Initial access config support

api/v1alpha1/tunnelbinding_types.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"github.com/cloudflare/cloudflare-go"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -118,6 +119,159 @@ type TunnelBindingStatus struct {
 	Services  []ServiceInfo `json:"services"`
 }
 
+type AccessConfig struct {
+	// Enable handling of access configuration
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=false
+	Enabled bool `json:"enabled"`
+	// Application type self_hosted,saas
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:validation:Enum:="";"self_hosted";"saas"
+	//+kubebuilder:default:="self_hosted"
+	Type string `json:"type"`
+	// List of access policies
+	//+kubebuilder:validation:Optional
+	AccessPolicies []AccessPolicy `json:"accessPolicies"`
+	// Application settings
+	//+kubebuilder:validation:Optional
+	Settings AccessConfigSettings `json:"settings"`
+}
+
+type AccessConfigSettings struct {
+	// Authentication settins
+	//+kubebuilder:validation:Optional
+	Authentication AccessConfigAuthentication `json:"authentication"`
+	// Appearance settins
+	//+kubebuilder:validation:Optional
+	Appearance AccessConfigAppearance `json:"appearance"`
+	// Cookie settings
+	//+kubebuilder:validation:Optional
+	Cookies AccessConfigCookies `json:"cookies"`
+	// Additional settings
+	//+kubebuilder:validation:Optional
+	Additional AccessConfigAdditional `json:"additional"`
+}
+
+type AccessConfigAuthentication struct {
+	// The list of identiy providers which application is allowed to use. If empty all idps are allowed
+	//+kubebuilder:validation:Optional
+	AllowedIdps []string `json:"allowedIdps"`
+	// Skip identity provider selection if only one is configured
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=false
+	InstantAuth bool `json:"instantAuth"`
+	// The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:="24h"
+	SessionDuration string `json:"sessionDuration"`
+	// The custom URL a user is redirected to when they are denied access to the application.
+	//+kubebuilder:validation:Optional
+	CustomDenyUrl string `json:"customDenyUrl"`
+	// The custom error message shown to a user when they are denied access to the application.
+	//+kubebuilder:validation:Optional
+	CustomDenyMessage string `json:"customDenyMessage"`
+}
+
+type AccessConfigAppearance struct {
+	// Wether to show app in the launcher. Defaults to true.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=true
+	AppLauncherVisibility bool `json:"appLauncherVisibility"`
+	// Custom logo url
+	//+kubebuilder:validation:Optional
+	CustomLogo string `json:"customLogo"`
+}
+
+type AccessConfigCookies struct {
+	// Sets the SameSite cookie setting, which provides increased security against CSRF attacks. [none,strict,lax]
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:validation:Enum:="";"none";"strict";"lax"
+	SameSiteAttribute string `json:"sameSiteAttribute"`
+	// Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=true
+	EnableHttpOnly bool `json:"enableHttpOnly"`
+	// Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=false
+	EnableBindingCookie bool `json:"enableBindingCookie"`
+}
+
+type AccessConfigAdditional struct {
+	// Cloudflare will render an SSH terminal or VNC session for this application in a web browser. [ssh,vnc]
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:validation:Enum:="";"vnc";"ssh"
+	BrowserRendering string `json:"browserRendering"`
+}
+
+type AccessPolicy struct {
+	// The name of the Access policy.
+	//+kubebuilder:validation:Required
+	Name string `json:"name"`
+	// Decision if a policy is met
+	//+kubebuilder:validation:Required
+	//+kubebuilder:validation:Enum:="allow";"deny";"non_identity";"bypass"
+	Action string `json:"action"`
+	// Array of Access group names. Access groups are not managed by this operator
+	//+kubebuilder:validation:Optional
+	Include []string `json:"include"`
+	// Array of Access group names. Access groups are not managed by this operator
+	//+kubebuilder:validation:Optional
+	Exclude []string `json:"exclude"`
+	// Array of Access group names. Access groups are not managed by this operator
+	//+kubebuilder:validation:Optional
+	Require []string `json:"require"`
+	// The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:="24h"
+	SessionDuration string `json:"sessionDuration"`
+	// Require users to enter a justification when they log in to the application.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:=false
+	PurposeJustificationRequired bool `json:"purposeJustificationRequired"`
+	// A custom message that will appear on the purpose justification screen.
+	//+kubebuilder:validation:Optional
+	//+kubebuilder:default:="Please enter a justification for entering this protected domain."
+	PurposeJustificationPrompt string `json:"purposeJustificationPrompt"`
+}
+
+func (c *AccessConfig) NewAccessApplication(hostname string) cloudflare.AccessApplication {
+
+	return cloudflare.AccessApplication{
+		// GatewayRules:            []cloudflare.AccessApplicationGatewayRule{},
+		AllowedIdps:       c.Settings.Authentication.AllowedIdps,
+		CustomDenyMessage: c.Settings.Authentication.CustomDenyMessage,
+		LogoURL:           c.Settings.Appearance.CustomLogo,
+		// AUD:                     "",
+		Domain:                  hostname,
+		Type:                    cloudflare.AccessApplicationType(c.Type),
+		SessionDuration:         c.Settings.Authentication.SessionDuration,
+		SameSiteCookieAttribute: c.Settings.Cookies.SameSiteAttribute,
+		CustomDenyURL:           c.Settings.Authentication.CustomDenyUrl,
+		Name:                    hostname,
+		// PrivateAddress:          "",
+		// CorsHeaders: &cloudflare.AccessApplicationCorsHeaders{
+		// 	AllowedMethods:   []string{},
+		// 	AllowedOrigins:   []string{},
+		// 	AllowedHeaders:   []string{},
+		// 	AllowAllMethods:  false,
+		// 	AllowAllHeaders:  false,
+		// 	AllowAllOrigins:  false,
+		// 	AllowCredentials: false,
+		// 	MaxAge:           0,
+		// },
+		// CreatedAt:               &time.Time{},
+		// UpdatedAt:               &time.Time{},
+		// SaasApplication:         &cloudflare.SaasApplication{},
+		AutoRedirectToIdentity: &c.Settings.Authentication.InstantAuth,
+		// SkipInterstitial:        new(bool),
+		AppLauncherVisible:      &c.Settings.Appearance.AppLauncherVisibility,
+		EnableBindingCookie:     &c.Settings.Cookies.EnableBindingCookie,
+		HttpOnlyCookieAttribute: &c.Settings.Cookies.EnableHttpOnly,
+		// ServiceAuth401Redirect:  new(bool),
+	}
+}
+
 //+kubebuilder:object:root=true
 //+kubebuilder:subresource:status
 //+kubebuilder:printcolumn:name="FQDNs",type=string,JSONPath=`.status.hostnames`
@@ -129,7 +283,9 @@ type TunnelBinding struct {
 
 	Subjects  []TunnelBindingSubject `json:"subjects"`
 	TunnelRef TunnelRef              `json:"tunnelRef"`
-	Status    TunnelBindingStatus    `json:"status,omitempty"`
+	//+kubebuilder:validation:Optional
+	AccessConfig AccessConfig        `json:"accessConfig"`
+	Status       TunnelBindingStatus `json:"status,omitempty"`
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml

@@ -1,10 +1,9 @@
-
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.7.0
+    controller-gen.kubebuilder.io/version: v0.8.0
   creationTimestamp: null
   name: clustertunnels.networking.cfargotunnel.com
 spec: