vmauth: JWT support

.golangci.yml

@@ -44,7 +44,7 @@ linters:
           alias: metav1
         - pkg: k8s.io/api/apps/v1
           alias: appsv1
-        - pkg: k8s.io/api/autoscaling/v2"
+        - pkg: k8s.io/api/autoscaling/v2
           alias: autoscalingv2
         - pkg: k8s.io/apimachinery/pkg/api/errors
           alias: k8serrors

api/operator/v1beta1/vmauth_types.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -98,6 +99,9 @@ type VMAuthSpec struct {
 	// currently it has collision with inlined fields
 	// IPFilters VMUserIPFilters `json:"ip_filters,omitempty"`
 
+	// JWTIssuers represents configuration section for JWT issuers
+	// +optional
+	JWTIssuers []*VMAuthJWTIssuer `json:"jwt_issuers,omitempty"`
 	// License allows to configure license key to be used for enterprise features.
 	// Using license key is supported starting from VictoriaMetrics v1.94.0.
 	// See [here](https://docs.victoriametrics.com/victoriametrics/enterprise/)
@@ -147,6 +151,26 @@ type VMAuthSpec struct {
 	HPA *EmbeddedHPA `json:"hpa,omitempty"`
 }
 
+// VMAuthJWTIssuer defines JWT issuer parameters
+type VMAuthJWTIssuer struct {
+	// Match defines map of claims to match issuer against
+	Match map[string]string `json:"match,omitempty"`
+	// DiscoveryURL is OpenID Connect discovery URL
+	// +optional
+	DiscoveryURL string `json:"discovery_url,omitempty"`
+	// JWKsURL is the OpenID Connect JWKS URL
+	// +optional
+	JWKsURL string `json:"jwks_url,omitempty"`
+	// PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
+	// for verifying JWT tokens
+	PublicKeyFiles []string `json:"public_key_files,omitempty"`
+	// PublicKeySecrets is a list of k8s Secret selectors pointing to public key files in PEM format to use
+	// for verifying JWT tokens
+	PublicKeySecrets []*corev1.SecretKeySelector `json:"public_key_secrets,omitempty"`
+	// SyncPeriod defines how frequently JWT issuer keys are synchronized
+	SyncPeriod string `json:"sync_period,omitempty"`
+}
+
 // VMAuthUnauthorizedUserAccessSpec defines unauthorized_user section configuration for vmauth
 type VMAuthUnauthorizedUserAccessSpec struct {
 	// URLPrefix defines prefix prefix for destination
@@ -447,7 +471,6 @@ func (cr *VMAuth) Validate() error {
 			return fmt.Errorf("incorrect cr.spec UnauthorizedAccessConfig options: %w", err)
 		}
 	}
-
 	if cr.Spec.UnauthorizedUserAccessSpec != nil {
 		if err := cr.Spec.UnauthorizedUserAccessSpec.Validate(); err != nil {
 			return fmt.Errorf("incorrect cr.spec.UnauthorizedUserAccess syntax: %w", err)

api/operator/v1beta1/vmuser_types.go

@@ -16,6 +16,8 @@ type VMUserSpec struct {
 	// Name of the VMUser object.
 	// +optional
 	Name *string `json:"name,omitempty"`
+	// JWTToken defines JWT auth section for user
+	JWTToken *VMUserJWTToken `json:"jwt_token,omitempty"`
 	// Username basic auth user name for accessing protected endpoint,
 	// will be replaced with metadata.name of VMUser if omitted.
 	// +optional
@@ -53,6 +55,14 @@ type VMUserSpec struct {
 	ManagedMetadata *ManagedObjectsMetadata `json:"managedMetadata,omitempty"`
 }
 
+// VMUserJWTToken describes JWT auth for user
+type VMUserJWTToken struct {
+	// Match defines claim match map
+	Match map[string]string `json:"match,omitempty" yaml:"match,omitempty"`
+	// AllowUnhealthy defines if unhealthy JWT issuer status is ignored
+	AllowUnhealthy bool `json:"allow_unhealthy,omitempty" yaml:"allow_unhealthy,omitempty"`
+}
+
 // TargetRef describes target for user traffic forwarding.
 // one of target types can be chosen:
 // crd or static per targetRef.

config/crd/overlay/crd.yaml

@@ -25978,6 +25978,64 @@ spec:
                   and v1.111.0 vmauth version
                   related doc https://docs.victoriametrics.com/victoriametrics/vmauth/#security
                 type: string
+              jwt_issuers:
+                description: JWTIssuers represents configuration section for JWT issuers
+                items:
+                  description: VMAuthJWTIssuer defines JWT issuer parameters
+                  properties:
+                    discovery_url:
+                      description: DiscoveryURL is OpenID Connect discovery URL
+                      type: string
+                    jwks_url:
+                      description: JWKsURL is the OpenID Connect JWKS URL
+                      type: string
+                    match:
+                      additionalProperties:
+                        type: string
+                      description: Match defines map of claims to match issuer against
+                      type: object
+                    public_key_files:
+                      description: |-
+                        PublicKeyFiles is a list of paths pointing to public key files in PEM format to use
+                        for verifying JWT tokens
+                      items:
+                        type: string
+                      type: array
+                    public_key_secrets:
+                      description: |-
+                        PublicKeySecrets is a list of k8s Secret selectors pointing to public key files in PEM format to use
+                        for verifying JWT tokens
+                      items:
+                        description: SecretKeySelector selects a key of a Secret.
+                        properties:
+                          key:
+                            description: The key of the secret to select from.  Must
+                              be a valid secret key.
+                            type: string
+                          name:
+                            default: ""
+                            description: |-
+                              Name of the referent.
+                              This field is effectively required, but due to backwards compatibility is
+                              allowed to be empty. Instances of this type with an empty value here are
+                              almost certainly wrong.
+                              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                            type: string
+                          optional:
+                            description: Specify whether the Secret or its key must
+                              be defined
+                            type: boolean
+                        required:
+                        - key
+                        type: object
+                        x-kubernetes-map-type: atomic
+                      type: array
+                    sync_period:
+                      description: SyncPeriod defines how frequently JWT issuer keys
+                        are synchronized
+                      type: string
+                  type: object
+                type: array
               license:
                 description: |-
                   License allows to configure license key to be used for enterprise features.
@@ -41988,6 +42046,19 @@ spec:
                       type: string
                     type: array
                 type: object
+              jwt_token:
+                description: JWTToken defines JWT auth section for user
+                properties:
+                  allow_unhealthy:
+                    description: AllowUnhealthy defines if unhealthy JWT issuer status
+                      is ignored
+                    type: boolean
+                  match:
+                    additionalProperties:
+                      type: string
+                    description: Match defines claim match map
+                    type: object
+                type: object
               load_balancing_policy:
                 description: |-
                   LoadBalancingPolicy defines load balancing policy to use for backend urls.