Allow OIDC Configuration in Virtual Garden Kube API Server (#266)

control-plane/roles/gardener/README.md

@@ -44,15 +44,22 @@ These variables are related to spinning up the virtual garden, a dedicated kube-
 
 The deployment chart is taken from [garden-setup](https://github.com/gardener/garden-setup) and follows the same deployment approach.
 
-| Name                                                 | Mandatory | Description                                                                                                            |
-| ---------------------------------------------------- | --------- | ---------------------------------------------------------------------------------------------------------------------- |
-| gardener_virtual_api_server_svc_cluster_ip_add       |           | An integer to "guess" a free IP for the service that allows the soil to internally communicate with the virtual garden |
-| gardener_virtual_api_server_public_dns               |           | The DNS domain to reach the virtual garden API server on                                                               |
-| gardener_virtual_api_server_healthcheck_static_token | yes       | A static token for healthchecking the virtual garden API server                                                        |
-| gardener_etcd_backup_schedule                        |           | The backup schedule for the virtual garden ETCD                                                                        |
-| gardener_etcd_snapshot_period                        |           | The snapshot period for the virtual garden ETCD                                                                        |
-| gardener_etcd_garbage_collection_period              |           | The priod for garbage collection for the virtual garden ETCD                                                           |
-| gardener_etcd_resources                              |           | Set custom resource definitions for the virtual garden ETCD                                                            |
+| Name                                                 | Mandatory | Description                                                                                                                                                                                  |
+|------------------------------------------------------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| gardener_virtual_api_server_svc_cluster_ip_add       |           | An integer to "guess" a free IP for the service that allows the soil to internally communicate with the virtual garden                                                                       |
+| gardener_virtual_api_server_public_dns               |           | The DNS domain to reach the virtual garden API server on                                                                                                                                     |
+| gardener_virtual_api_server_healthcheck_static_token | yes       | A static token for healthchecking the virtual garden API server                                                                                                                              |
+| gardener_etcd_backup_schedule                        |           | The backup schedule for the virtual garden ETCD                                                                                                                                              |
+| gardener_etcd_snapshot_period                        |           | The snapshot period for the virtual garden ETCD                                                                                                                                              |
+| gardener_etcd_garbage_collection_period              |           | The priod for garbage collection for the virtual garden ETCD                                                                                                                                 |
+| gardener_etcd_resources                              |           | Set custom resource definitions for the virtual garden ETCD                                                                                                                                  |
+| gardener_virtual_api_oidc_issuer_url                 |           | [Corresponds to the `--oidc-issuer-url` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-issuer-url) in the Kubernetes API server configuration.           |
+| gardener_virtual_api_oidc_client_id                  |           | [Corresponds to the `--oidc-client-id` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-client-id) in the Kubernetes API server configuration.             |
+| gardener_virtual_api_oidc_username_claim             |           | [Corresponds to the `--oidc-username-claim` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-username-claim) in the Kubernetes API server configuration.   |
+| gardener_virtual_api_oidc_username_prefix            |           | [Corresponds to the `--oidc-username-prefix` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-username-prefix) in the Kubernetes API server configuration. |
+| gardener_virtual_api_oidc_groups_claim               |           | [Corresponds to the `--oidc-groups-claim` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-claim) in the Kubernetes API server configuration.       |
+| gardener_virtual_api_oidc_groups_prefix              |           | [Corresponds to the `--oidc-groups-prefix` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-prefix) in the Kubernetes API server configuration.     |
+| gardener_virtual_api_oidc_ca                         |           | [Corresponds to the `--oidc-ca-file` flag](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#oidc-groups-prefix) in the Kubernetes API server configuration.           |
 
 ### Cloud Profile
 

control-plane/roles/gardener/defaults/main/certs.yaml

@@ -35,3 +35,5 @@ gardener_etcd_cert:
 gardener_etcd_cert_key:
 gardener_etcd_client_cert:
 gardener_etcd_client_key:
+
+gardener_virtual_api_oidc_ca:

control-plane/roles/gardener/defaults/main/virtual_garden.yaml

@@ -14,3 +14,10 @@ gardener_etcd_resources:
   limits:
     cpu: 800m
     memory: 8Gi
+
+gardener_virtual_api_oidc_issuer_url:
+gardener_virtual_api_oidc_client_id:
+gardener_virtual_api_oidc_username_claim:
+gardener_virtual_api_oidc_username_prefix:
+gardener_virtual_api_oidc_groups_claim:
+gardener_virtual_api_oidc_groups_prefix:

control-plane/roles/gardener/files/kube-apiserver/templates/deployment-kube-apiserver.yaml

@@ -37,8 +37,8 @@ spec:
         checksum/secret-kube-apiserver-static-token: {{ include (print $.Template.BasePath "/secret-kube-apiserver-static-token.yaml") . | sha256sum }}
         checksum/secret-kube-controller-manager-client: {{ include (print $.Template.BasePath "/secret-kube-controller-manager-tls.yaml") . | sha256sum }}
         checksum/secret-service-account-key: {{ include (print $.Template.BasePath "/secret-service-account-key.yaml") . | sha256sum }}
-        {{- if .Values.tls.identity.ca }}
-        checksum/secret-identity-ca: {{ include (print $.Template.BasePath "/secret-identity-ca.yaml") . | sha256sum }}
+        {{- if .Values.tls.oidc.ca }}
+        checksum/secret-oidc-ca: {{ include (print $.Template.BasePath "/secret-oidc-ca.yaml") . | sha256sum }}
         {{- end }}
       labels:
         app: garden
@@ -93,6 +93,25 @@ spec:
         - --etcd-keyfile=/srv/kubernetes/etcd/client/tls.key
         - --etcd-servers={{ .Values.etcd.main.endpoints }}
         - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
+{{ if and .Values.oidc.issuerURL .Values.oidc.clientID }}
+        - --oidc-issuer-url={{ .Values.oidc.issuerURL }}
+        - --oidc-client-id={{ .Values.oidc.clientID }}
+        {{- if .Values.oidc.usernameClaim }}
+        - --oidc-username-claim={{ .Values.oidc.usernameClaim }}
+        {{- end }}
+        {{- if .Values.oidc.usernamePrefix }}
+        - --oidc-username-prefix={{ .Values.oidc.usernamePrefix | quote }}
+        {{- end}}
+        {{- if .Values.oidc.groupsClaim }}
+        - --oidc-groups-claim={{ .Values.oidc.groupsClaim }}
+        {{- end }}
+        {{- if .Values.oidc.groupsPrefix }}
+        - --oidc-groups-prefix={{ .Values.oidc.groupsPrefix | quote }}
+        {{- end }}
+        {{- if .Values.tls.oidc.ca }}
+        - --oidc-ca-file=/srv/kubernetes/oidc-ca/ca.crt
+        {{- end }}
+{{ end }}
         - --profiling=false
         - --proxy-client-cert-file=/srv/kubernetes/aggregator/tls.crt
         - --proxy-client-key-file=/srv/kubernetes/aggregator/tls.key
@@ -165,9 +184,9 @@ spec:
           mountPath: /srv/kubernetes/token
         - name: kube-aggregator
           mountPath: /srv/kubernetes/aggregator
-        {{- if .Values.tls.identity.ca }}
-        - name: ca-identity
-          mountPath: /srv/kubernetes/identity-ca
+        {{- if .Values.tls.oidc.ca }}
+        - name: ca-oidc
+          mountPath: /srv/kubernetes/oidc-ca
         {{- end }}
       - name: kube-controller-manager
         image: {{ index .Values.images "controllermanager" }}
@@ -218,10 +237,10 @@ spec:
       - name: ca-kube-apiserver
         secret:
           secretName: garden-kube-apiserver-ca
-      {{- if .Values.tls.identity.ca }}
-      - name: ca-identity
+      {{- if .Values.tls.oidc.ca }}
+      - name: ca-oidc
         secret:
-          secretName: identity-ca
+          secretName: oidc-ca
       {{- end }}
       - name: ca-etcd
         secret:

control-plane/roles/gardener/files/kube-apiserver/templates/secret-identity-ca.yaml → control-plane/roles/gardener/files/kube-apiserver/templates/secret-oidc-ca.yaml

@@ -12,13 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-{{- if .Values.tls.identity.ca }}
+{{- if .Values.tls.oidc.ca }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: identity-ca
+  name: oidc-ca
   namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
-  ca.crt: {{ .Values.tls.identity.ca | b64enc }}
+  ca.crt: {{ .Values.tls.oidc.ca | b64enc }}
 {{- end }}

control-plane/roles/gardener/files/kube-apiserver/values.yaml

@@ -23,6 +23,14 @@ apiServer:
   hostname: 127.0.0.1
   serviceName: garden-kube-apiserver
 
+oidc:
+  issuerURL:
+  clientID:
+  usernameClaim:
+  usernamePrefix:
+  groupsClaim:
+  groupsPrefix:
+
 tls:
   kubeAPIServer:
     ca:
@@ -40,3 +48,5 @@ tls:
     crt: client-certificate
     key: client-key
   serviceAccountKey: key
+  oidc:
+    ca:

control-plane/roles/gardener/templates/kube-apiserver-values.j2

@@ -7,6 +7,22 @@ apiServer:
   hostname: {{ gardener_virtual_api_server_public_dns }}
   serviceName: garden-kube-apiserver
 
+oidc:
+  issuerURL: {{ gardener_virtual_api_oidc_issuer_url }}
+  clientID: {{ gardener_virtual_api_oidc_client_id }}
+{% if gardener_virtual_api_oidc_username_claim %}
+  usernameClaim: {{ gardener_virtual_api_oidc_username_claim }}
+{% endif %}
+{% if gardener_virtual_api_oidc_username_prefix %}
+  usernamePrefix: "{{ gardener_virtual_api_oidc_username_prefix }}"
+{% endif %}
+{% if gardener_virtual_api_oidc_groups_claim %}
+  groupsClaim: {{ gardener_virtual_api_oidc_groups_claim }}
+{% endif %}
+{% if gardener_virtual_api_oidc_groups_prefix %}
+  groupsPrefix: "{{ gardener_virtual_api_oidc_groups_prefix }}"
+{% endif %}
+
 tls:
   kubeAPIServer:
     ca:
@@ -44,8 +60,11 @@ tls:
       {{ gardener_admin_client_key | indent(width=6, first=false) }}
   serviceAccountKey: |
     {{ gardener_service_account_client_key | indent(width=4, first=false) }}
-  identity:
-    ca:
+{% if gardener_virtual_api_oidc_ca %}
+  oidc:
+    ca: |
+      {{ gardener_virtual_api_oidc_ca | indent(width=6, first=false) }}
+{% endif %}
 
 etcd:
   main: