Implement RFC8705

This extends oauth2 to authenticate servers via mTLS and retreive access
tokens fo use against other services, all without having to support
different code paths or worry about long-lived passwords or service
tokens flying around the network.  The client itself needs some roles
defining so it can do what it needs to, we adopt anything authentication
related from core, as it makes changes a lot easier, we add some code to
do the authentication dance for other services, and make lots of changes
to pick up the new code APIs.

README.md

@@ -231,6 +231,7 @@ metadata:
     # This is the human readable, and mutable, name that will get displayed in clients.
     # It is expected to exist on all CRD backed resources.
     unikorn-cloud.org/name: acme.com
+spec: {}
 ```
 
 This will provision fairly quickly, you can extract the organization's namespace via:

charts/identity/Chart.yaml

@@ -4,12 +4,12 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.2.29
-appVersion: v0.2.29
+version: v0.2.30
+appVersion: v0.2.30
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png
 
 dependencies:
 - name: unikorn-common
-  version: v0.1.6
+  version: v0.1.8
   repository: https://unikorn-cloud.github.io/helm-common

charts/identity/templates/identity/ingress.yaml

@@ -6,6 +6,7 @@ metadata:
     {{- include "unikorn.labels" . | nindent 4 }}
   annotations:
     {{- include "unikorn.ingress.clusterIssuer.annotations" . | nindent 4 }}
+    {{- include "unikorn.ingress.mtls.annotations" . | nindent 4 }}
     {{- if (include "unikorn.ingress.externalDNS" .) }}
     external-dns.alpha.kubernetes.io/hostname: {{ include "unikorn.identity.host" . }}
     {{- end }}

charts/identity/templates/organization-controller/deployment.yaml

@@ -17,6 +17,8 @@ spec:
       containers:
       - name: unikorn-organization-controller
         image: {{ include "unikorn.organizationControllerImage" . }}
+        args:
+        {{- include "unikorn.otlp.flags" . | nindent 8 }}
         resources:
           requests:
             cpu: 50m

charts/identity/templates/project-controller/deployment.yaml

@@ -17,6 +17,8 @@ spec:
       containers:
       - name: unikorn-project-controller
         image: {{ include "unikorn.projectControllerImage" . }}
+        args:
+        {{- include "unikorn.otlp.flags" . | nindent 8 }}
         resources:
           requests:
             cpu: 50m

charts/identity/values.yaml

@@ -75,7 +75,6 @@ roles:
   # A platform-admin can do anything anywhere.
   platform-adminstrator:
     description: Platform administrator
-    protected: true
     scopes:
       global:
         organizations: [create,read,update,delete]
@@ -87,6 +86,14 @@ roles:
         identities: [create,read,update,delete]
         kubernetesclustermanagers: [create,read,update,delete]
         kubernetesclusters: [create,read,update,delete]
+  # A region admin is a role primarily for the Kubernetes service that
+  # can manage identities and physical networks on behalf of a cluster.
+  region-admin:
+    decription: Region administrator
+    scopes:
+      global:
+        regions: [create,read,update,delete]
+        identities: [create,read,update,delete]
   # An administrator can do anything within an organization.
   adminstrator:
     description: Organization administrator

go.mod

@@ -11,10 +11,10 @@ require (
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/unikorn-cloud/core v0.1.63
+	github.com/unikorn-cloud/core v0.1.66
 	go.opentelemetry.io/otel v1.28.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0
 	go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/trace v1.28.0
 	golang.org/x/oauth2 v0.21.0
 	k8s.io/api v0.30.2
 	k8s.io/apimachinery v0.30.2
@@ -65,8 +65,8 @@ require (
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect

go.sum

@@ -127,8 +127,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.63 h1:Jl/xuoGRKESMXhS1+apcaS/1I776agTyT75BGz9AKBA=
-github.com/unikorn-cloud/core v0.1.63/go.mod h1:JcUIQW3+oiZPUQmOlENw3OCi35IBxPKa+J4MbP3TO7k=
+github.com/unikorn-cloud/core v0.1.66 h1:5FbosJk2+XsOsvO+nxs7ei/q+5y+uu4PgKtn2W5MnnQ=
+github.com/unikorn-cloud/core v0.1.66/go.mod h1:MhA9xeueMB7EJgdyF0rE7lFQSkuHEcoPen6iwt/QCBE=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=

pkg/client/client.go

@@ -18,114 +18,53 @@ package client
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
 	"net/http"
 
-	"github.com/spf13/pflag"
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/propagation"
 
-	"github.com/unikorn-cloud/core/pkg/authorization/accesstoken"
+	coreclient "github.com/unikorn-cloud/core/pkg/client"
+	"github.com/unikorn-cloud/identity/pkg/middleware/authorization"
+	"github.com/unikorn-cloud/identity/pkg/middleware/openapi/accesstoken"
 	"github.com/unikorn-cloud/identity/pkg/openapi"
 
-	corev1 "k8s.io/api/core/v1"
-
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-var (
-	// ErrFormatError is returned when a secret doesn't meet the specification.
-	ErrFormatError = errors.New("secret incorrectly formatted")
-)
-
-type Options struct {
-	// Host is the identity Host name.
-	Host string
-	// CASecretNamespace tells us where to source the CA secret.
-	CASecretNamespace string
-	// CASecretName is the root CA secret of the identity endpoint.
-	CASecretName string
-}
+type Options = coreclient.HTTPOptions
 
-// AddFlags adds the options to the CLI flags.
-func (o *Options) AddFlags(f *pflag.FlagSet) {
-	f.StringVar(&o.Host, "identity-host", "", "Identity endpoint URL.")
-	f.StringVar(&o.CASecretNamespace, "identity-ca-secret-namespace", "", "Identity endpoint CA certificate secret namespace.")
-	f.StringVar(&o.CASecretName, "identity-ca-secret-name", "", "Identity endpoint CA certificate secret.")
+// NewOptions must be used to create options for consistency.
+func NewOptions() *Options {
+	return coreclient.NewHTTPOptions("identity")
 }
 
 // Client wraps up the raw OpenAPI client with things to make it useable e.g.
 // authorization and TLS.
 type Client struct {
 	// client is a Kubenetes client.
 	client client.Client
-	// namespace is the namespace the client is running in.
-	namespace string
-	// options allows setting of option from the CLI
+	// options allows setting of options from the CLI
 	options *Options
+	// clientOptions may be specified to inject client certificates etc.
+	clientOptions *coreclient.HTTPClientOptions
 }
 
 // New creates a new client.
-func New(client client.Client, namespace string, options *Options) *Client {
+func New(client client.Client, options *Options, clientOptions *coreclient.HTTPClientOptions) *Client {
 	return &Client{
-		client:    client,
-		namespace: namespace,
-		options:   options,
+		client:        client,
+		options:       options,
+		clientOptions: clientOptions,
 	}
 }
 
-// tlsClientConfig abstracts away private TLS CAs or self signed certificates.
-func (c *Client) tlsClientConfig(ctx context.Context) (*tls.Config, error) {
-	if c.options.CASecretName == "" {
-		//nolint:nilnil
-		return nil, nil
-	}
-
-	namespace := c.namespace
-
-	if c.options.CASecretNamespace != "" {
-		namespace = c.options.CASecretNamespace
-	}
-
-	secret := &corev1.Secret{}
-
-	if err := c.client.Get(ctx, client.ObjectKey{Namespace: namespace, Name: c.options.CASecretName}, secret); err != nil {
-		return nil, err
-	}
-
-	if secret.Type != corev1.SecretTypeTLS {
-		return nil, fmt.Errorf("%w: issuer CA not of type kubernetes.io/tls", ErrFormatError)
-	}
-
-	cert, ok := secret.Data[corev1.TLSCertKey]
-	if !ok {
-		return nil, fmt.Errorf("%w: issuer CA missing tls.crt", ErrFormatError)
-	}
-
-	certPool := x509.NewCertPool()
-
-	if ok := certPool.AppendCertsFromPEM(cert); !ok {
-		return nil, fmt.Errorf("%w: failed to load identity CA certificate", ErrFormatError)
-	}
-
-	config := &tls.Config{
-		RootCAs:    certPool,
-		MinVersion: tls.VersionTLS13,
-	}
-
-	return config, nil
-}
-
-// httpClient returns a new http client that will transparently do oauth2 header
+// HTTPClient returns a new http client that will transparently do oauth2 header
 // injection and refresh token updates.
-func (c *Client) httpClient(ctx context.Context) (*http.Client, error) {
+func (c *Client) HTTPClient(ctx context.Context) (*http.Client, error) {
 	// Handle non-system CA certificates for the OIDC discovery protocol
 	// and oauth2 token refresh. This will return nil if none is specified
 	// and default to the system roots.
-	tlsClientConfig, err := c.tlsClientConfig(ctx)
+	tlsClientConfig, err := coreclient.TLSClientConfig(ctx, c.client, c.options, c.clientOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -139,23 +78,28 @@ func (c *Client) httpClient(ctx context.Context) (*http.Client, error) {
 	return client, nil
 }
 
-// accessTokenInjector implements OAuth2 bearer token authorization.
-func accessTokenInjector(ctx context.Context, req *http.Request) error {
-	req.Header.Set("Authorization", "bearer "+accesstoken.FromContext(ctx))
+// requestMutator implements OAuth2 bearer token authorization.
+func RequestMutator(ctx context.Context, req *http.Request) error {
+	// NOTE: this can legitimately not be set e.g. if we are actually getting
+	// an access token, which makes the error checking somewhat useless!
+	if accessToken, err := accesstoken.FromContext(ctx); err == nil {
+		req.Header.Set("Authorization", "bearer "+accessToken)
+	}
 
 	otel.GetTextMapPropagator().Inject(ctx, propagation.HeaderCarrier(req.Header))
+	authorization.InjectClientCert(ctx, req.Header)
 
 	return nil
 }
 
 // Client returns a new OpenAPI client that can be used to access the API.
 func (c *Client) Client(ctx context.Context) (*openapi.ClientWithResponses, error) {
-	httpClient, err := c.httpClient(ctx)
+	httpClient, err := c.HTTPClient(ctx)
 	if err != nil {
 		return nil, err
 	}
 
-	client, err := openapi.NewClientWithResponses(c.options.Host, openapi.WithHTTPClient(httpClient), openapi.WithRequestEditorFn(accessTokenInjector))
+	client, err := openapi.NewClientWithResponses(c.options.Host(), openapi.WithHTTPClient(httpClient), openapi.WithRequestEditorFn(RequestMutator))
 	if err != nil {
 		return nil, err
 	}