[WIP] Add mTLS and OAuth authentication to event REST API

[jzding]

Assisted by Cursor AI

This PR introduces enterprise-grade authentication support for the cloud-event-proxy, enabling secure communication for both event consumers and producers in production OpenShift environments.

🚀 Key Features

Authentication Methods

• ✅ mTLS (Mutual TLS) - Client certificate authentication with CA validation
• ✅ OAuth JWT - Token-based authentication with OpenShift OAuth server integration
• ✅ ServiceAccount Tokens - Native Kubernetes pod-to-pod authentication
• ✅ Flexible Configuration - JSON-based configuration with multiple authentication options

Client-Side Implementation

• 🔧 Authentication Package - Complete pkg/auth/ implementation for client authentication
• 🔧 Enhanced REST Client - Authenticated HTTP client with mTLS and OAuth support
• 🔧 Configuration Management - Comprehensive config loading and validation
• 🔧 Seamless Integration - Authentication flows integrated into existing codebase

🏗️ Architecture Overview

Core Components

• pkg/auth/client.go - HTTP client with authentication capabilities (172 lines)
• pkg/auth/config.go - Configuration management and validation (195 lines)
• Enhanced pkg/restclient/client.go - Authenticated REST client integration
• Updated pkg/common/common.go - Authentication flow integration

Consumer Implementation

• examples/consumer/main.go - Complete authenticated consumer example (91+ lines added)
• examples/auth-examples/auth-examples.go - Comprehensive authentication examples (316 lines)
• Authentication Configuration - Example configs and templates

📦 OpenShift Integration

Automated Deployment

• examples/manifests/auth/setup-secrets.sh - Automated authentication setup (111 lines)
• Service CA Integration - Automatic certificate generation and management
• Dynamic Configuration - Environment-based cluster name configuration
• RBAC Setup - Complete permissions configuration

Deployment Manifests

• examples/manifests/consumer.yaml - Enhanced consumer deployment with authentication
• examples/manifests/auth/configmap.yaml - Dynamic authentication configuration
• examples/manifests/auth/client-cert-service.yaml - Service CA certificate generation
• Complete RBAC - ServiceAccount, Role, and RoleBinding configurations

📚 Comprehensive Documentation

Implementation Guides

• AUTHENTICATION_IMPLEMENTATION.md - Complete implementation guide (337 lines)
• examples/consumer/README.md - Consumer authentication guide (383 lines)
• examples/manifests/README.md - Deployment guide with authentication (307 lines)
• examples/manifests/auth/README.md - Authentication setup instructions (196 lines)

Updated Main Documentation

• Enhanced README.md - Authentication overview and integration guide (140+ lines added)
• Certificate Examples - Manual certificate setup guide
• Configuration Examples - Multiple authentication scenarios

🔧 Build and Development

Enhanced Makefile

deploy-consumer: kustomize ## Deploy consumer with authentication
undeploy-consumer: kustomize ## Undeploy consumer

Development Support

• Updated .gitignore - Binary exclusions for clean development
• Enhanced Testing - Updated unit tests for authentication integration
• Ginkgo Compatibility - Fixed functional tests for Ginkgo v1

🛡️ Security Features

Comprehensive Validation

• JWT Token Validation - Signature, expiration, and audience verification
• Certificate Validation - Full TLS certificate chain validation
• Multi-Issuer Support - OpenShift OAuth and ServiceAccount tokens
• Secure Configuration - Encrypted communication with proper TLS setup

OpenShift Service CA Integration

• Automatic Certificates - Service CA annotation-based certificate generation
• CA Bundle Injection - Automatic CA bundle injection via ConfigMaps
• Zero Configuration - No manual certificate management required
• Automatic Rotation - Built-in certificate rotation support

🚀 Usage Examples

Basic Authentication Configuration

{
  "enableMTLS": true,
  "useServiceCA": true,
  "clientCertPath": "/etc/cloud-event-consumer/client-certs/tls.crt",
  "clientKeyPath": "/etc/cloud-event-consumer/client-certs/tls.key",
  "caCertPath": "/etc/cloud-event-consumer/ca-bundle/service-ca.crt",
  "enableOAuth": true,
  "useOpenShiftOAuth": true,
  "oauthIssuer": "https://oauth-openshift.apps.cluster.example.com",
  "serviceAccountName": "consumer-sa"
}

Automated Deployment

# Deploy with default cluster name
make deploy-consumer

# Deploy with custom cluster name
export CLUSTER_NAME=your-cluster.example.com
make deploy-consumer

🔄 Backward Compatibility

• ✅ Optional Authentication - Existing deployments continue to work unchanged
• ✅ Graceful Fallback - Clear error messages for configuration issues
• ✅ Zero Breaking Changes - All existing APIs maintain compatibility
• ✅ Progressive Enhancement - Authentication can be enabled incrementally

📊 Impact

• Lines Added: 5,841 (including vendor dependencies)
• New Dependencies: github.com/golang-jwt/jwt/v5 for secure JWT validation
• Documentation: 1,423+ lines of comprehensive guides and examples
• Examples: Complete consumer implementation with authentication
• Deployment: Automated OpenShift deployment with Service CA integration

🎯 Use Cases

This authentication system enables:

• Secure PTP Event Consumption in production OpenShift clusters
• Multi-tenant Cloud Event Processing with proper access control
• Enterprise Integration with existing OpenShift authentication infrastructure
• Compliance Requirements for secure inter-service communication

🧪 Testing

The implementation includes:

• ✅ Updated unit tests for authentication integration
• ✅ Functional test compatibility with Ginkgo v1
• ✅ Example applications for testing authentication flows
• ✅ Comprehensive error handling and logging

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jzding

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jzding]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jzding]

/ok-to-test

[jzding]

/ok-to-test

[jzding]

/test e2e-aws

[jzding]

/ok-to-test

[jzding]

/ok-to-test

[jzding]

/ok-to-test

[openshift-ci]

@jzding: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws	66c5ea4	link	true	/test e2e-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.