feat: Add experimental Entra user-info-fetcher backend #712

Open. Wants to merge 34 commits into base: main.

Conversation

@maltesander maltesander commented Apr 14, 2025

Description

  • adds experimental Entra UIF backend

CRD

    pub struct EntraBackend {
        /// Hostname of the token provider, defaults to `login.microsoft.com`.
        #[serde(default = "entra_default_token_hostname")]
        pub token_hostname: HostName,

        /// Hostname of the user info provider, defaults to `graph.microsoft.com`.
        #[serde(default = "entra_default_user_info_hostname")]
        pub user_info_hostname: HostName,

        /// Port of the identity provider. If TLS is used defaults to `443`, otherwise to `80`.
        pub port: Option<u16>,

        /// The Microsoft Entra tenant ID.
        pub tenant_id: String,

        /// Use a TLS connection. Should usually be set to WebPki.
        // We do not use the flattened `TlsClientDetails` here since we cannot
        // default to WebPki using a default and flatten
        // https://github.com/serde-rs/serde/issues/1626
        // This means we have to wrap `Tls` in `TlsClientDetails` to use its
        // method like `uses_tls()`.
        #[serde(default = "default_tls_web_pki")]
        pub tls: Option<Tls>,

        /// Name of a Secret that contains client credentials of an Entra account with
        /// permissions `User.Read.All` and `GroupMember.Read.All`.
        ///
        /// Must contain the fields `clientId` and `clientSecret`.
        pub client_credentials_secret: String,
    }

And the usage:

---
apiVersion: v1
kind: Secret
metadata:
  name: user-info-fetcher-client-credentials
stringData:
  clientId: foo
  clientSecret: bar
---
apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
  name: opa
spec:
  image:
    productVersion: "1.0.1"
  clusterConfig:
    userInfo:
      backend:
        experimentalEntra:
          tenantId: foo-bar
          clientCredentialsSecret: user-info-fetcher-client-credentials
  servers:
    roleGroups:
      default: {}
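The exchange a backend configured like this has to perform, as an added example that is not part of the PR or of the operator's own code: an OAuth 2.0 client-credentials grant using the `clientId`/`clientSecret` from the referenced Secret, followed by Microsoft Graph lookups of the user and their transitive group memberships. The Python mirror of the CRD fields, the `login.microsoftonline.com` token host (the CRD comment names `login.microsoft.com`), the Graph endpoints used (`/v1.0/users/{id}` and `/users/{id}/transitiveMemberOf/microsoft.graph.group`), the `FakeEntra` responses and all ids, names and tokens in them are my assumptions and constructed data; the real `urllib` transport is only reached when no fake is injected.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlencode
from urllib.request import Request, urlopen

# Transport: (method, url, headers, body) -> (status, body). Injectable so the flow runs offline.
Fetch = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

def urllib_fetch(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport; only reached when no fake is injected."""
    with urlopen(Request(url, data=body, headers=headers, method=method), timeout=10) as resp:
        return resp.status, resp.read()

@dataclass
class EntraBackend:
    """Python mirror of the CRD fields. The token host is an assumption (host of the v2.0 endpoint)."""
    tenant_id: str
    token_hostname: str = "login.microsoftonline.com"
    user_info_hostname: str = "graph.microsoft.com"
    port: Optional[int] = None
    tls: bool = True  # CRD default is WebPki, i.e. TLS on

    def base_url(self, host: str) -> str:
        """CRD rule: port defaults to 443 with TLS and 80 without; omit it when it is the default."""
        scheme, default_port = ("https", 443) if self.tls else ("http", 80)
        port = default_port if self.port is None else self.port
        return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"

    @property
    def token_url(self) -> str:
        return f"{self.base_url(self.token_hostname)}/{quote(self.tenant_id)}/oauth2/v2.0/token"

    @property
    def graph_url(self) -> str:
        return f"{self.base_url(self.user_info_hostname)}/v1.0"

def fetch_token(cfg: EntraBackend, client_id: str, client_secret: str, fetch: Fetch = urllib_fetch) -> str:
    """OAuth 2.0 client-credentials grant; the secret travels only in the POST body."""
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default"}).encode()
    status, body = fetch("POST", cfg.token_url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")  # never echo the form: it holds the secret
    return json.loads(body)["access_token"]

def _graph_get(token: str, url: str, fetch: Fetch) -> dict:
    status, body = fetch("GET", url, {"Authorization": f"Bearer {token}", "Accept": "application/json"}, None)
    if status != 200:
        raise RuntimeError(f"Graph returned HTTP {status} for {url}")
    return json.loads(body)

def fetch_user_info(cfg: EntraBackend, token: str, user: str, fetch: Fetch = urllib_fetch) -> dict:
    """Resolve an object id or UPN to id, username and transitive group names (paged)."""
    profile = _graph_get(token, f"{cfg.graph_url}/users/{quote(user)}?$select=id,userPrincipalName", fetch)
    url: Optional[str] = (f"{cfg.graph_url}/users/{quote(profile['id'])}"
                          "/transitiveMemberOf/microsoft.graph.group?$select=id,displayName")
    groups: List[str] = []
    while url:  # Graph pages large collections; follow @odata.nextLink until it is absent
        page = _graph_get(token, url, fetch)
        groups.extend(g["displayName"] for g in page["value"])
        url = page.get("@odata.nextLink")
    return {"id": profile["id"], "username": profile["userPrincipalName"], "groups": groups}

class FakeEntra:
    """Constructed stand-in for Entra and Graph; every id, name and token here is made up."""

    def __init__(self, cfg: EntraBackend, client_id: str, client_secret: str) -> None:
        self.cfg, self.client_id, self.client_secret = cfg, client_id, client_secret

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
        g = self.cfg.graph_url
        if method == "POST" and url == self.cfg.token_url:
            form = dict(parse_qsl((body or b"").decode()))
            if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
                return 401, json.dumps({"error": "invalid_client"}).encode()
            return 200, json.dumps({"token_type": "Bearer", "access_token": "tok-123"}).encode()
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, b"{}"
        if url == f"{g}/users/alice%40example.com?$select=id,userPrincipalName":
            return 200, json.dumps({"id": "u-1", "userPrincipalName": "alice@example.com"}).encode()
        if url.endswith("$skiptoken=p2"):  # second and last page of the group listing
            return 200, json.dumps({"value": [{"id": "g-2", "displayName": "trino-admins"}]}).encode()
        if url.startswith(f"{g}/users/u-1/transitiveMemberOf/microsoft.graph.group?"):
            return 200, json.dumps({"value": [{"id": "g-1", "displayName": "data-engineers"}],
                                    "@odata.nextLink": f"{g}/users/u-1/transitiveMemberOf/"
                                                       f"microsoft.graph.group?$skiptoken=p2"}).encode()
        return 404, b"{}"

def demo() -> dict:
    """Whole flow against the fake, using the placeholder credentials from the PR's Secret."""
    cfg = EntraBackend(tenant_id="00000000-0000-0000-0000-000000000000")
    fake = FakeEntra(cfg, "foo", "bar")
    token = fetch_token(cfg, "foo", "bar", fetch=fake)
    return fetch_user_info(cfg, token, "alice@example.com", fetch=fake)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

`base_url` encodes the CRD's port rule (443 with TLS, 80 without, unless `port` is set), so pointing `tokenHostname`/`userInfoHostname` at a local mock with `tls` unset yields plain `http://` URLs, which is only acceptable for a simulator: the client secret is sent in the token POST body, so the WebPki default is the setting to keep against real Entra. Group pages are followed via `@odata.nextLink`, which is where a naive implementation silently drops memberships for users in many groups.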

@maltesander maltesander self-assigned this Apr 14, 2025
@sbernauer sbernauer left a comment

Only minor comments.
Did not test it, you mentioned some Python script for simulating Entra?

@sbernauer sbernauer left a comment

Thanks for addressing the review!

@maltesander maltesander requested a review from sbernauer April 17, 2025 11:28
@maltesander maltesander changed the title experimental: Add Entra backend feat: Add experimental Entra user-info-fetcher backend Apr 17, 2025
@maltesander maltesander marked this pull request as ready for review April 17, 2025 15:12
@maltesander maltesander added release-note Denotes a PR that will be considered when it comes time to generate release notes. type/feature-new scheduled-for/25.7.0 labels Apr 17, 2025
@sbernauer sbernauer left a comment

Only one CRD change question left.
As this is a CRD change I think we should put it on the decisions board (even for experimental features)

@sbernauer sbernauer left a comment

LGTM, but I think this needs to go through the decision board

@maltesander maltesander moved this to Development: In Review in Stackable Engineering Apr 22, 2025