feat: support generic OIDC provider (#1644) (#1648)

Co-authored-by: Sergei Starostin <[email protected]>

Author: matttrach

docs/resources/auth_config_generic_oidc.md

@@ -0,0 +1,69 @@
+---
+page_title: "rancher2_auth_config_generic_oidc Resource"
+---
+
+# rancher2\_auth\_config\_generic\_oidc Resource
+
+Provides a Rancher v2 Auth Config Generic OIDC resource. This can be used to configure and enable the Generic OIDC authentication provider for Rancher v2.
+
+In addition to the built-in local auth, only one external auth config provider can be enabled at a time.
+
+## Example Usage
+
+This example configures Rancher to use GitLab as a Generic OIDC provider.
+
+```hcl
+resource "rancher2_auth_config_generic_oidc" "generic_oidc" {
+  name          = "genericoidc"
+  client_id     = "<GITLAB_APPLICATION_ID>"
+  client_secret = "<GITLAB_CLIENT_SECRET>"
+  issuer        = "https://gitlab.com"
+  rancher_url   = "https://<RANCHER_URL>/verify-auth"
+
+  # OIDC claim mapping
+  scopes               = "openid profile email read_api"
+  groups_field         = "groups"
+  
+  # For the 'genericoidc' provider, group processing must be explicitly enabled.
+  group_search_enabled = true
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `client_id` - (Required/Sensitive) The OIDC Client ID.
+* `client_secret` - (Required/Sensitive) The OIDC Client Secret.
+* `issuer` - (Required) The OIDC issuer URL.
+* `rancher_url` - (Required) The URL of the Rancher server. This is used as the redirect URI for the OIDC provider.
+* `access_mode` - (Optional) Access mode for auth. `required`, `restricted`, `unrestricted` are supported. Default `unrestricted` (string)
+* `allowed_principal_ids` - (Optional) Allowed principal IDs for auth. Required if `access_mode` is `required` or `restricted`. Ex: `genericoidc_user://<USER_ID>` `genericoidc_group://<GROUP_ID>` (list)
+* `auth_endpoint` - (Optional/Computed) The OIDC Auth Endpoint URL.
+* `certificate` - (Optional/Sensitive) A PEM-encoded CA certificate for the OIDC provider.
+* `enabled` - (Optional) Enable the auth config provider. Default `true` (bool)
+* `groups_field` - (Optional/Computed) The name of the OIDC claim to use for the user's group memberships. Default `groups` (string)
+* `group_search_enabled` - (Optional) Enable group search. Default `false` (bool)
+* `jwks_url` - (Optional/Computed) The OIDC JWKS URL.
+* `private_key` - (Optional/Sensitive) A PEM-encoded private key for the OIDC provider.
+* `scopes` - (Optional/Computed) The OIDC scopes to request. Defaults to `openid profile email` (string)
+* `token_endpoint` - (Optional/Computed) The OIDC Token Endpoint URL.
+* `userinfo_endpoint` - (Optional/Computed) The OIDC User Info Endpoint URL.
+* `annotations` - (Optional/Computed) Annotations of the resource (map)
+* `labels` - (Optional/Computed) Labels of the resource (map)
+
+## Attributes Reference
+
+The following attributes are exported:
+
+* `id` - (Computed) The ID of the resource (string)
+* `name` - (Computed) The name of the resource (string)
+* `type` - (Computed) The type of the resource (string)
+
+## Import
+
+Generic OIDC auth config can be imported using its name.
+
+```
+$ terraform import rancher2_auth_config_generic_oidc.generic_oidc genericoidc
+```

rancher2/config.go

@@ -1256,6 +1256,8 @@ func getAuthConfigObject(kind string) (interface{}, error) {
 		return &managementClient.GithubConfig{}, nil
 	case managementClient.KeyCloakConfigType:
 		return &managementClient.KeyCloakConfig{}, nil
+	case managementClient.GenericOIDCConfigType:
+		return &managementClient.GenericOIDCConfig{}, nil
 	case managementClient.OKTAConfigType:
 		return &managementClient.OKTAConfig{}, nil
 	case managementClient.OpenLdapConfigType:

rancher2/provider.go

@@ -115,6 +115,7 @@ func Provider() terraform.ResourceProvider {
 			"rancher2_auth_config_github":                            resourceRancher2AuthConfigGithub(),
 			"rancher2_auth_config_keycloak":                          resourceRancher2AuthConfigKeyCloak(),
 			"rancher2_auth_config_okta":                              resourceRancher2AuthConfigOKTA(),
+			"rancher2_auth_config_generic_oidc":                      resourceRancher2AuthConfigGenericOIDC(),
 			"rancher2_auth_config_openldap":                          resourceRancher2AuthConfigOpenLdap(),
 			"rancher2_auth_config_ping":                              resourceRancher2AuthConfigPing(),
 			"rancher2_bootstrap":                                     resourceRancher2Bootstrap(),

rancher2/resource_rancher2_auth_config_generic_oidc.go

@@ -0,0 +1,119 @@
+package rancher2
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	managementClient "github.com/rancher/rancher/pkg/client/generated/management/v3"
+)
+
+func resourceRancher2AuthConfigGenericOIDC() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceRancher2AuthConfigGenericOIDCCreate,
+		Read:   resourceRancher2AuthConfigGenericOIDCRead,
+		Update: resourceRancher2AuthConfigGenericOIDCUpdate,
+		Delete: resourceRancher2AuthConfigGenericOIDCDelete,
+
+		Schema: authConfigGenericOIDCFields(),
+	}
+}
+
+func resourceRancher2AuthConfigGenericOIDCCreate(d *schema.ResourceData, meta interface{}) error {
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGenericOIDCName)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed to get Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+	}
+
+	log.Printf("[INFO] Creating Auth Config %s", AuthConfigGenericOIDCName)
+
+	authOIDC, err := expandAuthConfigGenericOIDC(d)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Failed expanding Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+	}
+
+	// Checking if other auth config is enabled
+	if authOIDC.Enabled {
+		err = meta.(*Config).CheckAuthConfigEnabled(AuthConfigGenericOIDCName)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Checking to enable Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+		}
+	}
+
+	newAuth := &managementClient.OIDCConfig{}
+	err = meta.(*Config).UpdateAuthConfig(auth.Links["self"], authOIDC, newAuth)
+	if err != nil {
+		return fmt.Errorf("[ERROR] Updating Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+	}
+
+	return resourceRancher2AuthConfigGenericOIDCRead(d, meta)
+}
+
+func resourceRancher2AuthConfigGenericOIDCRead(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Refreshing Auth Config %s", AuthConfigGenericOIDCName)
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGenericOIDCName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigGenericOIDCName)
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	authOIDC, err := meta.(*Config).GetAuthConfig(auth)
+	if err != nil {
+		return err
+	}
+
+	err = flattenAuthConfigGenericOIDC(d, authOIDC.(*managementClient.OIDCConfig))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func resourceRancher2AuthConfigGenericOIDCUpdate(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Updating Auth Config %s", AuthConfigGenericOIDCName)
+	return resourceRancher2AuthConfigGenericOIDCCreate(d, meta)
+}
+
+func resourceRancher2AuthConfigGenericOIDCDelete(d *schema.ResourceData, meta interface{}) error {
+	log.Printf("[INFO] Disabling Auth Config %s", AuthConfigGenericOIDCName)
+
+	client, err := meta.(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGenericOIDCName)
+	if err != nil {
+		if IsNotFound(err) {
+			log.Printf("[INFO] Auth Config %s not found.", AuthConfigGenericOIDCName)
+			d.SetId("")
+			return nil
+		}
+		return err
+	}
+
+	if auth.Enabled == true {
+		err = client.Post(auth.Actions["disable"], nil, nil)
+		if err != nil {
+			return fmt.Errorf("[ERROR] Disabling Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+		}
+	}
+
+	d.SetId("")
+	return nil
+}

rancher2/resource_rancher2_auth_config_generic_oidc_test.go

@@ -0,0 +1,121 @@
+package rancher2
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+)
+
+const (
+	testAccRancher2AuthConfigGenericOIDCName = "genericoidc"
+	testAccRancher2AuthConfigGenericOIDCType = "rancher2_auth_config_generic_oidc"
+)
+
+var (
+	testAccProviders                                 map[string]terraform.ResourceProvider
+	testAccProvider                                  *schema.Provider
+	testAccRancher2AuthConfigGenericOIDCClientID     = os.Getenv("RANCHER_OIDC_CLIENT_ID")
+	testAccRancher2AuthConfigGenericOIDCClientSecret = os.Getenv("RANCHER_OIDC_CLIENT_SECRET")
+	testAccRancher2AuthConfigGenericOIDCIssuerURL    = os.Getenv("RANCHER_OIDC_ISSUER_URL")
+	testAccRancher2AuthConfigGenericOIDCRancherURL   = os.Getenv("RANCHER_URL")
+)
+
+func init() {
+	testAccProvider = Provider().(*schema.Provider)
+	testAccProviders = map[string]terraform.ResourceProvider{
+		"rancher2": testAccProvider,
+	}
+}
+
+func testAccCheckRancher2AuthConfigGenericOIDCExists(name string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[name]
+		if !ok {
+			return fmt.Errorf("Not found: %s", name)
+		}
+
+		if rs.Primary.ID == "" {
+			return fmt.Errorf("No Auth Config Generic OIDC ID is set")
+		}
+
+		// Reading the auth config can be slow, add a delay.
+		time.Sleep(2 * time.Second)
+
+		return nil
+	}
+}
+
+func testAccCheckRancher2AuthConfigGenericOIDCConfig() resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		client, err := testAccProvider.Meta().(*Config).ManagementClient()
+		if err != nil {
+			return err
+		}
+
+		auth, err := client.AuthConfig.ByID(AuthConfigGenericOIDCName)
+		if err != nil {
+			return fmt.Errorf("Failed to get Auth Config %s: %s", AuthConfigGenericOIDCName, err)
+		}
+
+		if auth.Enabled != true {
+			return fmt.Errorf("Auth Config %s is not enabled", AuthConfigGenericOIDCName)
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckRancher2AuthConfigGenericOIDCDisabled(s *terraform.State) error {
+	client, err := testAccProvider.Meta().(*Config).ManagementClient()
+	if err != nil {
+		return err
+	}
+
+	auth, err := client.AuthConfig.ByID(AuthConfigGenericOIDCName)
+	if err != nil {
+		if IsNotFound(err) {
+			return nil
+		}
+		return err
+	}
+
+	if auth.Enabled == true {
+		return fmt.Errorf("Auth Config %s is still enabled", AuthConfigGenericOIDCName)
+	}
+
+	return nil
+}
+
+func testAccRancher2AuthConfigGenericOIDCConfig() string {
+	return fmt.Sprintf(`
+resource "rancher2_auth_config_generic_oidc" "genericoidc" {
+  client_id            = "%s"
+  client_secret        = "%s"
+  issuer               = "%s"
+  rancher_url          = "%s/verify-auth"
+  enabled              = true
+  scopes               = "openid profile email"
+  groups_field         = "groups"
+  group_search_enabled = true
+}
+`, testAccRancher2AuthConfigGenericOIDCClientID, testAccRancher2AuthConfigGenericOIDCClientSecret, testAccRancher2AuthConfigGenericOIDCIssuerURL, testAccRancher2AuthConfigGenericOIDCRancherURL)
+}
+
+func testAccRancher2AuthConfigGenericOIDCUpdateConfig() string {
+	return fmt.Sprintf(`
+resource "rancher2_auth_config_generic_oidc" "genericoidc" {
+  client_id            = "%s"
+  client_secret        = "%s"
+  issuer               = "%s"
+  rancher_url          = "%s/verify-auth"
+  enabled              = true
+  scopes               = "openid profile"
+  groups_field         = "group"
+  group_search_enabled = false
+}
+`, testAccRancher2AuthConfigGenericOIDCClientID, testAccRancher2AuthConfigGenericOIDCClientSecret, testAccRancher2AuthConfigGenericOIDCIssuerURL, testAccRancher2AuthConfigGenericOIDCRancherURL)
+}