operator: Allow reduced tenant OIDC authentication requirements (#6362)

3 years ago · 6205b962d0
parent 73a144e064
commit 6205b962d0
7 changed files with 20 additions and 38 deletions
--- a/operator/CHANGELOG.md
+++ b/operator/CHANGELOG.md
@ -1,5 +1,6 @@
 ## Main

+- [6362](https://github.com/grafana/loki/pull/6362) **periklis**: Allow reduced tenant OIDC authentication requirements
 - [6288](https://github.com/grafana/loki/pull/6288) **aminesnow**: Expose only an HTTPS gateway when in openshift mode
 - [6195](https://github.com/grafana/loki/pull/6195) **periklis**: Add ruler config support
 - [6198](https://github.com/grafana/loki/pull/6198) **periklis**: Add support for custom S3 CA
--- a/operator/api/v1beta1/lokistack_types.go
+++ b/operator/api/v1beta1/lokistack_types.go
@ -159,12 +159,20 @@ type OIDCSpec struct {
 	IssuerURL string `json:"issuerURL"`
 	// RedirectURL defines the URL for redirect.
 	//
-	// +required
-	// +kubebuilder:validation:Required
+	// +optional
+	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Redirect URL"
-	RedirectURL   string `json:"redirectURL"`
-	GroupClaim    string `json:"groupClaim"`
-	UsernameClaim string `json:"usernameClaim"`
+	RedirectURL string `json:"redirectURL,omitempty"`
+	// Group claim field from ID Token
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	GroupClaim string `json:"groupClaim,omitempty"`
+	// User claim field from ID Token
+	//
+	// +optional
+	// +kubebuilder:validation:Optional
+	UsernameClaim string `json:"usernameClaim,omitempty"`
 }

 // AuthenticationSpec defines the oidc configuration per tenant for lokiStack Gateway component.
--- a/operator/bundle/manifests/loki.grafana.com_lokistacks.yaml
+++ b/operator/bundle/manifests/loki.grafana.com_lokistacks.yaml
@ -838,6 +838,7 @@ spec:
                            authentication.
                          properties:
                            groupClaim:
+                              description: Group claim field from ID Token
                              type: string
                            issuerURL:
                              description: IssuerURL defines the URL for issuer.
@ -857,13 +858,11 @@ spec:
                              - name
                              type: object
                            usernameClaim:
+                              description: User claim field from ID Token
                              type: string
                          required:
-                          - groupClaim
                          - issuerURL
-                          - redirectURL
                          - secret
-                          - usernameClaim
                          type: object
                        tenantId:
                          description: TenantID defines the id of the tenant.
--- a/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
+++ b/operator/config/crd/bases/loki.grafana.com_lokistacks.yaml
@ -833,6 +833,7 @@ spec:
                            authentication.
                          properties:
                            groupClaim:
+                              description: Group claim field from ID Token
                              type: string
                            issuerURL:
                              description: IssuerURL defines the URL for issuer.
@ -852,13 +853,11 @@ spec:
                              - name
                              type: object
                            usernameClaim:
+                              description: User claim field from ID Token
                              type: string
                          required:
-                          - groupClaim
                          - issuerURL
-                          - redirectURL
                          - secret
-                          - usernameClaim
                          type: object
                        tenantId:
                          description: TenantID defines the id of the tenant.
--- a/operator/internal/handlers/internal/gateway/tenant_secrets.go
+++ b/operator/internal/handlers/internal/gateway/tenant_secrets.go
@ -69,13 +69,7 @@ func extractSecret(s *corev1.Secret, tenantName string) (*manifests.TenantSecret
 		return nil, kverrors.New("missing clientID field", "field", "clientID")
 	}
 	clientSecret := s.Data["clientSecret"]
-	if len(clientSecret) == 0 {
-		return nil, kverrors.New("missing clientSecret field", "field", "clientSecret")
-	}
 	issuerCAPath := s.Data["issuerCAPath"]
-	if len(issuerCAPath) == 0 {
-		return nil, kverrors.New("missing issuerCAPath field", "field", "issuerCAPath")
-	}

 	return &manifests.TenantSecrets{
 		TenantName:   tenantName,
--- a/operator/internal/handlers/internal/gateway/tenant_secrets_test.go
+++ b/operator/internal/handlers/internal/gateway/tenant_secrets_test.go
@ -157,27 +157,6 @@ func TestExtractSecret(t *testing.T) {
 			secret:     &corev1.Secret{},
 			wantErr:    true,
 		},
-		{
-			name:       "missing clientSecret",
-			tenantName: "tenant-a",
-			secret: &corev1.Secret{
-				Data: map[string][]byte{
-					"clientID": []byte("test"),
-				},
-			},
-			wantErr: true,
-		},
-		{
-			name:       "missing issuerCAPath",
-			tenantName: "tenant-a",
-			secret: &corev1.Secret{
-				Data: map[string][]byte{
-					"clientID":     []byte("test"),
-					"clientSecret": []byte("test"),
-				},
-			},
-			wantErr: true,
-		},
 		{
 			name:       "all set",
 			tenantName: "tenant-a",
--- a/operator/internal/manifests/internal/gateway/gateway-tenants.yaml
+++ b/operator/internal/manifests/internal/gateway/gateway-tenants.yaml
@ -19,7 +19,9 @@ tenants:
    {{- end -}}
    {{- end }}
    issuerURL: {{ $spec.OIDC.IssuerURL }}
+    {{ if $spec.OIDC.RedirectURL }}
    redirectURL: {{ $spec.OIDC.RedirectURL }}
+    {{- end -}}
    {{ if $spec.OIDC.UsernameClaim }}
    usernameClaim: {{ $spec.OIDC.UsernameClaim }}
    {{- end -}}