diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
index ffa0ce7a..4ad5a18f 100644
--- a/control-plane/roles/gardener/README.md
+++ b/control-plane/roles/gardener/README.md
@@ -44,15 +44,22 @@ These variables are related to spinning up the virtual garden, a dedicated kube- The deployment chart is taken from [garden-setup](https://github.com/gardener/garden-setup) and follows the same deployment approach. -| Name | Mandatory | Description | -| ---------------------------------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------- | -| gardener_virtual_api_server_svc_cluster_ip_add | | An integer to "guess" a free IP for the service that allows the soil to internally communicate with the virtual garden | -| gardener_virtual_api_server_public_dns | | The DNS domain to reach the virtual garden API server on | -| gardener_virtual_api_server_healthcheck_static_token | yes | A static token for healthchecking the virtual garden API server | -| gardener_etcd_backup_schedule | | The backup schedule for the virtual garden ETCD | -| gardener_etcd_snapshot_period | | The snapshot period for the virtual garden ETCD | -| gardener_etcd_garbage_collection_period | | The priod for garbage collection for the virtual garden ETCD | -| gardener_etcd_resources | | Set custom resource definitions for the virtual garden ETCD | +| Name | Mandatory | Description | +|------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| gardener_virtual_api_server_svc_cluster_ip_add | | An integer to "guess" a free IP for the service that allows the soil to internally communicate with the virtual garden | +| gardener_virtual_api_server_public_dns | | The DNS domain to reach the virtual garden API server on | +| gardener_virtual_api_server_healthcheck_static_token | yes | A static token for healthchecking the virtual garden API server | +| gardener_etcd_backup_schedule | | The 
backup schedule for the virtual garden ETCD | +| gardener_etcd_snapshot_period | | The snapshot period for the virtual garden ETCD | +| gardener_etcd_garbage_collection_period | | The priod for garbage collection for the virtual garden ETCD | +| gardener_etcd_resources | | Set custom resource definitions for the virtual garden ETCD | +| gardener_virtual_api_oidc_issuer_url | | [Corresponds to the `--oidc-issuer-url` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-issuer-url) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_client_id | | [Corresponds to the `--oidc-client-id` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-client-id) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_username_claim | | [Corresponds to the `--oidc-username-claim` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-username-claim) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_username_prefix | | [Corresponds to the `--oidc-username-prefix` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-username-prefix) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_groups_claim | | [Corresponds to the `--oidc-groups-claim` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-claim) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_groups_prefix | | [Corresponds to the `--oidc-groups-prefix` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-prefix) in the Kubernetes API server configuration. | +| gardener_virtual_api_oidc_ca | | [Corresponds to the `--oidc-ca-file` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-prefix) in the Kubernetes API server configuration. | ### Cloud Profile 
diff --git a/control-plane/roles/gardener/defaults/main/certs.yaml b/control-plane/roles/gardener/defaults/main/certs.yaml index 7ad91b55..bee53edd 100644 --- a/control-plane/roles/gardener/defaults/main/certs.yaml +++ b/control-plane/roles/gardener/defaults/main/certs.yaml @@ -35,3 +35,5 @@ gardener_etcd_cert: gardener_etcd_cert_key: gardener_etcd_client_cert: gardener_etcd_client_key: + +gardener_virtual_api_oidc_ca: diff --git a/control-plane/roles/gardener/defaults/main/virtual_garden.yaml b/control-plane/roles/gardener/defaults/main/virtual_garden.yaml index 54d77e33..eaa8260c 100644 --- a/control-plane/roles/gardener/defaults/main/virtual_garden.yaml +++ b/control-plane/roles/gardener/defaults/main/virtual_garden.yaml @@ -14,3 +14,10 @@ gardener_etcd_resources: limits: cpu: 800m memory: 8Gi + +gardener_virtual_api_oidc_issuer_url: +gardener_virtual_api_oidc_client_id: +gardener_virtual_api_oidc_username_claim: +gardener_virtual_api_oidc_username_prefix: +gardener_virtual_api_oidc_groups_claim: +gardener_virtual_api_oidc_groups_prefix: diff --git a/control-plane/roles/gardener/files/kube-apiserver/templates/deployment-kube-apiserver.yaml b/control-plane/roles/gardener/files/kube-apiserver/templates/deployment-kube-apiserver.yaml index 3f0cdf6f..3ec1ccc0 100644 --- a/control-plane/roles/gardener/files/kube-apiserver/templates/deployment-kube-apiserver.yaml +++ b/control-plane/roles/gardener/files/kube-apiserver/templates/deployment-kube-apiserver.yaml 
@@ -37,8 +37,8 @@ spec: checksum/secret-kube-apiserver-static-token: {{ include (print $.Template.BasePath "/secret-kube-apiserver-static-token.yaml") . | sha256sum }} checksum/secret-kube-controller-manager-client: {{ include (print $.Template.BasePath "/secret-kube-controller-manager-tls.yaml") . | sha256sum }} checksum/secret-service-account-key: {{ include (print $.Template.BasePath "/secret-service-account-key.yaml") . | sha256sum }} - {{- if .Values.tls.identity.ca }} - checksum/secret-identity-ca: {{ include (print $.Template.BasePath "/secret-identity-ca.yaml") . | sha256sum }} + {{- if .Values.tls.oidc.ca }} + checksum/secret-oidc-ca: {{ include (print $.Template.BasePath "/secret-oidc-ca.yaml") . | sha256sum }} {{- end }} labels: app: garden @@ -93,6 +93,25 @@ spec: - --etcd-keyfile=/srv/kubernetes/etcd/client/tls.key - --etcd-servers={{ .Values.etcd.main.endpoints }} - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP +{{ if and .Values.oidc.issuerURL .Values.oidc.clientID }} + - --oidc-issuer-url={{ .Values.oidc.issuerURL }} + - --oidc-client-id={{ .Values.oidc.clientID }} + {{- if .Values.oidc.usernameClaim }} + - --oidc-username-claim={{ .Values.oidc.usernameClaim }} + {{- end }} + {{- if .Values.oidc.usernamePrefix }} + - --oidc-username-prefix={{ .Values.oidc.usernamePrefix | quote }} + {{- end}} + {{- if .Values.oidc.groupsClaim }} + - --oidc-groups-claim={{ .Values.oidc.groupsClaim }} + {{- end }} + {{- if .Values.oidc.groupsPrefix }} + - --oidc-groups-prefix={{ .Values.oidc.groupsPrefix | quote }} + {{- end }} + {{- if .Values.tls.oidc.ca }} + - --oidc-ca-file=/srv/kubernetes/oidc-ca/ca.crt + {{- end }} +{{ end }} - --profiling=false - --proxy-client-cert-file=/srv/kubernetes/aggregator/tls.crt - --proxy-client-key-file=/srv/kubernetes/aggregator/tls.key 
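Review bot: In the second hunk (`@@ -93,6 +93,25 @@`) the `| quote` on the two prefix flags writes literal double quotes into the argument: Helm renders `- --oidc-username-prefix="oidc:"`, and because the quote characters sit in the middle of a YAML plain scalar they are kept, so as far as I can tell the apiserver receives the prefix with the quotes included and applies it verbatim to user and group names. Drop the filter, `- --oidc-username-prefix={{ .Values.oidc.usernamePrefix }}` and `- --oidc-groups-prefix={{ .Values.oidc.groupsPrefix }}`; kube-apiserver-values.j2 already quotes these values at the YAML level, which is what a prefix such as `-` needs. The outer `{{ if and .Values.oidc.issuerURL .Values.oidc.clientID }}`/`{{ end }}` lack the `-` trim the inner conditionals use, so a blank line lands inside the args list (valid YAML, but inconsistent), and `{{- end}}` after the username prefix is spaced differently from the other `{{- end }}` lines. On the hardening side, `--oidc-groups-prefix` has no default in kube-apiserver, so with it unset the group names from the issuer are used verbatim and can collide with built-in groups such as `system:masters`; documenting, and arguably defaulting, a non-empty prefix in the role would avoid that, and the surrounding container spec starts and ends outside this hunk.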
@@ -165,9 +184,9 @@ spec: mountPath: /srv/kubernetes/token - name: kube-aggregator mountPath: /srv/kubernetes/aggregator - {{- if .Values.tls.identity.ca }} - - name: ca-identity - mountPath: /srv/kubernetes/identity-ca + {{- if .Values.tls.oidc.ca }} + - name: ca-oidc + mountPath: /srv/kubernetes/oidc-ca {{- end }} - name: kube-controller-manager image: {{ index .Values.images "controllermanager" }} @@ -218,10 +237,10 @@ spec: - name: ca-kube-apiserver secret: secretName: garden-kube-apiserver-ca - {{- if .Values.tls.identity.ca }} - - name: ca-identity + {{- if .Values.tls.oidc.ca }} + - name: ca-oidc secret: - secretName: identity-ca + secretName: oidc-ca {{- end }} - name: ca-etcd secret: diff --git a/control-plane/roles/gardener/files/kube-apiserver/templates/secret-identity-ca.yaml b/control-plane/roles/gardener/files/kube-apiserver/templates/secret-oidc-ca.yaml similarity index 89% rename from control-plane/roles/gardener/files/kube-apiserver/templates/secret-identity-ca.yaml rename to control-plane/roles/gardener/files/kube-apiserver/templates/secret-oidc-ca.yaml index 23670bbd..28f67d04 100644 --- a/control-plane/roles/gardener/files/kube-apiserver/templates/secret-identity-ca.yaml +++ b/control-plane/roles/gardener/files/kube-apiserver/templates/secret-oidc-ca.yaml @@ -12,13 +12,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{- if .Values.tls.identity.ca }} +{{- if .Values.tls.oidc.ca }} apiVersion: v1 kind: Secret metadata: - name: identity-ca + name: oidc-ca namespace: {{ .Release.Namespace }} type: Opaque data: - ca.crt: {{ .Values.tls.identity.ca | b64enc }} + ca.crt: {{ .Values.tls.oidc.ca | b64enc }} {{- end }} \ No newline at end of file diff --git a/control-plane/roles/gardener/files/kube-apiserver/values.yaml b/control-plane/roles/gardener/files/kube-apiserver/values.yaml index e778874c..5a33b572 100644 --- a/control-plane/roles/gardener/files/kube-apiserver/values.yaml 
+++ b/control-plane/roles/gardener/files/kube-apiserver/values.yaml @@ -23,6 +23,14 @@ apiServer: hostname: 127.0.0.1 serviceName: garden-kube-apiserver +oidc: + issuerURL: + clientID: + usernameClaim: + usernamePrefix: + groupsClaim: + groupsPrefix: + tls: kubeAPIServer: ca: @@ -40,3 +48,5 @@ tls: crt: client-certificate key: client-key serviceAccountKey: key + oidc: + ca: diff --git a/control-plane/roles/gardener/templates/kube-apiserver-values.j2 b/control-plane/roles/gardener/templates/kube-apiserver-values.j2 index a99f2efa..13fe4baa 100644 --- a/control-plane/roles/gardener/templates/kube-apiserver-values.j2 +++ b/control-plane/roles/gardener/templates/kube-apiserver-values.j2 @@ -7,6 +7,22 @@ apiServer: hostname: {{ gardener_virtual_api_server_public_dns }} serviceName: garden-kube-apiserver +oidc: + issuerURL: {{ gardener_virtual_api_oidc_issuer_url }} + clientID: {{ gardener_virtual_api_oidc_client_id }} +{% if gardener_virtual_api_oidc_username_claim %} + usernameClaim: {{ gardener_virtual_api_oidc_username_claim }} +{% endif %} +{% if gardener_virtual_api_oidc_username_prefix %} + usernamePrefix: "{{ gardener_virtual_api_oidc_username_prefix }}" +{% endif %} +{% if gardener_virtual_api_oidc_groups_claim %} + groupsClaim: {{ gardener_virtual_api_oidc_groups_claim }} +{% endif %} +{% if gardener_virtual_api_oidc_groups_prefix %} + groupsPrefix: "{{ gardener_virtual_api_oidc_groups_prefix }}" +{% endif %} + tls: kubeAPIServer: ca: @@ -44,8 +60,11 @@ tls: {{ gardener_admin_client_key | indent(width=6, first=false) }} serviceAccountKey: | {{ gardener_service_account_client_key | indent(width=4, first=false) }} - identity: - ca: +{% if gardener_virtual_api_oidc_ca %} + oidc: + ca: | + {{ gardener_virtual_api_oidc_ca | indent(width=6, first=false) }} +{% endif %} etcd: main:
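Review bot: In the first hunk of kube-apiserver-values.j2 (`@@ -7,6 +7,22 @@`) `issuerURL` and `clientID` are rendered unconditionally while their defaults in defaults/main/virtual_garden.yaml are null; if Ansible renders an unset variable as the string `None` (the non-native Jinja2 behaviour), the generated values file contains `issuerURL: None`, the chart's `if and .Values.oidc.issuerURL .Values.oidc.clientID` gate sees a non-empty string, and the apiserver is started with `--oidc-issuer-url=None`, which kube-apiserver rejects since it requires an https issuer. Guarding the block the way the optional claims already are, `{% if gardener_virtual_api_oidc_issuer_url and gardener_virtual_api_oidc_client_id %}` before `oidc:` and a matching `{% endif %}` after the last existing `{% endif %}`, keeps OIDC off unless both are set, which is what the README table promises (neither variable is marked mandatory). In the second hunk the previously unconditional `identity: ca:` key is gone, so when no CA is configured the chart's own values.yaml default `tls.oidc.ca:` is what supplies the key; that holds only if this rendered file is layered over the chart defaults rather than replacing them, which I cannot confirm from the diff. The issuer URL and client ID are also emitted as unquoted plain scalars; quoting them like the prefixes would make the file robust to values containing `#` or `: `.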