init authOptions

ydb-platform · Oct 10, 2023 · 1d8ad34 · 1d8ad34
1 parent b6bae2d
commit 1d8ad34
Show file tree

Hide file tree

Showing 16 changed files with 523 additions and 98 deletions.
diff --git a/api/v1alpha1/auth_types.go b/api/v1alpha1/auth_types.go
@@ -0,0 +1,20 @@
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+type AuthOptions struct {
+	Anonymous         bool                   `json:"anonymous"`
+	AccessToken       *AccessTokenAuth       `json:"access_token"`
+	StaticCredentials *StaticCredentialsAuth `json:"static_credentials"`
+}
+
+type AccessTokenAuth struct {
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef,omitempty"`
+}
+
+type StaticCredentialsAuth struct {
+	Username     string                    `json:"username,omitempty"`
+	SecretKeyRef *corev1.SecretKeySelector `json:"secretKeyRef"`
+}
diff --git a/api/v1alpha1/storage_types.go b/api/v1alpha1/storage_types.go
@@ -27,6 +27,11 @@ type StorageSpec struct {
 	// +required
 	DataStore []corev1.PersistentVolumeClaimSpec `json:"dataStore"`
 
+	// (Optional) Auth services parameter overrides
+	// Default: (not specified)
+	// +optional
+	Auth *AuthOptions `json:"auth,omitempty"`
+
 	// (Optional) Storage services parameter overrides
 	// Default: (not specified)
 	// +optional

diff --git a/api/v1alpha1/storage_webhook.go b/api/v1alpha1/storage_webhook.go
@@ -1,8 +1,10 @@
 package v1alpha1
 
 import (
+	"errors"
 	"fmt"
 
+	"gopkg.in/yaml.v3"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/utils/strings/slices"
@@ -20,6 +22,14 @@ func (r *Storage) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
+type YDBConfiguration struct {
+	DomainsConfig struct {
+		SecurityConfig struct {
+			EnforceUserTokenRequirement bool `yaml:"enforce_user_token_requirement"`
+		} `yaml:"security_config"`
+	} `yaml:"domains_config"`
+}
+
 //+kubebuilder:webhook:path=/mutate-ydb-tech-v1alpha1-storage,mutating=true,failurePolicy=fail,sideEffects=None,groups=ydb.tech,resources=storages,verbs=create;update,versions=v1alpha1,name=mutate-storage.ydb.tech,admissionReviewVersions=v1
 
 var _ webhook.Defaulter = &Storage{}
@@ -54,6 +64,12 @@ func (r *Storage) Default() {
 		}
 	}
 
+	if r.Spec.Auth == nil {
+		r.Spec.Auth = &AuthOptions{
+			Anonymous: true,
+		}
+	}
+
 	if r.Spec.Domain == "" {
 		r.Spec.Domain = "root" // FIXME
 	}
@@ -88,6 +104,22 @@ func (r *Storage) ValidateCreate() error {
 		}
 	}
 
+	yamlConfig := YDBConfiguration{}
+	err := yaml.Unmarshal([]byte(r.Spec.Configuration), &yamlConfig)
+	if err != nil {
+		return errors.New("failed parse 'spec.configuration' to determine `enforce_user_token_requirement`")
+	}
+
+	if yamlConfig.DomainsConfig.SecurityConfig.EnforceUserTokenRequirement {
+		if r.Spec.Auth.Anonymous {
+			return errors.New("field 'spec.auth' does not satisfy with config option `enforce_user_token_requirement: true`")
+		}
+	} else {
+		if !r.Spec.Auth.Anonymous {
+			return errors.New("field 'spec.auth' does not satisfy with config option `enforce_user_token_requirement: false` ")
+		}
+	}
+
 	// TODO(user): fill in your validation logic upon object creation.
 	return nil
 }
@@ -96,6 +128,22 @@ func (r *Storage) ValidateCreate() error {
 func (r *Storage) ValidateUpdate(old runtime.Object) error {
 	storagelog.Info("validate update", "name", r.Name)
 
+	yamlConfig := YDBConfiguration{}
+	err := yaml.Unmarshal([]byte(r.Spec.Configuration), &yamlConfig)
+	if err != nil {
+		return errors.New("failed to parse 'spec.configuration' to determine `enforce_user_token_requirement`")
+	}
+
+	if yamlConfig.DomainsConfig.SecurityConfig.EnforceUserTokenRequirement {
+		if r.Spec.Auth.Anonymous {
+			return errors.New("empty field 'spec.auth' does not satisfy with config option `enforce_user_token_requirement: true`")
+		}
+	} else {
+		if !r.Spec.Auth.Anonymous {
+			return errors.New("field 'spec.auth' does not satisfy with config option `enforce_user_token_requirement: false` ")
+		}
+	}
+
 	// TODO(user): fill in your validation logic upon object update.
 	return nil
 }

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/deploy/ydb-operator/crds/storage.yaml b/deploy/ydb-operator/crds/storage.yaml
@@ -881,6 +881,63 @@ spec:
                         type: array
                     type: object
                 type: object
+              auth:
+                description: '(Optional) Auth services parameter overrides Default:
+                  (not specified)'
+                properties:
+                  access_token:
+                    properties:
+                      secretKeyRef:
+                        description: SecretKeySelector selects a key of a Secret.
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                    type: object
+                  anonymous:
+                    type: boolean
+                  static_credentials:
+                    properties:
+                      secretKeyRef:
+                        description: SecretKeySelector selects a key of a Secret.
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                              TODO: Add other useful fields. apiVersion, kind, uid?'
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                      username:
+                        type: string
+                    required:
+                    - secretKeyRef
+                    type: object
+                required:
+                - access_token
+                - anonymous
+                - static_credentials
+                type: object
               caBundle:
                 description: User-defined root certificate authority that is added
                   to system trust store of Storage pods on startup.

diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/go-logr/logr v0.4.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.50.0
-	github.com/ydb-platform/ydb-go-genproto v0.0.0-20221215182650-986f9d10542f
+	github.com/ydb-platform/ydb-go-genproto v0.0.0-20230528143953-42c825ace222
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/yaml.v3 v3.0.0
 	k8s.io/api v0.22.1
@@ -20,8 +20,13 @@ require (
 require (
 	cloud.google.com/go/compute v1.13.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.1 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
 	github.com/jonboulle/clockwork v0.3.0 // indirect
+	github.com/yandex-cloud/go-genproto v0.0.0-20211115083454-9ca41db5ed9e // indirect
+	github.com/ydb-platform/ydb-go-sdk-auth-environ v0.2.0 // indirect
+	github.com/ydb-platform/ydb-go-yc v0.10.2 // indirect
+	github.com/ydb-platform/ydb-go-yc-metadata v0.5.2 // indirect
 	golang.org/x/sync v0.1.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/grpc v1.52.0 // indirect
@@ -60,16 +65,16 @@ require (
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/ydb-platform/ydb-go-sdk/v3 v3.42.4
+	github.com/ydb-platform/ydb-go-sdk/v3 v3.47.3
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.19.0
-	golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 // indirect
-	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783 // indirect
-	golang.org/x/sys v0.4.0 // indirect
-	golang.org/x/term v0.4.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/term v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect