feat: Add authentication and gatewayconfig resource (#2564)

dbasunag · web-flow · commit 5dbd29705a4f · 2025-11-10T13:47:51.000Z
* support token creation for service account

* updated doc strings etc.

* address review comments

* feat: Add authentication and gatewayconfig resource

* Address tox failure
diff --git a/class_generator/schema/__cluster_version__.txt b/class_generator/schema/__cluster_version__.txt
@@ -1 +1 @@
-v1.33.2
+v1.33.5
diff --git a/ocp_resources/authentication_config_openshift_io.py b/ocp_resources/authentication_config_openshift_io.py
@@ -0,0 +1,105 @@
+# Generated using https://github.com/RedHatQE/openshift-python-wrapper/blob/main/scripts/resource/README.md
+
+
+from typing import Any
+from ocp_resources.resource import Resource
+
+
+class Authentication(Resource):
+    """
+        Authentication specifies cluster-wide settings for authentication (like OAuth and
+    webhook token authenticators). The canonical name of an instance is `cluster`.
+
+    Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+    """
+
+    api_group: str = Resource.ApiGroup.CONFIG_OPENSHIFT_IO
+
+    def __init__(
+        self,
+        oauth_metadata: dict[str, Any] | None = None,
+        oidc_providers: list[Any] | None = None,
+        service_account_issuer: str | None = None,
+        type: str | None = None,
+        webhook_token_authenticator: dict[str, Any] | None = None,
+        webhook_token_authenticators: list[Any] | None = None,
+        **kwargs: Any,
+    ) -> None:
+        r"""
+        Args:
+            oauth_metadata (dict[str, Any]): oauthMetadata contains the discovery endpoint data for OAuth 2.0
+              Authorization Server Metadata for an external OAuth server. This
+              discovery document can be viewed from its served location: oc get
+              --raw '/.well-known/oauth-authorization-server' For further
+              details, see the IETF Draft: https://tools.ietf.org/html/draft-
+              ietf-oauth-discovery-04#section-2 If oauthMetadata.name is non-
+              empty, this value has precedence over any metadata reference
+              stored in status. The key "oauthMetadata" is used to locate the
+              data. If specified and the config map or expected key is not
+              found, no metadata is served. If the specified metadata is not
+              valid, no metadata is served. The namespace for this config map is
+              openshift-config.
+
+            oidc_providers (list[Any]): oidcProviders are OIDC identity providers that can issue tokens for
+              this cluster Can only be set if "Type" is set to "OIDC".  At most
+              one provider can be configured.
+
+            service_account_issuer (str): serviceAccountIssuer is the identifier of the bound service account
+              token issuer. The default is https://kubernetes.default.svc
+              WARNING: Updating this field will not result in immediate
+              invalidation of all bound tokens with the previous issuer value.
+              Instead, the tokens issued by previous service account issuer will
+              continue to be trusted for a time period chosen by the platform
+              (currently set to 24h). This time period is subject to change over
+              time. This allows internal components to transition to use new
+              service account issuer without service distruption.
+
+            type (str): type identifies the cluster managed, user facing authentication mode
+              in use. Specifically, it manages the component that responds to
+              login attempts. The default is IntegratedOAuth.
+
+            webhook_token_authenticator (dict[str, Any]): webhookTokenAuthenticator configures a remote token reviewer. These
+              remote authentication webhooks can be used to verify bearer tokens
+              via the tokenreviews.authentication.k8s.io REST API. This is
+              required to honor bearer tokens that are provisioned by an
+              external authentication service.  Can only be set if "Type" is set
+              to "None".
+
+            webhook_token_authenticators (list[Any]): webhookTokenAuthenticators is DEPRECATED, setting it has no effect.
+
+        """
+        super().__init__(**kwargs)
+
+        self.oauth_metadata = oauth_metadata
+        self.oidc_providers = oidc_providers
+        self.service_account_issuer = service_account_issuer
+        self.type = type
+        self.webhook_token_authenticator = webhook_token_authenticator
+        self.webhook_token_authenticators = webhook_token_authenticators
+
+    def to_dict(self) -> None:
+        super().to_dict()
+
+        if not self.kind_dict and not self.yaml_file:
+            self.res["spec"] = {}
+            _spec = self.res["spec"]
+
+            if self.oauth_metadata is not None:
+                _spec["oauthMetadata"] = self.oauth_metadata
+
+            if self.oidc_providers is not None:
+                _spec["oidcProviders"] = self.oidc_providers
+
+            if self.service_account_issuer is not None:
+                _spec["serviceAccountIssuer"] = self.service_account_issuer
+
+            if self.type is not None:
+                _spec["type"] = self.type
+
+            if self.webhook_token_authenticator is not None:
+                _spec["webhookTokenAuthenticator"] = self.webhook_token_authenticator
+
+            if self.webhook_token_authenticators is not None:
+                _spec["webhookTokenAuthenticators"] = self.webhook_token_authenticators
+
+    # End of generated code
diff --git a/ocp_resources/authentication_operator_openshift_io.py b/ocp_resources/authentication_operator_openshift_io.py
@@ -0,0 +1,86 @@
+# Generated using https://github.com/RedHatQE/openshift-python-wrapper/blob/main/scripts/resource/README.md
+
+
+from typing import Any
+from ocp_resources.resource import Resource
+
+
+class Authentication(Resource):
+    """
+        Authentication provides information to configure an operator to manage authentication.
+
+    Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+    """
+
+    api_group: str = Resource.ApiGroup.OPERATOR_OPENSHIFT_IO
+
+    def __init__(
+        self,
+        log_level: str | None = None,
+        management_state: str | None = None,
+        observed_config: dict[str, Any] | None = None,
+        operator_log_level: str | None = None,
+        unsupported_config_overrides: dict[str, Any] | None = None,
+        **kwargs: Any,
+    ) -> None:
+        r"""
+        Args:
+            log_level (str): logLevel is an intent based logging for an overall component.  It does
+              not give fine grained control, but it is a simple way to manage
+              coarse grained logging choices that operators have to interpret
+              for their operands.  Valid values are: "Normal", "Debug", "Trace",
+              "TraceAll". Defaults to "Normal".
+
+            management_state (str): managementState indicates whether and how the operator should manage
+              the component
+
+            observed_config (dict[str, Any]): observedConfig holds a sparse config that controller has observed from
+              the cluster state.  It exists in spec because it is an input to
+              the level for the operator
+
+            operator_log_level (str): operatorLogLevel is an intent based logging for the operator itself.
+              It does not give fine grained control, but it is a simple way to
+              manage coarse grained logging choices that operators have to
+              interpret for themselves.  Valid values are: "Normal", "Debug",
+              "Trace", "TraceAll". Defaults to "Normal".
+
+            unsupported_config_overrides (dict[str, Any]): unsupportedConfigOverrides overrides the final configuration that was
+              computed by the operator. Red Hat does not support the use of this
+              field. Misuse of this field could lead to unexpected behavior or
+              conflict with other configuration options. Seek guidance from the
+              Red Hat support before using this field. Use of this property
+              blocks cluster upgrades, it must be removed before upgrading your
+              cluster.
+
+        """
+        super().__init__(**kwargs)
+
+        self.log_level = log_level
+        self.management_state = management_state
+        self.observed_config = observed_config
+        self.operator_log_level = operator_log_level
+        self.unsupported_config_overrides = unsupported_config_overrides
+
+    def to_dict(self) -> None:
+        super().to_dict()
+
+        if not self.kind_dict and not self.yaml_file:
+            self.res["spec"] = {}
+            _spec = self.res["spec"]
+
+            if self.log_level is not None:
+                _spec["logLevel"] = self.log_level
+
+            if self.management_state is not None:
+                _spec["managementState"] = self.management_state
+
+            if self.observed_config is not None:
+                _spec["observedConfig"] = self.observed_config
+
+            if self.operator_log_level is not None:
+                _spec["operatorLogLevel"] = self.operator_log_level
+
+            if self.unsupported_config_overrides is not None:
+                _spec["unsupportedConfigOverrides"] = self.unsupported_config_overrides
+
+    # End of generated code
diff --git a/ocp_resources/gateway_config.py b/ocp_resources/gateway_config.py
@@ -0,0 +1,61 @@
+# Generated using https://github.com/RedHatQE/openshift-python-wrapper/blob/main/scripts/resource/README.md
+
+
+from typing import Any
+from ocp_resources.resource import Resource
+
+
+class GatewayConfig(Resource):
+    """
+    GatewayConfig is the Schema for the gatewayconfigs API
+    """
+
+    api_group: str = Resource.ApiGroup.SERVICES_PLATFORM_OPENDATAHUB_IO
+
+    def __init__(
+        self,
+        certificate: dict[str, Any] | None = None,
+        cookie: dict[str, Any] | None = None,
+        domain: str | None = None,
+        oidc: dict[str, Any] | None = None,
+        **kwargs: Any,
+    ) -> None:
+        r"""
+        Args:
+            certificate (dict[str, Any]): Certificate management
+
+            cookie (dict[str, Any]): Cookie configuration for OAuth2 proxy (applies to both OIDC and
+              OpenShift OAuth)
+
+            domain (str): Domain configuration for the GatewayConfig Example: apps.example.com
+
+            oidc (dict[str, Any]): OIDC configuration (used when cluster is in OIDC authentication mode)
+
+        """
+        super().__init__(**kwargs)
+
+        self.certificate = certificate
+        self.cookie = cookie
+        self.domain = domain
+        self.oidc = oidc
+
+    def to_dict(self) -> None:
+        super().to_dict()
+
+        if not self.kind_dict and not self.yaml_file:
+            self.res["spec"] = {}
+            _spec = self.res["spec"]
+
+            if self.certificate is not None:
+                _spec["certificate"] = self.certificate
+
+            if self.cookie is not None:
+                _spec["cookie"] = self.cookie
+
+            if self.domain is not None:
+                _spec["domain"] = self.domain
+
+            if self.oidc is not None:
+                _spec["oidc"] = self.oidc
+
+    # End of generated code
diff --git a/ocp_resources/resource.py b/ocp_resources/resource.py
@@ -556,6 +556,7 @@ class ApiGroup:
         SECURITY_ISTIO_IO: str = "security.istio.io"
         SECURITY_OPENSHIFT_IO: str = "security.openshift.io"
         SELF_NODE_REMEDIATION_MEDIK8S_IO: str = "self-node-remediation.medik8s.io"
+        SERVICES_PLATFORM_OPENDATAHUB_IO: str = "services.platform.opendatahub.io"
         SERVING_KNATIVE_DEV: str = "serving.knative.dev"
         SERVING_KSERVE_IO: str = "serving.kserve.io"
         SNAPSHOT_KUBEVIRT_IO: str = "snapshot.kubevirt.io"
