application: add login stanza

Co-authored-by: Morten Lied Johansen <morten.lied.johansen@nav.no>

charts/templates/nais.io_applications.yaml

@@ -913,6 +913,35 @@ spec:
                 - influxdb
                 - log15
                 type: string
+              login:
+                description: Login configures a login proxy that sits in front of
+                  the application.
+                properties:
+                  enforce:
+                    description: Enforce login for all requests to the application.
+                    properties:
+                      enabled:
+                        description: If enabled, all unauthenticated requests to the
+                          application will be redirected to the login provider.
+                        type: boolean
+                      excludePaths:
+                        description: Absolute paths to ignore when enforcing login.
+                        items:
+                          pattern: ^\/.*$
+                          type: string
+                        type: array
+                    required:
+                    - enabled
+                    type: object
+                  provider:
+                    description: Provider configures the authentication provider for
+                      the application.
+                    enum:
+                    - oidc
+                    type: string
+                required:
+                - provider
+                type: object
               logtransform:
                 description: Extra filters for modifying log content. This can e.g.
                   be used for setting loglevel based on http status code.

config/crd/bases/nais.io_applications.yaml

@@ -913,6 +913,35 @@ spec:
                 - influxdb
                 - log15
                 type: string
+              login:
+                description: Login configures a login proxy that sits in front of
+                  the application.
+                properties:
+                  enforce:
+                    description: Enforce login for all requests to the application.
+                    properties:
+                      enabled:
+                        description: If enabled, all unauthenticated requests to the
+                          application will be redirected to the login provider.
+                        type: boolean
+                      excludePaths:
+                        description: Absolute paths to ignore when enforcing login.
+                        items:
+                          pattern: ^\/.*$
+                          type: string
+                        type: array
+                    required:
+                    - enabled
+                    type: object
+                  provider:
+                    description: Provider configures the authentication provider for
+                      the application.
+                    enum:
+                    - oidc
+                    type: string
+                required:
+                - provider
+                type: object
               logtransform:
                 description: Extra filters for modifying log content. This can e.g.
                   be used for setting loglevel based on http status code.

pkg/apis/nais.io/v1/naiserator_types.go

@@ -756,3 +756,19 @@ type Observability struct {
 	// +nais:doc:Link="https://doc.nais.io/observability/auto-instrumentation/"
 	AutoInstrumentation *AutoInstrumentation `json:"autoInstrumentation,omitempty"`
 }
+
+type Login struct {
+	// Provider configures the authentication provider for the application.
+	// +kubebuilder:validation:required
+	// +kubebuilder:validation:Enum=oidc
+	Provider string `json:"provider"`
+	// Enforce login for all requests to the application.
+	Enforce *LoginEnforce `json:"enforce,omitempty"`
+}
+
+type LoginEnforce struct {
+	// If enabled, all unauthenticated requests to the application will be redirected to the login provider.
+	Enabled bool `json:"enabled"`
+	// Absolute paths to ignore when enforcing login.
+	ExcludePaths []WonderwallIgnorePaths `json:"excludePaths,omitempty"`
+}

pkg/apis/nais.io/v1alpha1/application_doc_example.go

@@ -344,7 +344,17 @@ func ExampleApplicationForDocumentation() *Application {
 				Port:             8080,
 				Timeout:          1,
 			},
-			Logformat:    "accesslog_with_referer_useragent",
+			Logformat: "accesslog_with_referer_useragent",
+			Login: &nais_io_v1.Login{
+				Provider: "oidc",
+				Enforce: &nais_io_v1.LoginEnforce{
+					Enabled: true,
+					ExcludePaths: []nais_io_v1.WonderwallIgnorePaths{
+						"/some/path",
+						"/api/**",
+					},
+				},
+			},
 			Logtransform: "http_loglevel",
 			Maskinporten: &nais_io_v1.Maskinporten{
 				Enabled: true,

pkg/apis/nais.io/v1alpha1/application_types.go

@@ -142,6 +142,11 @@ type ApplicationSpec struct {
 	// +kubebuilder:validation:Enum="";accesslog;accesslog_with_processing_time;accesslog_with_referer_useragent;capnslog;logrus;gokit;redis;glog;simple;influxdb;log15
 	Logformat string `json:"logformat,omitempty"`
 
+	// Login configures a login proxy that sits in front of the application.
+	// +nais:doc:Link="https://doc.nais.io/auth/explanations/#login-proxy"
+	// +nais:doc:Availability="Tenant: SSB"
+	Login *nais_io_v1.Login `json:"login,omitempty"`
+
 	// Extra filters for modifying log content. This can e.g. be used for setting loglevel based on http status code.
 	// +kubebuilder:validation:Enum=http_loglevel;dns_loglevel
 	Logtransform string `json:"logtransform,omitempty"`