[Feature] [Platform] OpenID Integration - API Extension (#1893)

Author: ajanikow

CHANGELOG.md

@@ -8,6 +8,7 @@
 - (Maintenance) Fix Helm & JWT CVE's
 - (Feature) (Platform) Improve CLI Values
 - (Feature) (Platform) Envoy Cache Introduction
+- (Feature) (Platform) OpenID Integration - API Extension
 
 ## [1.2.48](https://github.com/arangodb/kube-arangodb/tree/1.2.48) (2025-05-08)
 - (Maintenance) Extend Documentation

docs/api/ArangoDeployment.V1.md

@@ -3137,6 +3137,49 @@ Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.
 
 ***
 
+### .spec.gateway.authentication.secret.checksum
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L61)</sup>
+
+UID keeps the information about object Checksum
+
+***
+
+### .spec.gateway.authentication.secret.name
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L52)</sup>
+
+Name of the object
+
+***
+
+### .spec.gateway.authentication.secret.namespace
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L55)</sup>
+
+Namespace of the object. Should default to the namespace of the parent object
+
+***
+
+### .spec.gateway.authentication.secret.uid
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/shared/v1/object.go#L58)</sup>
+
+UID keeps the information about object UID
+
+***
+
+### .spec.gateway.authentication.type
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway_authentication.go#L51)</sup>
+
+Type defines the Authentication Type
+
+Possible Values: 
+* `"OpenID"` (default) - Configure OpenID Authentication Type
+
+***
+
 ### .spec.gateway.cookiesSupport
 
 Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L49)</sup>
@@ -3147,10 +3190,20 @@ Default Value: `true`
 
 ***
 
-### .spec.gateway.defaultTargetAuthentication
+### .spec.gateway.createUsers
 
 Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L53)</sup>
 
+CreateUsers defines if authenticated users will be created in ArangoDB
+
+Default Value: `false`
+
+***
+
+### .spec.gateway.defaultTargetAuthentication
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L57)</sup>
+
 DefaultTargetAuthentication defines if default endpoints check authentication via envoy (Cookie and Header based auth)
 
 Default Value: `true`
@@ -3190,7 +3243,7 @@ By default, the image is determined by the operator.
 
 ### .spec.gateway.timeout
 
-Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L58)</sup>
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.48/pkg/apis/deployment/v1/deployment_spec_gateway.go#L62)</sup>
 
 Timeout defines default timeout for the upstream actions (if not overridden)
 

pkg/apis/deployment/v1/deployment_spec.go

@@ -684,10 +684,16 @@ func (s DeploymentSpec) GetCoreContainers(group ServerGroup) utils.StringList {
 		return utils.StringList{shared.ServerContainerName}
 	}
 
-	result := make(utils.StringList, 0, len(groupSpec.SidecarCoreNames)+1)
+	result := make(utils.StringList, 0, len(groupSpec.SidecarCoreNames)+3)
 	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.ServerContainerName) {
 		result = append(result, shared.ServerContainerName)
 	}
+	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.ExporterContainerName) {
+		result = append(result, shared.ExporterContainerName)
+	}
+	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.IntegrationContainerName) {
+		result = append(result, shared.IntegrationContainerName)
+	}
 	result = append(result, groupSpec.SidecarCoreNames...)
 
 	return result

pkg/apis/deployment/v1/deployment_spec_gateway.go

@@ -48,6 +48,10 @@ type DeploymentSpecGateway struct {
 	// +doc/default: true
 	CookiesSupport *bool `json:"cookiesSupport,omitempty"`
 
+	// CreateUsers defines if authenticated users will be created in ArangoDB
+	// +doc/default: false
+	CreateUsers *bool `json:"createUsers,omitempty"`
+
 	// DefaultTargetAuthentication defines if default endpoints check authentication via envoy (Cookie and Header based auth)
 	// +doc/default: true
 	DefaultTargetAuthentication *bool `json:"defaultTargetAuthentication,omitempty"`
@@ -56,6 +60,9 @@ type DeploymentSpecGateway struct {
 	// +doc/type: string
 	// +doc/default: 1m0s
 	Timeout *meta.Duration `json:"timeout,omitempty"`
+
+	// Authentication defines the Authentication spec
+	Authentication *DeploymentSpecGatewayAuthentication `json:"authentication,omitempty"`
 }
 
 // IsEnabled returns whether the gateway is enabled.
@@ -76,6 +83,15 @@ func (d *DeploymentSpecGateway) IsCookiesSupportEnabled() bool {
 	return *d.CookiesSupport
 }
 
+// IsCreateUsersEnabled returns whether the authenticated users will be created in ArangoDB.
+func (d *DeploymentSpecGateway) IsCreateUsersEnabled() bool {
+	if d == nil || d.CreateUsers == nil {
+		return false
+	}
+
+	return *d.CreateUsers
+}
+
 // IsDefaultTargetAuthenticationEnabled returns whether the default target should have verified authentication.
 func (d *DeploymentSpecGateway) IsDefaultTargetAuthenticationEnabled() bool {
 	if d == nil || d.DefaultTargetAuthentication == nil {

pkg/apis/deployment/v1/deployment_spec_gateway_authentication.go

@@ -0,0 +1,66 @@
+//
+// DISCLAIMER
+//
+// Copyright 2025 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1
+
+import (
+	shared "github.com/arangodb/kube-arangodb/pkg/apis/shared"
+	sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
+	"github.com/arangodb/kube-arangodb/pkg/util/errors"
+)
+
+type DeploymentSpecGatewayAuthenticationType string
+
+func (d *DeploymentSpecGatewayAuthenticationType) Validate() error {
+	if d == nil {
+		return nil
+	}
+
+	switch v := *d; v {
+	case DeploymentSpecGatewayAuthenticationTypeOpenID:
+		return nil
+	default:
+		return errors.Errorf("Invalid AuthenticationType `%s`", v)
+	}
+}
+
+const (
+	DeploymentSpecGatewayAuthenticationTypeOpenID DeploymentSpecGatewayAuthenticationType = "OpenID"
+)
+
+type DeploymentSpecGatewayAuthentication struct {
+	// Type defines the Authentication Type
+	// +doc/enum: OpenID|Configure OpenID Authentication Type
+	Type DeploymentSpecGatewayAuthenticationType `json:"type"`
+
+	// Secret defines the secret with the integration configuration
+	Secret *sharedApi.Object `json:"secret,omitempty"`
+}
+
+func (d *DeploymentSpecGatewayAuthentication) Validate() error {
+	if d == nil {
+		return nil
+	}
+
+	return shared.WithErrors(
+		shared.PrefixResourceError("type", d.Type.Validate()),
+		shared.PrefixResourceError("secret", d.Secret.Validate()),
+	)
+}

pkg/apis/deployment/v1/deployment_spec_test.go

@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2025 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -151,7 +151,7 @@ func TestDeploymentSpec_GetCoreContainers(t *testing.T) {
 			args: args{
 				group: ServerGroupDBServers,
 			},
-			want: utils.StringList{"server", "other"},
+			want: utils.StringList{"server", "exporter", "integration", "other"},
 		},
 		"one predefined container and one sidecar container": {
 			fields: fields{
@@ -162,7 +162,7 @@ func TestDeploymentSpec_GetCoreContainers(t *testing.T) {
 			args: args{
 				group: ServerGroupDBServers,
 			},
-			want: utils.StringList{"server", "other"},
+			want: utils.StringList{"exporter", "integration", "server", "other"},
 		},
 		"zero core containers": {
 			fields: fields{
@@ -184,7 +184,7 @@ func TestDeploymentSpec_GetCoreContainers(t *testing.T) {
 			args: args{
 				group: ServerGroupDBServers,
 			},
-			want: utils.StringList{"server", "other1", "other2"},
+			want: utils.StringList{"server", "exporter", "integration", "other1", "other2"},
 		},
 	}
 	for testName, test := range tests {

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -684,10 +684,16 @@ func (s DeploymentSpec) GetCoreContainers(group ServerGroup) utils.StringList {
 		return utils.StringList{shared.ServerContainerName}
 	}
 
-	result := make(utils.StringList, 0, len(groupSpec.SidecarCoreNames)+1)
+	result := make(utils.StringList, 0, len(groupSpec.SidecarCoreNames)+3)
 	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.ServerContainerName) {
 		result = append(result, shared.ServerContainerName)
 	}
+	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.ExporterContainerName) {
+		result = append(result, shared.ExporterContainerName)
+	}
+	if !utils.StringList(groupSpec.SidecarCoreNames).Has(shared.IntegrationContainerName) {
+		result = append(result, shared.IntegrationContainerName)
+	}
 	result = append(result, groupSpec.SidecarCoreNames...)
 
 	return result

pkg/apis/deployment/v2alpha1/deployment_spec.go

@@ -48,6 +48,10 @@ type DeploymentSpecGateway struct {
 	// +doc/default: true
 	CookiesSupport *bool `json:"cookiesSupport,omitempty"`
 
+	// CreateUsers defines if authenticated users will be created in ArangoDB
+	// +doc/default: false
+	CreateUsers *bool `json:"createUsers,omitempty"`
+
 	// DefaultTargetAuthentication defines if default endpoints check authentication via envoy (Cookie and Header based auth)
 	// +doc/default: true
 	DefaultTargetAuthentication *bool `json:"defaultTargetAuthentication,omitempty"`
@@ -56,6 +60,9 @@ type DeploymentSpecGateway struct {
 	// +doc/type: string
 	// +doc/default: 1m0s
 	Timeout *meta.Duration `json:"timeout,omitempty"`
+
+	// Authentication defines the Authentication spec
+	Authentication *DeploymentSpecGatewayAuthentication `json:"authentication,omitempty"`
 }
 
 // IsEnabled returns whether the gateway is enabled.
@@ -76,6 +83,15 @@ func (d *DeploymentSpecGateway) IsCookiesSupportEnabled() bool {
 	return *d.CookiesSupport
 }
 
+// IsCreateUsersEnabled returns whether the authenticated users will be created in ArangoDB.
+func (d *DeploymentSpecGateway) IsCreateUsersEnabled() bool {
+	if d == nil || d.CreateUsers == nil {
+		return false
+	}
+
+	return *d.CreateUsers
+}
+
 // IsDefaultTargetAuthenticationEnabled returns whether the default target should have verified authentication.
 func (d *DeploymentSpecGateway) IsDefaultTargetAuthenticationEnabled() bool {
 	if d == nil || d.DefaultTargetAuthentication == nil {