Merge pull request #40 from SimonTheLeg/configure-groups-in-fp

✨ allow configuring pass-on and dropped groups in frontproxy

Author: kcp-ci-bot

config/crd/bases/operator.kcp.io_frontproxies.yaml

@@ -80,6 +80,12 @@ spec:
                 description: 'Optional: Auth configures various aspects of Authentication
                   and Authorization for this front-proxy instance.'
                 properties:
+                  dropGroups:
+                    description: 'Optional: DropGroups configures groups to be dropped
+                      before forwarding requests to Shards'
+                    items:
+                      type: string
+                    type: array
                   oidc:
                     description: 'Optional: OIDC configures OpenID Connect Authentication.'
                     properties:
@@ -122,6 +128,12 @@ spec:
                     - enabled
                     - issuerURL
                     type: object
+                  passOnGroups:
+                    description: 'Optional: PassOnGroups configures groups to be passed
+                      on before forwarding requests to Shards'
+                    items:
+                      type: string
+                    type: array
                 type: object
               externalHostname:
                 description: 'Optional: ExternalHostname under which the FrontProxy

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/zapr v1.3.0
 	github.com/go-test/deep v1.1.0
+	github.com/google/go-cmp v0.6.0
 	github.com/kcp-dev/apimachinery/v2 v2.0.1-0.20240817110845-a9eb9752bfeb
 	github.com/kcp-dev/client-go v0.0.0-20240912145314-f5949d81732a
 	github.com/kcp-dev/code-generator/v2 v2.3.1
@@ -54,7 +55,6 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/cel-go v0.20.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
 	github.com/google/uuid v1.6.0 // indirect

internal/resources/frontproxy/deployment.go

@@ -18,6 +18,7 @@ package frontproxy
 
 import (
 	"fmt"
+	"strings"
 
 	"k8c.io/reconciler/pkg/reconciling"
 
@@ -41,7 +42,7 @@ func DeploymentReconciler(frontProxy *operatorv1alpha1.FrontProxy, rootShard *op
 			dep.Spec.Template.ObjectMeta.SetLabels(resources.GetFrontProxyResourceLabels(frontProxy))
 
 			image, _ := resources.GetImageSettings(frontProxy.Spec.Image)
-			args := getArgs()
+			args := getArgs(&frontProxy.Spec)
 
 			container := corev1.Container{
 				Name:    "kcp-front-proxy",
@@ -236,16 +237,28 @@ func DeploymentReconciler(frontProxy *operatorv1alpha1.FrontProxy, rootShard *op
 	}
 }
 
-func getArgs() []string {
-	args := []string{
-		"--secure-port=6443",
-		"--root-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
-		"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
-		"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
-		"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
-		"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
-		"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
-		"--service-account-key-file=/etc/kcp/tls/service-account/tls.key",
+var defaultArgs = []string{
+	"--secure-port=6443",
+	"--root-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
+	"--shards-kubeconfig=/etc/kcp-front-proxy/kubeconfig/kubeconfig",
+	"--tls-private-key-file=/etc/kcp-front-proxy/tls/tls.key",
+	"--tls-cert-file=/etc/kcp-front-proxy/tls/tls.crt",
+	"--client-ca-file=/etc/kcp-front-proxy/client-ca/tls.crt",
+	"--mapping-file=/etc/kcp-front-proxy/config/path-mapping.yaml",
+	"--service-account-key-file=/etc/kcp/tls/service-account/tls.key",
+}
+
+func getArgs(fps *operatorv1alpha1.FrontProxySpec) []string {
+	args := defaultArgs
+
+	if fps.Auth != nil {
+		if fps.Auth.DropGroups != nil {
+			args = append(args, fmt.Sprintf("--authentication-drop-groups=%q", strings.Join(fps.Auth.DropGroups, ",")))
+		}
+
+		if fps.Auth.PassOnGroups != nil {
+			args = append(args, fmt.Sprintf("--authentication-pass-on-groups=%q", strings.Join(fps.Auth.PassOnGroups, ",")))
+		}
 	}
 
 	return args

internal/resources/frontproxy/deployment_test.go

@@ -0,0 +1,41 @@
+package frontproxy
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+)
+
+func TestGetArgs(t *testing.T) {
+	tests := map[string]struct {
+		in  *operatorv1alpha1.FrontProxySpec
+		exp []string
+	}{
+		"only defaults configured": {
+			in:  &operatorv1alpha1.FrontProxySpec{Auth: &operatorv1alpha1.AuthSpec{}},
+			exp: defaultArgs,
+		},
+		"drop-groups and pass-on-groups configured": {
+			in: &operatorv1alpha1.FrontProxySpec{
+				Auth: &operatorv1alpha1.AuthSpec{
+					DropGroups:   []string{"some-group", "some-other-group"},
+					PassOnGroups: []string{"totally-different-group"},
+				},
+			},
+			exp: append(defaultArgs, []string{
+				"--authentication-drop-groups=\"some-group,some-other-group\"",
+				"--authentication-pass-on-groups=\"totally-different-group\"",
+			}...),
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			res := getArgs(tc.in)
+			if !cmp.Equal(res, tc.exp) {
+				t.Error(cmp.Diff(res, tc.exp))
+			}
+		})
+	}
+}

sdk/apis/operator/v1alpha1/frontproxy_types.go

@@ -43,6 +43,12 @@ type FrontProxySpec struct {
 type AuthSpec struct {
 	// Optional: OIDC configures OpenID Connect Authentication.
 	OIDC *OIDCConfiguration `json:"oidc,omitempty"`
+
+	// Optional: DropGroups configures groups to be dropped before forwarding requests to Shards
+	DropGroups []string `json:"dropGroups,omitempty"`
+
+	// Optional: PassOnGroups configures groups to be passed on before forwarding requests to Shards
+	PassOnGroups []string `json:"passOnGroups,omitempty"`
 }
 
 type ServiceSpec struct {