Implementation: Support for Bearer token auth between Service Catalog and brokers (#1053)

* Support for Bearer token auth between Service Catalog and brokers

* Switching back to ObjectReference

Author: nilebox

contrib/examples/apiserver/broker.yaml

@@ -4,10 +4,13 @@ metadata:
   name: test-broker
 spec:
   url: http://beefco.de
-  # put the basic auth for the broker in a secret, and reference the secret here.
-  # service-catalog will use the contents of the secret. The secret should have "username"
-  # and "password" keys
+  # Put the basic auth for the broker in a secret, and reference the secret here.
+  # Service Catalog will use the contents of the secret. The secret should have "username"
+  # and "password" keys.
+  # Alternatively you can use bearer token auth for which the secret should have a
+  # "token" key with bearer token.
   authInfo:
-    basicAuthSecret:
-      namespace: some-namespace
-      name: secret-name
+    basic:
+      secretRef:
+        namespace: some-namespace
+        name: secret-name

pkg/apis/servicecatalog/checksum/checksum_test.go

@@ -70,9 +70,11 @@ func TestBrokerSpecChecksum(t *testing.T) {
 	spec := servicecatalog.BrokerSpec{
 		URL: "https://kubernetes.default.svc:443/brokers/template.k8s.io",
 		AuthInfo: &servicecatalog.BrokerAuthInfo{
-			BasicAuthSecret: &v1.ObjectReference{
-				Namespace: "test-ns",
-				Name:      "test-secret",
+			Basic: &servicecatalog.BasicAuthConfig{
+				SecretRef: &v1.ObjectReference{
+					Namespace: "test-ns",
+					Name:      "test-secret",
+				},
 			},
 		},
 	}

pkg/apis/servicecatalog/types.go

@@ -56,15 +56,51 @@ type BrokerSpec struct {
 // BrokerAuthInfo is a union type that contains information on one of the authentication methods
 // the the service catalog and brokers may support, according to the OpenServiceBroker API
 // specification (https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md).
-//
-// Note that we currently restrict a single broker to have only one of these fields
-// set on it.
 type BrokerAuthInfo struct {
+	// Basic provides configuration for basic authentication.
+	Basic *BasicAuthConfig
+	// BearerTokenAuthConfig provides configuration to send an opaque value as a bearer token.
+	// The value is referenced from the 'token' field of the given secret.  This value should only
+	// contain the token value and not the `Bearer` scheme.
+	Bearer *BearerTokenAuthConfig
+
+	// DEPRECATED: use `Basic` field for configuring basic authentication instead.
 	// BasicAuthSecret is a reference to a Secret containing auth information the
 	// catalog should use to authenticate to this Broker using basic auth.
 	BasicAuthSecret *v1.ObjectReference
 }
 
+// BasicAuthConfig provides config for the basic authentication.
+type BasicAuthConfig struct {
+	// SecretRef is a reference to a Secret containing information the
+	// catalog should use to authenticate to this Broker.
+	//
+	// Required at least one of the fields:
+	// - Secret.Data["username"] - username used for authentication
+	// - Secret.Data["password"] - password or token needed for authentication
+	SecretRef *v1.ObjectReference
+}
+
+// BearerTokenAuthConfig provides config for the bearer token authentication.
+type BearerTokenAuthConfig struct {
+	// SecretRef is a reference to a Secret containing information the
+	// catalog should use to authenticate to this Broker.
+	//
+	// Required field:
+	// - Secret.Data["token"] - bearer token for authentication
+	SecretRef *v1.ObjectReference
+}
+
+const (
+	// BasicAuthUsernameKey is the key of the username for SecretTypeBasicAuth secrets
+	BasicAuthUsernameKey = "username"
+	// BasicAuthPasswordKey is the key of the password or token for SecretTypeBasicAuth secrets
+	BasicAuthPasswordKey = "password"
+
+	// BearerTokenKey is the key of the bearer token for SecretTypeBearerTokenAuth secrets
+	BearerTokenKey = "token"
+)
+
 // BrokerStatus represents the current status of a Broker.
 type BrokerStatus struct {
 	Conditions []BrokerCondition