feat: Implement k8s auth provider

crates/keystone/src/assignment/types/provider_api.rs

@@ -18,8 +18,8 @@ use super::assignment::*;
 use crate::assignment::AssignmentProviderError;
 use crate::keystone::ServiceState;
 
-/// The trait covering `[Role](crate::role::Role)` assignments between `actors`
-/// and `objects`.
+/// The trait covering [`Role`](crate::role::types::Role) assignments between
+/// `actors` and `objects`.
 #[async_trait]
 pub trait AssignmentApi: Send + Sync {
     /// Create assignment grant.

crates/keystone/src/config.rs

@@ -31,6 +31,7 @@ mod federation;
 mod fernet_token;
 mod identity;
 mod identity_mapping;
+mod k8s_auth;
 mod policy;
 mod resource;
 mod revoke;
@@ -51,6 +52,7 @@ use federation::FederationProvider;
 pub use fernet_token::FernetTokenProvider;
 pub use identity::*;
 use identity_mapping::IdentityMappingProvider;
+use k8s_auth::K8sAuthProvider;
 use policy::PolicyProvider;
 use resource::ResourceProvider;
 use revoke::RevokeProvider;
@@ -111,6 +113,10 @@ pub struct Config {
     #[serde(default)]
     pub identity_mapping: IdentityMappingProvider,
 
+    /// K8s Auth provider configuration.
+    #[serde(default)]
+    pub k8s_auth: K8sAuthProvider,
+
     /// Resource provider configuration.
     #[serde(default)]
     pub resource: ResourceProvider,

crates/keystone/src/config/k8s_auth.rs

@@ -0,0 +1,32 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+use serde::Deserialize;
+
+use crate::config::common::default_sql_driver;
+
+/// K8s auth provider.
+#[derive(Debug, Deserialize, Clone)]
+pub struct K8sAuthProvider {
+    /// K8s auth provider backend.
+    #[serde(default = "default_sql_driver")]
+    pub driver: String,
+}
+
+impl Default for K8sAuthProvider {
+    fn default() -> Self {
+        Self {
+            driver: default_sql_driver(),
+        }
+    }
+}

crates/keystone/src/db/entity.rs

@@ -39,6 +39,8 @@ pub mod id_mapping;
 pub mod identity_provider;
 pub mod idp_remote_ids;
 pub mod implied_role;
+pub mod kubernetes_auth;
+pub mod kubernetes_auth_role;
 pub mod limit;
 pub mod local_user;
 pub mod mapping;

crates/keystone/src/db/entity/kubernetes_auth.rs

@@ -0,0 +1,62 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.19
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kubernetes_auth")]
+pub struct Model {
+    #[sea_orm(column_type = "Text", nullable)]
+    pub ca_cert: Option<String>,
+
+    pub domain_id: String,
+
+    pub enabled: bool,
+
+    pub host: String,
+
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: String,
+
+    pub name: Option<String>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(has_many = "super::kubernetes_auth_role::Entity")]
+    KubernetesAuthRole,
+    #[sea_orm(
+        belongs_to = "super::project::Entity",
+        from = "Column::DomainId",
+        to = "super::project::Column::Id",
+        on_update = "NoAction",
+        on_delete = "Cascade"
+    )]
+    Project,
+}
+
+impl Related<super::kubernetes_auth_role::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubernetesAuthRole.def()
+    }
+}
+
+impl Related<super::project::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Project.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}

crates/keystone/src/db/entity/kubernetes_auth_role.rs

@@ -0,0 +1,89 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+//! `SeaORM` Entity, @generated by sea-orm-codegen 1.1.19
+
+use sea_orm::entity::prelude::*;
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[sea_orm(table_name = "kubernetes_auth_role")]
+pub struct Model {
+    pub auth_configuration_id: String,
+
+    pub bound_audience: Option<String>,
+
+    #[sea_orm(column_type = "Text")]
+    pub bound_service_account_names: String,
+
+    #[sea_orm(column_type = "Text")]
+    pub bound_service_account_namespaces: String,
+
+    pub domain_id: String,
+
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub id: String,
+
+    pub enabled: bool,
+
+    pub name: String,
+
+    pub token_restriction_id: String,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::kubernetes_auth::Entity",
+        from = "Column::AuthConfigurationId",
+        to = "super::kubernetes_auth::Column::Id",
+        on_update = "NoAction",
+        on_delete = "Cascade"
+    )]
+    KubernetesAuth,
+    #[sea_orm(
+        belongs_to = "super::project::Entity",
+        from = "Column::DomainId",
+        to = "super::project::Column::Id",
+        on_update = "NoAction",
+        on_delete = "Cascade"
+    )]
+    Project,
+    #[sea_orm(
+        belongs_to = "super::token_restriction::Entity",
+        from = "Column::TokenRestrictionId",
+        to = "super::token_restriction::Column::Id",
+        on_update = "NoAction",
+        on_delete = "Cascade"
+    )]
+    TokenRestriction,
+}
+
+impl Related<super::kubernetes_auth::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::KubernetesAuth.def()
+    }
+}
+
+impl Related<super::project::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Project.def()
+    }
+}
+
+impl Related<super::token_restriction::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::TokenRestriction.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}

crates/keystone/src/db/entity/prelude.rs

@@ -38,6 +38,8 @@ pub use super::id_mapping::Entity as IdMapping;
 pub use super::identity_provider::Entity as IdentityProvider;
 pub use super::idp_remote_ids::Entity as IdpRemoteIds;
 pub use super::implied_role::Entity as ImpliedRole;
+pub use super::kubernetes_auth::Entity as KubernetesAuth;
+pub use super::kubernetes_auth_role::Entity as KubernetesAuthRole;
 pub use super::limit::Entity as Limit;
 pub use super::local_user::Entity as LocalUser;
 pub use super::mapping::Entity as Mapping;

crates/keystone/src/db_migration/m20260217_164934_k8.rs

@@ -0,0 +1,144 @@
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+use sea_orm_migration::{prelude::*, schema::*};
+
+use crate::db::entity::prelude::{Project, TokenRestriction};
+use crate::db::entity::{project, token_restriction};
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubernetesAuth::Table)
+                    .if_not_exists()
+                    .col(string_len(KubernetesAuth::Id, 64).primary_key())
+                    .col(string_len(KubernetesAuth::DomainId, 64))
+                    .col(string_len_null(KubernetesAuth::Name, 255))
+                    .col(string_len(KubernetesAuth::Host, 128))
+                    .col(boolean(KubernetesAuth::Enabled))
+                    .col(text_null(KubernetesAuth::CaCert))
+                    .foreign_key(
+                        ForeignKey::create()
+                            .name("fk-k8auth-domain")
+                            .from(KubernetesAuth::Table, KubernetesAuth::DomainId)
+                            .to(Project, project::Column::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .index(
+                        Index::create()
+                            .unique()
+                            .nulls_not_distinct()
+                            .name("idx-k8auth-domain-name")
+                            .col(KubernetesAuth::DomainId)
+                            .col(KubernetesAuth::Name),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+
+        manager
+            .create_table(
+                Table::create()
+                    .table(KubernetesAuthRole::Table)
+                    .if_not_exists()
+                    .col(string_len(KubernetesAuthRole::Id, 64).primary_key())
+                    .col(string_len(KubernetesAuthRole::DomainId, 64))
+                    .col(string_len(KubernetesAuthRole::AuthConfigurationId, 64))
+                    .col(string_len(KubernetesAuthRole::Name, 255))
+                    .col(boolean(KubernetesAuthRole::Enabled))
+                    .col(text(KubernetesAuthRole::BoundServiceAccountNames))
+                    .col(text(KubernetesAuthRole::BoundServiceAccountNamespaces))
+                    .col(string_len_null(KubernetesAuthRole::BoundAudience, 128))
+                    .col(string_len(KubernetesAuthRole::TokenRestrictionId, 64))
+                    .foreign_key(
+                        ForeignKey::create()
+                            .name("fk-k8role-domain")
+                            .from(KubernetesAuthRole::Table, KubernetesAuthRole::DomainId)
+                            .to(Project, project::Column::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .name("fk-k8role-k8")
+                            .from(
+                                KubernetesAuthRole::Table,
+                                KubernetesAuthRole::AuthConfigurationId,
+                            )
+                            .to(KubernetesAuth::Table, KubernetesAuth::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .foreign_key(
+                        ForeignKey::create()
+                            .name("fk-k8role-token-restriction")
+                            .from(
+                                KubernetesAuthRole::Table,
+                                KubernetesAuthRole::TokenRestrictionId,
+                            )
+                            .to(TokenRestriction, token_restriction::Column::Id)
+                            .on_delete(ForeignKeyAction::Cascade),
+                    )
+                    .index(
+                        Index::create()
+                            .unique()
+                            .nulls_not_distinct()
+                            .name("idx-k8role-domain-name")
+                            .col(KubernetesAuth::DomainId)
+                            .col(KubernetesAuth::Name),
+                    )
+                    .to_owned(),
+            )
+            .await?;
+        Ok(())
+    }
+
+    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+        manager
+            .drop_table(Table::drop().table(KubernetesAuthRole::Table).to_owned())
+            .await?;
+        manager
+            .drop_table(Table::drop().table(KubernetesAuth::Table).to_owned())
+            .await?;
+        Ok(())
+    }
+}
+
+#[derive(DeriveIden)]
+enum KubernetesAuth {
+    Table,
+    Id,
+    DomainId,
+    Name,
+    Enabled,
+    Host,
+    CaCert,
+}
+
+#[derive(DeriveIden)]
+enum KubernetesAuthRole {
+    Table,
+    Id,
+    DomainId,
+    AuthConfigurationId,
+    Name,
+    Enabled,
+    BoundServiceAccountNames,
+    BoundServiceAccountNamespaces,
+    BoundAudience,
+    TokenRestrictionId,
+}