Keystone and general webhook integration

* Separate webhook config that could be used for other things * k8s-keystone-auth setup
azimuth-cloud · Oct 25, 2023 · d1fb9a2 · d1fb9a2
1 parent 8570c39
commit d1fb9a2
Show file tree

Hide file tree

Showing 6 changed files with 93 additions and 63 deletions.
diff --git a/charts/cluster-addons/values.yaml b/charts/cluster-addons/values.yaml
@@ -115,7 +115,7 @@ openstack:
     chart:
       repo: https://heytrav.github.io/helm-charts
       name: k8s-keystone-auth
-      version: 0.0.3
+      version: 0.0.4
 
 # Settings for the metrics server
 # https://github.com/kubernetes-sigs/metrics-server#helm-chart

diff --git a/charts/openstack-cluster/README.md b/charts/openstack-cluster/README.md
@@ -225,66 +225,13 @@ kubectl --kubeconfig=./kubeconfig.my-cluster get po -A
 
 ## Keystone Authentication Webhook
 
-Deploy cluster with Keystone RBAC enabled.
-
-Override the following settings in `values.yaml`:
-
-controlPlane.kubeadmConfigSpec.initConfiguration:
-  patches:
-    directory: /etc/kubernetes/patches
-controlPlane.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs:
-  cloud-provider: external
-  authorization-mode: Node,Webhook,RBAC
-  authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
-  authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
-controlPlane.kubeadmConfigSpec.clusterConfiguration.preKubeadmCommands:
-  - mkdir -p /etc/kubernetes/webhooks
-  - mkdir -p /etc/kubernetes/patches
-controlPlane.kubeadmConfigSpec.joinConfiguration:
-  patches:
-    directory: /etc/kubernetes/patches
-controlPlane.kubeadmConfigSpec.files:
-  - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml
-    permissions: "0644"
-    owner: root:root
-    content: |
-      spec:
-        containers:
-        -  name: kube-apiserver
-           volumeMounts:
-           - mountPath: /etc/kubernetes/webhooks
-             name: kube-webhooks
-             readOnly: true
-        volumes:
-        - hostPath:
-            path: /etc/kubernetes/webhooks
-            type: DirectoryOrCreate
-          name: kube-webhooks
-  - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
-    content: |
-      ---
-      apiVersion: v1
-      kind: Config
-      preferences: {}
-      clusters:
-        - cluster:
-            insecure-skip-tls-verify: true
-            server: https://127.0.0.1:8443/webhook
-          name: webhook
-      users:
-        - name: webhook
-      contexts:
-        - context:
-            cluster: webhook
-            user: webhook
-          name: webhook
-      current-context: webhook
-    owner: root:root
-    permissions: "0644"
-
-nodeGroupDefaults.kubeadmConfigSpec.preKubeadmCommands:
-  - mkdir -p /etc/kubernetes/webhooks
-  - mkdir -p /etc/kubernetes/patches
+To deploy with the k8s-keystone-auth webhook enabled, add "k8s-keystone-auth"
+to the set of `webhookApis`.
+
+```
+webhookApis: 
+  - k8s-keystone-auth
+```
 
 In `addons.yaml` you will need to configure the k8s-keystone-auth subchart:
 

diff --git a/charts/openstack-cluster/templates/_helpers.tpl b/charts/openstack-cluster/templates/_helpers.tpl
@@ -275,3 +275,79 @@ Produces the spec for a KubeadmConfig object.
   include "openstack-cluster.mergeConcatMany"
 }}
 {{- end }}
+
+{{- define "openstack-cluster.webhookPatches" }}
+  preKubeadmCommands:
+    - mkdir -p /etc/kubernetes/webhooks
+    - mkdir -p /etc/kubernetes/patches
+{{- end }}
+
+{{/*
+Produces the spec for webhook integration.
+*/}}
+{{- define "openstack-cluster.webhookApiConfigs" -}}
+{{- $ctx := index . 0 }}
+{{- $webhookApis := $ctx.Values.webhookApis }}
+{{- if $webhookApis }}
+  initConfiguration:
+    patches:
+      directory: /etc/kubernetes/patches
+  joinConfiguration:
+    patches:
+      directory: /etc/kubernetes/patches
+{{- include "openstack-cluster.webhookPatches" $ctx }}
+{{- if has "k8s-keystone-auth" $webhookApis }}
+{{- include "openstack-cluster.k8sKeystoneAuthWebhook" $ctx }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Produces integration for k8s-keystone-auth webhook on apiserver
+*/}}
+{{- define "openstack-cluster.k8sKeystoneAuthWebhook" }}
+  clusterConfiguration:
+    apiServer:
+      extraArgs:
+        authorization-mode: Node, Webhook, RBAC
+        authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+        authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+  files:
+    - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml
+      permissions: "0644"
+      owner: root:root
+      content: |
+        spec:
+          containers:
+          -  name: kube-apiserver
+             volumeMounts:
+             - mountPath: /etc/kubernetes/webhooks
+               name: kube-webhooks
+               readOnly: true
+          volumes:
+          - hostPath:
+              path: /etc/kubernetes/webhooks
+              type: DirectoryOrCreate
+            name: kube-webhooks
+    - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+      content: |
+        ---
+        apiVersion: v1
+        kind: Config
+        preferences: {}
+        clusters:
+          - cluster:
+              insecure-skip-tls-verify: true
+              server: https://127.0.0.1:8443/webhook
+            name: webhook
+        users:
+          - name: webhook
+        contexts:
+          - context:
+              cluster: webhook
+              user: webhook
+            name: webhook
+        current-context: webhook
+      owner: root:root
+      permissions: "0644"
+{{- end }}
diff --git a/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml b/charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml
@@ -53,6 +53,7 @@ spec:
         list
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.nodeLabels" . | fromYaml)
           (include "openstack-cluster.kubeadmConfigSpec" (list . .Values.controlPlane.kubeadmConfigSpec) | fromYaml)
+          (include "openstack-cluster.webhookApiConfigs"  (list .) | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.kubeProxyConfiguration" .Values.controlPlane.kubeadmConfigSpec | fromYaml) |
         include "openstack-cluster.mergeConcatMany" |
         fromYaml

diff --git a/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml b/charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml
@@ -25,8 +25,9 @@ joinConfiguration: {{ include "openstack-cluster.nodeRegistration.nodeLabels" $n
 {{-
   list
     (include "openstack-cluster.nodegroup.kct.spec.nodeLabels" (list $ctx $nodeGroup) | fromYaml)
-    (include "openstack-cluster.kubeadmConfigSpec" (list $ctx $nodeGroup.kubeadmConfigSpec) | fromYaml) |
-  include "openstack-cluster.mergeConcat" |
+    (include "openstack-cluster.kubeadmConfigSpec" (list $ctx $nodeGroup.kubeadmConfigSpec) | fromYaml) 
+    (include "openstack-cluster.webhookPatches" (list $ctx ) | fromYaml) |
+  include "openstack-cluster.mergeConcatMany" |
   fromYaml |
   toYaml
 }}

diff --git a/charts/openstack-cluster/values.yaml b/charts/openstack-cluster/values.yaml
@@ -119,6 +119,11 @@ apiServer:
   # The port to use for the API server
   port: 6443
 
+# API server generic webhook range. Add webhook names to this array to 
+# integrate into KubeadmControlPlane and KubeadmConfigTemplate
+webhookApis: []
+ # - k8s-keystone-auth
+
 # Settings for the control plane
 controlPlane:
   # The failure domains to use for control plane nodes