1beta2_OCIManagedClusterSpec_To_v1beta1_OCIManagedClusterSpec(in *v1beta2.OCIManagedClusterSpec, out *OCIManagedClusterSpec, s conversion.Scope) error {
 	return autoConvert_v1beta2_OCIManagedClusterSpec_To_v1beta1_OCIManagedClusterSpec(in, out, s)
 }
+
+// Convert_v1beta2_ClusterOptions_To_v1beta1_ClusterOptions converts v1beta2 ClusterOptions to v1beta1 ClusterOptions
+func Convert_v1beta2_ClusterOptions_To_v1beta1_ClusterOptions(in *v1beta2.ClusterOptions, out *ClusterOptions, s conversion.Scope) error {
+	return autoConvert_v1beta2_ClusterOptions_To_v1beta1_ClusterOptions(in, out, s)
+}

api/v1beta1/ocimanagedcontrolplane_conversion.go

@@ -36,6 +36,26 @@ func (src *OCIManagedControlPlane) ConvertTo(dstRaw conversion.Hub) error {
 	dst.Spec.ClusterType = restored.Spec.ClusterType
 	dst.Spec.Addons = restored.Spec.Addons
 	dst.Status.AddonStatus = restored.Status.AddonStatus
+
+	// Handle ClusterOption conversion
+	// Copy OpenIdConnectDiscovery if present
+	if restored.Spec.ClusterOption.OpenIdConnectDiscovery != nil {
+		if dst.Spec.ClusterOption.OpenIdConnectDiscovery == nil {
+			dst.Spec.ClusterOption.OpenIdConnectDiscovery = &v1beta2.OpenIDConnectDiscovery{}
+		}
+		dst.Spec.ClusterOption.OpenIdConnectDiscovery.IsOpenIdConnectDiscoveryEnabled =
+			restored.Spec.ClusterOption.OpenIdConnectDiscovery.IsOpenIdConnectDiscoveryEnabled
+	}
+
+	// Copy OpenIdConnectTokenAuthenticationConfig if present
+	if restored.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig != nil {
+		if dst.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig == nil {
+			dst.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig = &v1beta2.OpenIDConnectTokenAuthenticationConfig{}
+		}
+		*dst.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig =
+			*restored.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig
+	}
+
 	return nil
 }
 

api/v1beta1/zz_generated.conversion.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta2
 
 import (
+	"github.com/oracle/oci-go-sdk/v65/containerengine"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
@@ -122,8 +123,66 @@ type ClusterOptions struct {
 	// AdmissionControllerOptions defines the properties that define supported admission controllers.
 	// +optional
 	AdmissionControllerOptions *AdmissionControllerOptions `json:"admissionControllerOptions,omitempty"`
+
+	// OpenIDConnectDiscovery specifies OIDC discovery settings
+	// +optional
+	OpenIdConnectDiscovery *OpenIDConnectDiscovery `json:"openIdConnectDiscovery,omitempty"`
+
+	//OpenIDConnectTokenAuthenticationConfig
+	// +optional
+	OpenIdConnectTokenAuthenticationConfig *OpenIDConnectTokenAuthenticationConfig `json:"openIdConnectTokenAuthenticationConfig,omitempty"`
+}
+
+type OpenIDConnectDiscovery struct {
+	// IsOpenIDConnectDiscoveryEnabled defines whether or not to enable the OIDC discovery.
+	// +optional
+	IsOpenIdConnectDiscoveryEnabled *bool `json:"isOpenIdConnectDiscoveryEnabled,omitempty"`
+}
+
+type OpenIDConnectTokenAuthenticationConfig struct {
+	// A Base64 encoded public RSA or ECDSA certificates used to sign your identity provider's web certificate.
+	// +optional
+	CaCertificate *string `json:"caCertificate,omitempty"`
+
+	// A client id that all tokens must be issued for.
+	// +optional
+	ClientId *string `json:"clientId,omitempty"`
+
+	// JWT claim to use as the user's group. If the claim is present it must be an array of strings.
+	// +optional
+	GroupsClaim *string `json:"groupsClaim,omitempty"`
+
+	// Prefix prepended to group claims to prevent clashes with existing names (such as system:groups).
+	// +optional
+	GroupsPrefix *string `json:"groupsPrefix,omitempty"`
+
+	// IsOpenIdConnectAuthEnabled defines whether or not to enable the OIDC authentication.
+	IsOpenIdConnectAuthEnabled bool `json:"isOpenIdConnectAuthEnabled"`
+
+	// URL of the provider that allows the API server to discover public signing keys. Only URLs that use the https:// scheme are accepted. This is typically the provider's discovery URL, changed to have an empty path.
+	// +optional
+	IssuerUrl *string `json:"issuerUrl,omitempty"`
+
+	// A key=value pair that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value. Repeat this flag to specify multiple claims.
+	// +optional
+	RequiredClaims []KeyValue `json:"requiredClaims,omitempty"`
+
+	// The signing algorithms accepted. Default is ["RS256"].
+	// +optional
+	SigningAlgorithms []string `json:"signingAlgorithms,omitempty"`
+
+	// JWT claim to use as the user name. By default sub, which is expected to be a unique identifier of the end user. Admins can choose other claims, such as email or name, depending on their provider. However, claims other than email will be prefixed with the issuer URL to prevent naming clashes with other plugins.
+	// +optional
+	UsernameClaim *string `json:"usernameClaim,omitempty"`
+
+	// Prefix prepended to username claims to prevent clashes with existing names (such as system:users). For example, the value oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and --oidc-username-claim is a value other than email the prefix defaults to ( Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value - can be used to disable all prefixing.
+	// +optional
+	UsernamePrefix *string `json:"usernamePrefix,omitempty"`
 }
 
+// KeyValue defines the properties that define a key value pair. This is alias to containerengine.KeyValue, to support the sdk type
+type KeyValue containerengine.KeyValue
+
 // AddOnOptions defines the properties that define options for supported add-ons.
 type AddOnOptions struct {
 	// IsKubernetesDashboardEnabled defines whether or not to enable the Kubernetes Dashboard add-on.

api/v1beta2/ocimanagedcontrolplane_types.go

@@ -56,6 +56,18 @@ func (c *OCIManagedControlPlane) ValidateCreate() (admission.Warnings, error) {
 	if len(c.Name) > 31 {
 		allErrs = append(allErrs, field.Invalid(field.NewPath("Name"), c.Name, "Name cannot be more than 31 characters"))
 	}
+
+	if c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig != nil && c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig.IsOpenIdConnectAuthEnabled {
+		if c.Spec.ClusterType != EnhancedClusterType {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("ClusterType"), c.Spec.ClusterType, "ClusterType needs to be set to ENHANCED_CLUSTER for OpenIdConnectTokenAuthenticationConfig to be enabled."))
+		}
+		if c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig.ClientId == nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("ClientId"), c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig.ClientId, "ClientId cannot be empty when OpenIdConnectAuth is enabled."))
+		}
+		if c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig.IssuerUrl == nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("IssuerUrl "), c.Spec.ClusterOption.OpenIdConnectTokenAuthenticationConfig.IssuerUrl, "IssuerUrl cannot be empty when OpenIdConnectAuth is enabled."))
+		}
+	}
 	if len(allErrs) == 0 {
 		return nil, nil
 	}

api/v1beta2/ocimanagedcontrolplane_webhook.go

@@ -20,6 +20,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/oracle/oci-go-sdk/v65/common"
+
 	"github.com/onsi/gomega"
 	. "github.com/onsi/gomega"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -79,6 +81,85 @@ func TestOCIManagedControlPlane_ValidateCreate(t *testing.T) {
 			},
 			expectErr: false,
 		},
+		{
+			name: "OpenIdConnectAuthEnabledWithValidConfig",
+			c: &OCIManagedControlPlane{
+				Spec: OCIManagedControlPlaneSpec{
+					ClusterType: EnhancedClusterType,
+					ClusterOption: ClusterOptions{
+						OpenIdConnectTokenAuthenticationConfig: &OpenIDConnectTokenAuthenticationConfig{
+							IsOpenIdConnectAuthEnabled: *common.Bool(true),
+							ClientId:                   common.String("client-id"),
+							IssuerUrl:                  common.String("issuer-url"),
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
+		{
+			name: "OpenIdConnectAuthEnabledWithInvalidClusterType",
+			c: &OCIManagedControlPlane{
+				Spec: OCIManagedControlPlaneSpec{
+					ClusterType: BasicClusterType,
+					ClusterOption: ClusterOptions{
+						OpenIdConnectTokenAuthenticationConfig: &OpenIDConnectTokenAuthenticationConfig{
+							IsOpenIdConnectAuthEnabled: *common.Bool(true),
+							ClientId:                   common.String("client-id"),
+							IssuerUrl:                  common.String("issuer-url"),
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "ClusterType needs to be set to ENHANCED_CLUSTER for OpenIdConnectTokenAuthenticationConfig to be enabled.",
+			expectErr:             true,
+		},
+		{
+			name: "OpenIdConnectAuthEnabledWithMissingClientId",
+			c: &OCIManagedControlPlane{
+				Spec: OCIManagedControlPlaneSpec{
+					ClusterType: EnhancedClusterType,
+					ClusterOption: ClusterOptions{
+						OpenIdConnectTokenAuthenticationConfig: &OpenIDConnectTokenAuthenticationConfig{
+							IsOpenIdConnectAuthEnabled: *common.Bool(true),
+							IssuerUrl:                  common.String("issuer-url"),
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "ClientId cannot be empty when OpenIdConnectAuth is enabled.",
+			expectErr:             true,
+		},
+		{
+			name: "OpenIdConnectAuthEnabledWithMissingIssuerUrl",
+			c: &OCIManagedControlPlane{
+				Spec: OCIManagedControlPlaneSpec{
+					ClusterType: EnhancedClusterType,
+					ClusterOption: ClusterOptions{
+						OpenIdConnectTokenAuthenticationConfig: &OpenIDConnectTokenAuthenticationConfig{
+							IsOpenIdConnectAuthEnabled: *common.Bool(true),
+							ClientId:                   common.String("client-id"),
+						},
+					},
+				},
+			},
+			errorMgsShouldContain: "IssuerUrl cannot be empty when OpenIdConnectAuth is enabled.",
+			expectErr:             true,
+		},
+		{
+			name: "OpenIdConnectAuthDisabled",
+			c: &OCIManagedControlPlane{
+				Spec: OCIManagedControlPlaneSpec{
+					ClusterType: BasicClusterType,
+					ClusterOption: ClusterOptions{
+						OpenIdConnectTokenAuthenticationConfig: &OpenIDConnectTokenAuthenticationConfig{
+							IsOpenIdConnectAuthEnabled: *common.Bool(false),
+						},
+					},
+				},
+			},
+			expectErr: false,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {