From c56928cfeb88e667a9e6a8b14d457ad54581023a Mon Sep 17 00:00:00 2001 From: Travis Holton Date: Fri, 13 Oct 2023 08:09:54 +1300 Subject: [PATCH] Authentication/Authorization webhook integration * Set up webhook for k8s-keystone-auth and other plugins in the future --- charts/cluster-addons/README.md | 15 ++++ .../openstack/k8s-keystone-auth.yaml | 33 +++++++ charts/cluster-addons/values.yaml | 8 ++ charts/openstack-cluster/README.md | 11 +++ .../openstack-cluster/templates/_helpers.tpl | 90 +++++++++++++++++++ .../control-plane/kubeadm-control-plane.yaml | 1 + .../node-group/kubeadm-config-template.yaml | 3 +- charts/openstack-cluster/values.yaml | 5 ++ 8 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml diff --git a/charts/cluster-addons/README.md b/charts/cluster-addons/README.md index aee49f320..4c449658c 100644 --- a/charts/cluster-addons/README.md +++ b/charts/cluster-addons/README.md @@ -163,3 +163,18 @@ By default, Grafana is only available from within the cluster and must be access ```sh kubectl -n monitoring-system port-forward svc/kube-prometheus-stack-grafana 3000:80 ``` + +## Keystone Authentication Webhook + +The [k8s-keystone-auth](https://github.com/heytrav/helm-charts/tree/main/charts/k8s-keystone-auth) +webhook can be installed by enabling the `k8sKeystoneAuth` subchart. Note that you will need to provide +the **auth url** and **project id** for the Openstack tenant where you are deploying your cluster. + +```yaml + k8sKeystoneAuth: + enabled: true + values: + openstackAuthUrl: $OS_AUTH_URL + projectId: $OS_PROJECT_ID + +``` diff --git a/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml new file mode 100644 index 000000000..bc26021c3 --- /dev/null +++ b/charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml 
@@ -0,0 +1,33 @@ +{{- if and .Values.openstack.enabled .Values.openstack.k8sKeystoneAuth.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config + labels: + {{- include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }} + addons.stackhpc.com/watch: "" +stringData: + overrides: | + {{- toYaml .Values.openstack.k8sKeystoneAuth.values | nindent 4 }} + +--- +apiVersion: addons.stackhpc.com/v1alpha1 +kind: HelmRelease +metadata: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }} + labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }} + annotations: + # Tell Argo to ignore the non-controller owner references for this object + argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true" +spec: + clusterName: {{ include "cluster-addons.clusterName" . }} + bootstrap: true + chart: {{ toYaml .Values.openstack.k8sKeystoneAuth.chart | nindent 4 }} + targetNamespace: {{ .Values.openstack.k8sKeystoneAuth.targetNamespace }} + releaseName: k8s-keystone-auth + valuesSources: + - secret: + name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config + key: overrides +{{- end }} diff --git a/charts/cluster-addons/values.yaml b/charts/cluster-addons/values.yaml index 1fab7a6f6..e705f8bd7 100644 --- a/charts/cluster-addons/values.yaml +++ b/charts/cluster-addons/values.yaml @@ -109,6 +109,14 @@ openstack: # The allowed topologies for the storage class allowedTopologies: + k8sKeystoneAuth: + enabled: false + targetNamespace: kube-system + chart: + repo: https://heytrav.github.io/helm-charts + name: k8s-keystone-auth + version: 0.0.8 + # Settings for the metrics server # https://github.com/kubernetes-sigs/metrics-server#helm-chart metricsServer: diff --git a/charts/openstack-cluster/README.md b/charts/openstack-cluster/README.md index 7473e4818..71fecd2ff 100644 
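Review bot: The HelmRelease writes its labels on one line as `labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}`, while the Secret a few lines above puts `labels:` on its own line followed by `{{- include ... | nindent 4 }}`. Because nindent begins with a newline, the one-line form renders `labels:` with a trailing space before the indented map; it parses, but it trips yamllint's trailing-spaces rule and reads differently from the sibling object. Using the Secret's two-line form on the HelmRelease keeps both objects in this file consistent.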
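Review bot: The new `k8sKeystoneAuth` stanza declares `enabled`, `targetNamespace` and `chart` but not the `values` key that the k8s-keystone-auth template serialises with `toYaml .Values.openstack.k8sKeystoneAuth.values` into the config Secret, so enabling the subchart without setting it renders `null` as the overrides; add `values: {}` after `targetNamespace: kube-system` so the key always exists (the README hunk shows `values:` as the place for `openstackAuthUrl` and `projectId`). Separately, the chart is fetched from `https://heytrav.github.io/helm-charts`, a personal GitHub Pages repository, pinned only by `version: 0.0.8`; a comment stating that this repository is outside the project's control would help reviewers, and mirroring the chart into a project-controlled repository would remove the external dependency. `version: 0.0.8` parses as a string only because of the second dot, so quoting it as `"0.0.8"` guards a future `0.1`-style bump against being read as a float.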
--- a/charts/openstack-cluster/README.md +++ b/charts/openstack-cluster/README.md @@ -230,3 +230,14 @@ To deploy clusters which use Ignition such as Flatcar, you will need to override ```yaml osDistro: flatcar ``` + +## Keystone Authentication Webhook + +To deploy with the k8s-keystone-auth webhook enabled, set `authWebhook` +to "k8s-keystone-auth". + +``` +authWebhook: k8s-keystone-auth +``` + +See cluster-addons README for instructions on installing the `k8s-keystone-auth` subchart. diff --git a/charts/openstack-cluster/templates/_helpers.tpl b/charts/openstack-cluster/templates/_helpers.tpl index e7773aa51..6ed98623a 100644 --- a/charts/openstack-cluster/templates/_helpers.tpl +++ b/charts/openstack-cluster/templates/_helpers.tpl 
@@ -319,3 +319,93 @@ ignition: {{- include "openstack-cluster.flatcarKubeadmConfigSpec" $ctx }} {{- end }} {{- end }} + +{{/* +Create folders necessary for webhook integration. +*/}} +{{- define "openstack-cluster.webhookPatches" }} + preKubeadmCommands: + - mkdir -p /etc/kubernetes/webhooks + - mkdir -p /etc/kubernetes/patches +{{- end }} + +{{/* +Supplement kubeadmConfig with apiServer config and webhook patches as needed. Authentication +webhooks and policies for audit logging can be added here. +*/}} +{{- define "openstack-cluster.patchConfigSpec" -}} +{{- $ctx := index . 0 }} +{{- $authWebhook := $ctx.Values.authWebhook }} + clusterConfiguration: + apiServer: + extraArgs: + cloud-provider: external +{{- if $authWebhook }} + authorization-mode: Node,Webhook,RBAC +{{- if eq $authWebhook "k8s-keystone-auth" }} + authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml + authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml +{{/* +Add else if blocks with other webhooks and apiServer arguments (i.e. audit logging) +in future +*/}} +{{- end }} + initConfiguration: + patches: + directory: /etc/kubernetes/patches + joinConfiguration: + patches: + directory: /etc/kubernetes/patches +{{- include "openstack-cluster.webhookPatches" $ctx }} +{{- if eq $authWebhook "k8s-keystone-auth" }} +{{- include "openstack-cluster.k8sKeystoneAuthWebhook" $ctx }} +{{/* +Add else if blocks with other webhooks or policy files in future. 
+*/}} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Produces integration for k8s-keystone-auth webhook on apiserver +*/}} +{{- define "openstack-cluster.k8sKeystoneAuthWebhook" }} + files: + - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml + permissions: "0644" + owner: root:root + content: | + spec: + containers: + - name: kube-apiserver + volumeMounts: + - mountPath: /etc/kubernetes/webhooks + name: kube-webhooks + readOnly: true + volumes: + - hostPath: + path: /etc/kubernetes/webhooks + type: DirectoryOrCreate + name: kube-webhooks + - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml + content: | + --- + apiVersion: v1 + kind: Config + preferences: {} + clusters: + - cluster: + insecure-skip-tls-verify: true + server: https://127.0.0.1:8443/webhook + name: webhook + users: + - name: webhook + contexts: + - context: + cluster: webhook + user: webhook + name: webhook + current-context: webhook + owner: root:root + permissions: "0644" +{{- end }} diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml index e13fe1554..0944f753a 100644 --- a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml +++ b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml @@ -58,6 +58,7 @@ spec: (include "openstack-cluster.controlplane.kubeadmConfigSpec.nodeLabels" . | fromYaml) (include "openstack-cluster.kubeadmConfigSpec" (list . .Values.controlPlane.kubeadmConfigSpec) | fromYaml) (include "openstack-cluster.osDistroKubeadmConfigSpec" (list . ) | fromYaml) + (include "openstack-cluster.patchConfigSpec" (list .) | fromYaml) (include "openstack-cluster.controlplane.kubeadmConfigSpec.kubeProxyConfiguration" (list .Values.controlPlane.kubeadmConfigSpec .Values.osDistro) | fromYaml) | include "openstack-cluster.mergeConcatMany" | fromYaml 
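Review bot: In `openstack-cluster.patchConfigSpec`, `authorization-mode: Node,Webhook,RBAC` is emitted whenever `$authWebhook` is non-empty, but `authorization-webhook-config-file` is only emitted inside the `eq $authWebhook "k8s-keystone-auth"` branch, so any other value (a typo such as `keystone-auth`) produces an apiServer with Webhook mode and no config file, which kube-apiserver rejects at startup. Either move the `authorization-mode` line into the `eq` branch, or add `{{- else }}` / `{{- fail (printf "unsupported authWebhook %q" $authWebhook) }}` before the first `{{- end }}` so the chart fails at render time with a clear message instead. In `openstack-cluster.k8sKeystoneAuthWebhook`, the generated `keystone_webhook_config.yaml` sets `insecure-skip-tls-verify: true`, so the API server accepts any certificate from whatever answers on `127.0.0.1:8443`; if the k8s-keystone-auth chart exposes its serving CA, prefer `certificate-authority-data` here, and otherwise a comment stating that the webhook is trusted on the loopback address without TLS verification would make the trade-off explicit to the next reader.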
diff --git a/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml b/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml index 9ab2b61b0..737168156 100644 --- a/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml +++ b/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml @@ -26,7 +26,8 @@ joinConfiguration: {{ include "openstack-cluster.nodeRegistration.nodeLabels" $n list (include "openstack-cluster.nodegroup.kct.spec.nodeLabels" (list $ctx $nodeGroup) | fromYaml) (include "openstack-cluster.kubeadmConfigSpec" (list $ctx $nodeGroup.kubeadmConfigSpec) | fromYaml) - (omit (include "openstack-cluster.osDistroKubeadmConfigSpec" (list $ctx) | fromYaml) "initConfiguration") | + (omit (include "openstack-cluster.osDistroKubeadmConfigSpec" (list $ctx) | fromYaml) "initConfiguration") + (pick (include "openstack-cluster.patchConfigSpec" (list $ctx ) | fromYaml) "preKubeadmCommands") | include "openstack-cluster.mergeConcatMany" | fromYaml | toYaml diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml index 78fbe7387..fffd91ef2 100644 --- a/charts/openstack-cluster/values.yaml +++ b/charts/openstack-cluster/values.yaml @@ -122,6 +122,11 @@ apiServer: # Set osDistro used. ubuntu, flatcar, etc. osDistro: ubuntu +# +# API server authentication/authorization webhook. Set this to +# integrate into KubeadmControlPlane and KubeadmConfigTemplate +# possible values: k8s-keystone-auth +# authWebhook: k8s-keystone-auth # Settings for the control plane controlPlane:
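Review bot: The worker template renders the whole `openstack-cluster.patchConfigSpec` and keeps only `preKubeadmCommands`, so when `authWebhook` is set every worker runs `mkdir -p /etc/kubernetes/webhooks` and `mkdir -p /etc/kubernetes/patches` while the `joinConfiguration.patches` block that would use those directories is discarded by `pick`; the commands are harmless but dead on workers. If that is intended, a comment beside the `pick` such as `{{/* workers only need preKubeadmCommands; apiServer patches are control-plane only */}}` would stop the next reader from "fixing" it; if not, the new line could simply be dropped so workers are unaffected by `authWebhook`. There is also a stray space in `(list $ctx )`. The `list ... | include "openstack-cluster.mergeConcatMany"` pipeline this line belongs to starts before the hunk.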