From 9b16460065263de8fb88544205306183dc6c5f1d Mon Sep 17 00:00:00 2001 From: Alexandre Allard Date: Thu, 10 Feb 2022 11:00:05 +0100 Subject: [PATCH] salt: Allow to configure OIDC for api-server --- docs/installation/bootstrap.rst | 16 ++++++++++++ .../kubernetes/apiserver/installed.sls | 25 ++++++++++++++----- salt/tests/unit/formulas/config.yaml | 16 ++++++++++++ 3 files changed, 51 insertions(+), 6 deletions(-) diff --git a/docs/installation/bootstrap.rst b/docs/installation/bootstrap.rst index c59e8a42c1..0c0a756333 100644 --- a/docs/installation/bootstrap.rst +++ b/docs/installation/bootstrap.rst @@ -78,6 +78,7 @@ Configuration enabled: True kubernetes: apiServer: + oidc: {} featureGates: : True controllerManager: @@ -207,6 +208,20 @@ defaults kubernetes configuration. configure the corresponding entries in the ``kubernetes.apiServer.featureGates`` mapping. + If ``dex`` is enabled, it will be used as ``oidc`` for ``kube-apiserver`` + but you can use a `specific OpenID for kube-apiserver`_, to do so: + + .. code-block:: yaml + + kubernetes: + apiServer: + oidc: + issuerURL: + clientID: + CAFile: + usernameClaim: + groupsClaim: + If you want to override the default ``coreDNS`` podAntiAffinity or number of replicas, by default MetalK8s deploy 2 replicas and use soft podAntiAffinity on hostname so that if it's possible ``coreDNS`` pods will be spread on @@ -230,6 +245,7 @@ defaults kubernetes configuration. disabled (default to ``500``) .. _Feature Gates: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ +.. _specific OpenID for kube-apiserver: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens .. _Bootstrap SSH Provisioning: diff --git a/salt/metalk8s/kubernetes/apiserver/installed.sls b/salt/metalk8s/kubernetes/apiserver/installed.sls index ca413f6713..04a79d39c1 100644 --- a/salt/metalk8s/kubernetes/apiserver/installed.sls +++ b/salt/metalk8s/kubernetes/apiserver/installed.sls 
@@ -34,6 +34,19 @@ include:
     {%- do feature_gates.append(feature ~ "=" ~ value) %}
   {%- endfor %}
 
+{%- set oidc_config = {} %}
+{%- if pillar.kubernetes.get("apiServer", {}).get("oidc") %}
+  {%- do oidc_config.update(pillar.kubernetes.apiServer.oidc) %}
+{%- elif pillar.addons.dex.enabled %}
+  {%- do oidc_config.update({
+    "issuerURL": salt.metalk8s_network.get_control_plane_ingress_endpoint() ~ "/oidc",
+    "clientID": "oidc-auth-client",
+    "CAFile": "/etc/metalk8s/pki/nginx-ingress/ca.crt",
+    "usernameClaim": "email",
+    "groupsClaim": "groups",
+  }) %}
+{%- endif %}
+
 Create kube-apiserver Pod manifest:
   metalk8s.static_pod_managed:
     - name: /etc/kubernetes/manifests/kube-apiserver.yaml
@@ -96,12 +109,12 @@ Create kube-apiserver Pod manifest:
         - --bind-address={{ host }}
         - --encryption-provider-config={{ encryption_k8s_path }}
         - --cors-allowed-origins=.*
-        {%- if pillar.addons.dex.enabled %}
-        - --oidc-issuer-url={{ salt.metalk8s_network.get_control_plane_ingress_endpoint() }}/oidc
-        - --oidc-client-id=oidc-auth-client
-        - --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
-        - --oidc-username-claim=email
-        - --oidc-groups-claim=groups
+        {%- if oidc_config %}
+        - --oidc-issuer-url={{ oidc_config.issuerURL }}
+        - --oidc-client-id={{ oidc_config.clientID }}
+        - --oidc-ca-file={{ oidc_config.CAFile }}
+        - --oidc-username-claim={{ oidc_config.usernameClaim }}
+        - --oidc-groups-claim={{ oidc_config.groupsClaim }}
         - '"--oidc-username-prefix=oidc:"'
         - '"--oidc-groups-prefix=oidc:"'
         {%- endif %}
diff --git a/salt/tests/unit/formulas/config.yaml b/salt/tests/unit/formulas/config.yaml
index 2a75b33f84..e0d8a47c8b 100644
--- a/salt/tests/unit/formulas/config.yaml
+++ b/salt/tests/unit/formulas/config.yaml
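Review bot: The user-supplied `kubernetes.apiServer.oidc` mapping is copied verbatim into `oidc_config`, yet the flag lines in the second hunk read all five keys unconditionally, so a partial mapping (e.g. only `issuerURL` and `clientID`, which is enough for kube-apiserver) renders `--oidc-ca-file=`, `--oidc-username-claim=` and `--oidc-groups-claim=` with empty values, and if the template is rendered with a strict-undefined setting it fails outright instead. Only `issuerURL` and `clientID` are required; the other three flags should be emitted only when the key is present, as below. It would also help to state in a comment above `{%- set oidc_config = {} %}` that an explicit `oidc` mapping takes precedence over the Dex defaults, and that `CAFile` is a path on the node that must be reachable from inside the static pod, which I cannot confirm from this hunk.
```jinja
        {%- if oidc_config %}
        - --oidc-issuer-url={{ oidc_config.issuerURL }}
        - --oidc-client-id={{ oidc_config.clientID }}
        {%- if oidc_config.get("CAFile") %}
        - --oidc-ca-file={{ oidc_config.CAFile }}
        {%- endif %}
        {%- if oidc_config.get("usernameClaim") %}
        - --oidc-username-claim={{ oidc_config.usernameClaim }}
        {%- endif %}
        {%- if oidc_config.get("groupsClaim") %}
        - --oidc-groups-claim={{ oidc_config.groupsClaim }}
        {%- endif %}
        {# … unchanged: --oidc-username-prefix / --oidc-groups-prefix lines and the closing endif … #}
```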
@@ -185,6 +185,22 @@ metalk8s:
       HTTPS_PROXY: https://my-proxy.local
 
   kubernetes:
+    apiserver:
+      files:
+        installed.sls:
+          _cases:
+            "With an external OIDC":
+              pillar_overrides:
+                kubernetes:
+                  apiServer:
+                    oidc:
+                      issuerURL: "https://issuer-url/oidc"
+                      clientID: "oidc-client"
+                      CAFile: "/path/to/some/ca.crt"
+                      usernameClaim: "email"
+                      groupsClaim: "groups"
+            "With default OIDC (Dex)": {}
+
     apiserver-proxy:
       files:
         apiserver-proxy.yaml.j2:
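Review bot: The "With an external OIDC" case sets all five `oidc` keys, so the rendering tests never exercise a mapping that omits the optional ones (`CAFile`, `usernameClaim`, `groupsClaim`), which is the shape the new template handles worst. A third case, say `"With a minimal external OIDC":` whose `pillar_overrides` give only `issuerURL` and `clientID`, would catch empty or undefined flag values in installed.sls. It would also be worth a case with `oidc: {}` alongside Dex enabled, to pin the documented fallback to the Dex defaults.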