CLOUDP-314903 [OIDC] CRD Config Propagation to Automation Config (#60)

# Summary

### Core Functionality Enhancements:
* Added a new authentication mechanism, `MongoDB-OIDC`, to the list of
supported mechanisms in the `authentication_mechanism.go` file.
* Introduced the `OIDCProviderConfigs` field in the `AutomationConfig`
struct and implemented logic to merge and apply OIDC configurations into
the deployment in the `automation_config.go` file.
* Removed default value for `groupClaim` because the value `groups` can
result in hard to debug misconfiguration.

### API and Configuration Updates:
* Added the `IsOIDCEnabled()` method in the `Security` struct and
`AuthResource` interface to check if OIDC is enabled.
* Updated the `Options` struct in the `authentication.go` file to
include `OIDCProviderConfigs`.

### Test Coverage:
* Added comprehensive test cases for OIDC provider configurations in
`automation_config_test.go`, including scenarios for merging, clearing,
and modifying configurations.
* Updated the `TestAutomationConfigEquality` test to include OIDC
provider configurations.

### JSON Configuration Example:
* Updated the `automation_config.json` test data file to include sample
OIDC provider configurations for testing purposes.


## Proof of Work

<!-- Enter your proof that it works here.-->

## Checklist
- [ ] Have you linked a jira ticket and/or is the ticket in the title?
- [ ] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you checked for release_note changes?

## Reminder (Please remove this when merging)
- Please try to Approve or Reject Changes the PR, keep PRs in review as
short as possible
- Our Short Guide for PRs:
[Link](https://docs.google.com/document/d/1T93KUtdvONq43vfTfUt8l92uo4e4SEEvFbIEKOxGr44/edit?tab=t.0)
- Remember the following Communication Standards - use comment prefixes
for clarity:
  * **blocking**: Must be addressed before approval.
  * **follow-up**: Can be addressed in a later PR or ticket.
  * **q**: Clarifying question.
  * **nit**: Non-blocking suggestions.
  * **note**: Side-note, non-actionable. Example: Praise 
  * --> no prefix is considered a question

---------

Co-authored-by: Lucian Tosa <[email protected]>
Co-authored-by: Lucian Tosa <[email protected]>
Co-authored-by: Anand <[email protected]>
Co-authored-by: Anand Singh <[email protected]>

Author: 3 people

api/v1/mdb/mongodb_types.go

@@ -1097,9 +1097,8 @@ type OIDCProviderConfig struct {
 	// The identifier of the claim that includes the principal's IdP user group membership information.
 	// Accept the default value unless your IdP uses a different claim, or you need a custom claim.
 	// Required when selected GroupMembership as the authorization type, ignored otherwise
-	// +kubebuilder:default=groups
 	// +kubebuilder:validation:Optional
-	GroupsClaim string `json:"groupsClaim,omitempty"`
+	GroupsClaim *string `json:"groupsClaim"`
 
 	// Configure single-sign-on for human user access to Ops Manager deployments with Workforce Identity Federation.
 	// For programmatic, application access to Ops Manager deployments use Workload Identity Federation.
@@ -1111,7 +1110,7 @@ type OIDCProviderConfig struct {
 	// registered with an external Identity Provider.
 	// Required when selected Workforce Identity Federation authorization method
 	// +kubebuilder:validation:Optional
-	ClientId string `json:"clientId,omitempty"`
+	ClientId *string `json:"clientId"`
 
 	// Tokens that give users permission to request data from the authorization endpoint.
 	// Only used for Workforce Identity Federation authorization method

api/v1/mdb/mongodb_validation.go

@@ -256,11 +256,11 @@ func oidcProviderConfigIssuerURIValidator(config OIDCProviderConfig) func(DbComm
 func oidcProviderConfigClientIdValidator(config OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
 	return func(_ DbCommonSpec) v1.ValidationResult {
 		if config.AuthorizationMethod == OIDCAuthorizationMethodWorkforceIdentityFederation {
-			if config.ClientId == "" {
+			if config.ClientId == nil || *config.ClientId == "" {
 				return v1.ValidationError("ClientId has to be specified in OIDC provider config %q with Workforce Identity Federation", config.ConfigurationName)
 			}
 		} else if config.AuthorizationMethod == OIDCAuthorizationMethodWorkloadIdentityFederation {
-			if config.ClientId != "" {
+			if config.ClientId != nil {
 				return v1.ValidationWarning("ClientId will be ignored in OIDC provider config %q with Workload Identity Federation", config.ConfigurationName)
 			}
 		}
@@ -284,11 +284,11 @@ func oidcProviderConfigRequestedScopesValidator(config OIDCProviderConfig) func(
 func oidcProviderConfigAuthorizationTypeValidator(config OIDCProviderConfig) func(DbCommonSpec) v1.ValidationResult {
 	return func(_ DbCommonSpec) v1.ValidationResult {
 		if config.AuthorizationType == OIDCAuthorizationTypeGroupMembership {
-			if config.GroupsClaim == "" {
+			if config.GroupsClaim == nil || *config.GroupsClaim == "" {
 				return v1.ValidationError("GroupsClaim has to be specified in OIDC provider config %q when using Group Membership authorization", config.ConfigurationName)
 			}
 		} else if config.AuthorizationType == OIDCAuthorizationTypeUserID {
-			if config.GroupsClaim != "" {
+			if config.GroupsClaim != nil {
 				return v1.ValidationWarning("GroupsClaim will be ignored in OIDC provider config %q when using User ID authorization", config.ConfigurationName)
 			}
 		}
@@ -298,16 +298,14 @@ func oidcProviderConfigAuthorizationTypeValidator(config OIDCProviderConfig) fun
 }
 
 func oidcAuthRequiresEnterprise(d DbCommonSpec) v1.ValidationResult {
-	authSpec := d.Security.Authentication
-	if authSpec != nil && authSpec.IsOIDCEnabled() && !strings.HasSuffix(d.Version, "-ent") {
+	if d.Security.Authentication.IsOIDCEnabled() && !strings.HasSuffix(d.Version, "-ent") {
 		return v1.ValidationError("Cannot enable OIDC authentication with MongoDB Community Builds")
 	}
 	return v1.ValidationSuccess()
 }
 
 func ldapAuthRequiresEnterprise(d DbCommonSpec) v1.ValidationResult {
-	authSpec := d.Security.Authentication
-	if authSpec != nil && authSpec.IsLDAPEnabled() && !strings.HasSuffix(d.Version, "-ent") {
+	if d.Security.Authentication.IsLDAPEnabled() && !strings.HasSuffix(d.Version, "-ent") {
 		return v1.ValidationError("Cannot enable LDAP authentication with MongoDB Community Builds")
 	}
 	return v1.ValidationSuccess()

api/v1/mdb/mongodb_validation_test.go

@@ -258,13 +258,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "provider",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "provider",
 						IssuerURI:           "https://example2.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId2",
+						ClientId:            ptr.To("clientId2"),
 					},
 				},
 			},
@@ -281,13 +281,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider1",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "test-provider2",
 						IssuerURI:           "https://example2.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId2",
+						ClientId:            ptr.To("clientId2"),
 					},
 				},
 			},
@@ -304,7 +304,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider-workforce1",
 						IssuerURI:           "https://example1.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkforceIdentityFederation,
-						ClientId:            "clientId1",
+						ClientId:            ptr.To("clientId1"),
 					},
 					{
 						ConfigurationName:   "test-provider-workload2",
@@ -376,7 +376,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName:   "test-provider",
 						IssuerURI:           "https://example.com",
 						AuthorizationMethod: OIDCAuthorizationMethodWorkloadIdentityFederation,
-						ClientId:            "clientId",
+						ClientId:            ptr.To("clientId"),
 					},
 				},
 			},
@@ -410,7 +410,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 					{
 						ConfigurationName: "test-provider2",
@@ -432,7 +432,7 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeUserID,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 						UserClaim:         "sub",
 					},
 					{
@@ -456,13 +456,13 @@ func TestOIDCAuthValidation(t *testing.T) {
 						ConfigurationName: "test-provider1",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 					{
 						ConfigurationName: "test-provider2",
 						IssuerURI:         "https://example.com",
 						AuthorizationType: OIDCAuthorizationTypeGroupMembership,
-						GroupsClaim:       "groups",
+						GroupsClaim:       ptr.To("groups"),
 					},
 				},
 			},

api/v1/mdb/zz_generated.deepcopy.go

@@ -1566,7 +1566,6 @@ spec:
                               pattern: ^[a-zA-Z0-9-_]+$
                               type: string
                             groupsClaim:
-                              default: groups
                               description: |-
                                 The identifier of the claim that includes the principal's IdP user group membership information.
                                 Accept the default value unless your IdP uses a different claim, or you need a custom claim.

config/crd/bases/mongodb.com_mongodb.yaml

@@ -826,7 +826,6 @@ spec:
                               pattern: ^[a-zA-Z0-9-_]+$
                               type: string
                             groupsClaim:
-                              default: groups
                               description: |-
                                 The identifier of the claim that includes the principal's IdP user group membership information.
                                 Accept the default value unless your IdP uses a different claim, or you need a custom claim.

config/crd/bases/mongodb.com_mongodbmulticluster.yaml

@@ -888,7 +888,6 @@ spec:
                                   pattern: ^[a-zA-Z0-9-_]+$
                                   type: string
                                 groupsClaim:
-                                  default: groups
                                   description: |-
                                     The identifier of the claim that includes the principal's IdP user group membership information.
                                     Accept the default value unless your IdP uses a different claim, or you need a custom claim.

config/crd/bases/mongodb.com_opsmanagers.yaml

@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/ldap"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/oidc"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/generate"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/maputil"
@@ -20,10 +21,11 @@ import (
 // configuration which are merged into the `Deployment` object before sending it back to Ops Manager.
 // As of right now only support configuring LogRotate for monitoring and backup via dedicated endpoints.
 type AutomationConfig struct {
-	Auth       *Auth
-	AgentSSL   *AgentSSL
-	Deployment Deployment
-	Ldap       *ldap.Ldap
+	Auth                *Auth
+	AgentSSL            *AgentSSL
+	Deployment          Deployment
+	Ldap                *ldap.Ldap
+	OIDCProviderConfigs []oidc.ProviderConfig
 }
 
 // Apply merges the state of all concrete structs into the Deployment (map[string]interface{})
@@ -58,9 +60,66 @@ func applyInto(a AutomationConfig, into *Deployment) error {
 		}
 		(*into)["ldap"] = mergedLdap
 	}
+
+	if len(a.OIDCProviderConfigs) > 0 {
+		updateOIDCProviderConfigs(a, into)
+	} else {
+		// Clear oidcProviderConfigs if no configs are provided
+		delete(*into, "oidcProviderConfigs")
+	}
+
 	return nil
 }
 
+func updateOIDCProviderConfigs(a AutomationConfig, into *Deployment) {
+	deploymentConfigs := make(map[string]map[string]any)
+	if configs, ok := a.Deployment["oidcProviderConfigs"]; ok {
+		configsSliceAny := cast.ToSlice(configs)
+		for _, configAny := range configsSliceAny {
+			config := configAny.(map[string]any)
+			configName := config["authNamePrefix"].(string)
+			deploymentConfigs[configName] = config
+		}
+	}
+
+	result := make([]map[string]any, 0)
+	for _, config := range a.OIDCProviderConfigs {
+		deploymentConfig, ok := deploymentConfigs[config.AuthNamePrefix]
+		if !ok {
+			deploymentConfig = make(map[string]any)
+		}
+
+		deploymentConfig["authNamePrefix"] = config.AuthNamePrefix
+		deploymentConfig["audience"] = config.Audience
+		deploymentConfig["issuerUri"] = config.IssuerUri
+		deploymentConfig["userClaim"] = config.UserClaim
+		deploymentConfig["supportsHumanFlows"] = config.SupportsHumanFlows
+		deploymentConfig["useAuthorizationClaim"] = config.UseAuthorizationClaim
+
+		if config.ClientId == nil {
+			delete(deploymentConfig, "clientId")
+		} else {
+			deploymentConfig["clientId"] = config.ClientId
+		}
+
+		if len(config.RequestedScopes) == 0 {
+			delete(deploymentConfig, "requestedScopes")
+		} else {
+			deploymentConfig["requestedScopes"] = config.RequestedScopes
+		}
+
+		if config.GroupsClaim == nil {
+			delete(deploymentConfig, "groupsClaim")
+		} else {
+			deploymentConfig["groupsClaim"] = config.GroupsClaim
+		}
+
+		result = append(result, deploymentConfig)
+	}
+
+	(*into)["oidcProviderConfigs"] = result
+}
+
 // EqualsWithoutDeployment returns true if two AutomationConfig objects are meaningful equal by following the following conditions:
 // - Not taking AutomationConfig.Deployment into consideration.
 // - Serializing ac A and ac B to ensure that we remove util.MergoDelete before comparing those two.
@@ -432,6 +491,19 @@ func BuildAutomationConfigFromDeployment(deployment Deployment) (*AutomationConf
 		finalAutomationConfig.Ldap = acLdap
 	}
 
+	oidcConfigsArray, ok := deployment["oidcProviderConfigs"]
+	if ok {
+		oidcMarshalled, err := json.Marshal(oidcConfigsArray)
+		if err != nil {
+			return nil, err
+		}
+		providerConfigs := make([]oidc.ProviderConfig, 0)
+		if err := json.Unmarshal(oidcMarshalled, &providerConfigs); err != nil {
+			return nil, err
+		}
+		finalAutomationConfig.OIDCProviderConfigs = providerConfigs
+	}
+
 	return finalAutomationConfig, nil
 }