kcp-dev
diff --git a/‎config/crd/bases/operator.kcp.io_frontproxies.yaml‎
Lines changed: 16 additions & 0 deletions b/‎config/crd/bases/operator.kcp.io_frontproxies.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎config/crd/bases/operator.kcp.io_rootshards.yaml‎
Lines changed: 16 additions & 0 deletions b/‎config/crd/bases/operator.kcp.io_rootshards.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎config/crd/bases/operator.kcp.io_shards.yaml‎
Lines changed: 16 additions & 0 deletions b/‎config/crd/bases/operator.kcp.io_shards.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎go.mod‎
Lines changed: 6 additions & 6 deletions b/‎go.mod‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎go.sum‎
Lines changed: 12 additions & 12 deletions b/‎go.sum‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎internal/resources/utils/authentication.go‎
Lines changed: 18 additions & 1 deletion b/‎internal/resources/utils/authentication.go‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎sdk/apis/operator/v1alpha1/common.go‎
Lines changed: 12 additions & 0 deletions b/‎sdk/apis/operator/v1alpha1/common.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎sdk/apis/operator/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 21 additions & 1 deletion b/‎sdk/apis/operator/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎sdk/applyconfiguration/operator/v1alpha1/oidccafileref.go‎
Lines changed: 48 additions & 0 deletions b/‎sdk/applyconfiguration/operator/v1alpha1/oidccafileref.go‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎sdk/applyconfiguration/operator/v1alpha1/oidcconfiguration.go‎
Lines changed: 16 additions & 7 deletions b/‎sdk/applyconfiguration/operator/v1alpha1/oidcconfiguration.go‎
Lines changed: 16 additions & 7 deletions
@@ -90,6 +90,22 @@ spec:
                   oidc:
                     description: 'Optional: OIDC configures OpenID Connect Authentication.'
                     properties:
+                      caFileRef:
+                        description: |-
+                          Optionally provides a reference to a secret that contains a CA bundle for the OIDC issuer. This is useful when
+                          the OIDC issuer is not publicly trusted.
+                        properties:
+                          key:
+                            description: Key is the key in the secret that contains
+                              the CA file. Defaults to "ca.crt".
+                            type: string
+                          name:
+                            description: Name is the name of the secret that contains
+                              the CA file.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       clientID:
                         description: ClientID is the OIDC client ID configured on
                           the issuer side for this KCP instance.
 
@@ -133,6 +133,22 @@ spec:
                   oidc:
                     description: 'Optional: OIDC configures OpenID Connect Authentication.'
                     properties:
+                      caFileRef:
+                        description: |-
+                          Optionally provides a reference to a secret that contains a CA bundle for the OIDC issuer. This is useful when
+                          the OIDC issuer is not publicly trusted.
+                        properties:
+                          key:
+                            description: Key is the key in the secret that contains
+                              the CA file. Defaults to "ca.crt".
+                            type: string
+                          name:
+                            description: Name is the name of the secret that contains
+                              the CA file.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       clientID:
                         description: ClientID is the OIDC client ID configured on
                           the issuer side for this KCP instance.
 
@@ -133,6 +133,22 @@ spec:
                   oidc:
                     description: 'Optional: OIDC configures OpenID Connect Authentication.'
                     properties:
+                      caFileRef:
+                        description: |-
+                          Optionally provides a reference to a secret that contains a CA bundle for the OIDC issuer. This is useful when
+                          the OIDC issuer is not publicly trusted.
+                        properties:
+                          key:
+                            description: Key is the key in the secret that contains
+                              the CA file. Defaults to "ca.crt".
+                            type: string
+                          name:
+                            description: Name is the name of the secret that contains
+                              the CA file.
+                            type: string
+                        required:
+                        - name
+                        type: object
                       clientID:
                         description: ClientID is the OIDC client ID configured on
                           the issuer side for this KCP instance.
 
@@ -87,13 +87,13 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 // indirect
-	golang.org/x/mod v0.20.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 
@@ -185,34 +185,34 @@ golang.org/x/exp v0.0.0-20240823005443-9b4947da3948 h1:kx6Ds3MlpiUHKj7syVnbp57++
 golang.org/x/exp v0.0.0-20240823005443-9b4947da3948/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0=
-golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
 golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
 golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 
@@ -56,7 +56,24 @@ func applyOIDCConfiguration(deployment *appsv1.Deployment, config operatorv1alph
 		extraArgs = append(extraArgs, fmt.Sprintf("--oidc-groups-prefix=%s", val))
 	}
 
-	// TODO(mjudeikis): Add support for  when OIDC is not publically trusted --oidc-ca-file=/etc/kcp/tls/oidc/<ca-secret-name>
+	if val := config.CAFileRef; val != nil {
+		extraArgs = append(extraArgs, fmt.Sprintf("--oidc-ca-file=/etc/kcp/tls/oidc/%s", val.Key))
+
+		podSpec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "oidc-ca-file",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: val.Name,
+				},
+			},
+		})
+
+		podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
+			Name:      "oidc-ca-file",
+			MountPath: "/etc/kcp/tls/oidc",
+			ReadOnly:  true,
+		})
+	}
 
 	podSpec.Containers[0].Args = append(podSpec.Containers[0].Args, extraArgs...)
 	deployment.Spec.Template.Spec = podSpec
 
@@ -379,4 +379,16 @@ type OIDCConfiguration struct {
 	// Optionally sets a custom username prefix. This defaults to "oidc:" if unset, which means a user called "[email protected]"
 	// on the OIDC side will be recognised as "oidc:[email protected]" in KCP.
 	UsernamePrefix string `json:"usernamePrefix,omitempty"`
+
+	// Optionally provides a reference to a secret that contains a CA bundle for the OIDC issuer. This is useful when
+	// the OIDC issuer is not publicly trusted.
+	CAFileRef *OIDCCAFileRef `json:"caFileRef,omitempty"`
+}
+
+type OIDCCAFileRef struct {
+	// Name is the name of the secret that contains the CA file.
+	Name string `json:"name"`
+	// Key is the key in the secret that contains the CA file. Defaults to "ca.crt".
+	// +optional
+	Key string `json:"key,omitempty"`
 }