Describe the bug
It's about the usage of the Group CR. There is some inconsistency between the OIDC and API-key based authentication approaches.
When a Group is bound to OIDC authentication, I must set a products selector under accessLevel, but it can be empty:
```yaml
apiVersion: portal.gloo.solo.io/v1beta1
kind: Group
metadata:
  name: users
  namespace: default
spec:
  accessLevel:
    apis:
    - environments:
        names:
        - dev
        namespaces:
        - '*'
      usagePlans:
      - trusted
      products: {} # filling in this field is NOT mandatory
    portals:
    - name: ecommerce-portal
      namespace: default
  oidcGroup:
    groupName: users
  displayName: corporate users
```
But when it's about a Group using API keys, then filling in this products selector is required:
```yaml
apiVersion: portal.gloo.solo.io/v1beta1
kind: Group
metadata:
  name: developers
  namespace: gloo-portal
spec:
  accessLevel:
    apis:
    - environments:
        names:
        - dev
        namespaces:
        - '*'
      usagePlans:
      - basic2
      products: # configuring this field is now MANDATORY
        namespaces:
        - '*'
    portals:
    - name: ecommerce-portal
      namespace: default
  displayName: ecommerce developers
  userSelector:
    matchLabels:
      groups.portal.gloo.solo.io/gloo-portal.developers: "true"
    namespaces:
    - '*'
```
Gloo Portal v1.1.0-beta4