Authentication/Authorization webhook integration (#91)

* Set up webhook for k8s-keystone-auth and other plugins in the future

charts/cluster-addons/README.md

@@ -163,3 +163,18 @@ By default, Grafana is only available from within the cluster and must be access
 ```sh
 kubectl -n monitoring-system port-forward svc/kube-prometheus-stack-grafana 3000:80
 ```
+
+## Keystone Authentication Webhook
+
+The  [k8s-keystone-auth](https://github.com/heytrav/helm-charts/tree/main/charts/k8s-keystone-auth) 
+webhook can be installed by enabling the `k8sKeystoneAuth` subchart. Note that you will need to provide 
+the **auth url** and **project id** for the Openstack tenant where you are deploying your cluster.
+
+```yaml
+  k8sKeystoneAuth:
+    enabled: true
+    values:
+      openstackAuthUrl: $OS_AUTH_URL
+      projectId: $OS_PROJECT_ID
+
+```

charts/cluster-addons/templates/openstack/k8s-keystone-auth.yaml

@@ -0,0 +1,33 @@
+{{- if and .Values.openstack.enabled .Values.openstack.k8sKeystoneAuth.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+  labels:
+    {{- include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+    addons.stackhpc.com/watch: ""
+stringData:
+  overrides: |
+    {{- toYaml .Values.openstack.k8sKeystoneAuth.values | nindent 4 }}
+
+---
+apiVersion: addons.stackhpc.com/v1alpha1
+kind: HelmRelease
+metadata:
+  name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}
+  labels: {{ include "cluster-addons.componentLabels" (list . "k8s-keystone-auth") | nindent 4 }}
+  annotations:
+    # Tell Argo to ignore the non-controller owner references for this object
+    argocd.argoproj.io/sync-options: "ControllerReferencesOnly=true"
+spec:
+  clusterName: {{ include "cluster-addons.clusterName" . }}
+  bootstrap: true
+  chart: {{ toYaml .Values.openstack.k8sKeystoneAuth.chart | nindent 4 }}
+  targetNamespace: {{ .Values.openstack.k8sKeystoneAuth.targetNamespace }}
+  releaseName: k8s-keystone-auth
+  valuesSources:
+    - secret:
+        name: {{ include "cluster-addons.componentName" (list . "k8s-keystone-auth") }}-config
+        key: overrides
+{{- end }}

charts/cluster-addons/values.yaml

@@ -109,6 +109,14 @@ openstack:
       # The allowed topologies for the storage class
       allowedTopologies:
 
+  k8sKeystoneAuth:
+    enabled: false
+    targetNamespace: kube-system
+    chart:
+      repo: https://heytrav.github.io/helm-charts
+      name: k8s-keystone-auth
+      version: 0.0.8
+
 # Settings for the metrics server
 # https://github.com/kubernetes-sigs/metrics-server#helm-chart
 metricsServer:

charts/openstack-cluster/README.md

@@ -230,3 +230,14 @@ To deploy clusters which use Ignition such as Flatcar, you will need to override
 ```yaml
 osDistro: flatcar 
 ```
+
+## Keystone Authentication Webhook
+
+To deploy with the k8s-keystone-auth webhook enabled, set `authWebhook`
+to "k8s-keystone-auth".
+
+```
+authWebhook: k8s-keystone-auth 
+```
+
+See cluster-addons README for instructions on installing the `k8s-keystone-auth` subchart.

charts/openstack-cluster/templates/_helpers.tpl

@@ -319,3 +319,93 @@ ignition:
 {{- include "openstack-cluster.flatcarKubeadmConfigSpec" $ctx }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create folders necessary for webhook integration.
+*/}}
+{{- define "openstack-cluster.webhookPatches" }}
+  preKubeadmCommands:
+    - mkdir -p /etc/kubernetes/webhooks
+    - mkdir -p /etc/kubernetes/patches
+{{- end }}
+
+{{/*
+Supplement kubeadmConfig with apiServer config and webhook patches as needed. Authentication
+webhooks and policies for audit logging can be added here.
+*/}}
+{{- define "openstack-cluster.patchConfigSpec" -}}
+{{- $ctx := index . 0 }}
+{{- $authWebhook := $ctx.Values.authWebhook }}
+  clusterConfiguration:
+    apiServer:
+      extraArgs:
+        cloud-provider: external
+{{- if $authWebhook }}
+        authorization-mode: Node,Webhook,RBAC
+{{- if eq $authWebhook "k8s-keystone-auth" }}
+        authentication-token-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+        authorization-webhook-config-file: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+{{/*
+Add else if blocks with other webhooks and apiServer arguments (i.e. audit logging) 
+in future
+*/}}
+{{- end }}
+  initConfiguration:
+    patches:
+      directory: /etc/kubernetes/patches
+  joinConfiguration:
+    patches:
+      directory: /etc/kubernetes/patches
+{{- include "openstack-cluster.webhookPatches" $ctx }}
+{{- if eq $authWebhook "k8s-keystone-auth" }}
+{{- include "openstack-cluster.k8sKeystoneAuthWebhook" $ctx }}
+{{/*
+Add else if blocks with other webhooks or policy files in future.
+*/}}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Produces integration for k8s-keystone-auth webhook on apiserver
+*/}}
+{{- define "openstack-cluster.k8sKeystoneAuthWebhook" }}
+  files:
+    - path: /etc/kubernetes/patches/kube-apiserver0+strategic.yaml
+      permissions: "0644"
+      owner: root:root
+      content: |
+        spec:
+          containers:
+          -  name: kube-apiserver
+             volumeMounts:
+             - mountPath: /etc/kubernetes/webhooks
+               name: kube-webhooks
+               readOnly: true
+          volumes:
+          - hostPath:
+              path: /etc/kubernetes/webhooks
+              type: DirectoryOrCreate
+            name: kube-webhooks
+    - path: /etc/kubernetes/webhooks/keystone_webhook_config.yaml
+      content: |
+        ---
+        apiVersion: v1
+        kind: Config
+        preferences: {}
+        clusters:
+          - cluster:
+              insecure-skip-tls-verify: true
+              server: https://127.0.0.1:8443/webhook
+            name: webhook
+        users:
+          - name: webhook
+        contexts:
+          - context:
+              cluster: webhook
+              user: webhook
+            name: webhook
+        current-context: webhook
+      owner: root:root
+      permissions: "0644"
+{{- end }}

charts/openstack-cluster/templates/control-plane/kubeadm-control-plane.yaml

@@ -58,6 +58,7 @@ spec:
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.nodeLabels" . | fromYaml)
           (include "openstack-cluster.kubeadmConfigSpec" (list . .Values.controlPlane.kubeadmConfigSpec) | fromYaml)
           (include "openstack-cluster.osDistroKubeadmConfigSpec" (list . ) | fromYaml)
+          (include "openstack-cluster.patchConfigSpec"  (list .) | fromYaml)
           (include "openstack-cluster.controlplane.kubeadmConfigSpec.kubeProxyConfiguration" (list .Values.controlPlane.kubeadmConfigSpec .Values.osDistro) | fromYaml) |
         include "openstack-cluster.mergeConcatMany" |
         fromYaml

charts/openstack-cluster/templates/node-group/kubeadm-config-template.yaml

@@ -26,7 +26,8 @@ joinConfiguration: {{ include "openstack-cluster.nodeRegistration.nodeLabels" $n
   list
     (include "openstack-cluster.nodegroup.kct.spec.nodeLabels" (list $ctx $nodeGroup) | fromYaml)
     (include "openstack-cluster.kubeadmConfigSpec" (list $ctx $nodeGroup.kubeadmConfigSpec) | fromYaml)
-    (omit (include "openstack-cluster.osDistroKubeadmConfigSpec" (list $ctx) | fromYaml) "initConfiguration") |
+    (omit (include "openstack-cluster.osDistroKubeadmConfigSpec" (list $ctx) | fromYaml) "initConfiguration") 
+    (pick (include "openstack-cluster.patchConfigSpec" (list $ctx ) | fromYaml) "preKubeadmCommands") |
   include "openstack-cluster.mergeConcatMany" |
   fromYaml |
   toYaml

charts/openstack-cluster/values.yaml

@@ -122,6 +122,11 @@ apiServer:
 
 # Set osDistro used. ubuntu, flatcar, etc.
 osDistro: ubuntu
+#
+# API server authentication/authorization webhook. Set this to
+# integrate into KubeadmControlPlane and KubeadmConfigTemplate
+# possible values: k8s-keystone-auth
+# authWebhook: k8s-keystone-auth
 
 # Settings for the control plane
 controlPlane: