feat: add DomainCA lookup option to PatchOIDC and Kcpsetup subroutines (#61)

* feat: add DomainCA lookup option to PatchOIDC and Kcpsetup subroutines

* chore: fix tests

* chore: fix tests

Author: aaronschweig

internal/config/config.go

@@ -25,9 +25,10 @@ type OperatorConfig struct {
 			Enabled bool `mapstructure:"subroutines-provider-secret-enabled" default:"true"`
 		} `mapstructure:",squash"`
 		PatchOIDC struct {
-			ConfigMapName string `mapstructure:"subroutines-patch-oidc-configmap-name" default:"oidc-authentication-config"`
-			Namespace     string `mapstructure:"subroutines-patch-oidc-namespace" default:"platform-mesh-system"`
-			BaseDomain    string `mapstructure:"subroutines-patch-oidc-basedomain" default:"portal.dev.local:8443"`
+			ConfigMapName  string `mapstructure:"subroutines-patch-oidc-configmap-name" default:"oidc-authentication-config"`
+			Namespace      string `mapstructure:"subroutines-patch-oidc-namespace" default:"platform-mesh-system"`
+			BaseDomain     string `mapstructure:"subroutines-patch-oidc-basedomain" default:"portal.dev.local:8443"`
+			DomainCALookup bool   `mapstructure:"subroutines-patch-oidc-domain-ca-lookup" default:"false"`
 		} `mapstructure:",squash"`
 	} `mapstructure:",squash"`
 }

internal/controller/platformmesh_controller.go

@@ -83,7 +83,7 @@ func NewPlatformMeshReconciler(log *logger.Logger, mgr ctrl.Manager, cfg *config
 		subs = append(subs, subroutines.NewDeploymentSubroutine(mgr.GetClient(), commonCfg, cfg))
 	}
 	if cfg.Subroutines.KcpSetup.Enabled {
-		subs = append(subs, subroutines.NewKcpsetupSubroutine(mgr.GetClient(), &subroutines.Helper{}, dir+"/manifests/kcp", kcpUrl))
+		subs = append(subs, subroutines.NewKcpsetupSubroutine(mgr.GetClient(), &subroutines.Helper{}, cfg, dir+"/manifests/kcp", kcpUrl))
 	}
 	if cfg.Subroutines.ProviderSecret.Enabled {
 		subs = append(subs, subroutines.NewProviderSecretSubroutine(mgr.GetClient(), &subroutines.Helper{}, subroutines.DefaultHelmGetter{}, kcpUrl))

internal/controller/realm_controller.go

@@ -32,6 +32,7 @@ func NewRealmReconciler(mgr ctrl.Manager, log *logger.Logger, cfg *config.Operat
 					cfg.Subroutines.PatchOIDC.ConfigMapName,
 					cfg.Subroutines.PatchOIDC.Namespace,
 					cfg.Subroutines.PatchOIDC.BaseDomain,
+					cfg.Subroutines.PatchOIDC.DomainCALookup,
 				),
 			},
 			"platform-mesh-operator",

manifests/kcp/workspace-authentication-configuration.yaml

@@ -5,10 +5,13 @@ metadata:
 spec:
   jwt:
     - issuer:
-        url: https://{{ .baseDomain }}/keycloak/realms/welcome
+        url: https://{{ .baseDomainWithPort }}/keycloak/realms/welcome
         audiences:
           - welcome
         audienceMatchPolicy: MatchAny
+        {{- with .domainCA }}
+        certificateAuthority: {{ . }}
+        {{- end }}
       claimMappings:
         groups:
           claim: groups

pkg/subroutines/kcpsetup.go

@@ -46,21 +46,23 @@ type KcpsetupSubroutine struct {
 	kcpDirectory string
 	// Cache for CA bundles to avoid redundant secret lookups
 	caBundleCache map[string]string
+	cfg           *config.OperatorConfig
 }
 
 const (
 	KcpsetupSubroutineName      = "KcpsetupSubroutine"
 	KcpsetupSubroutineFinalizer = "platform-mesh.core.platform-mesh.io/finalizer"
 )
 
-func NewKcpsetupSubroutine(client client.Client, helper KcpHelper, kcpdir string, kcpUrl string) *KcpsetupSubroutine {
+func NewKcpsetupSubroutine(client client.Client, helper KcpHelper, cfg *config.OperatorConfig, kcpdir string, kcpUrl string) *KcpsetupSubroutine {
 	return &KcpsetupSubroutine{
 		client:        client,
 		kcpDirectory:  kcpdir,
 		kcpUrl:        kcpUrl,
 		kcpHelper:     helper,
 		helm:          DefaultHelmGetter{},
 		caBundleCache: make(map[string]string),
+		cfg:           cfg,
 	}
 }
 
@@ -71,9 +73,6 @@ func (r *KcpsetupSubroutine) GetName() string {
 func (r *KcpsetupSubroutine) Finalize(
 	ctx context.Context, runtimeObj runtimeobject.RuntimeObject,
 ) (ctrl.Result, errors.OperatorError) {
-	instance := runtimeObj.(*corev1alpha1.PlatformMesh)
-	_ = instance
-
 	return ctrl.Result{}, nil // TODO: Implement
 }
 
@@ -244,6 +243,12 @@ func (r *KcpsetupSubroutine) createKcpResources(ctx context.Context, config *res
 		templateData["port"] = fmt.Sprintf("%d", inst.Spec.Exposure.Port)
 	}
 
+	if templateData["port"] != "443" {
+		templateData["baseDomainWithPort"] = fmt.Sprintf("%s:%s", templateData["baseDomain"], templateData["port"])
+	} else {
+		templateData["baseDomainWithPort"] = templateData["baseDomain"]
+	}
+
 	err = r.applyDirStructure(ctx, dir, "root", config, templateData, inst)
 	if err != nil {
 		log.Err(err).Msg("Failed to apply dir structure")
@@ -296,6 +301,22 @@ func (r *KcpsetupSubroutine) getCABundleInventory(
 	validatingB64Data := base64.StdEncoding.EncodeToString(validatingCaData)
 	caBundles[validatingKey] = validatingB64Data
 
+	if r.cfg.Subroutines.PatchOIDC.DomainCALookup {
+		domainCA, err := r.getCaBundle(ctx, &corev1alpha1.WebhookConfiguration{
+			SecretData: "tls.crt",
+			SecretRef: corev1alpha1.SecretReference{
+				Name:      "domain-certificate-ca",
+				Namespace: "platform-mesh-system",
+			},
+		})
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to get Domain CA bundle")
+			return nil, errors.Wrap(err, "Failed to get Domain CA bundle")
+		}
+
+		caBundles["domainCA"] = base64.StdEncoding.EncodeToString(domainCA)
+	}
+
 	// Cache the results
 	r.caBundleCache = caBundles
 

pkg/subroutines/kcpsetup_test.go

@@ -149,7 +149,7 @@ func (s *KcpsetupTestSuite) Test_getCABundleInventory() {
 
 	// Test case 2: Secret not found
 	// Create a new instance to clear the cache
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "")
 
 	// Mock the mutating webhook secret lookup to return error
 	s.clientMock.EXPECT().
@@ -224,7 +224,7 @@ func (s *KcpsetupTestSuite) SetupTest() {
 	s.clientMock = new(mocks.Client)
 	s.helperMock = new(mocks.KcpHelper)
 	s.log, _ = logger.New(logger.DefaultConfig())
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, ManifestStructureTest, "https://kcp.example.com")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "https://kcp.example.com")
 }
 
 func (s *KcpsetupTestSuite) TearDownTest() {
@@ -430,15 +430,15 @@ func (s *KcpsetupTestSuite) TestProcess() {
 	s.Assert().Equal(ctrl.Result{}, result)
 
 	// Test error case - create a new instance to clear the cache
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, ManifestStructureTest, "https://kcp.example.com")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, s.helperMock, &config.OperatorConfig{}, ManifestStructureTest, "https://kcp.example.com")
 }
 
 func (s *KcpsetupTestSuite) Test_getAPIExportHashInventory() {
 	// mocks
 	mockKcpClient := new(mocks.Client)
 	mockedKcpHelper := new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil).Times(3)
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
 
 	apiexport := &kcpapiv1alpha.APIExport{
 		Status: kcpapiv1alpha.APIExportStatus{
@@ -515,7 +515,7 @@ func (s *KcpsetupTestSuite) Test_Constructor() {
 	helper := &subroutines.Helper{}
 
 	// create new test object
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, helper, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, helper, &config.OperatorConfig{}, ManifestStructureTest, "")
 }
 
 func (s *KcpsetupTestSuite) TestFinalizers() {
@@ -581,7 +581,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	// test err1 - expect error when NewKcpClient fails
 	mockedKcpHelper := new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(nil, errors.New("failed to create client"))
-	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(s.clientMock, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
 
 	err := s.testObj.CreateKcpResources(context.Background(), &rest.Config{}, ManifestStructureTest, &corev1alpha1.PlatformMesh{})
 	s.Assert().Error(err)
@@ -592,7 +592,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	mockKcpClient := new(mocks.Client)
 	mockedKcpHelper = new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil)
-	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
 
 	// Mock both webhook secret lookups for CA bundle inventory
 	webhookConfig := subroutines.DEFAULT_WEBHOOK_CONFIGURATION
@@ -671,7 +671,7 @@ func (s *KcpsetupTestSuite) TestCreateWorkspaces() {
 	mockKcpClient = new(mocks.Client)
 	mockedKcpHelper = new(mocks.KcpHelper)
 	mockedKcpHelper.EXPECT().NewKcpClient(mock.Anything, mock.Anything).Return(mockKcpClient, nil)
-	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, ManifestStructureTest, "")
+	s.testObj = subroutines.NewKcpsetupSubroutine(mockedK8sClient, mockedKcpHelper, &config.OperatorConfig{}, ManifestStructureTest, "")
 
 	// Mock both secret lookups again (they should be cached from previous call)
 	// Since we're creating a new instance, the cache is cleared, so we need to mock again

pkg/subroutines/patch_oidc.go

@@ -8,29 +8,31 @@ import (
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/runtimeobject"
 	"github.com/platform-mesh/golang-commons/controller/lifecycle/subroutine"
 	"github.com/platform-mesh/golang-commons/errors"
-	"gopkg.in/yaml.v3"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/yaml"
 
 	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apiserver/pkg/apis/apiserver"
+	apiserverv1beta1 "k8s.io/apiserver/pkg/apis/apiserver/v1beta1"
 	"k8s.io/utils/ptr"
 )
 
 type PatchOIDCSubroutine struct {
-	cl            client.Client
-	baseDomain    string
-	configMapName string
-	namespace     string
+	cl             client.Client
+	baseDomain     string
+	configMapName  string
+	namespace      string
+	domainCALookup bool
 }
 
-func NewPatchOIDCSubroutine(cl client.Client, configMapName, namespace, baseDomain string) *PatchOIDCSubroutine {
+func NewPatchOIDCSubroutine(cl client.Client, configMapName, namespace, baseDomain string, domainCALookup bool) *PatchOIDCSubroutine {
 	return &PatchOIDCSubroutine{
-		cl:            cl,
-		baseDomain:    baseDomain,
-		configMapName: configMapName,
-		namespace:     namespace,
+		cl:             cl,
+		baseDomain:     baseDomain,
+		configMapName:  configMapName,
+		namespace:      namespace,
+		domainCALookup: domainCALookup,
 	}
 }
 
@@ -49,13 +51,13 @@ func (p *PatchOIDCSubroutine) Finalize(ctx context.Context, instance runtimeobje
 			oidcCM.Data = map[string]string{}
 		}
 
-		var structuredAuth apiserver.AuthenticationConfiguration
+		var structuredAuth apiserverv1beta1.AuthenticationConfiguration
 		err := yaml.Unmarshal([]byte(configYaml), &structuredAuth)
 		if err != nil {
 			return err
 		}
 
-		structuredAuth.JWT = slices.DeleteFunc(structuredAuth.JWT, func(j apiserver.JWTAuthenticator) bool {
+		structuredAuth.JWT = slices.DeleteFunc(structuredAuth.JWT, func(j apiserverv1beta1.JWTAuthenticator) bool {
 			return j.Issuer.URL == fmt.Sprintf("https://%s/keycloak/realms/%s", p.baseDomain, name)
 		})
 
@@ -91,37 +93,66 @@ func (p *PatchOIDCSubroutine) Process(ctx context.Context, instance runtimeobjec
 	oidcCM.SetName(p.configMapName)
 	oidcCM.SetNamespace(p.namespace)
 
+	var domainCA string
+	if p.domainCALookup {
+		var domainCASecret corev1.Secret
+		err := p.cl.Get(ctx, client.ObjectKey{Name: "domain-certificate-ca", Namespace: p.namespace}, &domainCASecret)
+		if err != nil {
+			return ctrl.Result{}, errors.NewOperatorError(err, true, true)
+		}
+
+		domainCA = string(domainCASecret.Data["tls.crt"])
+	}
+
 	_, err := controllerutil.CreateOrPatch(ctx, p.cl, &oidcCM, func() error {
 
 		configYaml, ok := oidcCM.Data["config.yaml"]
 		if !ok {
 			oidcCM.Data = map[string]string{}
 		}
 
-		var structuredAuth apiserver.AuthenticationConfiguration
+		var structuredAuth apiserverv1beta1.AuthenticationConfiguration
 		err := yaml.Unmarshal([]byte(configYaml), &structuredAuth)
 		if err != nil {
 			return err
 		}
 
-		structuredAuth.JWT = append(structuredAuth.JWT, apiserver.JWTAuthenticator{
-			Issuer: apiserver.Issuer{
+		oidcConfig := apiserverv1beta1.JWTAuthenticator{
+			Issuer: apiserverv1beta1.Issuer{
 				URL:                 fmt.Sprintf("https://%s/keycloak/realms/%s", p.baseDomain, name),
 				Audiences:           []string{name},
-				AudienceMatchPolicy: apiserver.AudienceMatchPolicyMatchAny,
+				AudienceMatchPolicy: apiserverv1beta1.AudienceMatchPolicyMatchAny,
 			},
-			ClaimMappings: apiserver.ClaimMappings{
-				Username: apiserver.PrefixedClaimOrExpression{
+			ClaimMappings: apiserverv1beta1.ClaimMappings{
+				Username: apiserverv1beta1.PrefixedClaimOrExpression{
 					Claim:  "email",
 					Prefix: ptr.To(""),
 				},
-				Groups: apiserver.PrefixedClaimOrExpression{
+				Groups: apiserverv1beta1.PrefixedClaimOrExpression{
 					Claim:  "groups",
 					Prefix: ptr.To(""),
 				},
 			},
+		}
+
+		if p.domainCALookup {
+			oidcConfig.Issuer.CertificateAuthority = domainCA
+		}
+
+		idx := slices.IndexFunc(structuredAuth.JWT, func(j apiserverv1beta1.JWTAuthenticator) bool {
+			return j.Issuer.URL == fmt.Sprintf("https://%s/keycloak/realms/%s", p.baseDomain, name)
 		})
 
+		if idx != -1 {
+			structuredAuth.JWT[idx] = oidcConfig
+		} else {
+			structuredAuth.JWT = append(structuredAuth.JWT, oidcConfig)
+		}
+
+		if structuredAuth.GroupVersionKind().Empty() {
+			structuredAuth.SetGroupVersionKind(apiserverv1beta1.ConfigSchemeGroupVersion.WithKind("AuthenticationConfiguration"))
+		}
+
 		rawYaml, err := yaml.Marshal(&structuredAuth)
 		if err != nil {
 			return err