Add configuration for keystone webhook

* Add components to add keystone webhook to apiserver * Add api arguments for webhook authN/authZ and patch file * Created keystone webhook patch * Add k8s-keystone-auth addon configuration * Pass values as overrides
azimuth-cloud · Oct 1, 2023 · 06008a0 · 06008a0
1 parent 5996f85
commit 06008a0
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 0 deletions.
diff --git a/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.openstack.enabled .Values.openstack.k8sKeystoneAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+  labels:
+    {{- include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+    addons.stackhpc.com/watch: ""
+stringData:
+  overrides: |
+    {{- toYaml .Values.openstack.k8sKeystoneAuth.values | nindent 4 }}
+
+---
+apiVersion: addons.stackhpc.com/v1alpha1
+kind: HelmRelease
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}
+  labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+  annotations:
+    # Tell Argo to ignore the non-controller owner references for this object
+    argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true"
+spec:
+  clusterName: {{ include "cluster-addons.clusterName" . }}
+  bootstrap: true
+  chart: {{ toYaml .Values.openstack.k8sKeystoneAuth.chart | nindent 4 }}
+  targetNamespace: {{ .Values.openstack.k8sKeystoneAuth.targetNamespace }}
+  releaseName: k8s-keystone-auth
+  valuesSources:
+    - secret:
+        name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+        key: overrides
+{{- end }}
diff --git a/charts/cluster-addons/values.yaml b/charts/cluster-addons/values.yaml
@@ -118,6 +118,14 @@ openstack:
       # The allowed topologies for the storage class
       allowedTopologies:
 
+  k8sKeystoneAuth:
+    enabled: false
+    targetNamespace: kube-system
+    chart:
+      repo: https://helmchart/stable
+      name: k8s-keystone-auth
+      version: 0.0.13
+
 # Settings for the metrics server
 # https://github.com/kubernetes-sigs/metrics-server#helm-chart
 metricsServer:

diff --git a/charts/openstack-cluster/templates/_helpers.tpl b/charts/openstack-cluster/templates/_helpers.tpl
@@ -141,6 +141,7 @@ mirrors and additional packages.
 */}}
 {{- define "openstack-cluster.kubeadmConfigSpec" -}}
 {{- $ctx := index . 0 }}
+{{- $keystoneAuthWebhookPreKubeadmCommands := $ctx.Values.keystoneAuthWebhookPreKubeadmCommands }}
 {{- $registryMirrors := $ctx.Values.registryMirrors }}
 {{- $additionalPackages := $ctx.Values.additionalPackages }}
 {{- $trustedCAs := $ctx.Values.trustedCAs }}
@@ -213,6 +214,9 @@ preKubeadmCommands:
   {{- range $preKubeadmCommands }}
   - {{ . }}
   {{- end }}
+  {{- range $keystoneAuthWebhookPreKubeadmCommands }}
+  - {{ . }}
+  {{- end }}
 {{- end }}
 {{- end }}
 

diff --git a/charts/openstack-cluster/templates/cluster-openstack.yaml b/charts/openstack-cluster/templates/cluster-openstack.yaml
@@ -45,6 +45,12 @@ spec:
     enabled: true
   {{- if .loadBalancerProvider }}
     provider: {{ .loadBalancerProvider }}
+    {{- if .allowedCidrs }}
+    allowedCidrs:
+      {{- range .allowedCidrs }}
+      - {{ . }}
+      {{- end}}
+    {{- end }}
   {{- end }}
   {{- end }}
 

diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
@@ -7,13 +7,23 @@ option of InitConfiguration and specifying a KubeProxyConfiguration.
 {{- $kubeadmConfigSpec := omit
   (index . 1)
   "initConfiguration"
+  "joinConfiguration"
+  "clusterConfiguration"
   "kubeProxyConfiguration"
   "files"
   "preKubeadmCommands"
 }}
 {{- $initConfiguration := omit (index . 1 | dig "initConfiguration" dict) "skipPhases" }}
+{{- $clusterConfiguration := omit (index . 1 | dig "clusterConfiguration" dict) "skipPhases" }}
+{{- $joinConfiguration := omit (index . 1 | dig "joinConfiguration" dict) "skipPhases" }}
 {{- $skipPhases := index . 1 | dig "initConfiguration" "skipPhases" list }}
 {{- $kubeProxyConfiguration := index . 1 | dig "kubeProxyConfiguration" dict }}
+{{- $keystoneAuthWebhook := $ctx.Values.keystoneAuthWebhook }}
+{{- if $keystoneAuthWebhook }}
+{{- $initConfiguration := mergeOverwrite $initConfiguration $ctx.Values.keystonePatchConfig }}
+{{- $clusterConfiguration := mergeOverwrite $clusterConfiguration $ctx.Values.keystoneClusterConfiguration }}
+{{- $joinConfiguration := mergeOverwrite $joinConfiguration $ctx.Values.keystonePatchConfig }}
+{{- end}}
 {{- $files := index . 1 | dig "files" list }}
 {{- $preKubeadmCommands := index . 1 | dig "preKubeadmCommands" list }}
 
@@ -24,14 +34,25 @@ option of InitConfiguration and specifying a KubeProxyConfiguration.
 {{- with $kubeadmConfigSpec }}
 {{- toYaml . }}
 {{- end }}
+{{- with $clusterConfiguration }}
+clusterConfiguration: {{ toYaml $clusterConfiguration | nindent 2 }}
+{{- end }}
 {{- with $initConfiguration }}
 initConfiguration: {{ toYaml $initConfiguration | nindent 2 }}
 {{- end }}
+{{- with $joinConfiguration }}
+joinConfiguration: {{ toYaml $joinConfiguration | nindent 2 }}
+{{- end }}
 {{- if or $files $skipPhases $kubeProxyConfiguration }}
 files:
   {{- range $files }}
   - {{ toYaml . | nindent 4 }}
   {{- end }}
+  {{- if $keystoneAuthWebhook }}
+  {{- range $ctx.Values.keystoneAuthWebhookFiles }}
+  - {{ toYaml . | nindent 4 }}
+  {{- end}}
+  {{- end }}
   {{- if $skipPhases }}
   - path: /run/kubeadm/skip-phases.yaml
     content: |

diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml
@@ -21,6 +21,58 @@ cloudName: openstack
 # This should match the version of kubelet and kubeadm in the image
 kubernetesVersion:
 
+keystoneAuthWebhook: false
+keystoneAuthWebhookPreKubeadmCommands:
+  - mkdir -p /etc/kubernetes/webhooks
+  - mkdir -p /etc/kubernetes/patches
+keystonePatchConfig:
+  patches:
+    directory: /etc/kubernetes/patches
+keystoneClusterConfiguration:
+  apiServer:
+    extraArgs:
+      cloud-provider: external
+      authorization-mode: Node,Webhook,RBAC
+      authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+      authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+keystoneAuthWebhookFiles:
+  - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml
+    permissions: "0644"
+    owner: root:root
+    content: |
+      spec:
+        containers:
+        -  name: kube-apiserver
+           volumeMounts:
+           - mountPath: /etc/kubernetes/webhooks
+             name: kube-webhooks
+             readOnly: true
+        volumes:
+        - hostPath:
+            path: /etc/kubernetes/webhooks
+            type: DirectoryOrCreate
+          name: kube-webhooks
+  - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+    content: |
+      ---
+      apiVersion: v1
+      kind: Config
+      preferences: {}
+      clusters:
+        - cluster:
+            insecure-skip-tls-verify: true
+            server: https://127.0.0.1:8443/webhook
+          name: webhook
+      users:
+        - name: webhook
+      contexts:
+        - context:
+            cluster: webhook
+            user: webhook
+          name: webhook
+      current-context: webhook
+    owner: root:root
+    permissions: "0644"
 # The name of the image to use for cluster machines
 machineImage:
 # OR