From e27d2dd05a535109ecf8bfeb0af6fa985caa6253 Mon Sep 17 00:00:00 2001 From: Trong Huu Nguyen Date: Wed, 11 Sep 2024 10:01:18 +0200 Subject: [PATCH] application: add login stanza Co-authored-by: Morten Lied Johansen --- charts/templates/nais.io_applications.yaml | 29 ++++++++++++++ config/crd/bases/nais.io_applications.yaml | 29 ++++++++++++++ pkg/apis/nais.io/v1/naiserator_types.go | 16 ++++++++ pkg/apis/nais.io/v1/zz_generated.deepcopy.go | 40 +++++++++++++++++++ .../v1alpha1/application_doc_example.go | 12 +++++- .../nais.io/v1alpha1/application_types.go | 5 +++ .../nais.io/v1alpha1/zz_generated.deepcopy.go | 5 +++ 7 files changed, 135 insertions(+), 1 deletion(-) diff --git a/charts/templates/nais.io_applications.yaml b/charts/templates/nais.io_applications.yaml index 68995e72..560e7acd 100644 --- a/charts/templates/nais.io_applications.yaml +++ b/charts/templates/nais.io_applications.yaml @@ -913,6 +913,35 @@ spec: - influxdb - log15 type: string + login: + description: Login configures a login proxy that sits in front of + the application. + properties: + enforce: + description: Enforce login for all requests to the application. + properties: + enabled: + description: If enabled, all unauthenticated requests to the + application will be redirected to the login provider. + type: boolean + excludePaths: + description: Absolute paths to ignore when enforcing login. + items: + pattern: ^\/.*$ + type: string + type: array + required: + - enabled + type: object + provider: + description: Provider configures the authentication provider for + the application. + enum: + - oidc + type: string + required: + - provider + type: object logtransform: description: Extra filters for modifying log content. This can e.g. be used for setting loglevel based on http status code. diff --git a/config/crd/bases/nais.io_applications.yaml b/config/crd/bases/nais.io_applications.yaml index 68995e72..560e7acd 100644 --- a/config/crd/bases/nais.io_applications.yaml 
+++ b/config/crd/bases/nais.io_applications.yaml
@@ -913,6 +913,35 @@ spec: - influxdb - log15 type: string + login: + description: Login configures a login proxy that sits in front of + the application. + properties: + enforce: + description: Enforce login for all requests to the application. + properties: + enabled: + description: If enabled, all unauthenticated requests to the + application will be redirected to the login provider. + type: boolean + excludePaths: + description: Absolute paths to ignore when enforcing login. + items: + pattern: ^\/.*$ + type: string + type: array + required: + - enabled + type: object + provider: + description: Provider configures the authentication provider for + the application. + enum: + - oidc + type: string + required: + - provider + type: object logtransform: description: Extra filters for modifying log content. This can e.g. be used for setting loglevel based on http status code.
diff --git a/pkg/apis/nais.io/v1/naiserator_types.go b/pkg/apis/nais.io/v1/naiserator_types.go
index ac5a9f0a..c0628d2e 100644
--- a/pkg/apis/nais.io/v1/naiserator_types.go
+++ b/pkg/apis/nais.io/v1/naiserator_types.go
@@ -756,3 +756,19 @@ type Observability struct {
 // +nais:doc:Link="https://doc.nais.io/observability/auto-instrumentation/"
 AutoInstrumentation *AutoInstrumentation `json:"autoInstrumentation,omitempty"`
 }
+
+type Login struct {
+ // Provider configures the authentication provider for the application.
+ // +kubebuilder:validation:required
+ // +kubebuilder:validation:Enum=oidc
+ Provider string `json:"provider"`
+ // Enforce login for all requests to the application.
+ Enforce *LoginEnforce `json:"enforce,omitempty"`
+}
+
+type LoginEnforce struct {
+ // If enabled, all unauthenticated requests to the application will be redirected to the login provider.
+ Enabled bool `json:"enabled"`
+ // Absolute paths to ignore when enforcing login.
+ ExcludePaths []WonderwallIgnorePaths `json:"excludePaths,omitempty"`
+}
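Review bot: The marker `// +kubebuilder:validation:required` on Login.Provider is spelled in lowercase, while the controller-gen marker is `+kubebuilder:validation:Required`; the generated CRD does list `provider` as required, but that is presumably because the field's json tag has no `omitempty`, so the marker as written is likely ignored and should be corrected or dropped. Neither `Login` nor `LoginEnforce` has a type-level doc comment; `// Login configures a login proxy that sits in front of the application.` above `type Login struct` and `// LoginEnforce controls whether unauthenticated requests are redirected to the login provider.` above `type LoginEnforce struct` would give the exported types the usual Go doc. The comment on ExcludePaths does not say how an entry is matched, and every matching request skips the login requirement, so the rule (exact path, prefix or glob — the documentation example in this commit uses `/api/**`) should be stated so that an entry cannot exclude more than the author intended.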
diff --git a/pkg/apis/nais.io/v1/zz_generated.deepcopy.go b/pkg/apis/nais.io/v1/zz_generated.deepcopy.go index bf6f6172..1638e5c9 100644 --- a/pkg/apis/nais.io/v1/zz_generated.deepcopy.go +++ b/pkg/apis/nais.io/v1/zz_generated.deepcopy.go @@ -1461,6 +1461,46 @@ func (in *Logging) DeepCopy() *Logging { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Login) DeepCopyInto(out *Login) { + *out = *in + if in.Enforce != nil { + in, out := &in.Enforce, &out.Enforce + *out = new(LoginEnforce) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Login. +func (in *Login) DeepCopy() *Login { + if in == nil { + return nil + } + out := new(Login) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *LoginEnforce) DeepCopyInto(out *LoginEnforce) { + *out = *in + if in.ExcludePaths != nil { + in, out := &in.ExcludePaths, &out.ExcludePaths + *out = make([]WonderwallIgnorePaths, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoginEnforce. +func (in *LoginEnforce) DeepCopy() *LoginEnforce { + if in == nil { + return nil + } + out := new(LoginEnforce) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Maintenance) DeepCopyInto(out *Maintenance) { *out = *in diff --git a/pkg/apis/nais.io/v1alpha1/application_doc_example.go b/pkg/apis/nais.io/v1alpha1/application_doc_example.go index 0d3dd9f1..62f56712 100644 --- a/pkg/apis/nais.io/v1alpha1/application_doc_example.go +++ b/pkg/apis/nais.io/v1alpha1/application_doc_example.go 
@@ -344,7 +344,17 @@ func ExampleApplicationForDocumentation() *Application {
 Port: 8080,
 Timeout: 1,
 },
- Logformat: "accesslog_with_referer_useragent",
+ Logformat: "accesslog_with_referer_useragent",
+ Login: &nais_io_v1.Login{
+ Provider: "oidc",
+ Enforce: &nais_io_v1.LoginEnforce{
+ Enabled: true,
+ ExcludePaths: []nais_io_v1.WonderwallIgnorePaths{
+ "/some/path",
+ "/api/**",
+ },
+ },
+ },
 Logtransform: "http_loglevel",
 Maskinporten: &nais_io_v1.Maskinporten{
 Enabled: true,
diff --git a/pkg/apis/nais.io/v1alpha1/application_types.go b/pkg/apis/nais.io/v1alpha1/application_types.go
index c33f8c1c..3b26af14 100644
--- a/pkg/apis/nais.io/v1alpha1/application_types.go
+++ b/pkg/apis/nais.io/v1alpha1/application_types.go
@@ -142,6 +142,11 @@ type ApplicationSpec struct {
 // +kubebuilder:validation:Enum="";accesslog;accesslog_with_processing_time;accesslog_with_referer_useragent;capnslog;logrus;gokit;redis;glog;simple;influxdb;log15
 Logformat string `json:"logformat,omitempty"`
+ // Login configures a login proxy that sits in front of the application.
+ // +nais:doc:Link="https://doc.nais.io/auth/explanations/#login-proxy"
+ // +nais:doc:Availability="Tenant: SSB"
+ Login *nais_io_v1.Login `json:"login,omitempty"`
+
 // Extra filters for modifying log content. This can e.g. be used for setting loglevel based on http status code.
 // +kubebuilder:validation:Enum=http_loglevel;dns_loglevel
 Logtransform string `json:"logtransform,omitempty"`
diff --git a/pkg/apis/nais.io/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/nais.io/v1alpha1/zz_generated.deepcopy.go
index 3e35a922..f327533b 100644
--- a/pkg/apis/nais.io/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/nais.io/v1alpha1/zz_generated.deepcopy.go
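Review bot: The doc comment on the new `Login` field in ApplicationSpec describes the proxy but not the default enforcement: `enforce` is optional and `enforce.enabled` is a plain bool, so an application that sets only `login.provider` presumably gets the proxy without any login requirement, which is exactly the default a user needs to see before relying on the stanza. Add a sentence such as `// Unless enforce.enabled is set, unauthenticated requests are still passed through to the application.` once confirmed against the proxy's actual behaviour. ApplicationSpec starts and ends outside the hunk.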
@@ -140,6 +140,11 @@ func (in *ApplicationSpec) DeepCopyInto(out *ApplicationSpec) { *out = new(v1.Probe) **out = **in } + if in.Login != nil { + in, out := &in.Login, &out.Login + *out = new(v1.Login) + (*in).DeepCopyInto(*out) + } if in.Maskinporten != nil { in, out := &in.Maskinporten, &out.Maskinporten *out = new(v1.Maskinporten)