From 52a445530f4e55b977141f038180fb36ad349f56 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 22 Jan 2024 16:33:07 +0100
Subject: [PATCH 1/5] Add ADR035: User info fetcher CRD changes
---
 .../pages/adr/ADR035-user-info-fetcher.adoc | 76 +++++++++++++++++++
 .../contributor/partials/current_adrs.adoc | 1 +
 2 files changed, 77 insertions(+)
 create mode 100644 modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc
diff --git a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc
new file mode 100644
index 000000000..eabf7bd7d
--- /dev/null
+++ b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc
@@ -0,0 +1,76 @@
+= ADR035: User info fetcher CRD changes
+Sebastian Bernauer
+v0.1, 2024-01-22
+:status: [draft]
+
+* Status: {status}
+* Date: 2024-01-22
+
+Technical Story: https://github.com/stackabletech/opa-operator/issues/478
+
+== Context and Problem Statement
+
+From the https://docs.stackable.tech/home/nightly/opa/usage-guide/user-info-fetcher[documentation for user-info-fetcher]:
+
+> The User info fetcher allows for additional information to be obtained from the configured backend (for example, Keycloak). You can then write Rego rules for OpenPolicyAgent which make an HTTP request to the User info fetcher and make use of the additional information returned for the username or user id.
+
+We need to design a CRD change for users to enable the UIF.
+
+== Considered Options
+
+=== Stand-alone CRD
+
+Create a new CRD, e.g. UserInfoFetcher and have a controller for it that e.g. creates a DaemonSet.
+A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap.
+
+* Good, because a UIF instance can be shared across multiple OPA clusters -> Simplicity and improves caching as well
+* Bad, because OPA clusters would need to authenticate against UIF clusters.
+* Bad, because UIF might need some form of authorization as well
+
+=== Integrate in OpaCluster
+
+A OpaCluster has a new section that allows to spin a UIF as a sidecar within the Opa DaemonSet.
+
+[source,yaml]
+----
+apiVersion: opa.stackable.tech/v1alpha1
+kind: OpaCluster
+metadata:
+ name: opa
+spec:
+ image:
+ productVersion: 0.57.0
+ clusterConfig:
+ userInfo:
+ backend:
+ keycloak:
+ hostname: keycloak.my-namespace.svc.cluster.local
+ port: 8443
+ tls:
+ verification:
+ server:
+ caCert:
+ secretClass: tls
+ clientCredentialsSecret: user-info-fetcher-client-credentials
+ adminRealm: master
+ userRealm: master
+ cache: # optional, enabled by default
+ entryTimeToLive: 60s # optional, defaults to 60s
+ servers:
+ roleGroups:
+ default: {}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: user-info-fetcher-client-credentials
+stringData:
+ clientId: user-info-fetcher
+ clientSecret: user-info-fetcher-client-secret
+----
+
+* Good, because only accessible via loopback to OPA clusters -> No authentication or authorization needed.
+
+== Decision Outcome
+
+Chosen option: "Integrate in OpaCluster", because we wanted to avoid the whole authentication and authorization story.
diff --git a/modules/contributor/partials/current_adrs.adoc b/modules/contributor/partials/current_adrs.adoc
index 77966be43..1be184f74 100644
--- a/modules/contributor/partials/current_adrs.adoc
+++ b/modules/contributor/partials/current_adrs.adoc
@@ -29,3 +29,4 @@
 **** xref:adr/ADR030-allowed-pod-disruptions.adoc[]
 **** xref:adr/ADR031-resource-labels.adoc[]
 **** xref:adr/ADR032-oidc-support.adoc[]
+**** xref:adr/ADR035-user-info-fetcher.adoc[]
From 1694f492cdefa4149c48fd54a8f4eefff042c045 Mon Sep 17 00:00:00 2001
From: Sebastian Bernauer
Date: Mon, 22 Jan 2024 16:39:04 +0100
Subject: [PATCH 2/5] more crd docs
---
 modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc
index eabf7bd7d..8befdf0aa 100644
--- a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc
+++ b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc @@ -31,6 +31,10 @@ A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap A OpaCluster has a new section that allows to spin a UIF as a sidecar within the Opa DaemonSet. +The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the admin and user realm and a very simplistic cache. + +The cache will be probably extended in the future (e.g. max number of entries or users that should not be cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.` + [source,yaml] ---- apiVersion: opa.stackable.tech/v1alpha1 From 88350d0890d3ecc4954dc7c2bc158855a904060f Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Mon, 22 Jan 2024 16:45:56 +0100 Subject: [PATCH 3/5] wording --- .../contributor/pages/adr/ADR035-user-info-fetcher.adoc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc index 8befdf0aa..d09688773 100644 --- a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc +++ b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc 
@@ -20,19 +20,18 @@ We need to design a CRD change for users to enable the UIF. === Stand-alone CRD -Create a new CRD, e.g. UserInfoFetcher and have a controller for it that e.g. creates a DaemonSet. +We could create a new CRD, e.g. UserInfoFetcher and have a controller for it that creates a DaemonSet. A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap. -* Good, because a UIF instance can be shared across multiple OPA clusters -> Simplicity and improves caching as well +* Good, because a UIF instance can be shared across multiple OPA clusters -> Simple and improved caching * Bad, because OPA clusters would need to authenticate against UIF clusters. * Bad, because UIF might need some form of authorization as well === Integrate in OpaCluster -A OpaCluster has a new section that allows to spin a UIF as a sidecar within the Opa DaemonSet. +Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet. The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the admin and user realm and a very simplistic cache. - The cache will be probably extended in the future (e.g. max number of entries or users that should not be cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.` [source,yaml] From d97d1817d6e96110052d983fab7b868d7263a829 Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Tue, 23 Jan 2024 09:28:19 +0100 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Nick --- .../pages/adr/ADR035-user-info-fetcher.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc index d09688773..b2971c1b4 100644 
--- a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc +++ b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc @@ -21,7 +21,7 @@ We need to design a CRD change for users to enable the UIF. === Stand-alone CRD We could create a new CRD, e.g. UserInfoFetcher and have a controller for it that creates a DaemonSet. -A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap. +An OpaCluster would then be able to link to a UserInfoFetcher discovery ConfigMap. * Good, because a UIF instance can be shared across multiple OPA clusters -> Simple and improved caching * Bad, because OPA clusters would need to authenticate against UIF clusters. @@ -29,10 +29,10 @@ A OpaCluster would than be able to link to a UserInfoFetcher discovery ConfigMap === Integrate in OpaCluster -Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet. +Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet's Pods. -The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the admin and user realm and a very simplistic cache. -The cache will be probably extended in the future (e.g. max number of entries or users that should not be cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.` +The CRD is mostly copied from the `oidc` AuthenticationClass introduced in xref:adr/ADR032-oidc-support.adoc[] with the addition of needed credentials for Keycloak as well as the _admin_ and _user_ realms and a very simplistic cache. +The cache might be extended in the future (e.g. to set the maximum number of cache entries or exempt particular users from being cached), which can be done in a non-breaking fashion below `spec.clusterConfig.userInfo.backend.keycloak.cache`.` [source,yaml] ---- 
@@ -72,7 +72,7 @@ stringData: clientSecret: user-info-fetcher-client-secret ---- -* Good, because only accessible via loopback to OPA clusters -> No authentication or authorization needed. +* Good, because only accessible via the loopback network interface to OPA clusters -> No authentication or authorization needed. == Decision Outcome From 2c6746c6057fe87f579442709eb18e4cdee98f6a Mon Sep 17 00:00:00 2001 From: Sebastian Bernauer Date: Wed, 24 Jan 2024 15:33:23 +0100 Subject: [PATCH 5/5] change status to accepted --- modules/contributor/pages/adr/ADR032-oidc-support.adoc | 2 +- modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/contributor/pages/adr/ADR032-oidc-support.adoc b/modules/contributor/pages/adr/ADR032-oidc-support.adoc index 938a00a63..2af59b652 100644 --- a/modules/contributor/pages/adr/ADR032-oidc-support.adoc +++ b/modules/contributor/pages/adr/ADR032-oidc-support.adoc @@ -1,7 +1,7 @@ = ADR032: OIDC Support Felix Hennig v0.2, 2023-11-14 -:status: draft +:status: accepted * Status: {status} * Deciders: diff --git a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc index b2971c1b4..90167b0b5 100644 --- a/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc +++ b/modules/contributor/pages/adr/ADR035-user-info-fetcher.adoc @@ -1,7 +1,7 @@ = ADR035: User info fetcher CRD changes Sebastian Bernauer v0.1, 2024-01-22 -:status: [draft] +:status: accepted * Status: {status} * Date: 2024-01-22