Implement feedback

Author: SimonKienzler

README.md

@@ -205,7 +205,7 @@ spec:
             successThreshold: 1
             timeoutSeconds: 5
           env:
-            - name: STACKIT_SERVICE_ACCOUNT_TOKEN
+            - name: AUTH_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: external-dns-stackit-webhook
@@ -219,6 +219,8 @@ The configuration of the STACKIT webhook can be accomplished through command lin
 Below are the options that are available.
 
 - `--project-id`/`PROJECT_ID` (required): Specifies the project id of the STACKIT project.
+- `--auth-token`/`AUTH_TOKEN` (required if `auth-key-path` is not set): Defines the authentication token for the STACKIT API. Mutually exclusive with 'auth-key-path'.
+- `--auth-key-path`/`AUTH_KEY_PATH` (required if `auth-token` is not set): Defines the file path of the service account key for the STACKIT API. Mutually exclusive with 'auth-token'.
 - `--worker`/`WORKER`  (optional): Specifies the number of workers to employ for querying the API. Given that we
   need to iterate over all zones and records, it can be parallelized. However, it is important to avoid
   setting this number excessively high to prevent receiving 429 rate limiting from the API (default 10).
@@ -230,14 +232,6 @@ Below are the options that are available.
 - `--log-level`/`LOG_LEVEL` (optional): Defines the log level (default "info"). Possible values are: debug, info, warn,
   error.
 
-## Authentication
-
-The STACKIT webhook uses the [STACKIT Go SDK](https://github.com/stackitcloud/stackit-sdk-go) and therefore inherits its
-options for authentication: You can use either Token or Key authentication flows. The example above uses the Token flow
-for authentication by providing the `STACKIT_SERVICE_ACCOUNT_TOKEN` environment variable in the `Deployment`. For more
-information on how to provide e.g. a Service Account Key to be used by the SDK, see
-[authentication options for the STACKIT Go SDK](https://github.com/stackitcloud/stackit-sdk-go?tab=readme-ov-file#authentication). 
-
 ## FAQ
 
 ### 1. Issue with Creating Service using External DNS Annotation

cmd/webhook/cmd/root.go

@@ -3,30 +3,30 @@ package cmd
 import (
 	"fmt"
 	"log"
-	"net/http"
 	"strings"
-	"time"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 	"github.com/stackitcloud/external-dns-stackit-webhook/internal/stackitprovider"
 	"github.com/stackitcloud/external-dns-stackit-webhook/pkg/api"
 	"github.com/stackitcloud/external-dns-stackit-webhook/pkg/metrics"
-	stackitconfig "github.com/stackitcloud/stackit-sdk-go/core/config"
+	"github.com/stackitcloud/external-dns-stackit-webhook/pkg/stackit"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 	"sigs.k8s.io/external-dns/endpoint"
 )
 
 var (
-	apiPort      string
-	baseUrl      string
-	projectID    string
-	worker       int
-	domainFilter []string
-	dryRun       bool
-	logLevel     string
+	apiPort         string
+	authBearerToken string
+	authKeyPath     string
+	baseUrl         string
+	projectID       string
+	worker          int
+	domainFilter    []string
+	dryRun          bool
+	logLevel        string
 )
 
 var rootCmd = &cobra.Command{
@@ -44,6 +44,11 @@ var rootCmd = &cobra.Command{
 
 		endpointDomainFilter := endpoint.DomainFilter{Filters: domainFilter}
 
+		stackitConfigOptions, err := stackit.SetConfigOptions(baseUrl, authBearerToken, authKeyPath)
+		if err != nil {
+			panic(err)
+		}
+
 		stackitProvider, err := stackitprovider.NewStackitDNSProvider(
 			logger.With(zap.String("component", "stackitprovider")),
 			// ExternalDNS provider config
@@ -54,10 +59,7 @@ var rootCmd = &cobra.Command{
 				Workers:      worker,
 			},
 			// STACKIT client SDK config
-			stackitconfig.WithHTTPClient(&http.Client{
-				Timeout: 10 * time.Second,
-			}),
-			stackitconfig.WithEndpoint(baseUrl),
+			stackitConfigOptions...,
 		)
 		if err != nil {
 			panic(err)
@@ -111,6 +113,8 @@ func init() {
 	cobra.OnInitialize(initConfig)
 
 	rootCmd.PersistentFlags().StringVar(&apiPort, "api-port", "8888", "Specifies the port to listen on.")
+	rootCmd.PersistentFlags().StringVar(&authBearerToken, "auth-token", "", "Defines the authentication token for the STACKIT API. Mutually exclusive with 'auth-key-path'.")
+	rootCmd.PersistentFlags().StringVar(&authKeyPath, "auth-key-path", "", "Defines the file path of the service account key for the STACKIT API. Mutually exclusive with 'auth-token'.")
 	rootCmd.PersistentFlags().StringVar(&baseUrl, "base-url", "https://dns.api.stackit.cloud", " Identifies the Base URL for utilizing the API.")
 	rootCmd.PersistentFlags().StringVar(&projectID, "project-id", "", "Specifies the project id of the STACKIT project.")
 	rootCmd.PersistentFlags().IntVar(&worker, "worker", 10, "Specifies the number "+

pkg/stackit/options.go

@@ -0,0 +1,40 @@
+package stackit
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	stackitconfig "github.com/stackitcloud/stackit-sdk-go/core/config"
+)
+
+// SetConfigOptions sets the default config options for the STACKIT
+// client and determines which type of authorization to use, depending on the
+// passed bearerToken and keyPath parameters. If no baseURL or an invalid
+// combination of auth options is given (neither or both), the function returns
+// an error.
+func SetConfigOptions(baseURL, bearerToken, keyPath string) ([]stackitconfig.ConfigurationOption, error) {
+	if len(baseURL) == 0 {
+		return nil, fmt.Errorf("base-url is required")
+	}
+
+	options := []stackitconfig.ConfigurationOption{
+		stackitconfig.WithHTTPClient(&http.Client{
+			Timeout: 10 * time.Second,
+		}),
+		stackitconfig.WithEndpoint(baseURL),
+	}
+
+	bearerTokenSet := len(bearerToken) > 0
+	keyPathSet := len(keyPath) > 0
+
+	if (!bearerTokenSet && !keyPathSet) || (bearerTokenSet && keyPathSet) {
+		return nil, fmt.Errorf("exactly only one of auth-token or auth-key-path is required")
+	}
+
+	if bearerTokenSet {
+		return append(options, stackitconfig.WithToken(bearerToken)), nil
+	}
+
+	return append(options, stackitconfig.WithServiceAccountKeyPath(keyPath)), nil
+}

pkg/stackit/options_test.go

@@ -0,0 +1,47 @@
+package stackit
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMissingBaseURL(t *testing.T) {
+	t.Parallel()
+
+	options, err := SetConfigOptions("", "", "")
+	assert.ErrorContains(t, err, "base-url")
+	assert.Nil(t, options)
+}
+
+func TestBothAuthOptionsMissing(t *testing.T) {
+	t.Parallel()
+
+	options, err := SetConfigOptions("https://example.com", "", "")
+	assert.ErrorContains(t, err, "auth-token or auth-key-path")
+	assert.Nil(t, options)
+}
+
+func TestBothAuthOptionsSet(t *testing.T) {
+	t.Parallel()
+
+	options, err := SetConfigOptions("https://example.com", "token", "key/path")
+	assert.ErrorContains(t, err, "auth-token or auth-key-path")
+	assert.Nil(t, options)
+}
+
+func TestBearerTokenSet(t *testing.T) {
+	t.Parallel()
+
+	options, err := SetConfigOptions("https://example.com", "token", "")
+	assert.NoError(t, err)
+	assert.Len(t, options, 3)
+}
+
+func TestKeyPathSet(t *testing.T) {
+	t.Parallel()
+
+	options, err := SetConfigOptions("https://example.com", "", "key/path")
+	assert.NoError(t, err)
+	assert.Len(t, options, 3)
+}