salt: Allow to configure OIDC for api-server
alexandre-allard authored and TeddyAndrieux committed Feb 24, 2022
1 parent 653132a commit 9b16460
Showing 3 changed files with 51 additions and 6 deletions.
16 changes: 16 additions & 0 deletions docs/installation/bootstrap.rst
Expand Up @@ -78,6 +78,7 @@ Configuration
enabled: True
kubernetes:
apiServer:
oidc: {}
featureGates:
<feature_gate_name>: True
controllerManager:
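Review bot: the new `oidc: {}` line in the sample configuration needs a short comment saying what an empty mapping means; in the formula change of this same commit an empty mapping is falsy, so the Dex defaults apply, but a reader of this example alone cannot tell whether `{}` disables OIDC or selects the built-in provider. Suggest `oidc: {}  # empty: use Dex when it is enabled` or a pointer to the paragraph this commit adds later in the file.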
Expand Down Expand Up @@ -207,6 +208,20 @@ defaults kubernetes configuration.
configure the corresponding entries in the
``kubernetes.apiServer.featureGates`` mapping.

If ``dex`` is enabled, it will be used as ``oidc`` for ``kube-apiserver``
but you can use a `specific OpenID for kube-apiserver`_, to do so:

.. code-block:: yaml
kubernetes:
apiServer:
oidc:
issuerURL: <OIDC issuer URL>
clientID: <Client ID>
CAFile: <Certificate Authority certificate file>
usernameClaim: <Username Claim>
groupsClaim: <Groups Claim>
If you want to override the default ``coreDNS`` podAntiAffinity or number of
replicas, by default MetalK8s deploy 2 replicas and use soft podAntiAffinity
on hostname so that if it's possible ``coreDNS`` pods will be spread on
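Review bot: the `.. code-block:: yaml` example runs straight into the following paragraph ("If you want to override the default ``coreDNS`` ...") with no blank line after `groupsClaim: <Groups Claim>`; reStructuredText needs a blank line to close the indented block, otherwise Sphinx reports "Literal block ends without a blank line" and the paragraph may be swallowed into the example. The paragraph should also state two things the formula change makes true: the `oidc:` prefix for usernames and groups is not part of this mapping and stays hardcoded, so RBAC subjects for an external provider must still be written as `oidc:<username>` and `oidc:<group>`; and `CAFile` is a path read from inside the kube-apiserver Pod, not an arbitrary host path. Minor wording: "it will be used as ``oidc`` for ``kube-apiserver``" reads better as "it is used as the OIDC provider for ``kube-apiserver``".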
Expand All @@ -230,6 +245,7 @@ defaults kubernetes configuration.
disabled (default to ``500``)

.. _Feature Gates: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
.. _specific OpenID for kube-apiserver: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens

.. _Bootstrap SSH Provisioning:

25 changes: 19 additions & 6 deletions salt/metalk8s/kubernetes/apiserver/installed.sls
Expand Up @@ -34,6 +34,19 @@ include:
{%- do feature_gates.append(feature ~ "=" ~ value) %}
{%- endfor %}
{%- set oidc_config = {} %}
{%- if pillar.kubernetes.get("apiServer", {}).get("oidc") %}
{%- do oidc_config.update(pillar.kubernetes.apiServer.oidc) %}
{%- elif pillar.addons.dex.enabled %}
{%- do oidc_config.update({
"issuerURL": salt.metalk8s_network.get_control_plane_ingress_endpoint() ~ "/oidc",
"clientID": "oidc-auth-client",
"CAFile": "/etc/metalk8s/pki/nginx-ingress/ca.crt",
"usernameClaim": "email",
"groupsClaim": "groups",
}) %}
{%- endif %}
Create kube-apiserver Pod manifest:
metalk8s.static_pod_managed:
- name: /etc/kubernetes/manifests/kube-apiserver.yaml
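Review bot: the `{%- if pillar.kubernetes.get("apiServer", {}).get("oidc") %}` branch copies the user mapping verbatim without checking that `issuerURL`, `clientID`, `CAFile`, `usernameClaim` and `groupsClaim` are all present, while the flag block later in this file renders every one of them; a mapping that only sets `issuerURL` and `clientID` therefore produces `--oidc-ca-file=` and `--oidc-username-claim=` with empty values, which is not surfaced until kube-apiserver starts (and an empty CA file means the issuer's TLS certificate is checked against the container's system trust store instead of a pinned CA). Suggest failing at render time for the keys that have no sensible default, e.g. `{%- for key in ["issuerURL", "clientID"] %}{%- if key not in oidc_config %}{{ raise("kubernetes.apiServer.oidc." ~ key ~ " is required") }}{%- endif %}{%- endfor %}`, and filling the others with the kube-apiserver defaults (`usernameClaim: sub`) before rendering.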
Expand Down Expand Up @@ -96,12 +109,12 @@ Create kube-apiserver Pod manifest:
- --bind-address={{ host }}
- --encryption-provider-config={{ encryption_k8s_path }}
- --cors-allowed-origins=.*
{%- if pillar.addons.dex.enabled %}
- --oidc-issuer-url={{ salt.metalk8s_network.get_control_plane_ingress_endpoint() }}/oidc
- --oidc-client-id=oidc-auth-client
- --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
- --oidc-username-claim=email
- --oidc-groups-claim=groups
{%- if oidc_config %}
- --oidc-issuer-url={{ oidc_config.issuerURL }}
- --oidc-client-id={{ oidc_config.clientID }}
- --oidc-ca-file={{ oidc_config.CAFile }}
- --oidc-username-claim={{ oidc_config.usernameClaim }}
- --oidc-groups-claim={{ oidc_config.groupsClaim }}
- '"--oidc-username-prefix=oidc:"'
- '"--oidc-groups-prefix=oidc:"'
{%- endif %}
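Review bot: now that `oidc_config` can come from the pillar, `--oidc-ca-file={{ oidc_config.CAFile }}` names a path that is read inside the kube-apiserver container, not on the host; the Dex default under `/etc/metalk8s/pki/` is covered by the mounts the static Pod already has, but an arbitrary `CAFile` from the pillar will only be readable if it sits under a mounted directory. Either document that restriction next to the option or mount the configured file explicitly in the manifest. Separately, `'"--oidc-username-prefix=oidc:"'` and `'"--oidc-groups-prefix=oidc:"'` stay fixed for both the Dex and the external case, which is the right default (it keeps external identities from colliding with `system:` users and groups) but deserves a one-line comment, since they are now the only OIDC flags not driven by the mapping.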
16 changes: 16 additions & 0 deletions salt/tests/unit/formulas/config.yaml
Expand Up @@ -185,6 +185,22 @@ metalk8s:
HTTPS_PROXY: https://my-proxy.local

kubernetes:
apiserver:
files:
installed.sls:
_cases:
"With an external OIDC":
pillar_overrides:
kubernetes:
apiServer:
oidc:
issuerURL: "https://issuer-url/oidc"
clientID: "oidc-client"
CAFile: "/path/to/some/ca.crt"
usernameClaim: "email"
groupsClaim: "groups"
"With default OIDC (Dex)": {}

apiserver-proxy:
files:
apiserver-proxy.yaml.j2:
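Review bot: the two cases only exercise the complete external mapping and the default; add a case with a partial mapping (an `oidc:` block carrying only `issuerURL` and `clientID`) so the rendering of the missing keys in the flag block is pinned down, and a case with `addons: dex: enabled: false` and no `oidc` key to assert that no `--oidc-*` flag is emitted at all. `"With default OIDC (Dex)": {}` presumably relies on Dex being enabled in the default pillar; an explicit `pillar_overrides` with `oidc: {}` would also cover the empty-mapping fallback the updated documentation advertises.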