CLOUDP-314903 [OIDC] CRD Config Propagation to Automation Config

api/v1/mdb/mongodb_types.go

@@ -811,6 +811,7 @@ func (s *Security) IsOIDCEnabled() bool {
 	if s == nil || s.Authentication == nil || !s.Authentication.Enabled {
 		return false
 	}
+
 	return s.Authentication.IsOIDCEnabled()
 }
 

controllers/om/automation_config.go

@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 
 	"github.com/mongodb/mongodb-kubernetes/controllers/operator/ldap"
+	"github.com/mongodb/mongodb-kubernetes/controllers/operator/oidc"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/generate"
 	"github.com/mongodb/mongodb-kubernetes/pkg/util/maputil"
@@ -20,10 +21,11 @@ import (
 // configuration which are merged into the `Deployment` object before sending it back to Ops Manager.
 // As of right now only support configuring LogRotate for monitoring and backup via dedicated endpoints.
 type AutomationConfig struct {
-	Auth       *Auth
-	AgentSSL   *AgentSSL
-	Deployment Deployment
-	Ldap       *ldap.Ldap
+	Auth                *Auth
+	AgentSSL            *AgentSSL
+	Deployment          Deployment
+	Ldap                *ldap.Ldap
+	OIDCProviderConfigs []oidc.ProviderConfig
 }
 
 // Apply merges the state of all concrete structs into the Deployment (map[string]interface{})
@@ -58,9 +60,67 @@ func applyInto(a AutomationConfig, into *Deployment) error {
 		}
 		(*into)["ldap"] = mergedLdap
 	}
+
+	if len(a.OIDCProviderConfigs) > 0 {
+		deploymentConfigs := make([]map[string]any, 0)
+		if configs, ok := a.Deployment["oidcProviderConfigs"]; ok {
+			configsSlice := cast.ToSlice(configs)
+			for _, config := range configsSlice {
+				deploymentConfigs = append(deploymentConfigs, config.(map[string]any))
+			}
+		}
+
+		result := make([]map[string]any, 0)
+		for _, config := range a.OIDCProviderConfigs {
+			deploymentConfig := findOrCreateEmptyDeploymentConfig(deploymentConfigs, config.AuthNamePrefix)
+
+			deploymentConfig["authNamePrefix"] = config.AuthNamePrefix
+			deploymentConfig["audience"] = config.Audience
+			deploymentConfig["issuerUri"] = config.IssuerUri
+			deploymentConfig["userClaim"] = config.UserClaim
+			deploymentConfig["supportsHumanFlows"] = config.SupportsHumanFlows
+			deploymentConfig["useAuthorizationClaim"] = config.UseAuthorizationClaim
+
+			if config.ClientId == util.MergoDelete {
+				delete(deploymentConfig, "clientId")
+			} else {
+				deploymentConfig["clientId"] = config.ClientId
+			}
+
+			if len(config.RequestedScopes) == 0 {
+				delete(deploymentConfig, "requestedScopes")
+			} else {
+				deploymentConfig["requestedScopes"] = config.RequestedScopes
+			}
+
+			if config.GroupsClaim == util.MergoDelete {
+				delete(deploymentConfig, "groupsClaim")
+			} else {
+				deploymentConfig["groupsClaim"] = config.GroupsClaim
+			}
+
+			result = append(result, deploymentConfig)
+		}
+
+		(*into)["oidcProviderConfigs"] = result
+	} else {
+		// Clear oidcProviderConfigs if no configs are provided
+		delete(*into, "oidcProviderConfigs")
+	}
+
 	return nil
 }
 
+func findOrCreateEmptyDeploymentConfig(deploymentConfigs []map[string]any, configName string) map[string]any {
+	for _, deploymentConfig := range deploymentConfigs {
+		if configName == deploymentConfig["authNamePrefix"] {
+			return deploymentConfig
+		}
+	}
+
+	return make(map[string]any)
+}
+
 // EqualsWithoutDeployment returns true if two AutomationConfig objects are meaningful equal by following the following conditions:
 // - Not taking AutomationConfig.Deployment into consideration.
 // - Serializing ac A and ac B to ensure that we remove util.MergoDelete before comparing those two.
@@ -432,6 +492,19 @@ func BuildAutomationConfigFromDeployment(deployment Deployment) (*AutomationConf
 		finalAutomationConfig.Ldap = acLdap
 	}
 
+	oidcConfigsArray, ok := deployment["oidcProviderConfigs"]
+	if ok {
+		oidcMarshalled, err := json.Marshal(oidcConfigsArray)
+		if err != nil {
+			return nil, err
+		}
+		providerConfigs := make([]oidc.ProviderConfig, 0)
+		if err := json.Unmarshal(oidcMarshalled, &providerConfigs); err != nil {
+			return nil, err
+		}
+		finalAutomationConfig.OIDCProviderConfigs = providerConfigs
+	}
+
 	return finalAutomationConfig, nil
 }