feat: Add OPA support (#573)

* test: Add integration test for OPA

* test: Extend the OPA test

* feat: Allow the configuration of OPA

* chore: Update changelog

* chore: Run pre-commit hook

* chore: Update operator-rs

* test(opa): Remove unnecessary test scripts

* docs: Document the authorization with OPA

* chore: Upgrade stackable-operator to version 0.86.0

* docs: Extend the OPA documentation

* chore: Regenerate charts

* docs: Fix link

* test: Remove custom image from the test definitions

* Regenerate Nix files

* Fix merge commit slightly

* Fix Clippy warning

* test: Fix OPA integration test for Airflow 2.9.2 and 2.9.3

* test: Increase timeout in the logging integration test

---------

Co-authored-by: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>

Author: siegfriedweber

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - Run a `containerdebug` process in the background of each Airflow container to collect debugging information ([#557]).
 - Aggregate emitted Kubernetes events on the CustomResources ([#571]).
+- Add OPA support ([#573]).
 
 ### Changed
 
@@ -14,6 +15,7 @@
 [#557]: https://github.com/stackabletech/airflow-operator/pull/557
 [#571]: https://github.com/stackabletech/airflow-operator/pull/571
 [#572]: https://github.com/stackabletech/airflow-operator/pull/572
+[#573]: https://github.com/stackabletech/airflow-operator/pull/573
 
 ## [24.11.1] - 2025-01-09
 

Cargo.lock

@@ -11,7 +11,7 @@ repository = "https://github.com/stackabletech/airflow-operator"
 
 [workspace.dependencies]
 stackable-versioned = { git = "https://github.com/stackabletech/operator-rs.git", features = ["k8s"], tag = "stackable-versioned-0.5.0" }
-stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.85.0" }
+stackable-operator = { git = "https://github.com/stackabletech/operator-rs.git", tag = "stackable-operator-0.86.0" }
 product-config = { git = "https://github.com/stackabletech/product-config.git", tag = "0.7.0" }
 
 anyhow = "1.0"

Cargo.nix

@@ -492,6 +492,42 @@ spec:
                           - authenticationClass
                         type: object
                       type: array
+                    authorization:
+                      description: Authorization options. Learn more in the [Airflow authorization usage guide](https://docs.stackable.tech/home/nightly/airflow/usage-guide/security#_authorization).
+                      nullable: true
+                      properties:
+                        opa:
+                          description: Configure the OPA stacklet [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) and the name of the Rego package containing your authorization rules. Consult the [OPA authorization documentation](https://docs.stackable.tech/home/nightly/concepts/opa) to learn how to deploy Rego authorization rules with OPA.
+                          nullable: true
+                          properties:
+                            cache:
+                              default:
+                                entryTimeToLive: 30s
+                                maxEntries: 10000
+                              description: Least Recently Used (LRU) cache with per-entry time-to-live (TTL) value.
+                              properties:
+                                entryTimeToLive:
+                                  default: 30s
+                                  description: Time to live per entry
+                                  type: string
+                                maxEntries:
+                                  default: 10000
+                                  description: Maximum number of entries in the cache; If this threshold is reached then the least recently used item is removed.
+                                  format: uint32
+                                  minimum: 0.0
+                                  type: integer
+                              type: object
+                            configMapName:
+                              description: The [discovery ConfigMap](https://docs.stackable.tech/home/nightly/concepts/service_discovery) for the OPA stacklet that should be used for authorization requests.
+                              type: string
+                            package:
+                              description: The name of the Rego package containing the Rego rules for the product.
+                              nullable: true
+                              type: string
+                          required:
+                            - configMapName
+                          type: object
+                      type: object
                     credentialsSecret:
                       description: The name of the Secret object containing the admin user credentials and database connection details. Read the [getting started guide first steps](https://docs.stackable.tech/home/nightly/airflow/getting_started/first_steps) to find out more.
                       type: string