From 7a003d427d5f666caad9358e4839fb1b80ae08d0 Mon Sep 17 00:00:00 2001 From: DEiselt <55788675+DEiselt@users.noreply.github.com> Date: Thu, 23 May 2024 14:42:29 +0200 Subject: [PATCH] Make kube-apiserver oidc flags configurable (#84) * added: make oidc flags configurable Signed-off-by: Danny Eiselt * feat(oidc-config): copy config to all versions; add upstream descriptions Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --------- Signed-off-by: Danny Eiselt Signed-off-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> Co-authored-by: Jan Schoone <6106846+jschoone@users.noreply.github.com> --- .../templates/cluster-class.yaml | 123 ++++++++++++++++++ .../templates/cluster-class.yaml | 123 ++++++++++++++++++ .../templates/cluster-class.yaml | 83 ++++++++++++ .../templates/cluster-class.yaml | 83 ++++++++++++ 4 files changed, 412 insertions(+) diff --git a/providers/openstack/alpha/1-27/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-27/cluster-class/templates/cluster-class.yaml index fdb0ffb2..036eead0 100644 --- a/providers/openstack/alpha/1-27/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-27/cluster-class/templates/cluster-class.yaml 
@@ -158,7 +158,82 @@ spec: default: "" example: "capi-keypair" description: "The ssh key to inject in the nodes." + - name: certSANs + required: false + schema: + openAPIV3Schema: + type: array + default: [] + example: ["mydomain.example"] + description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." + items: + type: string + - name: oidc_config + required: false + schema: + openAPIV3Schema: + type: object + properties: + client_id: + type: string + example: "kubectl" + description: "A client id that all tokens must be issued for." + issuer_url: + type: string + example: "https://dex.k8s.scs.community" + description: "URL of the provider that allows the API server to +discover public signing keys. Only URLs that use the https:// scheme are +accepted. This is typically the provider's discovery URL, changed to have an +empty path" + username_claim: + type: string + example: "preferred_username" + default: "sub" + description: "JWT claim to use as the user name. By default sub, +which is expected to be a unique identifier of the end user. Admins can choose +other claims, such as email or name, depending on their provider. However, +claims other than email will be prefixed with the issuer URL to prevent naming +clashes with other plugins." + groups_claim: + type: string + example: "groups" + default: "groups" + description: "JWT claim to use as the user's group. If the claim +is present it must be an array of strings." + username_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to username claims to prevent +clashes with existing names (such as system: users). For example, the value +oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and +--oidc-username-claim is a value other than email the prefix defaults to ( +Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value +- can be used to disable all prefixing." 
+ groups_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to group claims to prevent clashes +with existing names (such as system: groups). For example, the value oidc: will +create group names like oidc:engineering and oidc:infra." patches: + - name: k8s_version + description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version." + definitions: + - selector: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: OpenStackMachineTemplate + matchResources: + controlPlane: true + machineDeploymentClass: + names: + - {{ .Release.Name }}-{{ .Chart.Version }} + jsonPatches: + - op: replace + path: "/spec/template/spec/image/filter/name" + valueFrom: + template: ubuntu-capi-image-{{ `{{ .builtin.cluster.topology.version }}` }} - name: controller_flavor description: "Sets the openstack instance flavor for the KubeadmControlPlane." enabledIf: {{ `'{{ ne .controller_flavor "" }}'` }} 
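Review bot: The `issuer_url` description in this hunk promises that only `https://` URLs are accepted, but the schema does not enforce it, and nothing makes `client_id` or `issuer_url` mandatory once an `oidc_config` object is supplied, so a half-filled object passes admission and (per the `enabledIf` in the patches hunk below) silently yields a control plane with no OIDC authenticator at all. Add `required: [client_id, issuer_url]` under the `type: object` schema and `pattern: "^https://"` on `issuer_url`, so a misconfiguration is rejected when the Cluster is applied instead of surfacing during the control-plane rollout — kube-apiserver, as far as I recall, refuses to start with a non-https issuer. The multi-line `description` values continue at column 0 (`+discover public signing keys …`, `+- can be used to disable all prefixing."`); a `>-` folded block scalar indented under the key yields the same string and is what yamllint expects. The same schema block is added by the 1-28, 1-29 and 1-30 hunks of this commit.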
@@ -413,3 +488,51 @@ spec: path: "/spec/template/spec/sshKeyName" valueFrom: variable: ssh_key + - name: certSANs + description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." + enabledIf: {{ `"{{ if .certSANs }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs" + valueFrom: + variable: certSANs + - name: oidc_config + description: "Configure API Server to use external authentication service." + enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id" + valueFrom: + variable: oidc_config.client_id + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url" + valueFrom: + variable: oidc_config.issuer_url + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim" + valueFrom: + variable: oidc_config.username_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim" + valueFrom: + variable: oidc_config.groups_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix" + valueFrom: + variable: oidc_config.username_prefix + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix" + valueFrom: + variable: oidc_config.groups_prefix 
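Review bot: The `oidc_config` patch description, `"Configure API Server to use external authentication service."`, leaves out how the issuer is trusted: no `oidc-ca-file` argument is exposed anywhere in this patch set, so — inferring from its absence rather than from a visible line — the issuer's TLS certificate has to chain to whatever the control-plane hosts already trust, and an issuer fronted by a private CA cannot be used. I would extend it to `"Configure API Server to validate OIDC tokens from an external issuer. The issuer's TLS certificate must be trusted by the control-plane nodes; no oidc-ca-file is set."` The `oidc-username-prefix` and `oidc-groups-prefix` ops are applied unconditionally, which is only safe because the variable schema defaults both to `oidc:`; a comment above those two ops, `# relies on the oidc_config schema defaults: without a prefix, claims can collide with system: users/groups`, would keep the coupling visible. The same patch is added by the 1-28, 1-29 and 1-30 hunks.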
diff --git a/providers/openstack/alpha/1-28/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-28/cluster-class/templates/cluster-class.yaml index fdb0ffb2..036eead0 100644 --- a/providers/openstack/alpha/1-28/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-28/cluster-class/templates/cluster-class.yaml 
@@ -158,7 +158,82 @@ spec: default: "" example: "capi-keypair" description: "The ssh key to inject in the nodes." + - name: certSANs + required: false + schema: + openAPIV3Schema: + type: array + default: [] + example: ["mydomain.example"] + description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." + items: + type: string + - name: oidc_config + required: false + schema: + openAPIV3Schema: + type: object + properties: + client_id: + type: string + example: "kubectl" + description: "A client id that all tokens must be issued for." + issuer_url: + type: string + example: "https://dex.k8s.scs.community" + description: "URL of the provider that allows the API server to +discover public signing keys. Only URLs that use the https:// scheme are +accepted. This is typically the provider's discovery URL, changed to have an +empty path" + username_claim: + type: string + example: "preferred_username" + default: "sub" + description: "JWT claim to use as the user name. By default sub, +which is expected to be a unique identifier of the end user. Admins can choose +other claims, such as email or name, depending on their provider. However, +claims other than email will be prefixed with the issuer URL to prevent naming +clashes with other plugins." + groups_claim: + type: string + example: "groups" + default: "groups" + description: "JWT claim to use as the user's group. If the claim +is present it must be an array of strings." + username_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to username claims to prevent +clashes with existing names (such as system: users). For example, the value +oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and +--oidc-username-claim is a value other than email the prefix defaults to ( +Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value +- can be used to disable all prefixing." 
+ groups_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to group claims to prevent clashes +with existing names (such as system: groups). For example, the value oidc: will +create group names like oidc:engineering and oidc:infra." patches: + - name: k8s_version + description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version." + definitions: + - selector: + apiVersion: infrastructure.cluster.x-k8s.io/v1beta1 + kind: OpenStackMachineTemplate + matchResources: + controlPlane: true + machineDeploymentClass: + names: + - {{ .Release.Name }}-{{ .Chart.Version }} + jsonPatches: + - op: replace + path: "/spec/template/spec/image/filter/name" + valueFrom: + template: ubuntu-capi-image-{{ `{{ .builtin.cluster.topology.version }}` }} - name: controller_flavor description: "Sets the openstack instance flavor for the KubeadmControlPlane." enabledIf: {{ `'{{ ne .controller_flavor "" }}'` }} 
@@ -413,3 +488,51 @@ spec: path: "/spec/template/spec/sshKeyName" valueFrom: variable: ssh_key + - name: certSANs + description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." + enabledIf: {{ `"{{ if .certSANs }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs" + valueFrom: + variable: certSANs + - name: oidc_config + description: "Configure API Server to use external authentication service." + enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id" + valueFrom: + variable: oidc_config.client_id + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url" + valueFrom: + variable: oidc_config.issuer_url + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim" + valueFrom: + variable: oidc_config.username_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim" + valueFrom: + variable: oidc_config.groups_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix" + valueFrom: + variable: oidc_config.username_prefix + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix" + valueFrom: + variable: oidc_config.groups_prefix 
diff --git a/providers/openstack/alpha/1-29/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-29/cluster-class/templates/cluster-class.yaml index 5b6ead03..036eead0 100644 --- a/providers/openstack/alpha/1-29/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-29/cluster-class/templates/cluster-class.yaml 
@@ -168,6 +168,55 @@ spec: description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." items: type: string + - name: oidc_config + required: false + schema: + openAPIV3Schema: + type: object + properties: + client_id: + type: string + example: "kubectl" + description: "A client id that all tokens must be issued for." + issuer_url: + type: string + example: "https://dex.k8s.scs.community" + description: "URL of the provider that allows the API server to +discover public signing keys. Only URLs that use the https:// scheme are +accepted. This is typically the provider's discovery URL, changed to have an +empty path" + username_claim: + type: string + example: "preferred_username" + default: "sub" + description: "JWT claim to use as the user name. By default sub, +which is expected to be a unique identifier of the end user. Admins can choose +other claims, such as email or name, depending on their provider. However, +claims other than email will be prefixed with the issuer URL to prevent naming +clashes with other plugins." + groups_claim: + type: string + example: "groups" + default: "groups" + description: "JWT claim to use as the user's group. If the claim +is present it must be an array of strings." + username_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to username claims to prevent +clashes with existing names (such as system: users). For example, the value +oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and +--oidc-username-claim is a value other than email the prefix defaults to ( +Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value +- can be used to disable all prefixing." + groups_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to group claims to prevent clashes +with existing names (such as system: groups). 
For example, the value oidc: will +create group names like oidc:engineering and oidc:infra." patches: - name: k8s_version description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version." @@ -453,3 +502,37 @@ spec: path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs" valueFrom: variable: certSANs + - name: oidc_config + description: "Configure API Server to use external authentication service." + enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id" + valueFrom: + variable: oidc_config.client_id + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url" + valueFrom: + variable: oidc_config.issuer_url + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim" + valueFrom: + variable: oidc_config.username_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim" + valueFrom: + variable: oidc_config.groups_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix" + valueFrom: + variable: oidc_config.username_prefix + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix" + valueFrom: + variable: oidc_config.groups_prefix 
diff --git a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml index 5b6ead03..036eead0 100644 --- a/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml +++ b/providers/openstack/alpha/1-30/cluster-class/templates/cluster-class.yaml 
@@ -168,6 +168,55 @@ spec: description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert." items: type: string + - name: oidc_config + required: false + schema: + openAPIV3Schema: + type: object + properties: + client_id: + type: string + example: "kubectl" + description: "A client id that all tokens must be issued for." + issuer_url: + type: string + example: "https://dex.k8s.scs.community" + description: "URL of the provider that allows the API server to +discover public signing keys. Only URLs that use the https:// scheme are +accepted. This is typically the provider's discovery URL, changed to have an +empty path" + username_claim: + type: string + example: "preferred_username" + default: "sub" + description: "JWT claim to use as the user name. By default sub, +which is expected to be a unique identifier of the end user. Admins can choose +other claims, such as email or name, depending on their provider. However, +claims other than email will be prefixed with the issuer URL to prevent naming +clashes with other plugins." + groups_claim: + type: string + example: "groups" + default: "groups" + description: "JWT claim to use as the user's group. If the claim +is present it must be an array of strings." + username_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to username claims to prevent +clashes with existing names (such as system: users). For example, the value +oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and +--oidc-username-claim is a value other than email the prefix defaults to ( +Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value +- can be used to disable all prefixing." + groups_prefix: + type: string + example: "oidc:" + default: "oidc:" + description: "Prefix prepended to group claims to prevent clashes +with existing names (such as system: groups). 
For example, the value oidc: will +create group names like oidc:engineering and oidc:infra." patches: - name: k8s_version description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version." @@ -453,3 +502,37 @@ spec: path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs" valueFrom: variable: certSANs + - name: oidc_config + description: "Configure API Server to use external authentication service." + enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }} + definitions: + - selector: + apiVersion: controlplane.cluster.x-k8s.io/v1beta1 + kind: KubeadmControlPlaneTemplate + matchResources: + controlPlane: true + jsonPatches: + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id" + valueFrom: + variable: oidc_config.client_id + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url" + valueFrom: + variable: oidc_config.issuer_url + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim" + valueFrom: + variable: oidc_config.username_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim" + valueFrom: + variable: oidc_config.groups_claim + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix" + valueFrom: + variable: oidc_config.username_prefix + - op: add + path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix" + valueFrom: + variable: oidc_config.groups_prefix