feat: Add OIDC support

.vscode/launch.json

@@ -0,0 +1,23 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "type": "lldb",
+            "request": "launch",
+            "name": "Debug executable 'stackable-druid-operator'",
+            "cargo": {
+                "args": [
+                    "build",
+                    "--bin=stackable-druid-operator",
+                    "--package=stackable-druid-operator"
+                ],
+                "filter": {
+                    "name": "stackable-druid-operator",
+                    "kind": "bin"
+                }
+            },
+            "args": ["run"],
+            "cwd": "${workspaceFolder}"
+        }
+    ]
+}

CHANGELOG.md

@@ -7,15 +7,16 @@ All notable changes to this project will be documented in this file.
 ### Added
 
 - Add support for specifying additional extensions to load ([#547], [#563]).
+- Add support for OIDC as authentication method ([#573]).
 
 ### Changed
 
 - Bump `stackable-operator` from `0.64.0` to `0.70.0` ([#585]).
 - Bump `product-config` from `0.6.0` to `0.7.0` ([#585]).
 - Bump other dependencies ([#587]).
 
-[#585]: https://github.com/stackabletech/airflow-operator/pull/585
-[#587]: https://github.com/stackabletech/airflow-operator/pull/587
+[#585]: https://github.com/stackabletech/druid-operator/pull/585
+[#587]: https://github.com/stackabletech/druid-operator/pull/587
 
 ### Fixed
 
@@ -27,6 +28,7 @@ All notable changes to this project will be documented in this file.
 [#557]: https://github.com/stackabletech/druid-operator/pull/557
 [#563]: https://github.com/stackabletech/druid-operator/pull/563
 [#572]: https://github.com/stackabletech/druid-operator/pull/572
+[#573]: https://github.com/stackabletech/druid-operator/pull/573
 
 ## [24.3.0] - 2024-03-20
 

deploy/helm/druid-operator/crds/crds.yaml

@@ -7203,14 +7203,33 @@ spec:
                     authentication:
                       default: []
                       description: |-
-                        List of [AuthenticationClasses](https://docs.stackable.tech/home/nightly/concepts/authentication) to use for authenticating users. TLS and LDAP authentication are supported. More information in the [Druid operator security documentation](https://docs.stackable.tech/home/nightly/druid/usage-guide/security#_authentication).
+                        List of [AuthenticationClasses](https://docs.stackable.tech/home/nightly/concepts/authentication) to use for authenticating users. TLS, LDAP and OIDC authentication are supported. More information in the [Druid operator security documentation](https://docs.stackable.tech/home/nightly/druid/usage-guide/security#_authentication).
 
                         For TLS: Please note that the SecretClass used to authenticate users needs to be the same as the SecretClass used for internal communication.
                       items:
                         properties:
                           authenticationClass:
-                            description: 'The name of an [AuthenticationClass](https://docs.stackable.tech/home/nightly/concepts/authentication) object. When using TLS authentication, the `clientCertSecretClass` must be identical to the `serverAndInternalSecretClass` in the `clusterConfig.tls` settings of Druid. This is a limitation of Druid: Only one CA certificate can be used for both internal authentication between processes as well as authentication of users.'
+                            description: A name/key which references an authentication class. To get the concrete [`AuthenticationClass`], we must resolve it. This resolution can be achieved by using [`ClientAuthenticationDetails::resolve_class`].
                             type: string
+                          oidc:
+                            description: |-
+                              This field contains authentication provider specific configuration.
+
+                              Use [`ClientAuthenticationDetails::oidc_or_error`] to get the value or report an error to the user.
+                            nullable: true
+                            properties:
+                              clientCredentialsSecret:
+                                description: A reference to the OIDC client credentials secret. The secret contains the client id and secret.
+                                type: string
+                              extraScopes:
+                                default: []
+                                description: An optional list of extra scopes which get merged with the scopes defined in the [`AuthenticationClass`].
+                                items:
+                                  type: string
+                                type: array
+                            required:
+                              - clientCredentialsSecret
+                            type: object
                         required:
                           - authenticationClass
                         type: object

docs/modules/druid/examples/druid-oidc-authentication.yaml

@@ -0,0 +1,37 @@
+# yamllint disable-file
+
+# tag::authclass[]
+apiVersion: authentication.stackable.tech/v1alpha1
+kind: AuthenticationClass
+metadata:
+  name: oidc-auth
+spec:
+  provider:
+    oidc:
+  [...]
+#end::authclass[]
+
+# tag::druid[]
+apiVersion: druid.stackable.tech/v1alpha1
+kind: DruidCluster
+metadata:
+  name: druid
+spec:
+  clusterConfig:
+    authentication:
+      - authenticationClass: oidc-auth
+        oidc:
+          clientCredentialsSecret: druid-oidc-client
+  [...]
+# end::druid[]
+
+# tag::secret[]
+apiVersion: v1
+kind: Secret
+metadata:
+  name: druid-oidc-client
+stringData:
+  clientId: <client-id>
+  clientSecret: <client-secret>
+
+# end::secret[]

docs/modules/druid/pages/usage-guide/security.adoc

@@ -72,12 +72,35 @@ include::example$druid-ldap-authentication.yaml[tag=druid]
 ----
 
 Check out the xref:tutorials:authentication_with_openldap.adoc[] tutorial to see a complete example of how to set LDAP authentication for another Stackable operator.
-You can also consult the home:reference:authenticationclass.adoc[] reference, or
+You can also consult the xref:home:reference:authenticationclass.adoc[] reference, or
 https://github.com/stackabletech/druid-operator/tree/main/tests/templates/kuttl/ldap-authentication[the LDAP test] suite.
 
+=== OIDC
+
+Druid supports xref:concepts:authentication.adoc[authentication] of users of the web console against a OIDC provider.
+This requires setting up a xref:concepts:authentication.adoc#authenticationclass[AuthenticationClass] for the OIDC provider:
+
+[source,yaml]
+----
+include::example$druid-oidc-authentication.yaml[tag=authclass]
+----
+
+Reference the AuthenticationClass and a secret containing OIDC client credentials in your DruidCluster resource:
+
+[source,yaml]
+----
+include::example$druid-oidc-authentication.yaml[tag=druid]
+----
+
+The secret containing the OIDC client credentials should be structured like this:
+[source,yaml]
+----
+include::example$druid-oidc-authentication.yaml[tag=secret]
+----
+
 === Current Limitations and Upcoming Work
 
-At the moment you can either use TLS authentication or LDAP authentication. Both methods together are not supported.
+At the moment you can either use TLS, LDAP or OIDC authentication but not a combination of authentication methods.
 
 Using an LDAP server **without** bind credentials is not supported. This limitation is due to Druid not supporting this scenario. See https://github.com/stackabletech/druid-operator/issues/383[our issue] for details.
 

rust/crd/Cargo.toml

@@ -23,3 +23,4 @@ lazy_static.workspace = true
 [dev-dependencies]
 rstest.workspace = true
 serde_yaml.workspace = true
+tokio.workspace = true