Merge pull request #44 from datum-cloud/feat/zitadelapiserver

feat: zitadel identity api server

Author: zachsmith1

README.md

@@ -47,6 +47,46 @@ workflows?"*
 7. **Integration Bridge**: Seamless integration with Milo's Kubernetes-based
 APIs
 
+## Zitadel API Server (virtual Sessions)
+
+This repository includes a small API server that exposes Milo's identity sessions as a Kubernetes-native API under the provider group/version:
+
+- Group/Version: `identity.milo.io/v1alpha1`
+- Resource: `sessions`
+- Scope: cluster-scoped, virtual (no etcd)
+- Types: reuses Milo Identity public `Session` types bound to the provider G/V
+
+### What it does
+
+- Trusts Milo's inbound request headers (X-Remote-User, X-Remote-Group, X-Remote-Uid, etc)
+- Enforces self-scoping (users only see and act on their own sessions)
+- Proxies list/get/delete to Zitadel Session Service v2 using the official `zitadel-go/v3` SDK
+
+### Deploy
+
+Kustomize base manifests live under `config/base/services/apiserver/` and are included in `config/base/kustomization.yaml`.
+
+- Deployment: runs the `apiserver` subcommand from this binary
+- Service: ClusterIP on 443 -> container 8443
+
+Environment variables (mounted via Secret/ConfigMap as you prefer):
+
+- `ZITADEL_API`: e.g. `<tenant>.<region>.zitadel.cloud`
+- `ZITADEL_ISSUER`: e.g. `https://<tenant>.<region>.zitadel.cloud`
+- `ZITADEL_KEY_PATH`: path to Zitadel machine account JSON key (mounted to the container)
+- `REQUESTHEADER_CLIENT_CA_FILE`: path to PEM CA bundle that signs Milo's client cert
+- `REQUESTHEADER_ALLOWED_NAMES`: allowed CNs for Milo client cert; empty means any signed by CA
+- `REQUESTHEADER_EXTRA_HEADERS_PREFIX`: header name prefixes to determine user extra info
+- `REQUESTHEADER_GROUP_HEADERS`: header names to determine user groups
+- `REQUESTHEADER_USERNAME_HEADERS`: header names to determine user identity
+- `REQUESTHEADER_UID_HEADERS`: header names to determine user UID
+
+### Notes
+
+- The apiserver is stateless and does not use etcd
+- It relies on the core apiserver for authentication and authorization
+- The service user (machine account JSON key) is used to authenticate to Zitadel
+
 ## Testing
 
 Follow these steps to run the end-to-end (e2e) tests locally:

cmd/apiserver/command.go

@@ -0,0 +1,175 @@
+package zitadelapiserver
+
+import (
+	"context"
+	"flag"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"k8s.io/apiserver/pkg/apis/apiserver"
+	authorizerfactory "k8s.io/apiserver/pkg/authorization/authorizerfactory"
+	openapi "k8s.io/apiserver/pkg/endpoints/openapi"
+	"k8s.io/apiserver/pkg/registry/rest"
+	genericserver "k8s.io/apiserver/pkg/server"
+	genericoptions "k8s.io/apiserver/pkg/server/options"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	compatibility "k8s.io/component-base/compatibility"
+	"k8s.io/klog/v2"
+	openapicommon "k8s.io/kube-openapi/pkg/common"
+	generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
+
+	registrysessions "go.miloapis.com/auth-provider-zitadel/internal/apiserver/identity/sessions"
+	"go.miloapis.com/auth-provider-zitadel/internal/config"
+	identityinstall "go.miloapis.com/auth-provider-zitadel/pkg/apis/identity"
+	"go.miloapis.com/auth-provider-zitadel/pkg/zitadel"
+	miloidentity "go.miloapis.com/milo/pkg/apis/identity"
+	identityv1alpha1 "go.miloapis.com/milo/pkg/apis/identity/v1alpha1"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+)
+
+// NewAPIServerCommand creates a cobra command that runs the aggregated API server
+// for the identity.miloapis.com/v1alpha1 group.
+func NewAPIServerCommand(global *config.GlobalConfig) *cobra.Command {
+	log := logf.Log.WithName("apiserver-cmd")
+
+	var (
+		tlsCertFile string
+		tlsKeyFile  string
+		securePort  int
+		// RequestHeader front-proxy trust configuration
+		requestHeaderCAFile           string
+		requestHeaderAllowedNames     []string
+		requestHeaderUsernameHeaders  []string
+		requestHeaderGroupHeaders     []string
+		requestHeaderUIDHeaders       []string
+		requestHeaderExtraHeadersPref []string
+		// Zitadel configuration (flags with env fallbacks)
+		zitadelIssuer  string
+		zitadelAPI     string
+		zitadelKeyPath string
+	)
+
+	cmd := &cobra.Command{
+		Use:   "apiserver",
+		Short: "Run API server for Zitadel sessions",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := config.InitializeLogging(global); err != nil {
+				return fmt.Errorf("init logging: %w", err)
+			}
+			// Route klog through the controller-runtime logger and ensure flushing on exit
+			klog.EnableContextualLogging(true)
+			defer klog.Flush()
+			log.Info("Starting API server")
+
+			scheme := runtime.NewScheme()
+			identityinstall.Install(scheme)
+			miloidentity.Install(scheme)
+			_ = clientgoscheme.AddToScheme(scheme)
+
+			codecs := serializer.NewCodecFactory(scheme)
+
+			ro := genericoptions.NewRecommendedOptions("/unused/registry", nil)
+			// Ensure we don't try to bind to privileged port 443; default to 8443 and allow override via flag
+			ro.SecureServing.BindPort = securePort
+			if tlsCertFile != "" && tlsKeyFile != "" {
+				ro.SecureServing.ServerCert.CertKey.CertFile = tlsCertFile
+				ro.SecureServing.ServerCert.CertKey.KeyFile = tlsKeyFile
+			}
+			// Configure RequestHeader authn to trust Milo as a front-proxy
+			authn := genericoptions.NewDelegatingAuthenticationOptions()
+			authn.SkipInClusterLookup = true
+			authn.Anonymous = &apiserver.AnonymousAuthConfig{Enabled: false}
+			authn.RequestHeader.ClientCAFile = requestHeaderCAFile
+			authn.RequestHeader.AllowedNames = requestHeaderAllowedNames
+			authn.RequestHeader.UsernameHeaders = requestHeaderUsernameHeaders
+			authn.RequestHeader.GroupHeaders = requestHeaderGroupHeaders
+			authn.RequestHeader.UIDHeaders = requestHeaderUIDHeaders
+			authn.RequestHeader.ExtraHeaderPrefixes = requestHeaderExtraHeadersPref
+			ro.Authentication = authn
+			// Use an allow-all authorizer so Milo acts as PDP
+			ro.Authorization = nil
+			ro.Etcd = nil
+			ro.Admission = nil
+			ro.CoreAPI = nil
+			ro.Audit = nil
+			ro.Features.EnablePriorityAndFairness = false
+
+			cfg := genericserver.NewRecommendedConfig(codecs)
+			if err := ro.ApplyTo(cfg); err != nil {
+				return fmt.Errorf("apply recommended options: %w", err)
+			}
+
+			// Always-allow authorizer (treat Milo front-proxy as PDP)
+			cfg.Authorization.Authorizer = authorizerfactory.NewAlwaysAllowAuthorizer()
+			// Ensure EffectiveVersion is non-nil to avoid nil deref in Complete()
+			if cfg.EffectiveVersion == nil {
+				cfg.EffectiveVersion = compatibility.NewEffectiveVersionFromString("", "", "")
+			}
+			// Enable OpenAPI and provide minimal definitions set
+			cfg.SkipOpenAPIInstallation = false
+			getOpenAPIDefinitions := func(ref openapicommon.ReferenceCallback) map[string]openapicommon.OpenAPIDefinition {
+				base := generatedopenapi.GetOpenAPIDefinitions(ref)
+				id := identityv1alpha1.GetOpenAPIDefinitions(ref)
+				for k, v := range id {
+					base[k] = v
+				}
+				return base
+			}
+			cfg.OpenAPIConfig = genericserver.DefaultOpenAPIConfig(getOpenAPIDefinitions, openapi.NewDefinitionNamer(scheme))
+			cfg.OpenAPIConfig.Info.Title = "Milo Sessions API"
+			cfg.OpenAPIConfig.Info.Version = "v1alpha1"
+			cfg.OpenAPIV3Config = genericserver.DefaultOpenAPIV3Config(getOpenAPIDefinitions, openapi.NewDefinitionNamer(scheme))
+
+			// Note: secure serving is configured by flags of the apiserver library; we default to its settings.
+
+			srv, err := cfg.Complete().New("zitadel-sessions-apiserver", genericserver.NewEmptyDelegate())
+			if err != nil {
+				return fmt.Errorf("build server: %w", err)
+			}
+
+			zc, err := zitadel.NewSDK(context.Background(), zitadel.SDKConfig{
+				Issuer:  zitadelIssuer,
+				Domain:  zitadelAPI,
+				KeyPath: zitadelKeyPath,
+			})
+			if err != nil {
+				return fmt.Errorf("init zitadel sdk: %w", err)
+			}
+
+			storage := map[string]rest.Storage{"sessions": &registrysessions.REST{Z: zc}}
+
+			agi := genericserver.NewDefaultAPIGroupInfo(identityv1alpha1.SchemeGroupVersion.Group, scheme, metav1.ParameterCodec, codecs)
+			agi.VersionedResourcesStorageMap = map[string]map[string]rest.Storage{"v1alpha1": storage}
+			if err := srv.InstallAPIGroup(&agi); err != nil {
+				return fmt.Errorf("install api group: %w", err)
+			}
+
+			log.Info("API server is starting")
+			return srv.PrepareRun().RunWithContext(cmd.Context())
+		},
+	}
+
+	cmd.Flags().StringVar(&tlsCertFile, "tls-cert-file", "", "Path to TLS certificate")
+	cmd.Flags().StringVar(&tlsKeyFile, "tls-private-key-file", "", "Path to TLS private key")
+	cmd.Flags().IntVar(&securePort, "secure-port", 8443, "Secure serving port")
+	// RequestHeader trust configuration flags
+	cmd.Flags().StringVar(&requestHeaderCAFile, "requestheader-client-ca-file", "", "Path to PEM CA bundle that signs Milo's proxy client cert")
+	cmd.Flags().StringSliceVar(&requestHeaderAllowedNames, "requestheader-allowed-names", nil, "Allowed CNs for Milo proxy client cert; empty means any signed by CA")
+	cmd.Flags().StringSliceVar(&requestHeaderUsernameHeaders, "requestheader-username-headers", nil, "Header names to determine user identity")
+	cmd.Flags().StringSliceVar(&requestHeaderGroupHeaders, "requestheader-group-headers", nil, "Header names to determine user groups")
+	cmd.Flags().StringSliceVar(&requestHeaderUIDHeaders, "requestheader-uid-headers", nil, "Header names to determine user UID")
+	cmd.Flags().StringSliceVar(&requestHeaderExtraHeadersPref, "requestheader-extra-headers-prefix", nil, "Header name prefixes to determine user extra info")
+	cmd.Flags().StringVar(&zitadelIssuer, "zitadel-issuer", "", "Zitadel issuer URL")
+	cmd.Flags().StringVar(&zitadelAPI, "zitadel-api", "", "Zitadel API base URL")
+	cmd.Flags().StringVar(&zitadelKeyPath, "zitadel-key", "", "Path to Zitadel machine account key")
+
+	// Wire klog flags to this command so users can set verbosity with -v=N
+	goFS := flag.NewFlagSet("klog", flag.ContinueOnError)
+	klog.InitFlags(goFS)
+	cmd.Flags().AddGoFlagSet(goFS)
+
+	return cmd
+}

cmd/main.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"go.miloapis.com/auth-provider-zitadel/cmd/actionsserver"
+	zitadelapiserver "go.miloapis.com/auth-provider-zitadel/cmd/apiserver"
 	"go.miloapis.com/auth-provider-zitadel/cmd/controller"
 	"go.miloapis.com/auth-provider-zitadel/cmd/version"
 	"go.miloapis.com/auth-provider-zitadel/cmd/webhookserver"
@@ -49,6 +50,7 @@ func execute() error {
 	rootCmd.AddCommand(version.NewVersionCommand())
 	rootCmd.AddCommand(actionsserver.NewActionsServerCommand(globalConfig))
 	rootCmd.AddCommand(webhookserver.NewAuthenticationWebhookServerCommand(globalConfig))
+	rootCmd.AddCommand(zitadelapiserver.NewAPIServerCommand(globalConfig))
 
 	return rootCmd.Execute()
 }

config/base/kustomization.yaml

@@ -11,3 +11,4 @@ resources:
   - rbac
   - services/controller-manager
   - services/authn-webhook
+  - services/apiserver

config/base/services/apiserver/deployment.yaml

@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: apiserver
+  labels:
+    app.kubernetes.io/name: auth-provider-zitadel
+    app.kubernetes.io/component: apiserver
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: auth-provider-zitadel
+      app.kubernetes.io/component: apiserver
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: auth-provider-zitadel
+        app.kubernetes.io/component: apiserver
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: apiserver
+          image: ghcr.io/datum-cloud/auth-provider-zitadel:latest
+          args:
+            - apiserver
+            - --secure-port=8443
+            - --tls-cert-file=$(TLS_CERT_FILE)
+            - --tls-private-key-file=$(TLS_PRIVATE_KEY_FILE)
+            - --requestheader-client-ca-file=$(REQUESTHEADER_CLIENT_CA_FILE)
+            - --requestheader-allowed-names=$(REQUESTHEADER_ALLOWED_NAMES)
+            - --requestheader-extra-headers-prefix=$(REQUESTHEADER_EXTRA_HEADERS_PREFIX)
+            - --requestheader-group-headers=$(REQUESTHEADER_GROUP_HEADERS)
+            - --requestheader-username-headers=$(REQUESTHEADER_USERNAME_HEADERS)
+            - --requestheader-uid-headers=$(REQUESTHEADER_UID_HEADERS)
+            - --zitadel-issuer=$(ZITADEL_ISSUER)
+            - --zitadel-api=$(ZITADEL_API)
+            - --zitadel-key=$(ZITADEL_MACHINE_ACCOUNT_KEY_PATH)
+            - -v=4
+          env:
+            - name: LOG_LEVEL
+              value: "info"
+            - name: LOG_FORMAT
+              value: "json"
+            - name: ZITADEL_ISSUER
+              value: "https://zitadel.datum-cloud.com"
+            - name: ZITADEL_API
+              value: "zitadel.datum-cloud.com"
+            - name: ZITADEL_MACHINE_ACCOUNT_KEY_PATH
+              value: "/etc/zitadel/machine-account-key.json"
+            - name: TLS_CERT_FILE
+              value: /etc/kubernetes/pki/client/tls.crt
+            - name: TLS_PRIVATE_KEY_FILE
+              value: /etc/kubernetes/pki/client/tls.key
+            - name: REQUESTHEADER_CLIENT_CA_FILE
+              value: "/etc/kubernetes/pki/trust/ca.crt"
+            - name: REQUESTHEADER_ALLOWED_NAMES
+              value: ""
+            - name: REQUESTHEADER_EXTRA_HEADERS_PREFIX
+              value: "X-Remote-Extra-"
+            - name: REQUESTHEADER_USERNAME_HEADERS
+              value: "X-Remote-User"
+            - name: REQUESTHEADER_GROUP_HEADERS
+              value: "X-Remote-Group"
+            - name: REQUESTHEADER_UID_HEADERS
+              value: "X-Remote-Uid"
+          ports:
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 10
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8443
+              scheme: HTTPS
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
+          volumeMounts: []
+      volumes: []
+
+

config/base/services/apiserver/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - deployment.yaml
+  - service.yaml
+
+
+

config/base/services/apiserver/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: apiserver
+  namespace: auth-provider-zitadel-system
+  labels:
+    app.kubernetes.io/name: auth-provider-zitadel
+    app.kubernetes.io/component: apiserver
+spec:
+  selector:
+    app.kubernetes.io/name: auth-provider-zitadel
+    app.kubernetes.io/component: apiserver
+  ports:
+    - name: https
+      port: 443
+      targetPort: 8443
+      protocol: TCP
+
+

config/default/kustomization.yaml

@@ -32,12 +32,12 @@ resources:
 #- ../network-policy
 
 # Uncomment the patches line if you enable Metrics
-patches:
+# patches:
 # [METRICS] The following patch will enable the metrics endpoint using HTTPS and the port :8443.
 # More info: https://book.kubebuilder.io/reference/metrics
-- path: manager_metrics_patch.yaml
-  target:
-    kind: Deployment
+# - path: manager_metrics_patch.yaml
+#   target:
+#     kind: Deployment
 
 # Uncomment the patches line if you enable Metrics and CertManager
 # [METRICS-WITH-CERTS] To enable metrics protected with certManager, uncomment the following line.