Pr 2174

frontend/pkg/frontend/const.go

@@ -26,6 +26,7 @@ const (
 	PathSegmentDeploymentName    = "deploymentname"
 	PathSegmentLocation          = "location"
 	PathSegmentNodePoolName      = "nodepoolname"
+	PathSegmentExternalAuthName  = "externalauthname"
 	PathSegmentOperationID       = "operationid"
 	PathSegmentResourceGroupName = "resourcegroupname"
 	PathSegmentResourceName      = "resourcename"

frontend/pkg/frontend/external_auth.go

@@ -0,0 +1,71 @@
+// Copyright 2025 Microsoft Corporation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package frontend
+
+import (
+	"net/http"
+
+	"github.com/Azure/ARO-HCP/internal/api/arm"
+	"github.com/Azure/ARO-HCP/internal/database"
+)
+
+func (f *Frontend) CreateOrUpdateExternalAuth(writer http.ResponseWriter, request *http.Request) {
+	var err error
+
+	// This handles both PUT and PATCH requests. PATCH requests will
+	// never create a new resource. The only other notable difference
+	// is the target struct that request bodies are overlayed onto:
+	//
+	// PUT requests overlay the request body onto a default resource
+	// struct, which only has API-specified non-zero default values.
+	// This means all required properties must be specified in the
+	// request body, whether creating or updating a resource.
+	//
+	// PATCH requests overlay the request body onto a resource struct
+	// that represents an existing resource to be updated.
+
+	ctx := request.Context()
+	logger := LoggerFromContext(ctx)
+
+	resourceID, err := ResourceIDFromContext(ctx)
+	if err != nil {
+		logger.Error(err.Error())
+		arm.WriteInternalServerError(writer)
+		return
+	}
+
+	_, resourceDoc, err := f.dbClient.GetResourceDoc(ctx, resourceID)
+	if err != nil && !database.IsResponseError(err, http.StatusNotFound) {
+		logger.Error(err.Error())
+		arm.WriteInternalServerError(writer)
+		return
+	}
+
+	var updating = (resourceDoc != nil)
+
+	if updating {
+		f.updateExternalAuth()
+	} else {
+		createExternalAuth()
+	}
+}
+
+func createExternalAuth() {
+	// var err error
+}
+
+func (f *Frontend) updateExternalAuth() {
+	// var err error
+}

frontend/pkg/frontend/routes.go

@@ -30,6 +30,7 @@ const (
 	WildcardDeploymentName    = "{" + PathSegmentDeploymentName + "}"
 	WildcardLocation          = "{" + PathSegmentLocation + "}"
 	WildcardNodePoolName      = "{" + PathSegmentNodePoolName + "}"
+	WildcardExternalAuthName  = "{" + PathSegmentExternalAuthName + "}"
 	WildcardOperationID       = "{" + PathSegmentOperationID + "}"
 	WildcardResourceGroupName = "{" + PathSegmentResourceGroupName + "}"
 	WildcardResourceName      = "{" + PathSegmentResourceName + "}"
@@ -40,6 +41,7 @@ const (
 	PatternProviders         = "providers/" + api.ProviderNamespace
 	PatternClusters          = api.ClusterResourceTypeName + "/" + WildcardResourceName
 	PatternNodePools         = api.NodePoolResourceTypeName + "/" + WildcardNodePoolName
+	PatternExternalAuth      = api.ExternalAuthResourceTypeName + "/" + WildcardExternalAuthName
 	PatternDeployments       = "deployments/" + WildcardDeploymentName
 	PatternResourceGroups    = "resourcegroups/" + WildcardResourceGroupName
 	PatternOperationResults  = api.OperationResultResourceTypeName + "/" + WildcardOperationID
@@ -144,6 +146,20 @@ func (f *Frontend) routes(r prometheus.Registerer) *MiddlewareMux {
 		MuxPattern(http.MethodGet, PatternSubscriptions, PatternProviders, PatternLocations, PatternClusterVersions),
 		postMuxMiddleware.HandlerFunc(f.ArmResourceRead))
 
+	// External Auth
+	mux.Handle(
+		MuxPattern(http.MethodGet, PatternSubscriptions, PatternResourceGroups, PatternProviders, PatternClusters, PatternExternalAuth),
+		postMuxMiddleware.HandlerFunc(f.ArmResourceRead))
+	mux.Handle(
+		MuxPattern(http.MethodPut, PatternSubscriptions, PatternResourceGroups, PatternProviders, PatternClusters, PatternExternalAuth),
+		postMuxMiddleware.HandlerFunc(f.CreateOrUpdateExternalAuth))
+	mux.Handle(
+		MuxPattern(http.MethodPatch, PatternSubscriptions, PatternResourceGroups, PatternProviders, PatternClusters, PatternExternalAuth),
+		postMuxMiddleware.HandlerFunc(f.CreateOrUpdateExternalAuth))
+	mux.Handle(
+		MuxPattern(http.MethodDelete, PatternSubscriptions, PatternResourceGroups, PatternProviders, PatternClusters, PatternExternalAuth),
+		postMuxMiddleware.HandlerFunc(f.ArmResourceDelete))
+
 	// Operation endpoints
 	postMuxMiddleware = NewMiddleware(
 		MiddlewareResourceID,

internal/api/arm/resource.go

@@ -149,3 +149,19 @@ func ListProvisioningStates() iter.Seq[ProvisioningState] {
 		ProvisioningStateUpdating,
 	})
 }
+
+type ExternalAuthProvisioningState string
+
+const (
+	// Terminal states, defined by ARM
+	ExternalAuthProvisioningStateCanceled  ExternalAuthProvisioningState = "Canceled"
+	ExternalAuthProvisioningStateFailed    ExternalAuthProvisioningState = "Failed"
+	ExternalAuthProvisioningStateSucceeded ExternalAuthProvisioningState = "Succeeded"
+
+	// Non-terminal states, defined by ARO-HCP
+	ExternalAuthProvisioningStateAccepted       ExternalAuthProvisioningState = "Accepted"
+	ExternalAuthProvisioningStateAwaitingSecret ExternalAuthProvisioningState = "AwaitingSecret"
+	ExternalAuthProvisioningStateDeleting       ExternalAuthProvisioningState = "Deleting"
+	ExternalAuthProvisioningStateProvisioning   ExternalAuthProvisioningState = "Provisioning"
+	ExternalAuthProvisioningStateUpdating       ExternalAuthProvisioningState = "Updating"
+)

internal/api/enums.go

@@ -72,3 +72,42 @@ const (
 	// EtcdDataEncryptionKeyManagementModeTypePlatformManaged - Platform managed encryption key management mode type.
 	EtcdDataEncryptionKeyManagementModeTypePlatformManaged EtcdDataEncryptionKeyManagementModeType = "PlatformManaged"
 )
+
+type TokenValidationRuleType string
+
+const (
+	// TokenValidationRuleTypeRequiredClaim - the Kubernetes API server will be configured to validate that the
+	// incoming JWT contains the required claim and that its value matches the required value.
+	TokenValidationRuleTypeRequiredClaim TokenValidationRuleType = "RequiredClaim"
+)
+
+type ExternalAuthClientType string
+
+const (
+	// ExternalAuthClientTypeConfidential - the client is confidential.
+	ExternalAuthClientTypeConfidential ExternalAuthClientType = "Confidential"
+	// ExternalAuthClientTypePublic - the client is public.
+	ExternalAuthClientTypePublic ExternalAuthClientType = "Public"
+)
+
+type ExternalAuthConditionType string
+
+const (
+	// ExternalAuthConditionTypeAvailable - the resource is in an available state.
+	ExternalAuthConditionTypeAvailable ExternalAuthConditionType = "Available"
+	// ExternalAuthConditionType - the resource is in a degraded state.
+	ExternalAuthConditionTypeDegraded ExternalAuthConditionType = "Degraded"
+	// ExternalAuthConditionTypeProgressing - the resource is in a progressing state.
+	ExternalAuthConditionTypeProgressing ExternalAuthConditionType = "Progressing"
+)
+
+type ConditionStatusType string
+
+const (
+	// ConditionStatusType - the condition status is true.
+	ConditionStatusTypeTrue ConditionStatusType = "True"
+	// ExternalAuthConditionTypeFalse - the condition status is false.
+	ConditionStatusTypeFalse ConditionStatusType = "False"
+	// ConditionStatusTypeUnknown - the condition status is unknown.
+	ConditionStatusTypeUnknown ConditionStatusType = "Unknown"
+)