From 4a9ad26310e2fcfe2e94204a1013389812510fec Mon Sep 17 00:00:00 2001
From: Jonathan Chang
Date: Tue, 25 Feb 2025 14:47:42 -0800
Subject: [PATCH] Remove External Auth, will be add back.

Fields that were removed are ExternalAuthConfigProfile ExternalAuthProfile TokenIssuerProfile ExternalAuthClientProfile ExternalAuthClaimProfile ExternalAuthClientComponentProfile TokenClaimMappingsProfile TokenClaimValidationRuleProfile ClaimProfile
---
 .../hcpCluster-models.tsp | 119 -------
 .../preview/2024-06-10-preview/openapi.json | 227 -------------
 frontend/pkg/frontend/ocm.go | 5 -
 frontend/utils/create.go | 3 +-
 go.work.sum | 7 +-
 internal/api/hcpopenshiftcluster.go | 31 +-
 .../api/v20240610preview/generated/models.go | 100 ------
 .../generated/models_serde.go | 321 ------------------
 .../hcpopenshiftclusters_methods.go | 171 ----------
 9 files changed, 15 insertions(+), 969 deletions(-)

diff --git a/api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp b/api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp
index f79efd05b..08dc148e7 100644
--- a/api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp
+++ b/api/redhatopenshift/HcpCluster.Management/hcpCluster-models.tsp
@@ -100,12 +100,6 @@ model HcpOpenShiftClusterProperties {
 */
 @visibility("read")
 issuerUrl: url;
-
- /** Configuration to override the openshift-oauth-apiserver inside cluster * This changes user login into the cluster to external provider */
- @visibility("create", "read")
- externalAuth?: ExternalAuthConfigProfile;
 }
 
 /** HCP patchable cluster properties */
@@ -373,119 +367,6 @@ scalar UserAssignedIdentityResourceId
 * =======================================
 */
 
-/*
- * =======================================
- * ExternalAuth resources
- * =======================================
- */
-
-/** External authentication configuration profile */
-model ExternalAuthConfigProfile {
- /** This can be set during cluster creation only to ensure there is no openshift-oauth-apiserver in cluster */
- @visibility("create", "read")
- enabled?: boolean = false;
-
- /** This can only be set as a day-2 resource on a separate endpoint to provide a self-managed auth service */
- @visibility("read")
- @OpenAPI.extension("x-ms-identifiers", ["issuer", "clients", "claim"])
- externalAuths: ExternalAuthProfile[];
-}
-
-/** External authentication profile */
-model ExternalAuthProfile {
- /** Token Issuer profile */
- issuer: TokenIssuerProfile;
-
- /** External auth clients */
- clients: ExternalAuthClientProfile[];
-
- /** External auth claim */
- claim: ExternalAuthClaimProfile;
-}
-
-/** Token issuer profile */
-model TokenIssuerProfile {
- /** The URL of the token issuer */
- url: url;
-
- /** The audience of the token issuer */
- audiences: string[];
-
- /** The issuer of the token */
- ca: string;
-}
-
-/** External auth client profile */
-model ExternalAuthClientProfile {
- /** External auth client component */
- component: ExternalAuthClientComponentProfile;
-
- /** external auth client id */
- id: string;
-
- /** external auth client secret */
- @secret
- secret: string;
-
- /** external auth client scopes */
- extraScopes: string[];
-}
-
-/** External auth component profile */
-model ExternalAuthClientComponentProfile {
- /** The name of the external auth client */
- name: string;
-
- /** The namespace of the external auth client */
- authClientNamespace: string;
-}
-
-/** External auth claim profile */
-model ExternalAuthClaimProfile {
- /** The claim mappings */
- mappings: TokenClaimMappingsProfile;
-
- /** The claim validation 
rules */
- @OpenAPI.extension("x-ms-identifiers", ["claim", "requiredValue"])
- validationRules: TokenClaimValidationRuleProfile[];
-}
-
-/** External auth claim mappings profile */
-model TokenClaimMappingsProfile {
- /** The claim mappings username */
- username: ClaimProfile;
-
- /** The claim mappings groups */
- groups: ClaimProfile;
-}
-
-/** External auth claim profile */
-model ClaimProfile {
- /** Claim name of the external profile */
- claim: string;
-
- /** Prefix for the claim external profile */
- prefix: string;
-
- /** Prefix policy */
- prefixPolicy: string;
-}
-
-/** External auth claim validation rule */
-model TokenClaimValidationRuleProfile {
- /** Claim name for the validation profile */
- claim: string;
-
- /** Required value */
- requiredValue: string;
-}
-
-/*
- * =======================================
- * End ExternalAuth resources
- * =======================================
- */
-
 /*
 * =======================================
 * NodePool resources
diff --git a/api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json b/api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json
index fe2bdf395..ceb0394b1 100644
--- a/api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json
+++ b/api/redhatopenshift/resource-manager/Microsoft.RedHatOpenShift/hcpclusters/preview/2024-06-10-preview/openapi.json
@@ -976,29 +976,6 @@
 },
 "readOnly": true
 },
- "ClaimProfile": {
- "type": "object",
- "description": "External auth claim profile",
- "properties": {
- "claim": {
- "type": "string",
- "description": "Claim name of the external profile"
- },
- "prefix": {
- "type": "string",
- "description": "Prefix for the claim external profile"
- },
- "prefixPolicy": {
- "type": "string",
- "description": "Prefix policy"
- }
- },
- "required": [
- "claim",
- "prefix",
- "prefixPolicy"
- ]
- },
 "ConsoleProfile": {
 "type": "object",
 "description": "Configuration of the cluster web console",
@@ -1065,139 +1042,6 @@
 ]
 }
 },
- "ExternalAuthClaimProfile": {
- "type": "object",
- "description": "External auth claim profile",
- "properties": {
- "mappings": {
- "$ref": "#/definitions/TokenClaimMappingsProfile",
- "description": "The claim mappings"
- },
- "validationRules": {
- "type": "array",
- "description": "The claim validation rules",
- "items": {
- "$ref": "#/definitions/TokenClaimValidationRuleProfile"
- },
- "x-ms-identifiers": [
- "claim",
- "requiredValue"
- ]
- }
- },
- "required": [
- "mappings",
- "validationRules"
- ]
- },
- "ExternalAuthClientComponentProfile": {
- "type": "object",
- "description": "External auth component profile",
- "properties": {
- "name": {
- "type": "string",
- "description": "The name of the external auth client"
- },
- "authClientNamespace": {
- "type": "string",
- "description": "The namespace of the external auth client"
- }
- },
- "required": [
- "name",
- "authClientNamespace"
- ]
- },
- "ExternalAuthClientProfile": {
- "type": "object",
- "description": "External auth client profile",
- "properties": {
- "component": {
- "$ref": "#/definitions/ExternalAuthClientComponentProfile",
- "description": "External auth client component"
- },
- "id": {
- "type": "string",
- "description": "external auth client id"
- },
- "secret": {
- "type": "string",
- "format": "password",
- "description": "external auth client secret",
- "x-ms-secret": true
- },
- "extraScopes": {
- "type": "array",
- "description": "external auth client scopes",
- "items": {
- "type": "string"
- }
- }
- },
- "required": [
- "component",
- "id",
- "secret",
- "extraScopes"
- ]
- },
- "ExternalAuthConfigProfile": {
- "type": "object",
- "description": "External authentication configuration profile",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "This can be set during cluster creation only to ensure there is no openshift-oauth-apiserver in cluster",
- "default": false,
- "x-ms-mutability": [
- "read",
- "create"
- ]
- },
- 
"externalAuths": {
- "type": "array",
- "description": "This can only be set as a day-2 resource on a separate endpoint to provide a self-managed auth service",
- "items": {
- "$ref": "#/definitions/ExternalAuthProfile"
- },
- "readOnly": true,
- "x-ms-identifiers": [
- "issuer",
- "clients",
- "claim"
- ]
- }
- },
- "required": [
- "externalAuths"
- ]
- },
- "ExternalAuthProfile": {
- "type": "object",
- "description": "External authentication profile",
- "properties": {
- "issuer": {
- "$ref": "#/definitions/TokenIssuerProfile",
- "description": "Token Issuer profile"
- },
- "clients": {
- "type": "array",
- "description": "External auth clients",
- "items": {
- "$ref": "#/definitions/ExternalAuthClientProfile"
- }
- },
- "claim": {
- "$ref": "#/definitions/ExternalAuthClaimProfile",
- "description": "External auth claim"
- }
- },
- "required": [
- "issuer",
- "clients",
- "claim"
- ]
- },
 "HcpOpenShiftClusterCredentials": {
 "type": "object",
 "description": "HCP cluster credentials",
@@ -1421,14 +1265,6 @@
 "format": "uri",
 "description": "URL for the OIDC provider to be used for authentication\nto authenticate against user Azure cloud account",
 "readOnly": true
- },
- "externalAuth": {
- "$ref": "#/definitions/ExternalAuthConfigProfile",
- "description": "Configuration to override the openshift-oauth-apiserver inside cluster\nThis changes user login into the cluster to external provider",
- "x-ms-mutability": [
- "read",
- "create"
- ]
 }
 },
 "required": [
@@ -2036,69 +1872,6 @@
 }
 }
 },
- "TokenClaimMappingsProfile": {
- "type": "object",
- "description": "External auth claim mappings profile",
- "properties": {
- "username": {
- "$ref": "#/definitions/ClaimProfile",
- "description": "The claim mappings username"
- },
- "groups": {
- "$ref": "#/definitions/ClaimProfile",
- "description": "The claim mappings groups"
- }
- },
- "required": [
- "username",
- "groups"
- ]
- },
- "TokenClaimValidationRuleProfile": {
- "type": "object",
- "description": "External auth claim validation rule",
- "properties": {
- "claim": {
- "type": "string",
- "description": "Claim name for the validation profile"
- },
- "requiredValue": {
- "type": "string",
- "description": "Required value"
- }
- },
- "required": [
- "claim",
- "requiredValue"
- ]
- },
- "TokenIssuerProfile": {
- "type": "object",
- "description": "Token issuer profile",
- "properties": {
- "url": {
- "type": "string",
- "format": "uri",
- "description": "The URL of the token issuer"
- },
- "audiences": {
- "type": "array",
- "description": "The audience of the token issuer",
- "items": {
- "type": "string"
- }
- },
- "ca": {
- "type": "string",
- "description": "The issuer of the token"
- }
- },
- "required": [
- "url",
- "audiences",
- "ca"
- ]
- },
 "UserAssignedIdentitiesProfile": {
 "type": "object",
 "description": "Represents the information related to Azure User-Assigned managed identities needed\nto perform Operators authentication based on Azure User-Assigned Managed Identities",
diff --git a/frontend/pkg/frontend/ocm.go b/frontend/pkg/frontend/ocm.go
index a56120aab..5c79e7730 100644
--- a/frontend/pkg/frontend/ocm.go
+++ b/frontend/pkg/frontend/ocm.go
@@ -9,7 +9,6 @@ import (
 "github.com/google/uuid"
 arohcpv1alpha1 "github.com/openshift-online/ocm-sdk-go/arohcp/v1alpha1"
 cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
- configv1 "github.com/openshift/api/config/v1"
 
 "github.com/Azure/ARO-HCP/internal/api"
 "github.com/Azure/ARO-HCP/internal/api/arm"
@@ -119,10 +118,6 @@ func ConvertCStoHCPOpenShiftCluster(resourceID *azcorearm.ResourceID, cluster *a
 EtcdEncryptionSetID: "",
 },
 IssuerURL: "",
- ExternalAuth: api.ExternalAuthConfigProfile{
- Enabled: false,
- ExternalAuths: []*configv1.OIDCProvider{},
- },
 },
 }
 
diff --git a/frontend/utils/create.go b/frontend/utils/create.go
index 20231467a..530b295c2 100644
--- a/frontend/utils/create.go
+++ b/frontend/utils/create.go
@@ -71,8 +71,7 @@ func CreateJSONFile() error {
 SubnetID: "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/dev-test-rg/providers/Microsoft.Network/virtualNetworks/xyz/subnets/xyz",
 OutboundType: api.OutboundType("loadBalancer"),
 },
- IssuerURL: "",
- ExternalAuth: api.ExternalAuthConfigProfile{},
+ IssuerURL: "",
 },
 }
 
diff --git a/go.work.sum b/go.work.sum
index a9fb021ce..59931950b 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -934,7 +934,6 @@ github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
 github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
-github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
 github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
 github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
 github.com/danieljoos/wincred v1.2.1 h1:dl9cBrupW8+r5250DYkYxocLeZ1Y4vB1kxgtjxw8GQs=
@@ -1729,7 +1728,6 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.6/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
@@ -2170,6 +2168,7 @@ golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2282,6 +2281,7 @@ golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2 h1:IRJeR9r1pYWsHKTRe/IInb7lYvbBVIqOgsX/u0mbOWY=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457 h1:zf5N6UOrA487eEFacMePxjXAJctxKmyjKUsjA11Uzuk=
@@ -2317,6 +2317,7 @@ golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2628,7 +2629,6 @@ honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.32.0/go.mod h1:4LEwHZEf6Q/cG96F3dqR965sYOfmPM7rq81BLgsE0p0=
 k8s.io/apiextensions-apiserver v0.32.0/go.mod h1:86hblMvN5yxMvZrZFX2OhIHAuFIMJIZ19bTvzkP+Fmw=
-k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
 k8s.io/apimachinery v0.32.0/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
 k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c=
 k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM=
@@ -2680,7 +2680,6 @@ sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsA
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/controller-runtime v0.20.1/go.mod h1:BrP3w158MwvB3ZbNpaAcIKkHQ7YGpYnzpoSTZ8E14WU=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
 sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g=
 sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0=
diff --git a/internal/api/hcpopenshiftcluster.go b/internal/api/hcpopenshiftcluster.go
index ffbc81754..48851d7d5 100644
--- a/internal/api/hcpopenshiftcluster.go
+++ b/internal/api/hcpopenshiftcluster.go
@@ -4,8 +4,6 @@ package api
 // Licensed under the Apache License 2.0.
 
 import (
- configv1 "github.com/openshift/api/config/v1"
-
 "github.com/Azure/ARO-HCP/internal/api/arm"
 )
 
@@ -18,18 +16,17 @@ type HCPOpenShiftCluster struct {
 
 // HCPOpenShiftClusterProperties represents the property bag of a HCPOpenShiftCluster resource.
 type HCPOpenShiftClusterProperties struct {
- ProvisioningState arm.ProvisioningState `json:"provisioningState,omitempty" visibility:"read"`
- Version VersionProfile `json:"version,omitempty" visibility:"read create"`
- DNS DNSProfile `json:"dns,omitempty" visibility:"read create update"`
- Network NetworkProfile `json:"network,omitempty" visibility:"read create"`
- Console ConsoleProfile `json:"console,omitempty" visibility:"read"`
- API APIProfile `json:"api,omitempty" visibility:"read create"`
- EtcdEncryption bool `json:"etcdEncryption,omitempty" visibility:"read create"`
- DisableUserWorkloadMonitoring bool `json:"disableUserWorkloadMonitoring,omitempty" visibility:"read create update"`
- Proxy ProxyProfile `json:"proxy,omitempty" visibility:"read create update"`
- Platform PlatformProfile `json:"platform,omitempty" visibility:"read create"`
- IssuerURL string `json:"issuerUrl,omitempty" visibility:"read"`
- ExternalAuth ExternalAuthConfigProfile `json:"externalAuth,omitempty" visibility:"read create"`
+ ProvisioningState arm.ProvisioningState `json:"provisioningState,omitempty" visibility:"read"`
+ Version VersionProfile `json:"version,omitempty" visibility:"read create"`
+ DNS DNSProfile `json:"dns,omitempty" visibility:"read create update"`
+ Network NetworkProfile `json:"network,omitempty" visibility:"read create"`
+ Console ConsoleProfile `json:"console,omitempty" visibility:"read"`
+ API APIProfile `json:"api,omitempty" visibility:"read create"`
+ EtcdEncryption bool `json:"etcdEncryption,omitempty" visibility:"read create"`
+ DisableUserWorkloadMonitoring bool `json:"disableUserWorkloadMonitoring,omitempty" visibility:"read create update"`
+ Proxy ProxyProfile `json:"proxy,omitempty" visibility:"read create update"`
+ Platform PlatformProfile `json:"platform,omitempty" visibility:"read create"`
+ IssuerURL 
string `json:"issuerUrl,omitempty" visibility:"read"` } // VersionProfile represents the cluster control plane version. @@ -101,12 +98,6 @@ type UserAssignedIdentitiesProfile struct { ServiceManagedIdentity string `json:"serviceManagedIdentity,omitempty" validate:"omitempty,resource_id=Microsoft.ManagedIdentity/userAssignedIdentities"` } -// ExternalAuthConfigProfile represents the external authentication configuration. -type ExternalAuthConfigProfile struct { - Enabled bool `json:"enabled,omitempty" visibility:"read create"` - ExternalAuths []*configv1.OIDCProvider `json:"externalAuths,omitempty" visibility:"read"` -} - // Creates an HCPOpenShiftCluster with any non-zero default values. func NewDefaultHCPOpenShiftCluster() *HCPOpenShiftCluster { return &HCPOpenShiftCluster{ diff --git a/internal/api/v20240610preview/generated/models.go b/internal/api/v20240610preview/generated/models.go index caa792026..4c115f245 100644 --- a/internal/api/v20240610preview/generated/models.go +++ b/internal/api/v20240610preview/generated/models.go @@ -18,18 +18,6 @@ type APIProfile struct { URL *string } -// ClaimProfile - External auth claim profile -type ClaimProfile struct { - // REQUIRED; Claim name of the external profile - Claim *string - - // REQUIRED; Prefix for the claim external profile - Prefix *string - - // REQUIRED; Prefix policy - PrefixPolicy *string -} - type ComponentsQjfoe3SchemasManagedserviceidentityupdatePropertiesUserassignedidentitiesAdditionalproperties struct { // READ-ONLY; The client ID of the assigned identity. ClientID *string 
@@ -88,60 +76,6 @@ type ErrorResponse struct { Error *ErrorDetail } -// ExternalAuthClaimProfile - External auth claim profile -type ExternalAuthClaimProfile struct { - // REQUIRED; The claim mappings - Mappings *TokenClaimMappingsProfile - - // REQUIRED; The claim validation rules - ValidationRules []*TokenClaimValidationRuleProfile -} - -// ExternalAuthClientComponentProfile - External auth component profile -type ExternalAuthClientComponentProfile struct { - // REQUIRED; The namespace of the external auth client - AuthClientNamespace *string - - // REQUIRED; The name of the external auth client - Name *string -} - -// ExternalAuthClientProfile - External auth client profile -type ExternalAuthClientProfile struct { - // REQUIRED; External auth client component - Component *ExternalAuthClientComponentProfile - - // REQUIRED; external auth client scopes - ExtraScopes []*string - - // REQUIRED; external auth client id - ID *string - - // REQUIRED; external auth client secret - Secret *string -} - -// ExternalAuthConfigProfile - External authentication configuration profile -type ExternalAuthConfigProfile struct { - // READ-ONLY; This can only be set as a day-2 resource on a separate endpoint to provide a self-managed auth service - ExternalAuths []*ExternalAuthProfile - - // This can be set during cluster creation only to ensure there is no openshift-oauth-apiserver in cluster - Enabled *bool -} - -// ExternalAuthProfile - External authentication profile -type ExternalAuthProfile struct { - // REQUIRED; External auth claim - Claim *ExternalAuthClaimProfile - - // REQUIRED; External auth clients - Clients []*ExternalAuthClientProfile - - // REQUIRED; Token Issuer profile - Issuer *TokenIssuerProfile -} - // HcpOpenShiftClusterCredentials - HCP cluster credentials type HcpOpenShiftClusterCredentials struct { // READ-ONLY; kube admin password 
@@ -247,10 +181,6 @@ type HcpOpenShiftClusterProperties struct { // Enables customer ETCD encryption, set during creation When set to true, platform.etcdEncryptionSetId must be set EtcdEncryption *bool - // Configuration to override the openshift-oauth-apiserver inside cluster This changes user login into the cluster to external -// provider - ExternalAuth *ExternalAuthConfigProfile - // Cluster network configuration Network *NetworkProfile @@ -653,36 +583,6 @@ type Taint struct { Value *string } -// TokenClaimMappingsProfile - External auth claim mappings profile -type TokenClaimMappingsProfile struct { - // REQUIRED; The claim mappings groups - Groups *ClaimProfile - - // REQUIRED; The claim mappings username - Username *ClaimProfile -} - -// TokenClaimValidationRuleProfile - External auth claim validation rule -type TokenClaimValidationRuleProfile struct { - // REQUIRED; Claim name for the validation profile - Claim *string - - // REQUIRED; Required value - RequiredValue *string -} - -// TokenIssuerProfile - Token issuer profile -type TokenIssuerProfile struct { - // REQUIRED; The audience of the token issuer - Audiences []*string - - // REQUIRED; The issuer of the token - Ca *string - - // REQUIRED; The URL of the token issuer - URL *string -} - // TrackedResource - The resource model definition for an Azure Resource Manager tracked top level resource which has 'tags' // and a 'location' type TrackedResource struct { diff --git a/internal/api/v20240610preview/generated/models_serde.go b/internal/api/v20240610preview/generated/models_serde.go index db324b4a5..98359059a 100644 --- a/internal/api/v20240610preview/generated/models_serde.go +++ b/internal/api/v20240610preview/generated/models_serde.go 
@@ -47,43 +47,6 @@ func (a *APIProfile) UnmarshalJSON(data []byte) error { return nil } -// MarshalJSON implements the json.Marshaller interface for type ClaimProfile. -func (c ClaimProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "claim", c.Claim) - populate(objectMap, "prefix", c.Prefix) - populate(objectMap, "prefixPolicy", c.PrefixPolicy) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ClaimProfile. -func (c *ClaimProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", c, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "claim": - err = unpopulate(val, "Claim", &c.Claim) - delete(rawMsg, key) - case "prefix": - err = unpopulate(val, "Prefix", &c.Prefix) - delete(rawMsg, key) - case "prefixPolicy": - err = unpopulate(val, "PrefixPolicy", &c.PrefixPolicy) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", c, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", c, err) - } - } - return nil -} - // MarshalJSON implements the json.Marshaller interface for type ComponentsQjfoe3SchemasManagedserviceidentityupdatePropertiesUserassignedidentitiesAdditionalproperties. func (c ComponentsQjfoe3SchemasManagedserviceidentityupdatePropertiesUserassignedidentitiesAdditionalproperties) MarshalJSON() ([]byte, error) { objectMap := make(map[string]any) 
@@ -286,183 +249,6 @@ func (e *ErrorResponse) UnmarshalJSON(data []byte) error { return nil } -// MarshalJSON implements the json.Marshaller interface for type ExternalAuthClaimProfile. -func (e ExternalAuthClaimProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "mappings", e.Mappings) - populate(objectMap, "validationRules", e.ValidationRules) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ExternalAuthClaimProfile. -func (e *ExternalAuthClaimProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "mappings": - err = unpopulate(val, "Mappings", &e.Mappings) - delete(rawMsg, key) - case "validationRules": - err = unpopulate(val, "ValidationRules", &e.ValidationRules) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", e, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type ExternalAuthClientComponentProfile. -func (e ExternalAuthClientComponentProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "authClientNamespace", e.AuthClientNamespace) - populate(objectMap, "name", e.Name) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ExternalAuthClientComponentProfile. 
-func (e *ExternalAuthClientComponentProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "authClientNamespace": - err = unpopulate(val, "AuthClientNamespace", &e.AuthClientNamespace) - delete(rawMsg, key) - case "name": - err = unpopulate(val, "Name", &e.Name) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", e, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type ExternalAuthClientProfile. -func (e ExternalAuthClientProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "component", e.Component) - populate(objectMap, "extraScopes", e.ExtraScopes) - populate(objectMap, "id", e.ID) - populate(objectMap, "secret", e.Secret) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ExternalAuthClientProfile. 
-func (e *ExternalAuthClientProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "component": - err = unpopulate(val, "Component", &e.Component) - delete(rawMsg, key) - case "extraScopes": - err = unpopulate(val, "ExtraScopes", &e.ExtraScopes) - delete(rawMsg, key) - case "id": - err = unpopulate(val, "ID", &e.ID) - delete(rawMsg, key) - case "secret": - err = unpopulate(val, "Secret", &e.Secret) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", e, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type ExternalAuthConfigProfile. -func (e ExternalAuthConfigProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "enabled", e.Enabled) - populate(objectMap, "externalAuths", e.ExternalAuths) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ExternalAuthConfigProfile. 
-func (e *ExternalAuthConfigProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "enabled": - err = unpopulate(val, "Enabled", &e.Enabled) - delete(rawMsg, key) - case "externalAuths": - err = unpopulate(val, "ExternalAuths", &e.ExternalAuths) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", e, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type ExternalAuthProfile. -func (e ExternalAuthProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "claim", e.Claim) - populate(objectMap, "clients", e.Clients) - populate(objectMap, "issuer", e.Issuer) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type ExternalAuthProfile. -func (e *ExternalAuthProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "claim": - err = unpopulate(val, "Claim", &e.Claim) - delete(rawMsg, key) - case "clients": - err = unpopulate(val, "Clients", &e.Clients) - delete(rawMsg, key) - case "issuer": - err = unpopulate(val, "Issuer", &e.Issuer) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", e, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", e, err) - } - } - return nil -} - // MarshalJSON implements the json.Marshaller interface for type HcpOpenShiftClusterCredentials. 
func (h HcpOpenShiftClusterCredentials) MarshalJSON() ([]byte, error) { objectMap := make(map[string]any) @@ -734,7 +520,6 @@ func (h HcpOpenShiftClusterProperties) MarshalJSON() ([]byte, error) { populate(objectMap, "dns", h.DNS) populate(objectMap, "disableUserWorkloadMonitoring", h.DisableUserWorkloadMonitoring) populate(objectMap, "etcdEncryption", h.EtcdEncryption) - populate(objectMap, "externalAuth", h.ExternalAuth) populate(objectMap, "issuerUrl", h.IssuerURL) populate(objectMap, "network", h.Network) populate(objectMap, "platform", h.Platform) @@ -768,9 +553,6 @@ func (h *HcpOpenShiftClusterProperties) UnmarshalJSON(data []byte) error { case "etcdEncryption": err = unpopulate(val, "EtcdEncryption", &h.EtcdEncryption) delete(rawMsg, key) - case "externalAuth": - err = unpopulate(val, "ExternalAuth", &h.ExternalAuth) - delete(rawMsg, key) case "issuerUrl": err = unpopulate(val, "IssuerURL", &h.IssuerURL) delete(rawMsg, key) 
@@ -1758,109 +1540,6 @@ func (t *Taint) UnmarshalJSON(data []byte) error { return nil } -// MarshalJSON implements the json.Marshaller interface for type TokenClaimMappingsProfile. -func (t TokenClaimMappingsProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "groups", t.Groups) - populate(objectMap, "username", t.Username) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type TokenClaimMappingsProfile. -func (t *TokenClaimMappingsProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "groups": - err = unpopulate(val, "Groups", &t.Groups) - delete(rawMsg, key) - case "username": - err = unpopulate(val, "Username", &t.Username) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", t, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type TokenClaimValidationRuleProfile. -func (t TokenClaimValidationRuleProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "claim", t.Claim) - populate(objectMap, "requiredValue", t.RequiredValue) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type TokenClaimValidationRuleProfile. 
-func (t *TokenClaimValidationRuleProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "claim": - err = unpopulate(val, "Claim", &t.Claim) - delete(rawMsg, key) - case "requiredValue": - err = unpopulate(val, "RequiredValue", &t.RequiredValue) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", t, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - } - return nil -} - -// MarshalJSON implements the json.Marshaller interface for type TokenIssuerProfile. -func (t TokenIssuerProfile) MarshalJSON() ([]byte, error) { - objectMap := make(map[string]any) - populate(objectMap, "audiences", t.Audiences) - populate(objectMap, "ca", t.Ca) - populate(objectMap, "url", t.URL) - return json.Marshal(objectMap) -} - -// UnmarshalJSON implements the json.Unmarshaller interface for type TokenIssuerProfile. -func (t *TokenIssuerProfile) UnmarshalJSON(data []byte) error { - var rawMsg map[string]json.RawMessage - if err := json.Unmarshal(data, &rawMsg); err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - for key, val := range rawMsg { - var err error - switch key { - case "audiences": - err = unpopulate(val, "Audiences", &t.Audiences) - delete(rawMsg, key) - case "ca": - err = unpopulate(val, "Ca", &t.Ca) - delete(rawMsg, key) - case "url": - err = unpopulate(val, "URL", &t.URL) - delete(rawMsg, key) - default: - err = fmt.Errorf("unmarshalling type %T, unknown field %q", t, key) - } - if err != nil { - return fmt.Errorf("unmarshalling type %T: %v", t, err) - } - } - return nil -} - // MarshalJSON implements the json.Marshaller interface for type TrackedResource. func (t TrackedResource) MarshalJSON() ([]byte, error) { objectMap := make(map[string]any) 
diff --git a/internal/api/v20240610preview/hcpopenshiftclusters_methods.go b/internal/api/v20240610preview/hcpopenshiftclusters_methods.go
index f3926fcab..60ae19c03 100644
--- a/internal/api/v20240610preview/hcpopenshiftclusters_methods.go
+++ b/internal/api/v20240610preview/hcpopenshiftclusters_methods.go
@@ -7,8 +7,6 @@ import (
 "fmt"
 "net/http"
- configv1 "github.com/openshift/api/config/v1"
-
 "github.com/Azure/ARO-HCP/internal/api"
 "github.com/Azure/ARO-HCP/internal/api/arm"
 "github.com/Azure/ARO-HCP/internal/api/v20240610preview/generated"
@@ -90,72 +88,6 @@ func newUserAssignedIdentitiesProfile(from *api.UserAssignedIdentitiesProfile) *
 }
 }
-func newExternalAuthProfile(from *configv1.OIDCProvider) *generated.ExternalAuthProfile {
- out := &generated.ExternalAuthProfile{
- Issuer: &generated.TokenIssuerProfile{
- URL: api.Ptr(from.Issuer.URL),
- Audiences: make([]*string, len(from.Issuer.Audiences)),
- Ca: api.Ptr(from.Issuer.CertificateAuthority.Name),
- },
- Clients: make([]*generated.ExternalAuthClientProfile, len(from.OIDCClients)),
- Claim: &generated.ExternalAuthClaimProfile{
- Mappings: &generated.TokenClaimMappingsProfile{
- Username: &generated.ClaimProfile{
- Claim: api.Ptr(from.ClaimMappings.Username.Claim),
- PrefixPolicy: api.Ptr(string(from.ClaimMappings.Username.PrefixPolicy)),
- },
- Groups: &generated.ClaimProfile{
- Claim: api.Ptr(from.ClaimMappings.Groups.Claim),
- Prefix: api.Ptr(from.ClaimMappings.Groups.Prefix),
- },
- },
- ValidationRules: make([]*generated.TokenClaimValidationRuleProfile, len(from.ClaimValidationRules)),
- },
- }
-
- for index, item := range from.Issuer.Audiences {
- out.Issuer.Audiences[index] = api.Ptr(string(item))
- }
-
- for index, item := range from.OIDCClients {
- out.Clients[index] = newExternalAuthClientProfile(item)
- }
-
- if from.ClaimMappings.Username.Prefix != nil {
- out.Claim.Mappings.Username.Prefix = api.Ptr(from.ClaimMappings.Username.Prefix.PrefixString)
- }
-
- for index, item := range from.ClaimValidationRules {
- out.Claim.ValidationRules[index] = newTokenClaimValidationRuleProfile(item)
- }
-
- return out
-}
-
-func newTokenClaimValidationRuleProfile(from configv1.TokenClaimValidationRule) *generated.TokenClaimValidationRuleProfile {
- if from.RequiredClaim == nil {
- // Should never happen since we create these rules.
- panic("TokenClaimValidationRule has no RequiredClaim")
- }
-
- return &generated.TokenClaimValidationRuleProfile{
- Claim: api.Ptr(from.RequiredClaim.Claim),
- RequiredValue: api.Ptr(from.RequiredClaim.RequiredValue),
- }
-}
-
-func newExternalAuthClientProfile(from configv1.OIDCClientConfig) *generated.ExternalAuthClientProfile {
- return &generated.ExternalAuthClientProfile{
- Component: &generated.ExternalAuthClientComponentProfile{
- Name: api.Ptr(from.ComponentName),
- AuthClientNamespace: api.Ptr(from.ComponentNamespace),
- },
- ID: api.Ptr(from.ClientID),
- Secret: api.Ptr(from.ClientSecret.Name),
- ExtraScopes: api.StringSliceToStringPtrSlice(from.ExtraScopes),
- }
-}
-
 func (v version) NewHCPOpenShiftCluster(from *api.HCPOpenShiftCluster) api.VersionedHCPOpenShiftCluster {
 if from == nil {
 from = api.NewDefaultHCPOpenShiftCluster()
@@ -187,10 +119,6 @@ func (v version) NewHCPOpenShiftCluster(from *api.HCPOpenShiftCluster) api.Versi
 Proxy: newProxyProfile(&from.Properties.Proxy),
 Platform: newPlatformProfile(&from.Properties.Platform),
 IssuerURL: api.Ptr(from.Properties.IssuerURL),
- ExternalAuth: &generated.ExternalAuthConfigProfile{
- Enabled: api.Ptr(from.Properties.ExternalAuth.Enabled),
- ExternalAuths: make([]*generated.ExternalAuthProfile, len(from.Properties.ExternalAuth.ExternalAuths)),
- },
 },
 },
 }
@@ -206,10 +134,6 @@ func (v version) NewHCPOpenShiftCluster(from *api.HCPOpenShiftCluster) api.Versi
 }
 }
- for index, item := range from.Properties.ExternalAuth.ExternalAuths {
- out.Properties.ExternalAuth.ExternalAuths[index] = newExternalAuthProfile(item)
- }
-
 return out
 }
@@ -300,9 +224,6 @@ func (c *HcpOpenShiftClusterResource) Normalize(out *api.HCPOpenShiftCluster) {
 if c.Properties.IssuerURL != nil {
 out.Properties.IssuerURL = *c.Properties.IssuerURL
 }
- if c.Properties.ExternalAuth != nil {
- normalizeExternalAuthConfig(c.Properties.ExternalAuth, &out.Properties.ExternalAuth)
- }
 }
 }
 }
@@ -530,98 +451,6 @@ func normalizeUserAssignedIdentities(p *generated.UserAssignedIdentitiesProfile,
 }
 }
-func normalizeExternalAuthConfig(p *generated.ExternalAuthConfigProfile, out *api.ExternalAuthConfigProfile) {
- if p.Enabled != nil {
- out.Enabled = *p.Enabled
- }
- out.ExternalAuths = []*configv1.OIDCProvider{}
- for _, item := range api.DeleteNilsFromPtrSlice(p.ExternalAuths) {
- provider := &configv1.OIDCProvider{}
-
- if item.Issuer != nil {
- if item.Issuer.URL != nil {
- provider.Issuer.URL = *item.Issuer.URL
- }
- provider.Issuer.Audiences = make([]configv1.TokenAudience, len(item.Issuer.Audiences))
- for index, audience := range item.Issuer.Audiences {
- if audience != nil {
- provider.Issuer.Audiences[index] = configv1.TokenAudience(*audience)
- }
- }
- if item.Issuer.Ca != nil {
- // Slight misuse of the field. It's meant to name a config map holding a
- "ca-bundle.crt" key, whereas we store the data directly in the Name field.
- provider.Issuer.CertificateAuthority = configv1.ConfigMapNameReference{
- Name: *item.Issuer.Ca,
- }
- }
- }
-
- clientSequence := api.DeleteNilsFromPtrSlice(item.Clients)
- provider.OIDCClients = make([]configv1.OIDCClientConfig, len(clientSequence))
- for index, client := range clientSequence {
- if client.Component != nil {
- if client.Component.Name != nil {
- provider.OIDCClients[index].ComponentName = *client.Component.Name
- }
- if client.Component.AuthClientNamespace != nil {
- provider.OIDCClients[index].ComponentNamespace = *client.Component.AuthClientNamespace
- }
- }
- if client.ID != nil {
- provider.OIDCClients[index].ClientID = *client.ID
- }
- if client.Secret != nil {
- // Slight misuse of the field. It's meant to name a secret holding a
- "clientSecret" key, whereas we store the data directly in the Name field.
- provider.OIDCClients[index].ClientSecret.Name = *client.Secret
- }
- provider.OIDCClients[index].ExtraScopes = api.StringPtrSliceToStringSlice(client.ExtraScopes)
- }
-
- if item.Claim != nil {
- if item.Claim.Mappings != nil {
- if item.Claim.Mappings.Username != nil {
- if item.Claim.Mappings.Username.Claim != nil {
- provider.ClaimMappings.Username.TokenClaimMapping.Claim = *item.Claim.Mappings.Username.Claim
- }
- if item.Claim.Mappings.Username.PrefixPolicy != nil {
- provider.ClaimMappings.Username.PrefixPolicy = configv1.UsernamePrefixPolicy(*item.Claim.Mappings.Username.PrefixPolicy)
- }
- if item.Claim.Mappings.Username.Prefix != nil {
- provider.ClaimMappings.Username.Prefix.PrefixString = *item.Claim.Mappings.Username.Prefix
- }
- }
- if item.Claim.Mappings.Groups != nil {
- if item.Claim.Mappings.Groups.Claim != nil {
- provider.ClaimMappings.Groups.TokenClaimMapping.Claim = *item.Claim.Mappings.Groups.Claim
- }
- if item.Claim.Mappings.Groups.Prefix != nil {
- provider.ClaimMappings.Groups.Prefix = *item.Claim.Mappings.Groups.Prefix
- }
- }
- }
- }
-
- validationRuleSequence := api.DeleteNilsFromPtrSlice(item.Claim.ValidationRules)
- provider.ClaimValidationRules = make([]configv1.TokenClaimValidationRule, len(validationRuleSequence))
- for index, rule := range validationRuleSequence {
- provider.ClaimValidationRules[index] = configv1.TokenClaimValidationRule{
- Type: configv1.TokenValidationRuleTypeRequiredClaim,
- RequiredClaim: &configv1.TokenRequiredClaim{},
- }
- if rule.Claim != nil {
- provider.ClaimValidationRules[index].RequiredClaim.Claim = *rule.Claim
- }
- if rule.RequiredValue != nil {
- provider.ClaimValidationRules[index].RequiredClaim.RequiredValue = *rule.RequiredValue
- }
- }
-
- out.ExternalAuths = append(out.ExternalAuths, provider)
- }
-}
-
 func normalizeIdentityUserAssignedIdentities(p map[string]*generated.UserAssignedIdentity, out *map[string]*arm.UserAssignedIdentity) {
 if *out == nil {
 *out = 
make(map[string]*arm.UserAssignedIdentity)