Merge pull request redpanda-data#6282 from pvsune/enterprise/pvsune/rp-console

Console Google SSO support in operator

Author: pvsune

src/go/k8s/apis/redpanda/v1alpha1/common_types.go

@@ -0,0 +1,60 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// SecretKeyRef contains enough information to inspect or modify the referred Secret data
+// REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
+type SecretKeyRef struct {
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name string `json:"name"`
+
+	// Namespace of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	Namespace string `json:"namespace"`
+
+	// +optional
+	// Key in Secret data to get value from
+	Key string `json:"key,omitempty"`
+}
+
+// GetSecret fetches the referenced Secret
+func (s *SecretKeyRef) GetSecret(ctx context.Context, cl client.Client) (*corev1.Secret, error) {
+	secret := &corev1.Secret{}
+	if err := cl.Get(ctx, client.ObjectKey{Namespace: s.Namespace, Name: s.Name}, secret); err != nil {
+		return nil, fmt.Errorf("getting Secret %s/%s: %w", s.Namespace, s.Name, err)
+	}
+	return secret, nil
+}
+
+// GetValue extracts the value from the specified key or default
+func (s *SecretKeyRef) GetValue(secret *corev1.Secret, defaultKey string) ([]byte, error) {
+	key := s.Key
+	if key == "" {
+		key = defaultKey
+	}
+
+	value, ok := secret.Data[key]
+	if !ok {
+		return nil, fmt.Errorf("getting value from Secret %s/%s: key %s not found", s.Namespace, s.Name, key) // nolint:goerr113 // no need to declare new error type
+	}
+	return value, nil
+}
+
+// NamespaceNameRef contains namespace and name to inspect or modify the referred object
+// REF https://pkg.go.dev/k8s.io/api/core/v1#ObjectReference
+type NamespaceNameRef struct {
+	// Name of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+	Name string `json:"name"`
+
+	// Namespace of the referent.
+	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+	Namespace string `json:"namespace"`
+}

src/go/k8s/apis/redpanda/v1alpha1/console_enterprise_types.go

@@ -0,0 +1,57 @@
+package v1alpha1
+
+import corev1 "k8s.io/api/core/v1"
+
+// Enterprise defines configurable fields for features that require license
+type Enterprise struct {
+	// Console uses role-based access control (RBAC) to restrict system access to authorized users
+	RBAC EnterpriseRBAC `json:"rbac"`
+}
+
+// EnterpriseRBAC defines configurable fields for specifying RBAC Authorization
+type EnterpriseRBAC struct {
+	Enabled bool `json:"enabled"`
+
+	// RoleBindingsRef is the ConfigMap that contains the RBAC file
+	// The ConfigMap should contain "rbac.yaml" key
+	RoleBindingsRef corev1.LocalObjectReference `json:"roleBindingsRef"`
+}
+
+// EnterpriseLogin defines configurable fields to enable SSO Authentication for supported login providers
+type EnterpriseLogin struct {
+	Enabled bool `json:"enabled"`
+
+	// JWTSecret is the Secret that is used to sign and encrypt the JSON Web tokens that are used by the backend for session management
+	// If not provided, the default key is "jwt"
+	JWTSecretRef SecretKeyRef `json:"jwtSecretRef"`
+
+	Google *EnterpriseLoginGoogle `json:"google,omitempty"`
+}
+
+// IsGoogleLoginEnabled returns true if Google SSO provider is enabled
+func (c *Console) IsGoogleLoginEnabled() bool {
+	login := c.Spec.Login
+	return login != nil && login.Google != nil && login.Google.Enabled
+}
+
+// EnterpriseLoginGoogle defines configurable fields for Google provider
+type EnterpriseLoginGoogle struct {
+	Enabled bool `json:"enabled"`
+
+	// ClientCredentials is the Secret that contains SSO credentials
+	// The Secret should contain keys "clientId", "clientSecret"
+	ClientCredentialsRef NamespaceNameRef `json:"clientCredentialsRef"`
+
+	// Use Google groups in your RBAC role bindings.
+	Directory *EnterpriseLoginGoogleDirectory `json:"directory,omitempty"`
+}
+
+// EnterpriseLoginGoogleDirectory defines configurable fields for enabling RBAC Google groups sync
+type EnterpriseLoginGoogleDirectory struct {
+	// ServiceAccountRef is the ConfigMap that contains the Google Service Account json
+	// The ConfigMap should contain "sa.json" key
+	ServiceAccountRef corev1.LocalObjectReference `json:"serviceAccountRef"`
+
+	// TargetPrincipal is the user that shall be impersonated by the service account
+	TargetPrincipal string `json:"targetPrincipal"`
+}

src/go/k8s/apis/redpanda/v1alpha1/console_types.go

@@ -35,10 +35,23 @@ type ConsoleSpec struct {
 	SchemaRegistry Schema `json:"schema"`
 
 	// The referenced Redpanda Cluster
-	ClusterKeyRef corev1.ObjectReference `json:"clusterKeyRef"`
+	ClusterRef NamespaceNameRef `json:"clusterRef"`
 
 	Deployment Deployment `json:"deployment"`
 	Connect    Connect    `json:"connect"`
+
+	Enterprise *Enterprise `json:"enterprise,omitempty"`
+
+	// If you don't provide an enterprise license, Console ignores configurations for enterprise features
+	// REF https://docs.redpanda.com/docs/console/reference/config/
+	// If key is not provided in the SecretRef, Secret data should have key "license"
+	LicenseRef *SecretKeyRef `json:"licenseRef,omitempty"`
+
+	// Login contains all configurations in order to protect Console with a login screen
+	// Configure one or more of the below identity providers in order to support SSO
+	// This feature requires an Enterprise license
+	// REF https://docs.redpanda.com/docs/console/single-sign-on/identity-providers/google/
+	Login *EnterpriseLogin `json:"login,omitempty"`
 }
 
 // Server is the Console app HTTP server config
@@ -203,12 +216,12 @@ var AllowConsoleAnyNamespace bool
 
 // IsAllowedNamespace returns true if Console is valid to be created in current namespace
 func (c *Console) IsAllowedNamespace() bool {
-	return AllowConsoleAnyNamespace || c.GetNamespace() == c.Spec.ClusterKeyRef.Namespace
+	return AllowConsoleAnyNamespace || c.GetNamespace() == c.Spec.ClusterRef.Namespace
 }
 
 // GetClusterRef returns the NamespacedName of referenced Cluster object
 func (c *Console) GetClusterRef() types.NamespacedName {
-	return types.NamespacedName{Name: c.Spec.ClusterKeyRef.Name, Namespace: c.Spec.ClusterKeyRef.Namespace}
+	return types.NamespacedName{Name: c.Spec.ClusterRef.Name, Namespace: c.Spec.ClusterRef.Namespace}
 }
 
 //+kubebuilder:object:root=true