Merge pull request #78 from embik/oidc-serviceaccount-validation

kcp-ci-bot · web-flow · commit efcb5684dd20 · 2025-08-01T14:24:04.000+02:00
Add validation to FrontProxy to ensure that OIDC requires ServiceAccount auth
diff --git a/config/crd/bases/operator.kcp.io_frontproxies.yaml b/config/crd/bases/operator.kcp.io_frontproxies.yaml
@@ -77,8 +77,9 @@ spec:
                   type: object
                 type: array
               auth:
-                description: 'Optional: Auth configures various aspects of Authentication
-                  and Authorization for this front-proxy instance.'
+                description: |-
+                  Optional: Auth configures various aspects of Authentication and Authorization for this front-proxy instance.
+                  If OIDC is enabled, it also requires enabling ServiceAccount authentication (as front-proxy will start validating JWT tokens, which includes ServiceAccount tokens).
                 properties:
                   dropGroups:
                     description: 'Optional: DropGroups configures groups to be dropped
@@ -144,6 +145,9 @@ spec:
                     - enabled
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: OIDC requires ServiceAccount auth to be enabled.
+                  rule: '!has(self.oidc) || (has(self.serviceAccount) && self.serviceAccount.enabled)'
               certificateTemplates:
                 additionalProperties:
                   properties:
diff --git a/config/samples/operator.kcp.io_v1alpha1_frontproxy.yaml b/config/samples/operator.kcp.io_v1alpha1_frontproxy.yaml
@@ -6,6 +6,9 @@ metadata:
     app.kubernetes.io/managed-by: kustomize
   name: frontproxy-sample
 spec:
+  auth:
+    serviceAccount:
+      enabled: true
   rootShard:
     ref:
       name: shard-sample
diff --git a/config/samples/v1alpha1_kubeconfig_admin.yaml b/config/samples/v1alpha1_kubeconfig_admin.yaml
diff --git a/sdk/apis/operator/v1alpha1/frontproxy_types.go b/sdk/apis/operator/v1alpha1/frontproxy_types.go
@@ -30,6 +30,8 @@ type FrontProxySpec struct {
 	// Resources overrides the default resource requests and limits.
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
 	// Optional: Auth configures various aspects of Authentication and Authorization for this front-proxy instance.
+	// If OIDC is enabled, it also requires enabling ServiceAccount authentication (as front-proxy will start validating JWT tokens, which includes ServiceAccount tokens).
+	// +kubebuilder:validation:XValidation:rule="!has(self.oidc) || (has(self.serviceAccount) && self.serviceAccount.enabled)",message="OIDC requires ServiceAccount auth to be enabled."
 	Auth *AuthSpec `json:"auth,omitempty"`
 	// Optional: AdditionalPathMappings configures // TODO ?
 	AdditionalPathMappings []PathMappingEntry `json:"additionalPathMappings,omitempty"`
