From 06008a0eac2c2fa99351afb27e8c9e0fdde66e5b Mon Sep 17 00:00:00 2001 From: Travis Holton Date: Mon, 26 Jun 2023 07:12:41 +1200 Subject: [PATCH] Add configuration for keystone webhook * Add components to add keystone webhook to apiserver * Add api arguments for webhook authN/authZ and patch file * Created keystone webhook patch * Add k8s-keystone-auth addon configuration * Pass values as overrides --- .../openstack/k8s-keystone-auth.yaml | 33 ++++++++++++ charts/cluster-addons/values.yaml | 8 +++ .../openstack-cluster/templates/_helpers.tpl | 4 ++ .../templates/cluster-openstack.yaml | 6 +++ .../control-plane/kubeadm-control-plane.yaml | 21 ++++++++ charts/openstack-cluster/values.yaml | 52 +++++++++++++++++++ 6 files changed, 124 insertions(+) create mode 100644 charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml diff --git a/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml new file mode 100644 index 000000000..bc26021c3 --- /dev/null +++ b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml 
@@ -0,0 +1,33 @@ +{{- if and .Values.openstack.enabled .Values.openstack.k8sKeystoneAuth.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config + labels: + {{- include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }} + addons.stackhpc.com/watch: "" +stringData: + overrides: | + {{- toYaml .Values.openstack.k8sKeystoneAuth.values | nindent 4 }} + +--- +apiVersion: addons.stackhpc.com/v1alpha1 +kind: HelmRelease +metadata: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }} + labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }} + annotations: + # Tell Argo to ignore the non-controller owner references for this object + argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true" +spec: + clusterName: {{ include "cluster-addons.clusterName" . }} + bootstrap: true + chart: {{ toYaml .Values.openstack.k8sKeystoneAuth.chart | nindent 4 }} + targetNamespace: {{ .Values.openstack.k8sKeystoneAuth.targetNamespace }} + releaseName: k8s-keystone-auth + valuesSources: + - secret: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config + key: overrides +{{- end }} diff --git a/charts/cluster-addons/values.yaml b/charts/cluster-addons/values.yaml index 818779d44..53acf6102 100644 --- a/charts/cluster-addons/values.yaml +++ b/charts/cluster-addons/values.yaml @@ -118,6 +118,14 @@ openstack: # The allowed topologies for the storage class allowedTopologies: + k8sKeystoneAuth: + enabled: false + targetNamespace: kube-system + chart: + repo: https://helmchart/stable + name: k8s-keystone-auth + version: 0.0.13 + # Settings for the metrics server # https://github.com/kubernetes-sigs/metrics-server#helm-chart metricsServer: 
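Review bot: The Secret's `overrides` entry renders `.Values.openstack.k8sKeystoneAuth.values`, but the `k8sKeystoneAuth` block added to charts/cluster-addons/values.yaml in the next hunk declares no `values` key, so with chart defaults `toYaml` emits `null` rather than an empty mapping as the HelmRelease values source. Add `values: {}` under `k8sKeystoneAuth` in values.yaml (the other addon blocks in that file presumably carry one) so the secret holds `{}` by default. Since this secret is the only place operators will put the webhook's Keystone endpoint and policy settings, a short comment above `overrides:` such as `# Passed unmodified to the k8s-keystone-auth chart as release values` would help the next maintainer.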
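Review bot: `repo: https://helmchart/stable` in the new `k8sKeystoneAuth.chart` block does not look like a resolvable chart repository, so the HelmRelease will fail to fetch `k8s-keystone-auth` 0.0.13 unless every deployment overrides it; pin the repository the chart is actually published from. The block is also the only entry in this section without a heading comment; add one above it in the style of the neighbouring entries, e.g. `# Settings for the Keystone authentication/authorization webhook (k8s-keystone-auth)`, and note that enabling it presumes the cluster's API server was configured with `keystoneAuthWebhook: true` in the openstack-cluster chart.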
diff --git a/charts/openstack-cluster/templates/_helpers.tpl b/charts/openstack-cluster/templates/_helpers.tpl index e8e9a888f..d68633f8a 100644 --- a/charts/openstack-cluster/templates/_helpers.tpl +++ b/charts/openstack-cluster/templates/_helpers.tpl @@ -141,6 +141,7 @@ mirrors and additional packages. */}} {{- define "openstack-cluster.kubeadmConfigSpec" -}} {{- $ctx := index . 0 }} +{{- $keystoneAuthWebhookPreKubeadmCommands := $ctx.Values.keystoneAuthWebhookPreKubeadmCommands }} {{- $registryMirrors := $ctx.Values.registryMirrors }} {{- $additionalPackages := $ctx.Values.additionalPackages }} {{- $trustedCAs := $ctx.Values.trustedCAs }} @@ -213,6 +214,9 @@ preKubeadmCommands: {{- range $preKubeadmCommands }} - {{ . }} {{- end }} + {{- range $keystoneAuthWebhookPreKubeadmCommands }} + - {{ . }} + {{- end }} {{- end }} {{- end }} diff --git a/charts/openstack-cluster/templates/cluster-openstack.yaml b/charts/openstack-cluster/templates/cluster-openstack.yaml index 3c7766b3e..bea29684f 100644 --- a/charts/openstack-cluster/templates/cluster-openstack.yaml +++ b/charts/openstack-cluster/templates/cluster-openstack.yaml @@ -45,6 +45,12 @@ spec: enabled: true {{- if .loadBalancerProvider }} provider: {{ .loadBalancerProvider }} + {{- if .allowedCidrs }} + allowedCidrs: + {{- range .allowedCidrs }} + - {{ . }} + {{- end}} + {{- end }} {{- end }} {{- end }} diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml index ddc9d8c14..18bbac4b8 100644 --- a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml +++ b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml 
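Review bot: The `range $keystoneAuthWebhookPreKubeadmCommands` appended to `preKubeadmCommands` in the second _helpers.tpl hunk is not gated on `keystoneAuthWebhook`, so the `mkdir -p /etc/kubernetes/webhooks` and `/etc/kubernetes/patches` commands from values.yaml run on every node built from this helper (which appears to be shared by worker and control-plane specs) even when the webhook is disabled, while the control-plane template only adds the webhook files and API server arguments inside `{{- if $keystoneAuthWebhook }}`. Wrap the new range in the same condition, `{{- if $ctx.Values.keystoneAuthWebhook }}` … `{{- end }}`, or make the variable assignment in the first hunk conditional. The `openstack-cluster.kubeadmConfigSpec` define starts before the first hunk and continues past the second.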
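Review bot: The new `allowedCidrs` block for the API server load balancer is nested inside `{{- if .loadBalancerProvider }}`, so a user who sets `allowedCidrs` without also naming an explicit `loadBalancerProvider` silently gets no source restriction on the API endpoint. Unless allowed CIDRs are only meaningful with an explicitly chosen provider, move the `{{- if .allowedCidrs }}` block up one level so it sits beside the provider check rather than inside it. The key is not added to charts/openstack-cluster/values.yaml in this patch and the commit message does not mention it; a documented default such as `# Source CIDRs allowed to reach the API server load balancer (empty = unrestricted)` with `allowedCidrs: []` would make the option discoverable. The enclosing `spec:` block starts before the hunk.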
@@ -7,13 +7,23 @@ option of InitConfiguration and specifying a KubeProxyConfiguration. {{- $kubeadmConfigSpec := omit (index . 1) "initConfiguration" + "joinConfiguration" + "clusterConfiguration" "kubeProxyConfiguration" "files" "preKubeadmCommands" }} {{- $initConfiguration := omit (index . 1 | dig "initConfiguration" dict) "skipPhases" }} +{{- $clusterConfiguration := omit (index . 1 | dig "clusterConfiguration" dict) "skipPhases" }} +{{- $joinConfiguration := omit (index . 1 | dig "joinConfiguration" dict) "skipPhases" }} {{- $skipPhases := index . 1 | dig "initConfiguration" "skipPhases" list }} {{- $kubeProxyConfiguration := index . 1 | dig "kubeProxyConfiguration" dict }} +{{- $keystoneAuthWebhook := $ctx.Values.keystoneAuthWebhook }} +{{- if $keystoneAuthWebhook }} +{{- $initConfiguration := mergeOverwrite $initConfiguration $ctx.Values.keystonePatchConfig }} +{{- $clusterConfiguration := mergeOverwrite $clusterConfiguration $ctx.Values.keystoneClusterConfiguration }} +{{- $joinConfiguration := mergeOverwrite $joinConfiguration $ctx.Values.keystonePatchConfig }} +{{- end}} {{- $files := index . 1 | dig "files" list }} {{- $preKubeadmCommands := index . 1 | dig "preKubeadmCommands" list }} 
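Review bot: The three `:=` statements inside `{{- if $keystoneAuthWebhook }}` declare new block-scoped variables that shadow `$initConfiguration`, `$clusterConfiguration` and `$joinConfiguration` instead of assigning to them; the merged values survive past `{{- end}}` only because `mergeOverwrite` mutates its first argument in place, which is fragile and breaks as soon as someone switches to `merge` or a fresh map. Assign instead: `{{- $initConfiguration = mergeOverwrite $initConfiguration $ctx.Values.keystonePatchConfig }}`, `{{- $clusterConfiguration = mergeOverwrite $clusterConfiguration $ctx.Values.keystoneClusterConfiguration }}`, `{{- $joinConfiguration = mergeOverwrite $joinConfiguration $ctx.Values.keystonePatchConfig }}`. `$ctx` is not bound within the hunk and is presumably defined above line 7; the template continues past the hunk. A comment above the `if` noting that `keystoneClusterConfiguration` overwrites any user-supplied `authorization-mode` and webhook flags in `clusterConfiguration.apiServer.extraArgs` would save surprises.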
@@ -24,14 +34,25 @@ option of InitConfiguration and specifying a KubeProxyConfiguration. {{- with $kubeadmConfigSpec }} {{- toYaml . }} {{- end }} +{{- with $clusterConfiguration }} +clusterConfiguration: {{ toYaml $clusterConfiguration | nindent 2 }} +{{- end }} {{- with $initConfiguration }} initConfiguration: {{ toYaml $initConfiguration | nindent 2 }} {{- end }} +{{- with $joinConfiguration }} +joinConfiguration: {{ toYaml $joinConfiguration | nindent 2 }} +{{- end }} {{- if or $files $skipPhases $kubeProxyConfiguration }} files: {{- range $files }} - {{ toYaml . | nindent 4 }} {{- end }} + {{- if $keystoneAuthWebhook }} + {{- range $ctx.Values.keystoneAuthWebhookFiles }} + - {{ toYaml . | nindent 4 }} + {{- end}} + {{- end }} {{- if $skipPhases }} - path: /run/kubeadm/skip-phases.yaml content: | diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml index 8fe9fa189..a144aab2c 100644 --- a/charts/openstack-cluster/values.yaml +++ b/charts/openstack-cluster/values.yaml 
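Review bot: The keystone webhook files are emitted inside `{{- if or $files $skipPhases $kubeProxyConfiguration }}`, so when none of those three are set the `files:` section is skipped entirely and neither `/etc/kubernetes/webhooks/keystone_webhook_config.yaml` nor the kube-apiserver strategic patch is written, even though the `clusterConfiguration` merged in the previous hunk already points the API server's `authentication-token-webhook-config-file` and `authorization-webhook-config-file` at that path, so the control plane would fail to come up. Add the flag to the guard: `{{- if or $files $skipPhases $kubeProxyConfiguration $keystoneAuthWebhook }}`. The `files:` section continues past the end of the hunk.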
@@ -21,6 +21,58 @@ cloudName: openstack # This should match the version of kubelet and kubeadm in the image kubernetesVersion: +keystoneAuthWebhook: false +keystoneAuthWebhookPreKubeadmCommands: + - mkdir -p /etc/kubernetes/webhooks + - mkdir -p /etc/kubernetes/patches +keystonePatchConfig: + patches: + directory: /etc/kubernetes/patches +keystoneClusterConfiguration: + apiServer: + extraArgs: + cloud-provider: external + authorization-mode: Node,Webhook,RBAC + authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml + authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml +keystoneAuthWebhookFiles: + - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml + permissions: "0644" + owner: root:root + content: | + spec: + containers: + - name: kube-apiserver + volumeMounts: + - mountPath: /etc/kubernetes/webhooks + name: kube-webhooks + readOnly: true + volumes: + - hostPath: + path: /etc/kubernetes/webhooks + type: DirectoryOrCreate + name: kube-webhooks + - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml + content: | + --- + apiVersion: v1 + kind: Config + preferences: {} + clusters: + - cluster: + insecure-skip-tls-verify: true + server: https://127.0.0.1:8443/webhook + name: webhook + users: + - name: webhook + contexts: + - context: + cluster: webhook + user: webhook + name: webhook + current-context: webhook + owner: root:root + permissions: "0644" # The name of the image to use for cluster machines machineImage: # OR
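Review bot: The webhook kubeconfig in `keystoneAuthWebhookFiles` sets `insecure-skip-tls-verify: true` for `https://127.0.0.1:8443/webhook`, and `keystoneClusterConfiguration` uses that one file for both `authentication-token-webhook-config-file` and `authorization-webhook-config-file`, so every token validation and authorization decision the API server delegates travels over an unverified TLS connection. Even on loopback that means whatever is able to listen on 8443 on the control-plane host is trusted as the authenticator; prefer carrying the webhook's CA in the kubeconfig (`certificate-authority: /etc/kubernetes/webhooks/<ca-file>` or `certificate-authority-data`), and if verification genuinely must be skipped for bootstrap, say why in a comment above the entry. `authorization-mode: Node,Webhook,RBAC` consults the webhook before RBAC, so a Deny from the Keystone policy wins over an RBAC allow and every non-kubelet request pays a webhook round trip; the ordering is a policy choice worth a one-line comment. The `keystoneAuthWebhook*` keys have no explanatory comments, unlike the surrounding values; a comment per key stating what enabling the webhook changes on the API server would match the file's style.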