Merge pull request #14 from achimweigel/oidc-auth

Oidc authentication webhook
gardener-attic · Jan 19, 2022 · 0a79cbc · 0a79cbc
2 parents e3f8ceb + fbbdb3e
commit 0a79cbc
Show file tree

Hide file tree

Showing 22 changed files with 520 additions and 137 deletions.
diff --git a/.ci/component_descriptor b/.ci/component_descriptor
@@ -5,7 +5,6 @@
 # SPDX-License-Identifier: Apache-2.0
 
 set -o errexit
-set -o nounset
 set -o pipefail
 
 SOURCE_PATH="$(dirname $0)/.."

diff --git a/.landscaper/blueprint/blueprint.yaml b/.landscaper/blueprint/blueprint.yaml
@@ -98,10 +98,34 @@ imports:
             gardenerControlplane:
               type: object
               properties:
-                validatingWebhookEnabled:
-                  type: boolean
-                mutatingWebhookEnabled:
-                  type: boolean
+                validatingWebhook:
+                  type: object
+                  properties:
+                    kubeconfig:
+                      type: string
+                    token:
+                      type: object
+                      properties:
+                        enabled:
+                          type: boolean
+                        audience:
+                          type: string
+                        expirationSeconds:
+                          type: number
+                mutatingWebhook:
+                  type: object
+                  properties:
+                    kubeconfig:
+                      type: string
+                    token:
+                      type: object
+                      properties:
+                        enabled:
+                          type: boolean
+                        audience:
+                          type: string
+                        expirationSeconds:
+                          type: number
             serviceAccountKeyPem:
               type: string
             auditWebhookConfig:
@@ -119,6 +143,13 @@ imports:
                   type: boolean
                 certificateAuthorityData:
                   type: string
+            oidcWebhookAuthenticator:
+              type: object
+              properties:
+                enabled:
+                  type: boolean
+                certificateAuthorityData:
+                  type: string
             hvpaEnabled:
               type: boolean
             hvpa:

diff --git a/Makefile b/Makefile
@@ -110,7 +110,8 @@ setup-testenv:
 
 .PHONY: test
 test:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test.sh ./cmd/... ./pkg/...
+	make setup-testenv
+	@go test -mod=vendor $(REPO_ROOT)/cmd/... $(REPO_ROOT)/pkg/...
 
 .PHONY: test-e2e
 test-e2e:

diff --git a/example/imports.yaml b/example/imports.yaml
@@ -59,5 +59,29 @@ virtualGarden:
     replicas: 1
     dnsAccessDomain: ""
     gardenerControlplane:
-      validatingWebhookEnabled: true
-      mutatingWebhookEnabled: true
+      validatingWebhook:
+        kubeconfig: |
+          apiVersion: v1
+          kind: Config
+          users:
+          - name: '*'
+            user:
+              tokenFile: /var/run/secrets/admission-tokens/validating-webhook-token
+        token:
+          enabled: true
+          audience: validating-webhook
+          expirationSeconds: 3600
+      mutatingWebhook:
+        kubeconfig: |
+          apiVersion: v1
+          kind: Config
+          users:
+          - name: '*'
+            user:
+              tokenFile: /var/run/secrets/admission-tokens/mutating-webhook-token
+        token:
+          enabled: true
+          audience: mutating-webhook
+          expirationSeconds: 3600
+    oidcWebhookAuthenticator:
+      enabled: true
diff --git a/pkg/api/imports.go b/pkg/api/imports.go
@@ -116,6 +116,8 @@ type KubeAPIServer struct {
 
 	SeedAuthorizer SeedAuthorizer `json:"seedAuthorizer,omitempty" yaml:"seedAuthorizer,omitempty"`
 
+	OidcWebhookAuthenticator OidcWebhookAuthenticator `json:"oidcWebhookAuthenticator,omitempty" yaml:"oidcWebhookAuthenticator,omitempty"`
+
 	HVPAEnabled bool        `json:"hvpaEnabled,omitempty" yaml:"hvpaEnabled,omitempty"`
 	HVPA        *HvpaConfig `json:"hvpa,omitempty" yaml:"hvpa,omitempty"`
 
@@ -158,8 +160,19 @@ type HorizontalPodAutoscaler struct {
 
 // GardenerControlplane contains the activation info for webhooks
 type GardenerControlplane struct {
-	ValidatingWebhookEnabled bool `json:"validatingWebhookEnabled,omitempty" yaml:"validatingWebhookEnabled,omitempty"`
-	MutatingWebhookEnabled   bool `json:"mutatingWebhookEnabled,omitempty" yaml:"mutatingWebhookEnabled,omitempty"`
+	ValidatingWebhook AdmissionWebhookConfig `json:"validatingWebhook,omitempty" yaml:"validatingWebhook,omitempty"`
+	MutatingWebhook   AdmissionWebhookConfig `json:"mutatingWebhook,omitempty" yaml:"mutatingWebhook,omitempty"`
+}
+
+type AdmissionWebhookConfig struct {
+	Kubeconfig string                      `json:"kubeconfig,omitempty" yaml:"kubeconfig,omitempty"`
+	Token      AdmissionWebhookTokenConfig `json:"token,omitempty" yaml:"token,omitempty"`
+}
+
+type AdmissionWebhookTokenConfig struct {
+	Enabled           bool   `json:"enabled,omitempty" yaml:"enabled,omitempty"`
+	Audience          string `json:"audience,omitempty" yaml:"audience,omitempty"`
+	ExpirationSeconds int64  `json:"expirationSeconds,omitempty" yaml:"expirationSeconds,omitempty"`
 }
 
 // AuditWebhookConfig contains configuration for the audit webhook.
@@ -173,6 +186,12 @@ type SeedAuthorizer struct {
 	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty" yaml:"certificateAuthorityData,omitempty"`
 }
 
+// OidcWebhookAuthenticator contains configuration for the OIDC webhook authenticator.
+type OidcWebhookAuthenticator struct {
+	Enabled                  bool   `json:"enabled,omitempty" yaml:"enabled,omitempty"`
+	CertificateAuthorityData string `json:"certificateAuthorityData,omitempty" yaml:"certificateAuthorityData,omitempty"`
+}
+
 // SNI contains configuration for SNI settings for the virtual garden.
 type SNI struct {
 	// Hostname is the hostname for the virtual garden kube-apiserver. It is used to create DNS entries

diff --git a/pkg/virtualgarden/constants.go b/pkg/virtualgarden/constants.go
@@ -24,59 +24,66 @@ const (
 
 // Keys of annotations for checksums
 const (
-	ChecksumKeyKubeAPIServerAuditPolicyConfig  = "checksum/configmap-kube-apiserver-audit-policy-config"
-	ChecksumKeyKubeAPIServerEncryptionConfig   = "checksum/secret-kube-apiserver-encryption-config"
-	ChecksumKeyKubeAggregatorCA                = "checksum/secret-kube-aggregator-ca"
-	ChecksumKeyKubeAggregatorClient            = "checksum/secret-kube-aggregator-client"
-	ChecksumKeyKubeAPIServerCA                 = "checksum/secret-kube-apiserver-ca"
-	ChecksumKeyKubeAPIServerServer             = "checksum/secret-kube-apiserver-server"
-	ChecksumKeyKubeAPIServerAuditWebhookConfig = "checksum/secret-kube-apiserver-audit-webhook-config"
-	ChecksumKeyKubeAPIServerAuthWebhookConfig  = "checksum/secret-kube-apiserver-auth-webhook-config"
-	ChecksumKeyKubeAPIServerStaticToken        = "checksum/secret-kube-apiserver-static-token"
-	ChecksumKeyKubeAPIServerAdmissionConfig    = "checksum/virtual-garden-kube-apiserver-admission-config"
-	ChecksumKeyKubeControllerManagerClient     = "checksum/secret-kube-controller-manager-client"
-	ChecksumKeyServiceAccountKey               = "checksum/secret-service-account-key"
+	ChecksumKeyKubeAPIServerAuditPolicyConfig               = "checksum/configmap-kube-apiserver-audit-policy-config"
+	ChecksumKeyKubeAPIServerEncryptionConfig                = "checksum/secret-kube-apiserver-encryption-config"
+	ChecksumKeyKubeAggregatorCA                             = "checksum/secret-kube-aggregator-ca"
+	ChecksumKeyKubeAggregatorClient                         = "checksum/secret-kube-aggregator-client"
+	ChecksumKeyKubeAPIServerCA                              = "checksum/secret-kube-apiserver-ca"
+	ChecksumKeyKubeAPIServerServer                          = "checksum/secret-kube-apiserver-server"
+	ChecksumKeyKubeAPIServerAuditWebhookConfig              = "checksum/secret-kube-apiserver-audit-webhook-config"
+	ChecksumKeyKubeAPIServerAuthWebhookConfig               = "checksum/secret-kube-apiserver-auth-webhook-config"
+	ChecksumKeyKubeAPIServerOidcAuthenticationWebhookConfig = "checksum/secret-kube-apiserver-authentication-webhook-config"
+	ChecksumKeyKubeAPIServerStaticToken                     = "checksum/secret-kube-apiserver-static-token"
+	ChecksumKeyKubeAPIServerAdmissionConfig                 = "checksum/virtual-garden-kube-apiserver-admission-config"
+	ChecksumKeyKubeControllerManagerClient                  = "checksum/secret-kube-controller-manager-client"
+	ChecksumKeyServiceAccountKey                            = "checksum/secret-service-account-key"
 )
 
 // Names of volumes and corresponding volume mounts
 const (
-	volumeNameKubeAggregator                   = "kube-aggregator"
-	volumeNameKubeAPIServer                    = "kube-apiserver"
-	volumeNameKubeAPIServerCA                  = "ca-kube-apiserver"
-	volumeNameKubeAPIServerStaticToken         = "kube-apiserver-static-token"
-	volumeNameKubeAPIServerAdmissionConfig     = "kube-apiserver-admission-config"
-	volumeNameKubeAPIServerAdmissionKubeconfig = "kube-apiserver-admission-kubeconfig"
-	volumeNameKubeAPIServerAdmissionTokens     = "kube-apiserver-admission-tokens"
-	volumeNameKubeAPIServerEncryptionConfig    = "kube-apiserver-encryption-config"
-	volumeNameKubeAPIServerAuthWebhookConfig   = "kube-apiserver-auth-webhook-config"
-	volumeNameKubeAPIServerAuditPolicyConfig   = "kube-apiserver-audit-policy-config"
-	volumeNameKubeAPIServerAuditWebhookConfig  = "kube-apiserver-audit-webhook-config"
-	volumeNameKubeControllerManager            = "kube-controller-manager"
-	volumeNameServiceAccountKey                = "service-account-key"
-	volumeNameCAETCD                           = "ca-etcd"
-	volumeNameCAFrontProxy                     = "ca-front-proxy"
-	volumeNameETCDClientTLS                    = "etcd-client-tls"
-	volumeNameSNITLS                           = "sni-tls"
-	volumeNameFedora                           = "fedora-rhel6-openelec-cabundle"
-	volumeNameCentos                           = "centos-rhel7-cabundle"
-	volumeNameETCSSL                           = "etc-ssl"
+	volumeNameKubeAggregator                               = "kube-aggregator"
+	volumeNameKubeAPIServer                                = "kube-apiserver"
+	volumeNameKubeAPIServerCA                              = "ca-kube-apiserver"
+	volumeNameKubeAPIServerStaticToken                     = "kube-apiserver-static-token"
+	volumeNameKubeAPIServerAdmissionConfig                 = "kube-apiserver-admission-config"
+	volumeNameKubeAPIServerAdmissionKubeconfig             = "kube-apiserver-admission-kubeconfig"
+	volumeNameKubeAPIServerAdmissionTokens                 = "kube-apiserver-admission-tokens"
+	volumeNameKubeAPIServerEncryptionConfig                = "kube-apiserver-encryption-config"
+	volumeNameKubeAPIServerAuthWebhookConfig               = "kube-apiserver-auth-webhook-config"
+	volumeNameKubeAPIServerOidcAuthenticationWebhookConfig = "kube-apiserver-authentication-webhook-config"
+	volumeNameKubeAPIServerAuditPolicyConfig               = "kube-apiserver-audit-policy-config"
+	volumeNameKubeAPIServerAuditWebhookConfig              = "kube-apiserver-audit-webhook-config"
+	volumeNameKubeControllerManager                        = "kube-controller-manager"
+	volumeNameServiceAccountKey                            = "service-account-key"
+	volumeNameCAETCD                                       = "ca-etcd"
+	volumeNameCAFrontProxy                                 = "ca-front-proxy"
+	volumeNameETCDClientTLS                                = "etcd-client-tls"
+	volumeNameSNITLS                                       = "sni-tls"
+	volumeNameFedora                                       = "fedora-rhel6-openelec-cabundle"
+	volumeNameCentos                                       = "centos-rhel7-cabundle"
+	volumeNameETCSSL                                       = "etc-ssl"
 )
 
 // Keys of secrets and configmaps
 const (
-	ValidatingWebhookKey  = "validating-webhook"
-	MutatingWebhookKey    = "mutating-webhook"
-	AuditWebhookConfigKey = "audit-webhook-config.yaml"
-	ConfigYamlKey         = "config.yaml"
-	StaticTokenKey        = "static_tokens.csv"
-	EncryptionConfigKey   = "encryption-config.yaml"
-	ServiceAccountKey     = "service_account.key"
-	ConfigurationYamlKey  = "configuration.yaml"
-	AuditPolicyYamlKey    = "audit-policy.yaml"
+	ValidatingWebhookKey    = "validating-webhook"
+	MutatingWebhookKey      = "mutating-webhook"
+	AuditWebhookConfigKey   = "audit-webhook-config.yaml"
+	ConfigYamlKey           = "config.yaml"
+	StaticTokenKey          = "static_tokens.csv"
+	EncryptionConfigKey     = "encryption-config.yaml"
+	ServiceAccountKey       = "service_account.key"
+	ConfigurationYamlKey    = "configuration.yaml"
+	AuditPolicyYamlKey      = "audit-policy.yaml"
+	SecretKeyKubeconfig     = "kubeconfig"
+	SecretKeyKubeconfigYaml = "kubeconfig.yaml"
 )
 
-const SecretKeyKubeconfig = "kubeconfig"
-
 const kubeAPIServerContainerName = "kube-apiserver"
 
 const kubeControllerManager = "kube-controller-manager"
+
+const (
+	UserVirtualGardenKubeApiServer     = "virtual-garden-kube-apiserver"
+	UserOidcWebhookAuthenticatorGarden = "oidc-webhook-authenticator.garden"
+)
diff --git a/pkg/virtualgarden/kube_api_server.go b/pkg/virtualgarden/kube_api_server.go
@@ -34,12 +34,12 @@ func (o *operation) DeployKubeAPIServer(ctx context.Context) error {
 		return err
 	}
 
-	err = o.deployKubeAPIServerCertificates(ctx, loadBalancer, checksums)
+	oidcAuthenticationWebhookCert, err := o.deployKubeAPIServerCertificates(ctx, loadBalancer, checksums)
 	if err != nil {
 		return err
 	}
 
-	staticTokenHealthCheck, err := o.deployKubeAPIServerSecrets(ctx, checksums)
+	staticTokenHealthCheck, err := o.deployKubeAPIServerSecrets(ctx, checksums, oidcAuthenticationWebhookCert)
 	if err != nil {
 		return err
 	}
@@ -108,8 +108,17 @@ func (o *operation) DeleteKubeAPIServer(ctx context.Context) error {
 }
 
 func (o *operation) isWebhookEnabled() bool {
+	return o.isWebhookTokenEnabled() || o.isWebhookKubeconfig()
+}
+
+func (o *operation) isWebhookTokenEnabled() bool {
+	controlplane := o.imports.VirtualGarden.KubeAPIServer.GardenerControlplane
+	return controlplane.ValidatingWebhook.Token.Enabled || controlplane.MutatingWebhook.Token.Enabled
+}
+
+func (o *operation) isWebhookKubeconfig() bool {
 	controlplane := o.imports.VirtualGarden.KubeAPIServer.GardenerControlplane
-	return controlplane.ValidatingWebhookEnabled || controlplane.MutatingWebhookEnabled
+	return controlplane.ValidatingWebhook.Kubeconfig != "" || controlplane.MutatingWebhook.Kubeconfig != ""
 }
 
 func (o *operation) computeKubeAPIServerLoadBalancer(ctx context.Context) (string, error) {