feat(config): add support for authorization config

api/v1beta1/temporalcluster_types.go

@@ -878,6 +878,44 @@ type FilestoreArchiver struct {
 	DirPermissions string `json:"dirPermissions"`
 }
 
+// AuthorizationSpec defines the specifications for authorization in the temporal cluster. It contains fields
+// that configure how JWT tokens are validated, how permissions are managed, and how claims are mapped.
+type AuthorizationSpec struct {
+	// JWTKeyProvider specifies the signing key provider used for validating JWT tokens.
+	// +optional
+	JWTKeyProvider AuthorizationSpecJWTKeyProvider `json:"jwtKeyProvider"`
+
+	// PermissionsClaimName is the name of the claim within the JWT token that contains the user's permissions.
+	// +optional
+	PermissionsClaimName string `json:"permissionsClaimName"`
+
+	// Authorizer defines the authorization mechanism to be used. It can be left as an empty string to
+	// use a no-operation authorizer (noopAuthorizer), or set to "default" to use the temporal's default
+	// authorizer (defaultAuthorizer).
+	// +optional
+	Authorizer string `json:"authorizer"`
+
+	// ClaimMapper specifies the claim mapping mechanism used for handling JWT claims. Similar to the Authorizer,
+	// it can be left as an empty string to use a no-operation claim mapper (noopClaimMapper), or set to "default"
+	// to use the default JWT claim mapper (defaultJWTClaimMapper).
+	// +optional
+	ClaimMapper string `json:"claimMapper"`
+}
+
+// AuthorizationSpecJWTKeyProvider defines the configuration for a JWT key provider within the AuthorizationSpec.
+// It specifies where to source the JWT keys from and how often they should be refreshed.
+type AuthorizationSpecJWTKeyProvider struct {
+	// KeySourceURIs is a list of URIs where the JWT signing keys can be obtained. These URIs are used by the
+	// authorization system to fetch the public keys necessary for validating JWT tokens.
+	// +optional
+	KeySourceURIs []string `json:"keySourceURIs"`
+
+	// RefreshInterval defines the time interval at which temporal should refresh the JWT signing keys from
+	// the specified URIs.
+	// +optional
+	RefreshInterval *metav1.Duration `json:"refreshInterval"`
+}
+
 // S3Archiver is the S3 archival provider configuration.
 type S3Archiver struct {
 	// Region is the aws s3 region.
@@ -970,6 +1008,9 @@ type TemporalClusterSpec struct {
 	// Archival allows Workflow Execution Event Histories and Visibility data backups for the temporal cluster.
 	// +optional
 	Archival *ClusterArchivalSpec `json:"archival,omitempty"`
+	// Authorization allows authorization configuration for the temporal cluster.
+	// +optional
+	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
 }
 
 // ServiceStatus reports a service status.

config/crd/bases/temporal.io_temporalclusters.yaml

@@ -288,6 +288,31 @@ spec:
                         - paused
                       type: object
                   type: object
+                authorization:
+                  description: Authorization
+                  properties:
+                    authorizer:
+                      description: Authorizer defines the authorization mechanism to be used. It can be left as an empty string to use a no-operation authorizer (noopAuthorizer), or set to "default" to use the temporal's default authorizer (defaultAuthorizer).
+                      type: string
+                    claimMapper:
+                      description: ClaimMapper specifies the claim mapping mechanism used for handling JWT claims. Similar to the Authorizer, it can be left as an empty string to use a no-operation claim mapper (noopClaimMapper), or set to "default" to use the default JWT claim mapper (defaultJWTClaimMapper).
+                      type: string
+                    jwtKeyProvider:
+                      description: JWTKeyProvider specifies the signing key provider used for validating JWT tokens.
+                      properties:
+                        keySourceURIs:
+                          description: KeySourceURIs is a list of URIs where the JWT signing keys can be obtained. These URIs are used by the authorization system to fetch the public keys necessary for validating JWT tokens.
+                          items:
+                            type: string
+                          type: array
+                        refreshInterval:
+                          description: RefreshInterval defines the time interval at which temporal should refresh the JWT signing keys from the specified URIs.
+                          type: string
+                      type: object
+                    permissionsClaimName:
+                      description: PermissionsClaimName is the name of the claim within the JWT token that contains the user's permissions.
+                      type: string
+                  type: object
                 dynamicConfig:
                   description: DynamicConfig allows advanced configuration for the temporal cluster.
                   properties:

docs/api/v1beta1.md

@@ -268,6 +268,19 @@ ClusterArchivalSpec
 <p>Archival allows Workflow Execution Event Histories and Visibility data backups for the temporal cluster.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>authorization</code><br>
+<em>
+<a href="#temporal.io/v1beta1.AuthorizationSpec">
+AuthorizationSpec
+</a>
+</em>
+</td>
+<td>
+<p>Authorization</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -608,6 +621,132 @@ string
 </table>
 </div>
 </div>
+<h3 id="temporal.io/v1beta1.AuthorizationSpec">AuthorizationSpec
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#temporal.io/v1beta1.TemporalClusterSpec">TemporalClusterSpec</a>)
+</p>
+<p>AuthorizationSpec defines the specifications for authorization in the temporal cluster. It contains fields
+that configure how JWT tokens are validated, how permissions are managed, and how claims are mapped.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>jwtKeyProvider</code><br>
+<em>
+<a href="#temporal.io/v1beta1.AuthorizationSpecJWTKeyProvider">
+AuthorizationSpecJWTKeyProvider
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>JWTKeyProvider specifies the signing key provider used for validating JWT tokens.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>permissionsClaimName</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PermissionsClaimName is the name of the claim within the JWT token that contains the user&rsquo;s permissions.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>authorizer</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Authorizer defines the authorization mechanism to be used. It can be left as an empty string to
+use a no-operation authorizer (noopAuthorizer), or set to &ldquo;default&rdquo; to use the temporal&rsquo;s default
+authorizer (defaultAuthorizer).</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>claimMapper</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>ClaimMapper specifies the claim mapping mechanism used for handling JWT claims. Similar to the Authorizer,
+it can be left as an empty string to use a no-operation claim mapper (noopClaimMapper), or set to &ldquo;default&rdquo;
+to use the default JWT claim mapper (defaultJWTClaimMapper).</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+<h3 id="temporal.io/v1beta1.AuthorizationSpecJWTKeyProvider">AuthorizationSpecJWTKeyProvider
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#temporal.io/v1beta1.AuthorizationSpec">AuthorizationSpec</a>)
+</p>
+<p>AuthorizationSpecJWTKeyProvider defines the configuration for a JWT key provider within the AuthorizationSpec.
+It specifies where to source the JWT keys from and how often they should be refreshed.</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>keySourceURIs</code><br>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>KeySourceURIs is a list of URIs where the JWT signing keys can be obtained. These URIs are used by the
+authorization system to fetch the public keys necessary for validating JWT tokens.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>refreshInterval</code><br>
+<em>
+<a href="https://pkg.go.dev/k8s.io/apimachinery/pkg/apis/meta/v1#Duration">
+Kubernetes meta/v1.Duration
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>RefreshInterval defines the time interval at which temporal should refresh the JWT signing keys from
+the specified URIs.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="temporal.io/v1beta1.CassandraConsistencySpec">CassandraConsistencySpec
 </h3>
 <p>
@@ -3665,6 +3804,19 @@ ClusterArchivalSpec
 <p>Archival allows Workflow Execution Event Histories and Visibility data backups for the temporal cluster.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>authorization</code><br>
+<em>
+<a href="#temporal.io/v1beta1.AuthorizationSpec">
+AuthorizationSpec
+</a>
+</em>
+</td>
+<td>
+<p>Authorization</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>

internal/resource/config/configmap_builder.go

@@ -29,6 +29,7 @@ import (
 	"github.com/alexandrevilain/temporal-operator/internal/resource/meta"
 	"github.com/alexandrevilain/temporal-operator/internal/resource/mtls/certmanager"
 	archivalutil "github.com/alexandrevilain/temporal-operator/pkg/temporal/archival"
+	"github.com/alexandrevilain/temporal-operator/pkg/temporal/authorization"
 	"github.com/alexandrevilain/temporal-operator/pkg/temporal/log"
 	"github.com/alexandrevilain/temporal-operator/pkg/temporal/persistence"
 	"github.com/alexandrevilain/temporal-operator/pkg/version"
@@ -213,6 +214,7 @@ func (b *ConfigmapBuilder) Update(object client.Object) error {
 				MaxJoinDuration:  30 * time.Second,
 				BroadcastAddress: "{{ default .Env.POD_IP \"0.0.0.0\" }}",
 			},
+			Authorization: authorization.ToTemporalAuthorization(b.instance.Spec.Authorization),
 		},
 		Persistence: *persistenceConfig,
 		Log:         log.NewSQLConfigFromDatastoreSpec(b.instance.Spec.Log),

pkg/temporal/authorization/authorization.go

@@ -0,0 +1,40 @@
+// Licensed to Alexandre VILAIN under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Alexandre VILAIN licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package authorization
+
+import (
+	"github.com/alexandrevilain/temporal-operator/api/v1beta1"
+	"go.temporal.io/server/common/config"
+)
+
+// ToTemporalAuthorization transforms v1beta1.AuthorizationSpec to temporal's authorization config.
+func ToTemporalAuthorization(authorization *v1beta1.AuthorizationSpec) config.Authorization {
+	if authorization == nil {
+		return config.Authorization{}
+	}
+
+	return config.Authorization{
+		JWTKeyProvider: config.JWTKeyProvider{
+			KeySourceURIs:   authorization.JWTKeyProvider.KeySourceURIs,
+			RefreshInterval: authorization.JWTKeyProvider.RefreshInterval.Duration,
+		},
+		PermissionsClaimName: authorization.PermissionsClaimName,
+		Authorizer:           authorization.Authorizer,
+		ClaimMapper:          authorization.ClaimMapper,
+	}
+}