Keystone RBAC integration and loadbalancer IP whitelisting

* Document how to setup keystone RBAC * Add IP whitelisting to loadbalancers
azimuth-cloud · Oct 12, 2023 · 32c90d7 · 32c90d7
1 parent b643ff3
commit 32c90d7
Show file tree

Hide file tree

Showing 4 changed files with 127 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -24,3 +24,83 @@ Currently, the following charts are available:
 | --- | --- |
 | [cluster-addons](./charts/cluster-addons) | Deploys addons into a Kubernetes cluster, e.g. CNI. |
 | [openstack-cluster](./charts/openstack-cluster) | Deploys a Kubernetes cluster on an OpenStack cloud. |
+
+
+
+## Keystone Authentication Webhook
+
+Deploy cluster with Keystone RBAC enabled.
+
+Override the following settings in `values.yaml`:
+
+# Restrict loadbalancer access to select IPs
+#  apiServer.allowedCidrs
+#   - 192.168.0.0/16  # needed for cluster to init
+#   - 10.10.0.0/16  # IPv4 Internal Network
+#   - 123.123.123.123 # some other IPs
+controlPlane.kubeadmConfigSpec.initConfiguration:
+  patches:
+    directory: /etc/kubernetes/patches
+controlPlane.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs:
+  cloud-provider: external
+  authorization-mode: Node,Webhook,RBAC
+  authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+  authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+controlPlane.kubeadmConfigSpec.clusterConfiguration.preKubeadmCommands:
+  - mkdir -p /etc/kubernetes/webhooks
+  - mkdir -p /etc/kubernetes/patches
+controlPlane.kubeadmConfigSpec.joinConfiguration:
+  patches:
+    directory: /etc/kubernetes/patches
+controlPlane.kubeadmConfigSpec.files:
+  - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml
+    permissions: "0644"
+    owner: root:root
+    content: |
+      spec:
+        containers:
+        -  name: kube-apiserver
+           volumeMounts:
+           - mountPath: /etc/kubernetes/webhooks
+             name: kube-webhooks
+             readOnly: true
+        volumes:
+        - hostPath:
+            path: /etc/kubernetes/webhooks
+            type: DirectoryOrCreate
+          name: kube-webhooks
+  - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+    content: |
+      ---
+      apiVersion: v1
+      kind: Config
+      preferences: {}
+      clusters:
+        - cluster:
+            insecure-skip-tls-verify: true
+            server: https://127.0.0.1:8443/webhook
+          name: webhook
+      users:
+        - name: webhook
+      contexts:
+        - context:
+            cluster: webhook
+            user: webhook
+          name: webhook
+      current-context: webhook
+    owner: root:root
+    permissions: "0644"
+
+nodeGroupDefaults.kubeadmConfigSpec.preKubeadmCommands:
+  - mkdir -p /etc/kubernetes/webhooks
+  - mkdir -p /etc/kubernetes/patches
+
+
+In `addons.yaml` you will need to configure the k8s-keystone-auth subchart:
+
+    k8sKeystoneAuth:
+      enabled: true
+      chart:
+        repo: https://helm/chart/url
+        name: k8s-keystone-auth
+        version: x.x.x
diff --git a/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml
@@ -0,0 +1,33 @@
+{{- if and .Values.openstack.enabled .Values.openstack.k8sKeystoneAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+  labels:
+    {{- include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+    addons.stackhpc.com/watch: ""
+stringData:
+  overrides: |
+    {{- toYaml .Values.openstack.k8sKeystoneAuth.values | nindent 4 }}
+
+---
+apiVersion: addons.stackhpc.com/v1alpha1
+kind: HelmRelease
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}
+  labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+  annotations:
+    # Tell Argo to ignore the non-controller owner references for this object
+    argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true"
+spec:
+  clusterName: {{ include "cluster-addons.clusterName" . }}
+  bootstrap: true
+  chart: {{ toYaml .Values.openstack.k8sKeystoneAuth.chart | nindent 4 }}
+  targetNamespace: {{ .Values.openstack.k8sKeystoneAuth.targetNamespace }}
+  releaseName: k8s-keystone-auth
+  valuesSources:
+    - secret:
+        name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+        key: overrides
+{{- end }}
diff --git a/charts/cluster-addons/values.yaml b/charts/cluster-addons/values.yaml
@@ -109,6 +109,14 @@ openstack:
       # The allowed topologies for the storage class
       allowedTopologies:
 
+  k8sKeystoneAuth:
+    enabled: false
+    targetNamespace: kube-system
+    chart:
+      repo: https://helmchart/stable
+      name: k8s-keystone-auth
+      version: 0.0.13
+
 # Settings for the metrics server
 # https://github.com/kubernetes-sigs/metrics-server#helm-chart
 metricsServer:

diff --git a/charts/openstack-cluster/templates/cluster-openstack.yaml b/charts/openstack-cluster/templates/cluster-openstack.yaml
@@ -45,6 +45,12 @@ spec:
     enabled: true
   {{- if .loadBalancerProvider }}
     provider: {{ .loadBalancerProvider }}
+    {{- if .allowedCidrs }}
+    allowedCidrs:
+      {{- range .allowedCidrs }}
+      - {{ . }}
+      {{- end}}
+    {{- end }}
   {{- end }}
   {{- end }}