Merge pull request #1585 from fluxcd/bucket-sts-endpoint-ldap

Add LDAP provider for Bucket STS API

Author: matheuscscp

Diff for: api/v1beta2/bucket_types.go

@@ -49,8 +49,11 @@ const (
 
 // BucketSpec specifies the required configuration to produce an Artifact for
 // an object storage bucket.
-// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || !has(self.sts)", message="STS configuration is only supported for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)", message="STS configuration is only supported for the 'aws' and 'generic' Bucket providers"
 // +kubebuilder:validation:XValidation:rule="self.provider != 'aws' || !has(self.sts) || self.sts.provider == 'aws'", message="'aws' is the only supported STS provider for the 'aws' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="self.provider != 'generic' || !has(self.sts) || self.sts.provider == 'ldap'", message="'ldap' is the only supported STS provider for the 'generic' Bucket provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.secretRef)", message="spec.sts.secretRef is not required for the 'aws' STS provider"
+// +kubebuilder:validation:XValidation:rule="!has(self.sts) || self.sts.provider != 'aws' || !has(self.sts.certSecretRef)", message="spec.sts.certSecretRef is not required for the 'aws' STS provider"
 type BucketSpec struct {
 	// Provider of the object storage bucket.
 	// Defaults to 'generic', which expects an S3 (API) compatible object
@@ -72,7 +75,7 @@ type BucketSpec struct {
 	// Service for fetching temporary credentials to authenticate in a
 	// Bucket provider.
 	//
-	// This field is only supported for the `aws` provider.
+	// This field is only supported for the `aws` and `generic` providers.
 	// +optional
 	STS *BucketSTSSpec `json:"sts,omitempty"`
 
@@ -153,7 +156,7 @@ type BucketSpec struct {
 // provider.
 type BucketSTSSpec struct {
 	// Provider of the Security Token Service.
-	// +kubebuilder:validation:Enum=aws
+	// +kubebuilder:validation:Enum=aws;ldap
 	// +required
 	Provider string `json:"provider"`
 
@@ -162,6 +165,29 @@ type BucketSTSSpec struct {
 	// +required
 	// +kubebuilder:validation:Pattern="^(http|https)://.*$"
 	Endpoint string `json:"endpoint"`
+
+	// SecretRef specifies the Secret containing authentication credentials
+	// for the STS endpoint. This Secret must contain the fields `username`
+	// and `password` and is supported only for the `ldap` provider.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// CertSecretRef can be given the name of a Secret containing
+	// either or both of
+	//
+	// - a PEM-encoded client certificate (`tls.crt`) and private
+	// key (`tls.key`);
+	// - a PEM-encoded CA certificate (`ca.crt`)
+	//
+	// and whichever are supplied, will be used for connecting to the
+	// STS endpoint. The client cert and key are useful if you are
+	// authenticating with a certificate; the CA cert is useful if
+	// you are using a self-signed server certificate. The Secret must
+	// be of type `Opaque` or `kubernetes.io/tls`.
+	//
+	// This field is only supported for the `ldap` provider.
+	// +optional
+	CertSecretRef *meta.LocalObjectReference `json:"certSecretRef,omitempty"`
 }
 
 // BucketStatus records the observed state of a Bucket.

Diff for: api/v1beta2/sts_types.go

@@ -20,4 +20,7 @@ const (
 	// STSProviderAmazon represents the AWS provider for Security Token Service.
 	// Provides support for fetching temporary credentials from an AWS STS endpoint.
 	STSProviderAmazon string = "aws"
+	// STSProviderLDAP represents the LDAP provider for Security Token Service.
+	// Provides support for fetching temporary credentials from an LDAP endpoint.
+	STSProviderLDAP string = "ldap"
 )

Diff for: api/v1beta2/zz_generated.deepcopy.go

@@ -424,8 +424,34 @@ spec:
                   Bucket provider.
 
 
-                  This field is only supported for the `aws` provider.
+                  This field is only supported for the `aws` and `generic` providers.
                 properties:
+                  certSecretRef:
+                    description: |-
+                      CertSecretRef can be given the name of a Secret containing
+                      either or both of
+
+
+                      - a PEM-encoded client certificate (`tls.crt`) and private
+                      key (`tls.key`);
+                      - a PEM-encoded CA certificate (`ca.crt`)
+
+
+                      and whichever are supplied, will be used for connecting to the
+                      STS endpoint. The client cert and key are useful if you are
+                      authenticating with a certificate; the CA cert is useful if
+                      you are using a self-signed server certificate. The Secret must
+                      be of type `Opaque` or `kubernetes.io/tls`.
+
+
+                      This field is only supported for the `ldap` provider.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
                   endpoint:
                     description: |-
                       Endpoint is the HTTP/S endpoint of the Security Token Service from
@@ -436,7 +462,20 @@ spec:
                     description: Provider of the Security Token Service.
                     enum:
                     - aws
+                    - ldap
                     type: string
+                  secretRef:
+                    description: |-
+                      SecretRef specifies the Secret containing authentication credentials
+                      for the STS endpoint. This Secret must contain the fields `username`
+                      and `password` and is supported only for the `ldap` provider.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
                 required:
                 - endpoint
                 - provider
@@ -457,12 +496,21 @@ spec:
             - interval
             type: object
             x-kubernetes-validations:
-            - message: STS configuration is only supported for the 'aws' Bucket provider
-              rule: self.provider == 'aws' || !has(self.sts)
+            - message: STS configuration is only supported for the 'aws' and 'generic'
+                Bucket providers
+              rule: self.provider == 'aws' || self.provider == 'generic' || !has(self.sts)
             - message: '''aws'' is the only supported STS provider for the ''aws''
                 Bucket provider'
               rule: self.provider != 'aws' || !has(self.sts) || self.sts.provider
                 == 'aws'
+            - message: '''ldap'' is the only supported STS provider for the ''generic''
+                Bucket provider'
+              rule: self.provider != 'generic' || !has(self.sts) || self.sts.provider
+                == 'ldap'
+            - message: spec.sts.secretRef is not required for the 'aws' STS provider
+              rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.secretRef)'
+            - message: spec.sts.certSecretRef is not required for the 'aws' STS provider
+              rule: '!has(self.sts) || self.sts.provider != ''aws'' || !has(self.sts.certSecretRef)'
           status:
             default:
               observedGeneration: -1

Diff for: config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml

@@ -126,7 +126,7 @@ BucketSTSSpec
 <p>STS specifies the required configuration to use a Security Token
 Service for fetching temporary credentials to authenticate in a
 Bucket provider.</p>
-<p>This field is only supported for the <code>aws</code> provider.</p>
+<p>This field is only supported for the <code>aws</code> and <code>generic</code> providers.</p>
 </td>
 </tr>
 <tr>
@@ -1497,6 +1497,48 @@ string
 where temporary credentials will be fetched.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>secretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SecretRef specifies the Secret containing authentication credentials
+for the STS endpoint. This Secret must contain the fields <code>username</code>
+and <code>password</code> and is supported only for the <code>ldap</code> provider.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>certSecretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CertSecretRef can be given the name of a Secret containing
+either or both of</p>
+<ul>
+<li>a PEM-encoded client certificate (<code>tls.crt</code>) and private
+key (<code>tls.key</code>);</li>
+<li>a PEM-encoded CA certificate (<code>ca.crt</code>)</li>
+</ul>
+<p>and whichever are supplied, will be used for connecting to the
+STS endpoint. The client cert and key are useful if you are
+authenticating with a certificate; the CA cert is useful if
+you are using a self-signed server certificate. The Secret must
+be of type <code>Opaque</code> or <code>kubernetes.io/tls</code>.</p>
+<p>This field is only supported for the <code>ldap</code> provider.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>
@@ -1569,7 +1611,7 @@ BucketSTSSpec
 <p>STS specifies the required configuration to use a Security Token
 Service for fetching temporary credentials to authenticate in a
 Bucket provider.</p>
-<p>This field is only supported for the <code>aws</code> provider.</p>
+<p>This field is only supported for the <code>aws</code> and <code>generic</code> providers.</p>
 </td>
 </tr>
 <tr>

Diff for: docs/api/v1beta2/source.md

@@ -756,15 +756,75 @@ configuration. A Security Token Service (STS) is a web service that issues
 temporary security credentials. By adding this field, one may specify the
 STS endpoint from where temporary credentials will be fetched.
 
+This field is only supported for the `aws` and `generic` bucket [providers](#provider).
+
 If using `.spec.sts`, the following fields are required:
 
 - `.spec.sts.provider`, the Security Token Service provider. The only supported
-  option is `aws`.
+  option for the `generic` bucket provider is `ldap`. The only supported option
+  for the `aws` bucket provider is `aws`.
 - `.spec.sts.endpoint`, the HTTP/S endpoint of the Security Token Service. In
-  the case of AWS, this can be `https://sts.amazonaws.com`, or a Regional STS
-  Endpoint, or an Interface Endpoint created inside a VPC.
+  the case of `aws` this can be `https://sts.amazonaws.com`, or a Regional STS
+  Endpoint, or an Interface Endpoint created inside a VPC. In the case of
+  `ldap` this must be the LDAP server endpoint.
+
+When using the `ldap` provider, the following fields may also be specified:
+
+- `.spec.sts.secretRef.name`, the name of the Secret containing the LDAP
+  credentials. The Secret must contain the following keys:
+  - `username`, the username to authenticate with.
+  - `password`, the password to authenticate with.
+- `.spec.sts.certSecretRef.name`, the name of the Secret containing the
+  TLS configuration for communicating with the STS endpoint. The contents
+  of this Secret must follow the same structure of
+  [`.spec.certSecretRef.name`](#cert-secret-reference).
+
+If [`.spec.proxySecretRef.name`](#proxy-secret-reference) is specified,
+the proxy configuration will be used for commucating with the STS endpoint.
+
+Example for the `ldap` provider:
 
-This field is only supported for the `aws` bucket provider.
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: example
+  namespace: example
+spec:
+  interval: 5m
+  bucketName: example
+  provider: generic
+  endpoint: minio.example.com
+  sts:
+    provider: ldap
+    endpoint: https://ldap.example.com
+    secretRef:
+      name: ldap-credentials
+    certSecretRef:
+      name: ldap-tls
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-credentials
+  namespace: example
+type: Opaque
+stringData:
+  username: <username>
+  password: <password>
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ldap-tls
+  namespace: example
+type: kubernetes.io/tls # or Opaque
+stringData:
+  tls.crt: <PEM-encoded cert>
+  tls.key: <PEM-encoded key>
+  ca.crt: <PEM-encoded cert>
+```
 
 ### Bucket name