ironcore-dev · adracus · Mar 14, 2023 · Mar 14, 2023
@@ -24,8 +24,19 @@ import (
 
 const (
 	ReconcileRequestAnnotation = "reconcile.apinet.api.onmetal.de/requestedAt"
+
+	// APINetletsGroup is the system rbac group all apinetlets are in.
+	APINetletsGroup = "apinet.api.onmetal.de:system:apinetlets"
+
+	// APINetletUserNamePrefix is the prefix all apinetlet users should have.
+	APINetletUserNamePrefix = "apinet.api.onmetal.de:system:apinetlet:"
 )
 
+// APINetletCommonName constructs the common name for a certificate of an apinetlet user.
+func APINetletCommonName(name string) string {
+	return APINetletUserNamePrefix + name
+}
+
 // IP is an IP address.
 // +kubebuilder:validation:Type=string
 type IP struct {

@@ -17,16 +17,21 @@ package config
 import (
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"os"
 
+	onmetalapinetv1alpha1 "github.com/onmetal/onmetal-api-net/api/v1alpha1"
 	networkingv1alpha1 "github.com/onmetal/onmetal-api/api/networking/v1alpha1"
 	utilcertificate "github.com/onmetal/onmetal-api/utils/certificate"
 	"github.com/onmetal/onmetal-api/utils/client/config"
 	certificatesv1 "k8s.io/api/certificates/v1"
 	"k8s.io/apiserver/pkg/server/egressselector"
+	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+var log = ctrl.Log.WithName("client").WithName("config")
+
 var (
-	APINetGetter = config.NewGetterOrDie(config.GetterOptions{
+	Getter = config.NewGetterOrDie(config.GetterOptions{
 		Name:       "apinetlet",
 		SignerName: certificatesv1.KubeAPIServerClientSignerName,
 		Template: &x509.CertificateRequest{
@@ -39,5 +44,30 @@ var (
 		NetworkContext: egressselector.ControlPlane.AsNetworkContext(),
 	})
 
-	APINetGetConfig = APINetGetter.GetConfig
+	GetConfig      = Getter.GetConfig
+	GetConfigOrDie = Getter.GetConfigOrDie
 )
+
+func NewAPINetGetter(namespace string) (*config.Getter, error) {
+	return config.NewGetter(config.GetterOptions{
+		Name:       "apinetlet",
+		SignerName: certificatesv1.KubeAPIServerClientSignerName,
+		Template: &x509.CertificateRequest{
+			Subject: pkix.Name{
+				CommonName:   onmetalapinetv1alpha1.APINetletCommonName(namespace),
+				Organization: []string{onmetalapinetv1alpha1.APINetletsGroup},
+			},
+		},
+		GetUsages:      utilcertificate.DefaultKubeAPIServerClientGetUsages,
+		NetworkContext: egressselector.ControlPlane.AsNetworkContext(),
+	})
+}
+
+func NewAPINetGetterOrDie(namespace string) *config.Getter {
+	getter, err := NewAPINetGetter(namespace)
+	if err != nil {
+		log.Error(err, "Error creating getter")
+		os.Exit(1)
+	}
+	return getter
+}
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/onmetal/controller-utils/configutils"
 	onmetalapinetv1alpha1 "github.com/onmetal/onmetal-api-net/api/v1alpha1"
 	apinetletconfig "github.com/onmetal/onmetal-api-net/apinetlet/client/config"
 	"github.com/onmetal/onmetal-api-net/apinetlet/controllers"
@@ -68,6 +67,7 @@ func main() {
 	var enableLeaderElection bool
 	var probeAddr string
 
+	var configOptions config.GetConfigOptions
 	var apiNetGetConfigOptions config.GetConfigOptions
 
 	var apiNetNamespace string
@@ -81,6 +81,7 @@ func main() {
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
 
+	configOptions.BindFlags(flag.CommandLine)
 	apiNetGetConfigOptions.BindFlags(flag.CommandLine, config.WithNamePrefix(apiNetFlagPrefix))
 
 	flag.StringVar(&apiNetNamespace, "api-net-namespace", "", "api-net cluster namespace to manage all objects in.")
@@ -91,8 +92,9 @@ func main() {
 	opts := zap.Options{
 		Development: true,
 	}
-	opts.BindFlags(goflag.CommandLine)
-	flag.CommandLine.AddGoFlagSet(goflag.CommandLine)
+	goFlags := goflag.NewFlagSet(os.Args[0], goflag.ExitOnError)
+	opts.BindFlags(goFlags)
+	flag.CommandLine.AddGoFlagSet(goFlags)
 	flag.Parse()
 
 	ctx := ctrl.SetupSignalHandler()
@@ -108,13 +110,14 @@ func main() {
 		setupLog.Info("Watching onmetal-api objects only in namespace for reconciliation", "namespace", watchNamespace)
 	}
 
-	cfg, err := configutils.GetConfig()
+	cfg, cfgCtrl, err := apinetletconfig.GetConfig(ctx, &configOptions)
 	if err != nil {
 		setupLog.Error(err, "unable to load kubeconfig")
 		os.Exit(1)
 	}
 
-	apiNetCfg, apiNetCfgCtrl, err := apinetletconfig.APINetGetConfig(ctx, &apiNetGetConfigOptions)
+	apiNetGetter := apinetletconfig.NewAPINetGetterOrDie(apiNetNamespace)
+	apiNetCfg, apiNetCfgCtrl, err := apiNetGetter.GetConfig(ctx, &apiNetGetConfigOptions)
 	if err != nil {
 		setupLog.Error(err, "unable to load api net kubeconfig")
 		os.Exit(1)
@@ -133,6 +136,10 @@ func main() {
 		setupLog.Error(err, "unable to start manager")
 		os.Exit(1)
 	}
+	if err := config.SetupControllerWithManager(mgr, cfgCtrl); err != nil {
+		setupLog.Error(err, "unable to create controller", "controller", "Config")
+		os.Exit(1)
+	}
 	if err := config.SetupControllerWithManager(mgr, apiNetCfgCtrl); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "APINetConfig")
 		os.Exit(1)

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: apinet.api.onmetal.de:system:apinetlet-bootstrapper
+rules:
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests/apinetletclient
+    verbs:
+      - create
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: apinet.api.onmetal.de:system:apinetlet-bootstrapper
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: apinet.api.onmetal.de:system:apinetlet-bootstrapper
+subjects:
+  - kind: Group
+    # Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\
+    # See https://github.com/kubernetes/kubernetes/blob/e8662a46dd27db774ec953dae15f93ae2d1a68c8/staging/src/k8s.io/cluster-bootstrap/token/api/types.go#L96
+    name: system:bootstrappers:apinet-api-onmetal-de:apinetlets
+    apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: apinet.api.onmetal.de:system:apinetlets
+rules:
+- apiGroups:
+    - apinet.api.onmetal.de
+  resources:
+    - networks
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+    - create
+    - delete
+- apiGroups:
+    - apinet.api.onmetal.de
+  resources:
+    - publicips
+  verbs:
+    - get
+    - list
+    - patch
+    - update
+    - watch
+    - create
+    - delete
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: apinet.api.onmetal.de:system:apinetlets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: apinet.api.onmetal.de:system:apinetlets
+subjects:
+  - kind: Group
+    name: apinet.api.onmetal.de:system:apinetlets
+    apiGroup: rbac.authorization.k8s.io
@@ -16,3 +16,8 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# APINetlet (bootstrapper) roles
+- apinetlet_role.yaml
+- apinetlet_rolebinding.yaml
+- apinetlet_bootstrapper_role.yaml
+- apinetlet_bootstrapper_rolebinding.yaml
@@ -60,3 +60,33 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests/approval
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - certificates.k8s.io
+  resourceNames:
+  - kubernetes.io/kube-apiserver-client
+  resources:
+  - signers
+  verbs:
+  - approve
@@ -10,6 +10,7 @@ require (
 	github.com/onsi/gomega v1.27.3
 	github.com/spf13/pflag v1.0.5
 	go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d
+	golang.org/x/exp v0.0.0-20221212164502-fae10dda9338
 	k8s.io/api v0.26.2
 	k8s.io/apimachinery v0.26.2
 	k8s.io/apiserver v0.26.2

@@ -49,6 +49,7 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bits-and-blooms/bitset v1.5.0 h1:NpE8frKRLGHIcEzkR+gZhiioW1+WbYV6fKwD6ZIpQT8=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
@@ -251,6 +252,7 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/onmetal/controller-utils v0.7.0 h1:EHLPb/XimNas1VkeZZLP4g31aSz+ipiwvwWhklaQob0=
 github.com/onmetal/controller-utils v0.7.0/go.mod h1:91KV/s0VaB8PC+hqsxo6OBsAhi3ICFgIFLv/36V0ng8=
 github.com/onmetal/onmetal-api v0.0.13-0.20230313112836-dfd3ad84912f h1:2kA63fXBwoFEjzF9JmhzxMbjX511JD3/0p5neOOLhnQ=
@@ -366,6 +368,7 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -376,6 +379,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/exp v0.0.0-20221212164502-fae10dda9338 h1:OvjRkcNHnf6/W5FZXSxODbxwD+X7fspczG7Jn/xQVD4=
+golang.org/x/exp v0.0.0-20221212164502-fae10dda9338/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -666,6 +671,7 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -701,6 +707,7 @@ k8s.io/component-base v0.26.2 h1:IfWgCGUDzrD6wLLgXEstJKYZKAFS2kO+rBRi0p3LqcI=
 k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs=
 k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kms v0.26.2 h1:GM1gg3tFK3OUU/QQFi93yGjG3lJT8s8l3Wkn2+VxBLM=
 k8s.io/kube-aggregator v0.26.2 h1:WtcLGisa5aCKBbBI1/Xe7gdjPlVb5Xhvs4a8Rdk8EXs=
 k8s.io/kube-aggregator v0.26.2/go.mod h1:swDTw0k/XghVLR+PCWnP6Y36wR2+DsqL2HUVq8eu0RI=
 k8s.io/kube-openapi v0.0.0-20230109183929-3758b55a6596 h1:8cNCQs+WqqnSpZ7y0LMQPKD+RZUHU17VqLPMW3qxnxc=