Add kubernetes-keystone-webhook chart

This patch set adds a kubernetes keystone webhook authorizer chart to
OpenStack-Helm-Infra.

Change-Id: I16136f4ac2a787e8bcf90eb0675294300ac088f0
Co-Authored-By: Gage Hugo <gagehugo@gmail.com>
Signed-off-by: Tin Lam <tin@irrational.io>
Signed-off-by: Pete Birley <pete@port.direct>

kubernetes-keystone-webhook/Chart.yaml

@@ -0,0 +1,24 @@
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+description: OpenStack-Helm Kubernetes keystone webhook
+name: kubernetes-keystone-webhook
+version: 0.1.0
+home: https://github.com/kubernetes/cloud-provider-openstack
+sources:
+  - https://github.com/elastic/kibana
+  - https://git.openstack.org/cgit/openstack/openstack-helm-infra
+maintainers:
+  - name: OpenStack-Helm Authors

kubernetes-keystone-webhook/requirements.yaml

@@ -0,0 +1,18 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: 0.1.0

kubernetes-keystone-webhook/templates/bin/_kubernetes-keystone-webhook-test.sh.tpl

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -ex
+
+TOKEN="$(openstack token issue -f value -c id)"
+cat << EOF | curl -kvs -XPOST -d @- "${WEBHOOK_URL}" | python -mjson.tool
+{
+    "apiVersion": "authentication.k8s.io/v1beta1",
+    "kind": "TokenReview",
+    "metadata": {
+        "creationTimestamp": null
+    },
+    "spec": {
+        "token": "$TOKEN"
+    }
+}
+EOF

kubernetes-keystone-webhook/templates/bin/_start.sh.tpl

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+set -xe
+
+exec /bin/k8s-keystone-auth \
+  --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \
+  --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \
+  --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \
+  --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}

kubernetes-keystone-webhook/templates/configmap-bin.yaml

@@ -0,0 +1,29 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_bin }}
+{{- $envAll := . -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubernetes-keystone-webhook-bin
+data:
+  start.sh: |
+{{ tuple "bin/_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+  kubernetes-keystone-webhook-test.sh: |
+{{ tuple "bin/_kubernetes-keystone-webhook-test.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }}
+{{- end }}

kubernetes-keystone-webhook/templates/configmap-etc.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.configmap_etc }}
+{{- $envAll := . -}}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubernetes-keystone-webhook-etc
+data:
+  policy.json: |
+{{ toPrettyJson $envAll.Values.conf.policy | indent 4 }}
+{{- end }}

kubernetes-keystone-webhook/templates/deployment.yaml

@@ -0,0 +1,79 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.deployment }}
+{{- $envAll := . }}
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: kubernetes-keystone-webhook
+spec:
+  replicas: {{ $envAll.Values.pod.replicas.api }}
+  template:
+    metadata:
+      labels:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
+    spec:
+      containers:
+        - name: kubernetes-keystone-webhook
+{{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }}
+          command:
+            - /tmp/start.sh
+          readinessProbe:
+            tcpSocket:
+              port: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          ports:
+            - name: k8sksauth-pub
+              containerPort: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+{{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+          volumeMounts:
+            - name: etc-kubernetes-keystone-webhook
+              mountPath: /etc/kubernetes-keystone-webhook
+            - name: key-kubernetes-keystone-webhook
+              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt
+              subPath: tls.crt
+              readOnly: true
+            - name: key-kubernetes-keystone-webhook
+              mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key
+              subPath: tls.key
+              readOnly: true
+            - name: kubernetes-keystone-webhook-etc
+              mountPath: /etc/kubernetes-keystone-webhook/policy.json
+              subPath: policy.json
+              readOnly: true
+            - name: kubernetes-keystone-webhook-bin
+              mountPath: /tmp/start.sh
+              subPath: start.sh
+              readOnly: true
+      volumes:
+        - name: etc-kubernetes-keystone-webhook
+          emptyDir: {}
+        - name: key-kubernetes-keystone-webhook
+          secret:
+            secretName: {{ $envAll.Values.secrets.certificates.api }}
+            defaultMode: 0444
+        - name: kubernetes-keystone-webhook-etc
+          configMap:
+            name: kubernetes-keystone-webhook-etc
+            defaultMode: 0444
+        - name: kubernetes-keystone-webhook-bin
+          configMap:
+            name: kubernetes-keystone-webhook-bin
+            defaultMode: 0555
+{{- end }}

kubernetes-keystone-webhook/templates/ingress.yaml

@@ -0,0 +1,20 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.ingress_webhook .Values.network.api.ingress.public }}
+{{- $ingressOpts := dict "envAll" . "backendService" "api" "backendServiceType" "kubernetes_keystone_webhook" "backendPort" "k8sksauth-pub" -}}
+{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }}
+{{- end }}

kubernetes-keystone-webhook/templates/pod-test.yaml

@@ -0,0 +1,62 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.pod_test }}
+{{- $envAll := . }}
+
+{{- $mounts_kubernetes_keystone_webhook_tests := $envAll.Values.pod.mounts.kubernetes_keystone_webhook_tests.kubernetes_keystone_webhook_tests }}
+{{- $mounts_kubernetes_keystone_webhook_tests_init := $envAll.Values.pod.mounts.kubernetes_keystone_webhook_tests.init_container }}
+
+{{- $serviceAccountName := print $envAll.Release.Name "-test" }}
+{{ tuple $envAll "tests" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ $envAll.Release.Name }}-test"
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  serviceAccountName: {{ $serviceAccountName }}
+  nodeSelector:
+    {{ $envAll.Values.labels.test.node_selector_key }}: {{ $envAll.Values.labels.test.node_selector_value }}
+  restartPolicy: Never
+  initContainers:
+{{ tuple $envAll "tests" $mounts_kubernetes_keystone_webhook_tests_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+  containers:
+    - name: {{ $envAll.Release.Name }}-kubernetes-keystone-webhook-test
+      image: {{ $envAll.Values.images.tags.scripted_test }}
+      env:
+        - name: WEBHOOK_URL
+          value: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin }}
+{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 8 }}
+{{- end }}
+      command:
+        - /tmp/kubernetes-keystone-webhook-test.sh
+      volumeMounts:
+        - name: kubernetes-keystone-webhook-bin
+          mountPath: /tmp/kubernetes-keystone-webhook-test.sh
+          subPath: kubernetes-keystone-webhook-test.sh
+          readOnly: true
+{{ if $mounts_kubernetes_keystone_webhook_tests.volumeMounts }}{{ toYaml $mounts_kubernetes_keystone_webhook_tests.volumeMounts | indent 8 }}{{ end }}
+  volumes:
+    - name: kubernetes-keystone-webhook-bin
+      configMap:
+        name: kubernetes-keystone-webhook-bin
+        defaultMode: 0555
+{{ if $mounts_kubernetes_keystone_webhook_tests.volumes }}{{ toYaml $mounts_kubernetes_keystone_webhook_tests.volumes | indent 4 }}{{ end }}
+{{- end }}

kubernetes-keystone-webhook/templates/secret-certificates.yaml

@@ -0,0 +1,28 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_certificates }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $envAll.Values.secrets.certificates.api }}
+type: kubernetes.io/tls
+data:
+  tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt }}
+  tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key }}
+{{- end }}

kubernetes-keystone-webhook/templates/secret-keystone.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keystone }}
+{{- $envAll := . }}
+{{- range $key1, $userClass := tuple "admin" }}
+{{- $secretName := index $envAll.Values.secrets.identity $userClass }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+type: Opaque
+data:
+{{- tuple $userClass "internal" $envAll | include "helm-toolkit.snippets.keystone_secret_openrc" | indent 2 -}}
+{{- end }}
+{{- end }}

kubernetes-keystone-webhook/templates/service-ingress-api.yaml

@@ -0,0 +1,20 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.manifests.service_ingress_api .Values.network.api.ingress.public }}
+{{- $serviceIngressOpts := dict "envAll" . "backendService" "api" "backendServiceType" "kubernetes_keystone_webhook" -}}
+{{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }}
+{{- end }}

kubernetes-keystone-webhook/templates/service.yaml

@@ -0,0 +1,30 @@
+{{/*
+Copyright 2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.service }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ tuple "kubernetes_keystone_webhook" "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+spec:
+  ports:
+    - name: k8sksauth-pub
+      port: {{ tuple "kubernetes_keystone_webhook" "internal" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+  selector:
+{{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+{{- end }}

kubernetes-keystone-webhook/values.yaml

@@ -0,0 +1,183 @@
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+labels:
+  api:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+  test:
+    node_selector_key: openstack-control-plane
+    node_selector_value: enabled
+
+images:
+  tags:
+    kubernetes_keystone_webhook: docker.io/gagehugo/k8s-keystone-auth:latest
+    scripted_test: docker.io/openstackhelm/heat:newton
+    dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1
+    image_repo_sync: docker.io/docker:17.07.0
+  pull_policy: IfNotPresent
+  local_registry:
+    active: false
+    exclude:
+      - dep_check
+      - image_repo_sync
+
+network:
+  api:
+    ingress:
+      public: true
+      classes:
+        namespace: "nginx"
+        cluster: "nginx-cluster"
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        nginx.ingress.kubernetes.io/secure-backends: "true"
+    external_policy_local: false
+    node_port:
+      enabled: false
+      port: 30601
+
+pod:
+  affinity:
+    anti:
+      type:
+        default: preferredDuringSchedulingIgnoredDuringExecution
+      topologyKey:
+        default: kubernetes.io/hostname
+  replicas:
+    api: 1
+  resources:
+    enabled: false
+    api:
+      requests:
+        memory: "128Mi"
+        cpu: "100m"
+      limits:
+        memory: "256Mi"
+        cpu: "200m"
+    jobs:
+      tests:
+        requests:
+          memory: "128Mi"
+          cpu: "100m"
+        limits:
+          memory: "256Mi"
+          cpu: "200m"
+  mounts:
+    kubernetes_keystone_webhook_api:
+      init_container: null
+      kubernetes_keystone_webhook_api: null
+    kubernetes_keystone_webhook_tests:
+      init_container: null
+      kubernetes_keystone_webhook_tests: null
+
+release_group: null
+
+conf:
+  policy:
+    - resource:
+        verbs:
+          - get
+          - list
+          - watch
+        resources:
+          - pods
+        namespace: openstack
+        version: "*"
+      match:
+        - type: user
+          values:
+            - admin
+
+secrets:
+  identity:
+    admin: kubernetes-keystone-webhook-admin
+  certificates:
+    api: kubernetes-keystone-webhook-certs
+
+endpoints:
+  cluster_domain_suffix: cluster.local
+  kubernetes:
+    auth:
+      api:
+        tls:
+          crt: null
+          key: null
+  identity:
+    name: keystone
+    auth:
+      admin:
+        region_name: RegionOne
+        username: admin
+        password: password
+        project_name: admin
+        user_domain_name: default
+        project_domain_name: default
+    hosts:
+      default: keystone-api
+      public: keystone
+    host_fqdn_override:
+      default: null
+    path:
+      default: /v3
+    scheme:
+      default: http
+    port:
+      admin:
+        default: 35357
+      api:
+        default: 80
+  kubernetes_keystone_webhook:
+    namespace: null
+    name: k8sksauth
+    hosts:
+      default: k8sksauth-api
+      public: k8sksauth
+    host_fqdn_override:
+      default: null
+    path:
+      default: /webhook
+    scheme:
+      default: https
+    port:
+      api:
+        default: 8443
+        public: 443
+
+
+dependencies:
+  dynamic:
+    common:
+      local_image_registry:
+        jobs:
+          - k8sksauth-image-repo-sync
+        services:
+          - endpoint: node
+            service: local_image_registry
+  static:
+    api:
+      jobs: null
+      services: null
+
+manifests:
+  api_secret: true
+  configmap_etc: true
+  configmap_bin: true
+  deployment: true
+  ingress_webhook: true
+  pod_test: true
+  secret_certificates: true
+  secret_keystone: true
+  service_ingress_api: true
+  service: true