Experimental UAA support

* New experimental helm values to configure UAA
* The configured uaa url will be returned by the `/` endpoint
* When UAA support is enabled `cf_on_k8s` in the `/` endpoint is false
* This will make `cf login` talks to the configured UAA instead of
  reading the kubeconfig
* Note that the cluster should be configured to trust the UAA via
  [oidc](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server)

fixes #2243

Co-authored-by: Georgi Sabev <[email protected]>

Author: danail-branekov

README.helm.md

@@ -78,8 +78,11 @@ Here are all the values that can be set for the chart:
 - `eksContainerRegistryRoleARN` (_String_): Amazon Resource Name (ARN) of the IAM role to use to access the ECR registry from an EKS deployed Korifi. Required if containerRegistrySecret not set.
 - `experimental`: Experimental features. No guarantees are provided and breaking/backwards incompatible changes should be expected. These features are not recommended for use in production environments.
   - `managedServices`:
-    - `include` (_Boolean_): Enable managed services support
+    - `enabled` (_Boolean_): Enable managed services support
     - `trustInsecureBrokers` (_Boolean_): Disable service broker certificate validation. Not recommended to be set to 'true' in production environments
+  - `uaa`:
+    - `enabled` (_Boolean_): Enable UAA support
+    - `url` (_String_): The url of a UAA instance
 - `generateIngressCertificates` (_Boolean_): Use `cert-manager` to generate self-signed certificates for the API and app endpoints.
 - `helm`:
   - `hooksImage` (_String_): Image for the helm hooks containing kubectl

api/config/config.go

@@ -48,7 +48,21 @@ type (
 		AuthProxyCACert string        `yaml:"authProxyCACert"`
 		LogLevel        zapcore.Level `yaml:"logLevel"`
 
-		ExperimentalManagedServicesEnabled bool `yaml:"experimentalManagedServicesEnabled"`
+		Experimental Experimental `yaml:"experimental"`
+	}
+
+	Experimental struct {
+		ManagedServices ManagedServices `yaml:"managedServices"`
+		UAA             UAA             `yaml:"uaa"`
+	}
+
+	ManagedServices struct {
+		Enabled bool `yaml:"enabled"`
+	}
+
+	UAA struct {
+		Enabled bool   `yaml:"enabled"`
+		URL     string `yaml:"url"`
 	}
 
 	RoleLevel string

api/config/config_test.go

@@ -46,7 +46,11 @@ var _ = Describe("Config", func() {
 				Stack:           "lc-stack",
 				StagingMemoryMB: 10,
 			},
-			"experimentalManagedServicesEnabled": true,
+			"experimental": map[string]any{
+				"managedServices": map[string]any{
+					"enabled": true,
+				},
+			},
 		}
 	})
 
@@ -89,7 +93,7 @@ var _ = Describe("Config", func() {
 			StagingMemoryMB: 10,
 		}))
 		Expect(cfg.ContainerRegistryType).To(BeEmpty())
-		Expect(cfg.ExperimentalManagedServicesEnabled).To(BeTrue())
+		Expect(cfg.Experimental.ManagedServices.Enabled).To(BeTrue())
 	})
 
 	When("the FQDN is not specified", func() {

api/handlers/root.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/url"
 
+	"code.cloudfoundry.org/korifi/api/config"
 	"code.cloudfoundry.org/korifi/api/presenter"
 	"code.cloudfoundry.org/korifi/api/routing"
 )
@@ -13,17 +14,19 @@ const (
 )
 
 type Root struct {
-	baseURL url.URL
+	baseURL   url.URL
+	uaaConfig config.UAA
 }
 
-func NewRoot(baseURL url.URL) *Root {
+func NewRoot(baseURL url.URL, uaaConfig config.UAA) *Root {
 	return &Root{
-		baseURL: baseURL,
+		baseURL:   baseURL,
+		uaaConfig: uaaConfig,
 	}
 }
 
 func (h *Root) get(r *http.Request) (*routing.Response, error) {
-	return routing.NewResponse(http.StatusOK).WithBody(presenter.ForRoot(h.baseURL)), nil
+	return routing.NewResponse(http.StatusOK).WithBody(presenter.ForRoot(h.baseURL, h.uaaConfig)), nil
 }
 
 func (h *Root) UnauthenticatedRoutes() []routing.Route {

api/handlers/root_test.go

@@ -3,6 +3,7 @@ package handlers_test
 import (
 	"net/http"
 
+	"code.cloudfoundry.org/korifi/api/config"
 	"code.cloudfoundry.org/korifi/api/handlers"
 	. "code.cloudfoundry.org/korifi/tests/matchers"
 
@@ -11,14 +12,17 @@ import (
 )
 
 var _ = Describe("Root", func() {
-	var req *http.Request
+	var (
+		apiHandler *handlers.Root
+		req        *http.Request
+	)
 
 	BeforeEach(func() {
-		apiHandler := handlers.NewRoot(*serverURL)
-		routerBuilder.LoadRoutes(apiHandler)
+		apiHandler = handlers.NewRoot(*serverURL, config.UAA{})
 	})
 
 	JustBeforeEach(func() {
+		routerBuilder.LoadRoutes(apiHandler)
 		routerBuilder.Build().ServeHTTP(rr, req)
 	})
 
@@ -34,9 +38,29 @@ var _ = Describe("Root", func() {
 			Expect(rr).To(HaveHTTPHeaderWithValue("Content-Type", "application/json"))
 
 			Expect(rr).To(HaveHTTPBody(SatisfyAll(
+				MatchJSONPath("$.cf_on_k8s", true),
 				MatchJSONPath("$.links.self.href", "https://api.example.org"),
 				MatchJSONPath("$.links.cloud_controller_v3.href", "https://api.example.org/v3"),
 			)))
 		})
+
+		When("UAA support is enabled", func() {
+			BeforeEach(func() {
+				apiHandler = handlers.NewRoot(*serverURL, config.UAA{
+					Enabled: true,
+					URL:     "https://my.uaa",
+				})
+			})
+
+			It("returns the uaa config", func() {
+				Expect(rr).To(HaveHTTPStatus(http.StatusOK))
+
+				Expect(rr).To(HaveHTTPBody(SatisfyAll(
+					MatchJSONPath("$.cf_on_k8s", false),
+					MatchJSONPath("$.links.uaa.href", "https://my.uaa"),
+					MatchJSONPath("$.links.login.href", "https://my.uaa"),
+				)))
+			})
+		})
 	})
 })

api/main.go

@@ -266,7 +266,7 @@ func main() {
 		chiMiddlewares.StripSlashes,
 	)
 
-	if !cfg.ExperimentalManagedServicesEnabled {
+	if !cfg.Experimental.ManagedServices.Enabled {
 		routerBuilder.UseMiddleware(middleware.DisableManagedServices)
 	}
 
@@ -292,7 +292,7 @@ func main() {
 
 	apiHandlers := []routing.Routable{
 		handlers.NewRootV3(*serverURL),
-		handlers.NewRoot(*serverURL),
+		handlers.NewRoot(*serverURL, cfg.Experimental.UAA),
 		handlers.NewInfoV3(
 			*serverURL,
 			cfg.InfoConfig,

api/payloads/role.go

@@ -50,33 +50,42 @@ func (p RoleCreate) Validate() error {
 }
 
 func (p RoleCreate) ToMessage() repositories.CreateRoleMessage {
-	record := repositories.CreateRoleMessage{
+	message := repositories.CreateRoleMessage{
 		Type: p.Type,
 	}
 
 	if p.Relationships.Space != nil {
-		record.Space = p.Relationships.Space.Data.GUID
+		message.Space = p.Relationships.Space.Data.GUID
 	}
 
 	if p.Relationships.Organization != nil {
-		record.Org = p.Relationships.Organization.Data.GUID
+		message.Org = p.Relationships.Organization.Data.GUID
+	}
+
+	message.Kind = rbacv1.UserKind
+	message.User = p.Relationships.User.Data.Username
+
+	// For UAA Authenticated users, prefix the Origin as our Cluster uses the Orgin:User for
+	// Authentication verification (via OIDC prefixs)
+	// --kube-apiserver-arg oidc-username-prefix="<origin>:"
+	// --kube-apiserver-arg oidc-groups-prefix="<origin>:"
+	if p.Relationships.User.Data.Origin != "" {
+		message.User = p.Relationships.User.Data.Origin + ":" + message.User
 	}
 
-	record.Kind = rbacv1.UserKind
-	record.User = p.Relationships.User.Data.Username
 	if p.Relationships.User.Data.GUID != "" {
-		record.User = p.Relationships.User.Data.GUID
+		message.User = p.Relationships.User.Data.GUID
 	}
 
-	if authorization.HasServiceAccountPrefix(record.User) {
-		namespace, user := authorization.ServiceAccountNSAndName(record.User)
+	if authorization.HasServiceAccountPrefix(message.User) {
+		namespace, user := authorization.ServiceAccountNSAndName(message.User)
 
-		record.Kind = rbacv1.ServiceAccountKind
-		record.User = user
-		record.ServiceAccountNamespace = namespace
+		message.Kind = rbacv1.ServiceAccountKind
+		message.User = user
+		message.ServiceAccountNamespace = namespace
 	}
 
-	return record
+	return message
 }
 
 type RoleRelationships struct {
@@ -118,6 +127,7 @@ type UserRelationship struct {
 type UserRelationshipData struct {
 	Username string `json:"username"`
 	GUID     string `json:"guid"`
+	Origin   string `json:"origin"`
 }
 
 type RoleList struct {

api/payloads/role_test.go

@@ -92,13 +92,28 @@ var _ = Describe("RoleCreate", func() {
 	})
 
 	Context("ToMessage()", func() {
+		var msg repositories.CreateRoleMessage
+
+		JustBeforeEach(func() {
+			msg = roleCreate.ToMessage()
+		})
+
 		It("converts to repo message correctly", func() {
-			msg := roleCreate.ToMessage()
 			Expect(msg.Type).To(Equal("space_manager"))
 			Expect(msg.Space).To(Equal("cf-space-guid"))
 			Expect(msg.User).To(Equal("cf-service-account"))
 			Expect(msg.Kind).To(Equal(rbacv1.UserKind))
 		})
+
+		When("user origin is specified", func() {
+			BeforeEach(func() {
+				createPayload.Relationships.User.Data.Origin = "my-origin"
+			})
+
+			It("uses the origin in the message user", func() {
+				Expect(msg.User).To(Equal("my-origin:cf-service-account"))
+			})
+		})
 	})
 
 	When("the service account name is provided", func() {

api/presenter/root.go

@@ -1,6 +1,10 @@
 package presenter
 
-import "net/url"
+import (
+	"net/url"
+
+	"code.cloudfoundry.org/korifi/api/config"
+)
 
 type APILink struct {
 	Link
@@ -18,8 +22,8 @@ type RootResponse struct {
 
 const V3APIVersion = "3.117.0+cf-k8s"
 
-func ForRoot(baseURL url.URL) RootResponse {
-	return RootResponse{
+func ForRoot(baseURL url.URL, uaaConfig config.UAA) RootResponse {
+	rootResponse := RootResponse{
 		Links: map[string]*APILink{
 			"self": {
 				Link: Link{
@@ -57,6 +61,22 @@ func ForRoot(baseURL url.URL) RootResponse {
 		},
 		CFOnK8s: true,
 	}
+
+	if uaaConfig.Enabled {
+		rootResponse.CFOnK8s = false
+		rootResponse.Links["uaa"] = &APILink{
+			Link: Link{
+				HRef: uaaConfig.URL,
+			},
+		}
+		rootResponse.Links["login"] = &APILink{
+			Link: Link{
+				HRef: uaaConfig.URL,
+			},
+		}
+	}
+
+	return rootResponse
 }
 
 type RootV3Response struct {

api/presenter/root_test.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net/url"
 
+	"code.cloudfoundry.org/korifi/api/config"
 	"code.cloudfoundry.org/korifi/api/presenter"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -23,8 +24,14 @@ var _ = Describe("Root endpoints", func() {
 	})
 
 	Context("/", func() {
+		var uaaConfig config.UAA
+
+		BeforeEach(func() {
+			uaaConfig = config.UAA{}
+		})
+
 		JustBeforeEach(func() {
-			response := presenter.ForRoot(*baseURL)
+			response := presenter.ForRoot(*baseURL, uaaConfig)
 			var err error
 			output, err = json.Marshal(response)
 			Expect(err).NotTo(HaveOccurred())
@@ -71,6 +78,62 @@ var _ = Describe("Root endpoints", func() {
 				"cf_on_k8s": true
 			}`))
 		})
+
+		When("UAA support is enabled", func() {
+			BeforeEach(func() {
+				uaaConfig = config.UAA{
+					Enabled: true,
+					URL:     "https://my.uaa",
+				}
+			})
+
+			It("produces expected root json", func() {
+				Expect(output).To(MatchJSON(`{
+				"links": {
+					"app_ssh": null,
+					"bits_service": null,
+					"cloud_controller_v2": null,
+					"cloud_controller_v3": {
+							"href": "https://api.example.org/v3",
+							"meta": {
+									"version": "3.117.0+cf-k8s"
+							}
+					},
+					"credhub": null,
+					"log_cache": {
+							"href": "https://api.example.org",
+							"meta": {
+									"version": ""
+							}
+					},
+					"log_stream": null,
+					"logging": null,
+					"login": {
+							"href": "https://my.uaa",
+							"meta": {
+									"version": ""
+							}
+					},
+					"network_policy_v0": null,
+					"network_policy_v1": null,
+					"routing": null,
+					"self": {
+							"href": "https://api.example.org",
+							"meta": {
+									"version": ""
+							}
+					},
+					"uaa": {
+							"href": "https://my.uaa",
+							"meta": {
+									"version": ""
+							}
+					}
+				},
+				"cf_on_k8s": false
+			}`))
+			})
+		})
 	})
 
 	Context("/v3", func() {