feat(operator): Add support for authn/authz

operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java

@@ -20,4 +20,11 @@ public class EnvironmentVariables {
     public static final String KAFKASQL_SSL_TRUSTSTORE_TYPE = KAFKA_PREFIX + "SSL_TRUSTSTORE_TYPE";
     public static final String KAFKASQL_SSL_TRUSTSTORE_LOCATION = KAFKA_PREFIX + "SSL_TRUSTSTORE_LOCATION";
     public static final String KAFKASQL_SSL_TRUSTSTORE_PASSWORD = KAFKA_PREFIX + "SSL_TRUSTSTORE_PASSWORD";
+
+    // Auth related environment variables
+    public static final String APICURIO_REGISTRY_AUTH_ENABLED = "QUARKUS_OIDC_TENANT_ENABLED";
+    public static final String APICURIO_REGISTRY_APP_CLIENT_ID = "QUARKUS_OIDC_CLIENT_ID";
+    public static final String APICURIO_REGISTRY_UI_CLIENT_ID = "APICURIO_UI_AUTH_OIDC_CLIENT_ID";
+    public static final String APICURIO_REGISTRY_AUTH_SERVER_URL = "QUARKUS_OIDC_AUTH_SERVER_URL";
+
 }

operator/controller/src/main/java/io/apicurio/registry/operator/resource/app/AppDeploymentResource.java

@@ -4,6 +4,7 @@
 import io.apicurio.registry.operator.OperatorException;
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3Spec;
+import io.apicurio.registry.operator.api.v1.spec.AppAuthSpec;
 import io.apicurio.registry.operator.api.v1.spec.AppFeaturesSpec;
 import io.apicurio.registry.operator.api.v1.spec.AppSpec;
 import io.apicurio.registry.operator.api.v1.spec.StorageSpec;
@@ -67,11 +68,22 @@ protected Deployment desired(ApicurioRegistry3 primary, Context<ApicurioRegistry
                 .map(AppSpec::getFeatures)
                 .map(AppFeaturesSpec::getAllowDeletes)
                 .orElse(Boolean.FALSE);
+
         if (allowDeletes) {
             addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REST_DELETION_ARTIFACT_VERSION_ENABLED).withValue("true").build());
             addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REST_DELETION_ARTIFACT_ENABLED).withValue("true").build());
             addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REST_DELETION_GROUP_ENABLED).withValue("true").build());
         }
+        boolean authEnabled = Optional.ofNullable(primary.getSpec().getApp())
+                .map(AppSpec::getAppAuthSpec)
+                .map(AppAuthSpec::getAuthEnabled)
+                .orElse(Boolean.FALSE);
+
+        //Configure auth when it's enabled
+        if (authEnabled) {
+            configureAuth(envVars, requireNonNull(ofNullable(primary.getSpec().getApp())
+                    .map(AppSpec::getAppAuthSpec).orElse(null)));
+        }
 
         // Configure the CORS_ALLOWED_ORIGINS env var based on the ingress host
         Cors.configureAllowedOrigins(primary, envVars);
@@ -151,4 +163,16 @@ public static Container getContainerFromPodTemplateSpec(PodTemplateSpec pts, Str
         }
         return null;
     }
+
+    private static void configureAuth(Map<String, EnvVar> envVars, AppAuthSpec appAuthSpec) {
+        addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REGISTRY_AUTH_ENABLED)
+                .withValue(appAuthSpec.getAuthEnabled().toString()).build());
+        addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REGISTRY_APP_CLIENT_ID)
+                .withValue(appAuthSpec.getAppClientId()).build());
+        addEnvVar(envVars, new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID)
+                .withValue(appAuthSpec.getUiClientId()).build());
+        addEnvVar(envVars,
+                new EnvVarBuilder().withName(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL)
+                        .withValue(appAuthSpec.getAuthServerUrl()).build());
+    }
 }

operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java

@@ -0,0 +1,99 @@
+package io.apicurio.registry.operator.it;
+
+import io.apicurio.registry.operator.EnvironmentVariables;
+import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
+import io.fabric8.kubernetes.api.model.HasMetadata;
+import io.fabric8.kubernetes.client.utils.Serialization;
+import io.quarkus.test.junit.QuarkusTest;
+import org.awaitility.Awaitility;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.Duration;
+import java.util.List;
+
+import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
+import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_UI_CONTAINER_NAME;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI;
+import static io.apicurio.registry.operator.resource.ResourceFactory.deserialize;
+import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.getContainerFromDeployment;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.awaitility.Awaitility.await;
+
+@QuarkusTest
+public class KeycloakITTest extends ITBase {
+
+    private static final Logger log = LoggerFactory.getLogger(KeycloakITTest.class);
+
+    @BeforeAll
+    public static void init() {
+        Awaitility.setDefaultTimeout(Duration.ofSeconds(60));
+    }
+
+    @Test
+    void testKeycloakPlain() {
+        // Preparation, deploy Keycloak
+        List<HasMetadata> resources = Serialization
+                .unmarshal(KeycloakITTest.class.getResourceAsStream("/k8s/examples/auth/keycloak.yaml"));
+
+        resources.forEach(r -> {
+            log.info("Creating Keycloak resource kind {} in namespace {}", r.getKind(), namespace);
+            client.resource(r).inNamespace(namespace).createOrReplace();
+            await().ignoreExceptions().until(() -> {
+                assertThat(client.resource(r).inNamespace(namespace).get()).isNotNull();
+                return true;
+            });
+        });
+
+        await().ignoreExceptions().untilAsserted(() -> {
+            assertThat(client.apps().deployments().withName("keycloak").get().getStatus().getReadyReplicas())
+                    .isEqualTo(1);
+        });
+
+        // Deploy Registry
+        var registry = deserialize("k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml",
+                ApicurioRegistry3.class);
+
+        registry.getMetadata().setNamespace(namespace);
+
+        var appAuthSpec = registry.getSpec().getApp().getAppAuthSpec();
+
+        Assertions.assertEquals("registry-api", appAuthSpec.getAppClientId());
+        Assertions.assertEquals("apicurio-registry", appAuthSpec.getUiClientId());
+        Assertions.assertEquals(true, appAuthSpec.getAuthEnabled());
+        Assertions.assertEquals("http://keycloak:8090/realms/registry", appAuthSpec.getAuthServerUrl());
+
+        client.resource(registry).create();
+
+        // Assertions, checks registry deployments exist
+        checkDeploymentExists(registry, COMPONENT_APP, 1);
+        checkDeploymentExists(registry, COMPONENT_UI, 1);
+
+        // App deployment auth related assertions
+        var appEnv = getContainerFromDeployment(
+                client.apps().deployments().inNamespace(namespace)
+                        .withName(registry.getMetadata().getName() + "-app-deployment").get(),
+                REGISTRY_APP_CONTAINER_NAME).getEnv();
+
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_ENABLED + "=" + "true");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_APP_CLIENT_ID + "=" + "registry-api");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID + "=" + "apicurio-registry");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "="
+                        + "http://keycloak:8090/realms/registry");
+
+        // App deployment auth related assertions
+        var uiEnv = getContainerFromDeployment(
+                client.apps().deployments().inNamespace(namespace)
+                        .withName(registry.getMetadata().getName() + "-ui-deployment").get(),
+                REGISTRY_UI_CONTAINER_NAME).getEnv();
+
+    }
+}