From 9533be32a1765bc05c087632ac0f74f03389956b Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Wed, 31 Mar 2021 06:32:01 +0000
Subject: [PATCH] Add required apiserver serviceaccount flags

In v1.20, TokenRequest and TokenRequestProjection become GA features, and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file
This change ensures that the flags are set, and that the required keys are in the right places.
Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
---
.../templates/deployment.yaml | 9 +++++++
.../templates/secret-keys.yaml | 27 +++++++++++++++++++
charts/apiserver-webhook/values.yaml | 6 +++++
.../apiserver/templates/secret-apiserver.yaml | 1 +
charts/apiserver/values.yaml | 6 +++++
examples/basic/armada-resources.yaml | 7 +++++
examples/complete/armada-resources.yaml | 7 +++++
examples/containerd/armada-resources.yaml | 7 +++++
examples/gate/armada-resources.yaml | 7 +++++
.../templates/include/genesis-apiserver.yaml | 2 ++
.../genesis/apiserver/pki/service-account.key | 1 +
.../builder_data/simple/armada-resources.yaml | 7 +++++
.../bootstrap-armada-config.yaml | 7 +++++
13 files changed, 94 insertions(+)
create mode 100644 charts/apiserver-webhook/templates/secret-keys.yaml
create mode 100644 promenade/templates/roles/genesis/etc/genesis/apiserver/pki/service-account.key
diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml
index a469b1e1..79c5783e 100644
--- a/charts/apiserver-webhook/templates/deployment.yaml
+++ b/charts/apiserver-webhook/templates/deployment.yaml
@@ -171,6 +171,7 @@ spec:
 - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
 - --allow-privileged=true
 - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
+ - --service-account-signing-key-file={{ $envAll.Values.conf.paths.saprivkey }}
 - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
 - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
 {{- range $key, $val := .Values.conf.apiserver }}
@@ -200,6 +201,10 @@ spec:
 mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
 subPath: service-account.pub
 readOnly: true
+ - name: secrets-etc
+ mountPath: {{ $envAll.Values.conf.paths.saprivkey }}
+ subPath: service-account.key
+ readOnly: true
 - name: configmap-etc
 mountPath: {{ $envAll.Values.conf.paths.conf }}
 subPath: webhook.kubeconfig
@@ -273,6 +278,10 @@ spec:
 configMap:
 name: {{ .Release.Name }}-etc
 defaultMode: 0444
+ - name: secrets-etc
+ secret:
+ secretName: {{ .Release.Name }}-keys
+ defaultMode: 0444
 - name: configmap-bin
 configMap:
 name: {{ .Release.Name }}-bin
diff --git a/charts/apiserver-webhook/templates/secret-keys.yaml b/charts/apiserver-webhook/templates/secret-keys.yaml
new file mode 100644
index 00000000..3e3faa70
--- /dev/null
+++ b/charts/apiserver-webhook/templates/secret-keys.yaml
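Review bot: The `secrets-etc` volume added in the third hunk serves the service-account signing key with `defaultMode: 0444`, so every uid inside the container can read it; the configmap volume it mirrors holds only configuration, whereas this one holds private key material, and `defaultMode: 0400` is enough if the apiserver process runs as the file owner (root in the usual static-pod setup — confirm for this image). The volume and its mount are also declared unconditionally, while the `{{ .Release.Name }}-keys` Secret is only rendered when `manifests.secret_keys` is true (secret-keys.yaml, values.yaml in this patch), so turning that toggle off leaves the pod stuck on a missing Secret at volume mount rather than running without the flag; wrap the volume, the mount and the `--service-account-signing-key-file` argument in `{{- if .Values.manifests.secret_keys }}` … `{{- end }}`, or document on the toggle that it cannot be disabled. The enclosing Deployment spec starts and ends outside these hunks.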
@@ -0,0 +1,27 @@
+{{/*
+Copyright 2021 AT&T Intellectual Property. All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keys }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-keys
+type: Opaque
+data:
+ service-account.key: {{ .Values.secrets.service_account.private_key | b64enc }}
+{{- end }}
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml
index 4993992f..9f0f5e18 100644
--- a/charts/apiserver-webhook/values.yaml
+++ b/charts/apiserver-webhook/values.yaml
@@ -103,6 +103,7 @@ certificates:
 secrets:
 service_account:
 public_key: placeholder
+ private_key: placeholder
 identity:
 admin: apiserver-webhook-keystone-creds-admin
 webhook: apiserver-webhook-keystone-creds-webhook
@@ -302,6 +303,7 @@ conf:
 conf: '/etc/webhook_apiserver/webhook.kubeconfig'
 policy: '/etc/webhook_apiserver/conf/policy.json'
 sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
+ saprivkey: '/etc/webhook_apiserver/pki/service-accounts.key'
 encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
 # Every key below 'apiserver' yields a dynamic configuration file
 # and can mutate the apiserver command-line args.
@@ -354,6 +356,9 @@ conf:
 # rules:
 # - level: Metadata
 #
+ service_account_issuer:
+ command_options:
+ - --service-account-issuer=https://kubernetes.default.svc.cluster.local
 policy:
 - resource:
 verbs:
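Review bot: `service-account.key` is rendered from `.Values.secrets.service_account.private_key | b64enc` with no guard, and values.yaml in this same patch defaults that field to `placeholder`, so a deployment that forgets the Deckhand substitution gets a well-formed Secret containing the literal string `placeholder` and the apiserver only fails later at startup; `{{ required "secrets.service_account.private_key must be set" .Values.secrets.service_account.private_key | b64enc }}` surfaces the mistake at render time. The same applies to the new `service-account.key` line in charts/apiserver/templates/secret-apiserver.yaml, although the existing key lines there do not guard either, so that may be a follow-up for the whole file. `$envAll` is assigned but never used in this template and can be dropped. A one-line comment above `data:`, e.g. `# private half of secrets.service_account.public_key; mounted at conf.paths.saprivkey by deployment.yaml`, would spare the next reader a trip through the chart.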
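Review bot: The `--service-account-issuer` value in the new `service_account_issuer` stanza is hard-coded to `https://kubernetes.default.svc.cluster.local` here, again in charts/apiserver/values.yaml and a third time in promenade/templates/include/genesis-apiserver.yaml; TokenRequest tokens carry this issuer in their `iss` claim and are rejected by an apiserver whose flag does not match, so the three copies must stay identical and changing the value later invalidates projected tokens already handed to workloads. A comment above the stanza such as `# Must match the issuer on every apiserver that validates these tokens (charts/apiserver, genesis); changing it invalidates tokens already issued.` makes that coupling visible, and within this chart the string could come from one values key instead of being repeated. The indentation of the new stanza is not recoverable from the patch text, but it has to sit under `conf.apiserver` for the `range $key, $val := .Values.conf.apiserver` loop in deployment.yaml to emit the flag; the enclosing `conf:` mapping starts and ends outside the hunk.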
@@ -427,5 +432,6 @@ manifests:
 pod_test: false
 secret_keystone: true
 secret_tls: true
+ secret_keys: true
 service: true
 network_policy: false
diff --git a/charts/apiserver/templates/secret-apiserver.yaml b/charts/apiserver/templates/secret-apiserver.yaml
index ed168d16..d0089b10 100644
--- a/charts/apiserver/templates/secret-apiserver.yaml
+++ b/charts/apiserver/templates/secret-apiserver.yaml
@@ -26,4 +26,5 @@ data:
 apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
 etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
 kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
+ service-account.key: {{ .Values.secrets.service_account.private_key | b64enc }}
 {{- end }}
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index 786658d5..f9d6465a 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -36,6 +36,7 @@ const:
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
 - --secure-port=$(APISERVER_PORT)
 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+ - --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
 
@@ -52,6 +53,7 @@ const:
 /etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
 /etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
 /etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
+ /etc/kubernetes/apiserver/pki/service-account.key: /keys/service-account.key
 /etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml
 
 images:
@@ -163,6 +165,9 @@ conf:
 - name: key1
 secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
 - identity: {}
+ service_account_issuer:
+ command_options:
+ - --service-account-issuer=https://kubernetes.default.svc.cluster.local
 apiserver:
 arguments:
@@ -214,6 +219,7 @@ secrets:
 key: placeholder
 service_account:
 public_key: placeholder
+ private_key: placeholder
 etcd:
 tls:
 ca: placeholder
diff --git a/examples/basic/armada-resources.yaml b/examples/basic/armada-resources.yaml
index 5daef8dc..d0439a43 100644
--- a/examples/basic/armada-resources.yaml
+++ b/examples/basic/armada-resources.yaml
@@ -697,6 +697,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 -
 src:
 schema: promenade/EncryptionPolicy/v1
diff --git a/examples/complete/armada-resources.yaml b/examples/complete/armada-resources.yaml
index ed80ec7d..cfdc9b91 100644
--- a/examples/complete/armada-resources.yaml
+++ b/examples/complete/armada-resources.yaml
@@ -714,6 +714,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 data:
 chart_name: apiserver
diff --git a/examples/containerd/armada-resources.yaml b/examples/containerd/armada-resources.yaml
index 0790db01..6203ca13 100644
--- a/examples/containerd/armada-resources.yaml
+++ b/examples/containerd/armada-resources.yaml
@@ -594,6 +594,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 -
 src:
diff --git a/examples/gate/armada-resources.yaml b/examples/gate/armada-resources.yaml
index 7e541e37..a574de32 100644
--- a/examples/gate/armada-resources.yaml
+++ b/examples/gate/armada-resources.yaml
@@ -600,6 +600,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 -
 src:
diff --git a/promenade/templates/include/genesis-apiserver.yaml b/promenade/templates/include/genesis-apiserver.yaml
index 4314a61c..bb0b15f6 100644
--- a/promenade/templates/include/genesis-apiserver.yaml
+++ b/promenade/templates/include/genesis-apiserver.yaml
@@ -10,7 +10,9 @@
 - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
 - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+ - --service-account-issuer=https://kubernetes.default.svc.cluster.local
 - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+ - --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
 - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
 - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
 {%- for argument in config.get_path('Genesis:apiserver.arguments', []) %}
diff --git a/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/service-account.key b/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/service-account.key
new file mode 100644
index 00000000..8eca90e6
--- /dev/null
+++ b/promenade/templates/roles/genesis/etc/genesis/apiserver/pki/service-account.key
@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/PrivateKey/v1', name='service-account') }}
diff --git a/tests/unit/builder_data/simple/armada-resources.yaml b/tests/unit/builder_data/simple/armada-resources.yaml
index 9af0911f..ec0fc902 100644
--- a/tests/unit/builder_data/simple/armada-resources.yaml
+++ b/tests/unit/builder_data/simple/armada-resources.yaml
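Review bot: The new `service-account.key` template places the signing key in the genesis asset tree by path alone, and nothing in the patch assigns a file mode to it; the `apiserver-key.pem` and `kubelet-client-key.pem` referenced beside it under `/etc/kubernetes/apiserver/pki/` presumably already receive restrictive permissions from the builder, so confirm the same rule covers the new filename, otherwise the key that signs every service-account token is written world-readable on the genesis host. `config.get(schema='deckhand/PrivateKey/v1', name='service-account')` has no visible fallback, so the behaviour when that document is absent (empty file versus a render error) should be stated where the flag is added in genesis-apiserver.yaml, e.g. `{# requires a deckhand/PrivateKey/v1 document named service-account; rendered to pki/service-account.key #}`. The command list in genesis-apiserver.yaml begins before the hunk.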
@@ -607,6 +607,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 data:
 chart_name: apiserver
diff --git a/tools/gate/config-templates/bootstrap-armada-config.yaml b/tools/gate/config-templates/bootstrap-armada-config.yaml
index c8e2667b..c07a0619 100644
--- a/tools/gate/config-templates/bootstrap-armada-config.yaml
+++ b/tools/gate/config-templates/bootstrap-armada-config.yaml
@@ -627,6 +627,13 @@ metadata:
 path: .
 dest:
 path: .values.secrets.service_account.public_key
+ -
+ src:
+ schema: deckhand/PrivateKey/v1
+ name: service-account
+ path: .
+ dest:
+ path: .values.secrets.service_account.private_key
 data:
 chart_name: apiserver