Make kube-apiserver oidc flags configurable (#84)

* added: make oidc flags configurable

Signed-off-by: Danny Eiselt <[email protected]>

* feat(oidc-config): copy config to all versions; add upstream descriptions

Signed-off-by: Jan Schoone <[email protected]>

---------

Signed-off-by: Danny Eiselt <[email protected]>
Signed-off-by: Jan Schoone <[email protected]>
Co-authored-by: Jan Schoone <[email protected]>

Author: DEiselt

providers/openstack/alpha/1-27/cluster-class/templates/cluster-class.yaml

@@ -158,7 +158,82 @@ spec:
          default: ""
          example: "capi-keypair"
          description: "The ssh key to inject in the nodes."
+   - name: certSANs
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: array
+         default: []
+         example: ["mydomain.example"]
+         description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
+         items:
+           type: string
+   - name: oidc_config
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: object
+         properties:
+           client_id:
+             type: string
+             example: "kubectl"
+             description: "A client id that all tokens must be issued for."
+           issuer_url:
+             type: string
+             example: "https://dex.k8s.scs.community"
+             description: "URL of the provider that allows the API server to
+discover public signing keys. Only URLs that use the https:// scheme are
+accepted. This is typically the provider's discovery URL, changed to have an
+empty path"
+           username_claim:
+             type: string
+             example: "preferred_username"
+             default: "sub"
+             description: "JWT claim to use as the user name. By default sub,
+which is expected to be a unique identifier of the end user. Admins can choose
+other claims, such as email or name, depending on their provider. However,
+claims other than email will be prefixed with the issuer URL to prevent naming
+clashes with other plugins."
+           groups_claim:
+             type: string
+             example: "groups"
+             default: "groups"
+             description: "JWT claim to use as the user's group. If the claim
+is present it must be an array of strings."
+           username_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to username claims to prevent
+clashes with existing names (such as system: users). For example, the value
+oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and
+--oidc-username-claim is a value other than email the prefix defaults to (
+Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value
+- can be used to disable all prefixing."
+           groups_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to group claims to prevent clashes
+with existing names (such as system: groups). For example, the value oidc: will
+create group names like oidc:engineering and oidc:infra."
   patches:
+    - name: k8s_version
+      description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version."
+      definitions:
+        - selector:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+            kind: OpenStackMachineTemplate
+            matchResources:
+              controlPlane: true
+              machineDeploymentClass:
+                names:
+                  - {{ .Release.Name }}-{{ .Chart.Version }}
+          jsonPatches:
+          - op: replace
+            path: "/spec/template/spec/image/filter/name"
+            valueFrom:
+              template: ubuntu-capi-image-{{ `{{ .builtin.cluster.topology.version }}` }}
     - name: controller_flavor
       description: "Sets the openstack instance flavor for the KubeadmControlPlane."
       enabledIf: {{ `'{{ ne .controller_flavor "" }}'` }}
@@ -413,3 +488,51 @@ spec:
             path: "/spec/template/spec/sshKeyName"
             valueFrom:
               variable: ssh_key
+    - name: certSANs
+      description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
+      enabledIf: {{ `"{{ if .certSANs }}true{{end}}"` }}
+      definitions:
+        - selector:
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
+            matchResources:
+              controlPlane: true
+          jsonPatches:
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
+            valueFrom:
+              variable: certSANs
+    - name: oidc_config
+      description: "Configure API Server to use external authentication service."
+      enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }}
+      definitions:
+        - selector:
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
+            matchResources:
+              controlPlane: true
+          jsonPatches:
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id"
+            valueFrom:
+              variable: oidc_config.client_id
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url"
+            valueFrom:
+              variable: oidc_config.issuer_url
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim"
+            valueFrom:
+              variable: oidc_config.username_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim"
+            valueFrom:
+              variable: oidc_config.groups_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix"
+            valueFrom:
+              variable: oidc_config.username_prefix
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix"
+            valueFrom:
+              variable: oidc_config.groups_prefix

providers/openstack/alpha/1-28/cluster-class/templates/cluster-class.yaml

@@ -158,7 +158,82 @@ spec:
          default: ""
          example: "capi-keypair"
          description: "The ssh key to inject in the nodes."
+   - name: certSANs
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: array
+         default: []
+         example: ["mydomain.example"]
+         description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
+         items:
+           type: string
+   - name: oidc_config
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: object
+         properties:
+           client_id:
+             type: string
+             example: "kubectl"
+             description: "A client id that all tokens must be issued for."
+           issuer_url:
+             type: string
+             example: "https://dex.k8s.scs.community"
+             description: "URL of the provider that allows the API server to
+discover public signing keys. Only URLs that use the https:// scheme are
+accepted. This is typically the provider's discovery URL, changed to have an
+empty path"
+           username_claim:
+             type: string
+             example: "preferred_username"
+             default: "sub"
+             description: "JWT claim to use as the user name. By default sub,
+which is expected to be a unique identifier of the end user. Admins can choose
+other claims, such as email or name, depending on their provider. However,
+claims other than email will be prefixed with the issuer URL to prevent naming
+clashes with other plugins."
+           groups_claim:
+             type: string
+             example: "groups"
+             default: "groups"
+             description: "JWT claim to use as the user's group. If the claim
+is present it must be an array of strings."
+           username_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to username claims to prevent
+clashes with existing names (such as system: users). For example, the value
+oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and
+--oidc-username-claim is a value other than email the prefix defaults to (
+Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value
+- can be used to disable all prefixing."
+           groups_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to group claims to prevent clashes
+with existing names (such as system: groups). For example, the value oidc: will
+create group names like oidc:engineering and oidc:infra."
   patches:
+    - name: k8s_version
+      description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version."
+      definitions:
+        - selector:
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
+            kind: OpenStackMachineTemplate
+            matchResources:
+              controlPlane: true
+              machineDeploymentClass:
+                names:
+                  - {{ .Release.Name }}-{{ .Chart.Version }}
+          jsonPatches:
+          - op: replace
+            path: "/spec/template/spec/image/filter/name"
+            valueFrom:
+              template: ubuntu-capi-image-{{ `{{ .builtin.cluster.topology.version }}` }}
     - name: controller_flavor
       description: "Sets the openstack instance flavor for the KubeadmControlPlane."
       enabledIf: {{ `'{{ ne .controller_flavor "" }}'` }}
@@ -413,3 +488,51 @@ spec:
             path: "/spec/template/spec/sshKeyName"
             valueFrom:
               variable: ssh_key
+    - name: certSANs
+      description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
+      enabledIf: {{ `"{{ if .certSANs }}true{{end}}"` }}
+      definitions:
+        - selector:
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
+            matchResources:
+              controlPlane: true
+          jsonPatches:
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
+            valueFrom:
+              variable: certSANs
+    - name: oidc_config
+      description: "Configure API Server to use external authentication service."
+      enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }}
+      definitions:
+        - selector:
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
+            matchResources:
+              controlPlane: true
+          jsonPatches:
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id"
+            valueFrom:
+              variable: oidc_config.client_id
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url"
+            valueFrom:
+              variable: oidc_config.issuer_url
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim"
+            valueFrom:
+              variable: oidc_config.username_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim"
+            valueFrom:
+              variable: oidc_config.groups_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix"
+            valueFrom:
+              variable: oidc_config.username_prefix
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix"
+            valueFrom:
+              variable: oidc_config.groups_prefix

providers/openstack/alpha/1-29/cluster-class/templates/cluster-class.yaml

@@ -168,6 +168,55 @@ spec:
          description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
          items:
            type: string
+   - name: oidc_config
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: object
+         properties:
+           client_id:
+             type: string
+             example: "kubectl"
+             description: "A client id that all tokens must be issued for."
+           issuer_url:
+             type: string
+             example: "https://dex.k8s.scs.community"
+             description: "URL of the provider that allows the API server to
+discover public signing keys. Only URLs that use the https:// scheme are
+accepted. This is typically the provider's discovery URL, changed to have an
+empty path"
+           username_claim:
+             type: string
+             example: "preferred_username"
+             default: "sub"
+             description: "JWT claim to use as the user name. By default sub,
+which is expected to be a unique identifier of the end user. Admins can choose
+other claims, such as email or name, depending on their provider. However,
+claims other than email will be prefixed with the issuer URL to prevent naming
+clashes with other plugins."
+           groups_claim:
+             type: string
+             example: "groups"
+             default: "groups"
+             description: "JWT claim to use as the user's group. If the claim
+is present it must be an array of strings."
+           username_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to username claims to prevent
+clashes with existing names (such as system: users). For example, the value
+oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and
+--oidc-username-claim is a value other than email the prefix defaults to (
+Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value
+- can be used to disable all prefixing."
+           groups_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to group claims to prevent clashes
+with existing names (such as system: groups). For example, the value oidc: will
+create group names like oidc:engineering and oidc:infra."
   patches:
     - name: k8s_version
       description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version."
@@ -453,3 +502,37 @@ spec:
             path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
             valueFrom:
               variable: certSANs
+    - name: oidc_config
+      description: "Configure API Server to use external authentication service."
+      enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }}
+      definitions:
+        - selector:
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
+            matchResources:
+              controlPlane: true
+          jsonPatches:
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id"
+            valueFrom:
+              variable: oidc_config.client_id
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url"
+            valueFrom:
+              variable: oidc_config.issuer_url
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim"
+            valueFrom:
+              variable: oidc_config.username_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim"
+            valueFrom:
+              variable: oidc_config.groups_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix"
+            valueFrom:
+              variable: oidc_config.username_prefix
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix"
+            valueFrom:
+              variable: oidc_config.groups_prefix