Add support for structured authentication (#995)

* Initial support for structured-auth

Signed-off-by: Fabian Ruff <fabian.ruff@sap.com>

* add structured authenitcation configuration

This commit adds a new field “authenticationConfiguration” to the kluster spec that allowing to provide the content of the —authentication-configuration config file.
The ground controller reconciles any changes to the api and updates a configmap that is referenced in the apiserver deployment. As any changes to the configfile are automatically picked up by the apiserver this changes to the kluster spec become effective within a minute.

Signed-off-by: Fabian Ruff <fabian.ruff@sap.com>

* incorporate code-review feedback

Signed-off-by: Fabian Ruff <fabian.ruff@sap.com>

---------

Signed-off-by: Fabian Ruff <fabian.ruff@sap.com>

Author: databus23

.golangci.yaml

@@ -2,7 +2,6 @@ run:
   timeout: 5m
 linters:
   enable:
-  - copyloopvar
   - gci
   - gofmt
   disable:

charts/kube-master/templates/api.yaml

@@ -140,6 +140,14 @@ spec:
               path: config.yaml
             - key: admission-kubeconfig
               path: kubeconfig
+{{- end }}
+{{- if (semverCompare ">= 1.30" .Values.version.kubernetes) }}
+        - name: auth-config
+          configMap:
+            name: {{ include "master.fullname" . }}-auth
+            items:
+            - key: config.yaml
+              path: config.yaml
 {{- end }}
       initContainers:
         - name: etcd-wait
@@ -268,7 +276,9 @@ spec:
 {{- if .Values.api.corsAllowedOrigins }}
             - --cors-allowed-origins={{ .Values.api.corsAllowedOrigins }}
 {{- end }}
-            {{ if or .Values.dex.enabled .Values.api.oidc.issuerURL }}
+            {{ if (semverCompare ">= 1.30" .Values.version.kubernetes)}}
+            - --authentication-config=/etc/kubernetes/auth/config.yaml
+            {{ else if or .Values.dex.enabled .Values.api.oidc.issuerURL }}
             - --oidc-issuer-url={{ default  (printf "https://%s" (include "dex.url" .)) .Values.api.oidc.issuerURL }}
             - --oidc-client-id={{ .Values.api.oidc.clientID }}
             - --oidc-groups-claim={{ .Values.api.oidc.groupsClaim }}
@@ -318,6 +328,11 @@ spec:
             - mountPath: /etc/kubernetes/admission
               name: admission-config
               readOnly: true
+{{- end }}
+{{- if (semverCompare ">= 1.30" .Values.version.kubernetes) }}
+            - mountPath: /etc/kubernetes/auth
+              name: auth-config
+              readOnly: true
 {{- end }}
           livenessProbe:
 {{- if .Values.etcd.backup.enabled }}

go.mod

@@ -53,6 +53,7 @@ require (
 	k8s.io/api v0.32.2
 	k8s.io/apiextensions-apiserver v0.32.2
 	k8s.io/apimachinery v0.32.2
+	k8s.io/apiserver v0.32.2
 	k8s.io/client-go v0.32.2
 	k8s.io/cluster-bootstrap v0.32.1
 	k8s.io/klog v1.0.0
@@ -62,10 +63,12 @@ require (
 
 require (
 	al.essio.dev/pkg/shellescape v1.5.1 // indirect
+	cel.dev/expr v0.18.0 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/aws/aws-sdk-go v1.55.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -112,6 +115,7 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
+	github.com/google/cel-go v0.22.0 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -165,6 +169,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/vincent-petithory/dataurl v1.0.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
@@ -177,17 +182,18 @@ require (
 	go.opentelemetry.io/otel v1.28.0 // indirect
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 // indirect
 	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.35.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiserver v0.32.2 // indirect
 	k8s.io/cli-runtime v0.32.2 // indirect
 	k8s.io/component-base v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect

go.sum

@@ -1,5 +1,7 @@
 al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
 al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
+cel.dev/expr v0.18.0 h1:CJ6drgk+Hf96lkLikr4rFf19WrU0BOWEihyZnI2TAzo=
+cel.dev/expr v0.18.0/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
@@ -42,6 +44,8 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
+github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
 github.com/aokoli/goutils v1.1.1 h1:/hA+Ywo3AxoDZY5ZMnkiEkUvkK4BPp927ax110KCqqg=
 github.com/aokoli/goutils v1.1.1/go.mod h1:SijmP0QR8LtwsmDs8Yii5Z/S4trXFGFC2oO5g9DP+DQ=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
@@ -272,6 +276,8 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/cel-go v0.22.0 h1:b3FJZxpiv1vTMo2/5RDUqAHPxkT8mmMfJIrq1llbf7g=
+github.com/google/cel-go v0.22.0/go.mod h1:BuznPXXfQDpXKWQ9sPW3TzlAJN5zzFe+i9tIs0yC4s8=
 github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -587,18 +593,25 @@ github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -671,6 +684,8 @@ golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -799,6 +814,8 @@ google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRn
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190530194941-fb225487d101/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 h1:YcyjlL1PRr2Q17/I0dPk2JmYS5CDXfcdb2Z3YRioEbw=
+google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:OCdP9MfskevB/rbYvHTsXTtKC+3bHWajPdoKgjcYkfo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7 h1:2035KHhUv+EpyB+hWgJnaWKJOdX1E95w2S8Rr4uWKTs=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=

pkg/api/models/authentication_configuration.go

@@ -0,0 +1,57 @@
+package models
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/strfmt"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apiserver/pkg/apis/apiserver"
+	apiserverv1alpha1 "k8s.io/apiserver/pkg/apis/apiserver/v1alpha1"
+	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
+	apiservervalidation "k8s.io/apiserver/pkg/apis/apiserver/validation"
+	authenticationcel "k8s.io/apiserver/pkg/authentication/cel"
+)
+
+var decoder runtime.Decoder
+
+func init() {
+	scheme := runtime.NewScheme()
+	schemeBuilder := runtime.NewSchemeBuilder(apiserverv1beta1.AddToScheme, apiserverv1alpha1.AddToScheme, apiserver.AddToScheme)
+	utilruntime.Must(schemeBuilder.AddToScheme(scheme))
+	decoder = serializer.NewCodecFactory(scheme).UniversalDecoder()
+}
+
+// AuthenticationConfiguration is a custom string type
+type AuthenticationConfiguration string
+
+// Validate ensures that the AuthenticationConfiguration fulfills the go-swagger validation interface
+func (a AuthenticationConfiguration) Validate(formats strfmt.Registry) error {
+	if a == "" {
+		return nil // empty is valid
+	}
+	obj, schemaVersion, err := decoder.Decode([]byte(a), nil, nil)
+	if err != nil {
+		return errors.New(http.StatusBadRequest, "failed to decode authenticationConfiguration: %s", err)
+	}
+
+	authenticationConfig, ok := obj.(*apiserver.AuthenticationConfiguration)
+	if !ok {
+		return errors.New(http.StatusBadRequest, "failed to cast authenticationConfiguration type: %v", schemaVersion)
+	}
+
+	if errList := apiservervalidation.ValidateAuthenticationConfiguration(authenticationcel.NewDefaultCompiler(), authenticationConfig, nil); len(errList) != 0 {
+		return errors.New(http.StatusBadRequest, "invalid authenticationConfiguration: %v", errList)
+	}
+	// Add additional validation logic here if needed
+	return nil
+}
+
+// ContextValidate validates the AuthenticationConfiguration based on the context it is used in
+func (a AuthenticationConfiguration) ContextValidate(ctx context.Context, formats strfmt.Registry) error {
+	// Add context-specific validation logic here if needed
+	return nil
+}

pkg/api/models/kluster_spec.go

@@ -147,7 +147,7 @@ func TestCreateCluster(t *testing.T) {
 		assert.Contains(t, string(body), "nase")
 	}
 
-	//Ensure specifying a different router doesn't obverlap
+	//Ensure specifying a different router doesn't overlap
 	req = createRequest("POST", "/api/v1/clusters", `{"name": "ohr", "spec": { "openstack": { "routerID":"routerB"}}}`)
 	code, _, body = result(handler, req)
 	assert.Equal(t, 201, code, "specifying a different router should not conflict. response: %s", string(body))
@@ -169,7 +169,7 @@ func TestCreateCluster(t *testing.T) {
 		assert.Contains(t, string(body), "CIDR")
 	}
 
-	//Ensure specifying a different router doesn't obverlap
+	//Ensure specifying an empty clusterCIDR does not fail
 	req = createRequest("POST", "/api/v1/clusters", `{"name": "nocidr", "spec": { "clusterCIDR": "", "noCloud": true, "serviceCIDR":"5.5.5.5/24"}}`)
 
 	code, _, body = result(handler, req)
@@ -180,6 +180,73 @@ func TestCreateCluster(t *testing.T) {
 
 }
 
+func TestAuthenticationConfigurationValidation(t *testing.T) {
+	handler, _, cancel := createTestHandler(t)
+	defer cancel()
+	//Ensure invalid authentication configuration is rejected
+	invalidAuthConfig, err := json.Marshal(models.Kluster{
+		Name: "auth",
+		Spec: models.KlusterSpec{
+			AuthenticationConfiguration: models.AuthenticationConfiguration(`
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://issuer1.example.com
+    audiences:
+    - audience1
+    - audience2
+    audienceMatchPolicy: MatchAny
+`),
+		},
+	})
+	assert.NoError(t, err, "failed to marshal authentication configuration")
+	req := createRequest("POST", "/api/v1/clusters", string(invalidAuthConfig))
+	code, _, body := result(handler, req)
+	assert.Equal(t, 400, code, "invalid authentication configuration should be rejected. response: %s, %s", string(body))
+
+	validAuthConfig, err := json.Marshal(models.Kluster{
+		Name: "auth",
+		Spec: models.KlusterSpec{
+			AuthenticationConfiguration: models.AuthenticationConfiguration(`
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+jwt:
+- issuer:
+    url: https://issuer1.example.com
+    audiences:
+    - audience1
+    - audience2
+    audienceMatchPolicy: MatchAny
+  claimMappings:
+    username:
+      expression: 'claims.username'
+    groups:
+      expression: 'claims.groups'
+`),
+		},
+	})
+	assert.NoError(t, err, "failed to marshal authentication configuration")
+	req = createRequest("POST", "/api/v1/clusters", string(validAuthConfig))
+	code, _, body = result(handler, req)
+	assert.Equal(t, 201, code, "valid authentication configuration should be accepted. response: %s", string(body))
+
+	emptyAuthConfig, err := json.Marshal(models.Kluster{
+		Name: "emptyauth",
+		Spec: models.KlusterSpec{
+			ClusterCIDR: swag.String("100.101.0.0/16"),
+			AuthenticationConfiguration: models.AuthenticationConfiguration(`
+apiVersion: apiserver.config.k8s.io/v1beta1
+kind: AuthenticationConfiguration
+`),
+		},
+	})
+	assert.NoError(t, err, "failed to marshal authentication configuration")
+	req = createRequest("POST", "/api/v1/clusters", string(emptyAuthConfig))
+	code, _, body = result(handler, req)
+	assert.Equal(t, 201, code, "empty authentication configuration is valid. response: %s", string(body))
+}
+
 func TestClusterShow(t *testing.T) {
 	kluster := kubernikusv1.Kluster{
 		ObjectMeta: metav1.ObjectMeta{
@@ -484,5 +551,4 @@ func TestClusterBootstrapConfig(t *testing.T) {
 		ClusterDomain:      "example.com",
 		RotateCertificates: true,
 	}, config)
-
 }