ADR035: User info fetcher CRD changes

  • Status: accepted

  • Date: 2024-01-22

Technical Story: https://github.com/stackabletech/opa-operator/issues/478

Context and Problem Statement

From the documentation for user-info-fetcher:

The User info fetcher allows for additional information to be obtained from the configured backend (for example, Keycloak). You can then write Rego rules for OpenPolicyAgent which make an HTTP request to the User info fetcher and make use of the additional information returned for the username or user id.

We need to design a CRD change for users to enable the UIF.

Considered Options

Stand-alone CRD

We could create a new CRD, e.g. UserInfoFetcher and have a controller for it that creates a DaemonSet. An OpaCluster would then be able to link to a UserInfoFetcher discovery ConfigMap.

  • Good, because a UIF instance can be shared across multiple OPA clusters → Simple and improved caching

  • Bad, because OPA clusters would need to authenticate against UIF clusters.

  • Bad, because UIF might need some form of authorization as well

Integrate in OpaCluster

Add a new section to OpaCluster that allows users to spin up a UIF as a sidecar within the Opa DaemonSet’s Pods.

The CRD is mostly copied from the oidc AuthenticationClass introduced in ADR032: OIDC Support with the addition of needed credentials for Keycloak as well as the admin and user realms and a very simplistic cache. The cache might be extended in the future (e.g. to set the maximum number of cache entries or exempt particular users from being cached), which can be done in a non-breaking fashion below spec.clusterConfig.userInfo.backend.keycloak.cache.`

apiVersion: opa.stackable.tech/v1alpha1
kind: OpaCluster
metadata:
  name: opa
spec:
  image:
    productVersion: 0.57.0
  clusterConfig:
    userInfo:
      backend:
        keycloak:
          hostname: keycloak.my-namespace.svc.cluster.local
          port: 8443
          tls:
            verification:
              server:
                caCert:
                  secretClass: tls
          clientCredentialsSecret: user-info-fetcher-client-credentials
          adminRealm: master
          userRealm: master
          cache: # optional, enabled by default
            entryTimeToLive: 60s # optional, defaults to 60s
  servers:
    roleGroups:
      default: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: user-info-fetcher-client-credentials
stringData:
  clientId: user-info-fetcher
  clientSecret: user-info-fetcher-client-secret

  • Good, because only accessible via the loopback network interface to OPA clusters → No authentication or authorization needed.

Decision Outcome

Chosen option: "Integrate in OpaCluster", because we wanted to avoid the whole authentication and authorization story.