From 0e813a04b989eda317d3f8acb4d8f140f4d00ee7 Mon Sep 17 00:00:00 2001 From: Scott Hussey Date: Wed, 19 Sep 2018 14:21:18 -0500 Subject: [PATCH] Extend webhook-enabled apiserver chart - Updates to the webhook-enabled apiserver chart to properly support certificate trust and allow for fragmented CAs for better security. Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67 --- .../templates/bin/_webhook_start.sh.tpl | 19 +- .../templates/configmap-bin.yaml | 8 +- .../templates/configmap-certs.yaml | 31 --- .../templates/configmap-etc.yaml | 3 +- .../templates/deployment.yaml | 227 +++++++++++++----- .../templates/etc/_kubeconfig.yaml.tpl | 34 --- .../templates/etc/_webhook.kubeconfig.tpl | 3 +- .../templates/ingress-api.yaml | 6 +- ...secret-apiserver.yaml => job-ks-user.yaml} | 17 +- .../templates/secret-ingress-tls.yaml | 19 -- .../templates/secret-keystone.yaml | 2 +- .../templates/secret-tls.yaml | 73 ++++++ .../templates/secret-webhook.yaml | 28 --- ...-ingress.yaml => service-ingress-api.yaml} | 6 +- .../apiserver-webhook/templates/service.yaml | 6 +- charts/apiserver-webhook/values.yaml | 176 ++++++++------ 16 files changed, 383 insertions(+), 275 deletions(-) delete mode 100644 charts/apiserver-webhook/templates/configmap-certs.yaml delete mode 100644 charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl rename charts/apiserver-webhook/templates/{secret-apiserver.yaml => job-ks-user.yaml} (61%) delete mode 100644 charts/apiserver-webhook/templates/secret-ingress-tls.yaml create mode 100644 charts/apiserver-webhook/templates/secret-tls.yaml delete mode 100644 charts/apiserver-webhook/templates/secret-webhook.yaml rename charts/apiserver-webhook/templates/{service-apiserver-ingress.yaml => service-ingress-api.yaml} (78%) diff --git a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl index 0fbe3350..7357f5c0 100644 --- a/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl 
+++ b/charts/apiserver-webhook/templates/bin/_webhook_start.sh.tpl @@ -18,9 +18,20 @@ limitations under the License. set -xe +SERVER_CERT_FILE=${SERVER_CERT_FILE:-"/etc/webhook_apiserver/pki/tls.crt"} +SERVER_KEY_FILE=${SERVER_KEY_FILE:-"/etc/webhook_apiserver/pki/tls.key"} +POLICY_FILE=${POLICY_FILE:-"/etc/webhook_apiserver/policy.json"} +SERVER_PORT=${SERVER_PORT:-"8443"} +KEYSTONE_CA_FILE=${KEYSTONE_CA_FILE:-"/etc/webhook_apiserver/pki/keystone.pem"} + exec /bin/k8s-keystone-auth \ - --tls-cert-file /opt/kubernetes-keystone-webhook/pki/tls.crt \ - --tls-private-key-file /opt/kubernetes-keystone-webhook/pki/tls.key \ - --keystone-policy-file /etc/kubernetes-keystone-webhook/policy.json \ - --listen 127.0.0.1:8443 \ + --v 5 \ + --tls-cert-file "${SERVER_CERT_FILE}" \ + --tls-private-key-file "${SERVER_KEY_FILE}" \ + --keystone-policy-file "${POLICY_FILE}" \ + --listen "127.0.0.1:${SERVER_PORT}" \ +{{- if hasKey .Values.certificates "keystone" }} + --keystone-ca-file "${KEYSTONE_CA_FILE}" \ +{{- end }} --keystone-url {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} + diff --git a/charts/apiserver-webhook/templates/configmap-bin.yaml b/charts/apiserver-webhook/templates/configmap-bin.yaml index 6cf5263b..731cd230 100644 --- a/charts/apiserver-webhook/templates/configmap-bin.yaml +++ b/charts/apiserver-webhook/templates/configmap-bin.yaml @@ -16,13 +16,15 @@ limitations under the License. {{- if .Values.manifests.configmap_bin }} {{- $envAll := . }} - --- apiVersion: v1 kind: ConfigMap metadata: - name: {{ .Values.service.name }}-bin + name: {{ .Release.Name }}-bin data: - webhook_start.sh: | + ks-user.sh: |- +{{- include "helm-toolkit.scripts.keystone_user" $envAll | indent 4 }} + webhook_start.sh: |- {{ tuple "bin/_webhook_start.sh.tpl" $envAll | include "helm-toolkit.utils.template" | indent 4 }} +... {{- end }} 
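Review bot: `--v 5` is hard-coded in the exec line while every other setting added by this hunk is taken from an environment variable with a default. An authentication webhook receives raw bearer tokens in TokenReview bodies, so verbose request logging is a credential-exposure path through pod logs; I can't confirm from the diff what k8s-keystone-auth prints at that level, but it should not be the unconditional default. Suggest `WEBHOOK_LOG_LEVEL=${WEBHOOK_LOG_LEVEL:-"2"}` next to the other defaults and `--v "${WEBHOOK_LOG_LEVEL}" \` in the exec line, so the level is raised only when someone is debugging.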
diff --git a/charts/apiserver-webhook/templates/configmap-certs.yaml b/charts/apiserver-webhook/templates/configmap-certs.yaml deleted file mode 100644 index 34d412e0..00000000 --- a/charts/apiserver-webhook/templates/configmap-certs.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -Copyright 2017 AT&T Intellectual Property. All other rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.configmap_certs }} -{{- $envAll := . }} - ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.service.name }}-certs -data: - cluster-ca.pem: {{ .Values.secrets.tls.ca | quote }} - apiserver.pem: {{ .Values.secrets.tls.cert | quote }} - etcd-client-ca.pem: {{ .Values.secrets.etcd.tls.ca | quote }} - etcd-client.pem: {{ .Values.secrets.etcd.tls.cert | quote }} - service-account.pub: {{ .Values.secrets.service_account.public_key | quote }} -{{- end }} diff --git a/charts/apiserver-webhook/templates/configmap-etc.yaml b/charts/apiserver-webhook/templates/configmap-etc.yaml index f08cdfe7..cb2b4422 100644 --- a/charts/apiserver-webhook/templates/configmap-etc.yaml +++ b/charts/apiserver-webhook/templates/configmap-etc.yaml 
@@ -21,8 +21,9 @@ limitations under the License. apiVersion: v1 kind: ConfigMap metadata: - name: {{ .Values.service.name }}-etc + name: {{ .Release.Name }}-etc data: + service-account.pub: {{ .Values.secrets.service_account.public_key | quote }} webhook.kubeconfig: | {{ tuple "etc/_webhook.kubeconfig.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} policy.json: | diff --git a/charts/apiserver-webhook/templates/deployment.yaml b/charts/apiserver-webhook/templates/deployment.yaml index 091288e4..a9ac0ba8 100644 --- a/charts/apiserver-webhook/templates/deployment.yaml +++ b/charts/apiserver-webhook/templates/deployment.yaml 
@@ -14,13 +14,94 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{/* +These local.* templates may be moved out of this chart into helm-toolkit +in the future if there is desire to generalize this pattern. Otherwise +in the future they will be moved into a separate helpers file. +*/}} + +{{- define "local.tls_volume_name" -}} +{{- $group := index . 0 -}} +{{- $type := index . 1 -}} +tls-{{ $group | replace "_" "-" }}-{{ $type | replace "_" "-" }} +{{- end -}} + +{{- define "local.attach_all_bundles" }} +{{- $envAll := . }} +{{- range $group, $certs := $envAll.Values.certificates }} +{{- range $type, $bundle := . }} +{{ tuple $group $type $envAll | include "local.attach_cert_bundle" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "local.attach_cert_bundle" }} +{{- $group := index . 0 }} +{{- $type := index . 1 }} +{{- $envAll := index . 2 }} +- name: {{ tuple $group $type | include "local.tls_volume_name" }} + secret: + secretName: {{ tuple $group $type $envAll | include "local.tls_secret_name" }} + defaultMode: 0444 +{{ end }} + +{{- define "local.mount_all_bundles" }} +{{- $basepath := index . 0 }} +{{- $envAll := index . 1 }} +{{- range $group, $certs := $envAll.Values.certificates }} +{{- range $type, $bundle := . }} +{{ tuple $group $type $basepath $envAll | include "local.mount_cert_bundle" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "local.mount_cert_bundle" }} +{{- $group := index . 0 }} +{{- $type := index . 1 }} +{{- $basepath := index . 2 }} +{{- $envAll := index . 3 }} +{{- $bundle := index $envAll.Values "certificates" $group $type }} +{{- range tuple "ca" "cert" "key" }} +{{- if hasKey $bundle . }} +{{ tuple $group $type . $basepath $envAll | include "local.mount_cert_file" }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "local.mount_cert_file" }} +{{- $group := index . 0 }} +{{- $type := index . 1 }} +{{- $member := index . 2 }} +{{- $basepath := index . 
3 }} +{{- $envAll := index . 4 }} +- name: {{ tuple $group $type | include "local.tls_volume_name" }} + mountPath: {{ tuple $group $type $basepath $member $envAll | include "local.cert_bundle_path" }} +{{- if eq $member "ca" }} + subPath: ca.crt +{{- else if eq $member "cert" }} + subPath: tls.crt +{{- else if eq $member "key" }} + subPath: tls.key +{{- end }} + readOnly: true +{{- end }} + +{{- define "local.cert_bundle_path" -}} +{{- $group := index . 0 -}} +{{- $type := index . 1 -}} +{{- $basepath := index . 2 -}} +{{- $member := index . 3 -}} +{{- $envAll := index . 4 -}} +{{ $basepath }}/{{ $group }}-{{ $type }}-{{ $member }}.pem +{{- end -}} + {{- if .Values.manifests.deployment }} {{- $envAll := . }} --- apiVersion: apps/v1 kind: Deployment metadata: - name: kubernetes-keystone-webhook + name: {{ .Release.Name }}-apiserver-webhook labels: {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} spec: @@ -36,7 +117,7 @@ spec: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }} spec: - dnsPolicy: ClusterFirstWithHostNet + dnsPolicy: ClusterFirst containers: - name: apiserver image: {{ .Values.images.tags.apiserver }} 
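Review bot: `local.attach_cert_bundle` mounts every bundle secret, including the ones that carry a `tls.key`, with `defaultMode: 0444`, so private keys are readable by any uid inside the pod; no securityContext appears in this hunk, so unless a non-root user is planned, `defaultMode: 0400` keeps the keys owner-only. The block also calls `local.tls_secret_name`, which is defined in secret-tls.yaml rather than in this file, so a comment such as `{{/* local.tls_secret_name is defined in templates/secret-tls.yaml; keep the two in sync */}}` above `local.attach_cert_bundle` would save the next maintainer a search. `local.cert_bundle_path` takes `$envAll` as its fifth tuple element but never uses it.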
@@ -50,93 +131,117 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - command: {{- range .Values.command_prefix }} - {{ . }} {{- end }} + - --service-cluster-ip-range={{ $envAll.Values.network.service_cidr }} - --authorization-mode=Webhook - --advertise-address=$(POD_IP) - --anonymous-auth=false - --endpoint-reconciler-type=none - - --bind-address=0.0.0.0 - - --secure-port={{ .Values.network.kubernetes_apiserver.port }} + - --bind-address=$(POD_IP) + - --secure-port={{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - --insecure-port=0 - - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem - - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem - - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem + - --tls-cert-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }} + - --tls-private-key-file={{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }} - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - - --kubelet-certificate-authority=/etc/kubernetes/apiserver/pki/cluster-ca.pem - - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/apiserver.pem - - --kubelet-client-key=/etc/kubernetes/apiserver/pki/apiserver-key.pem + - --kubelet-certificate-authority={{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }} + - --kubelet-client-certificate={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }} + - --kubelet-client-key={{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }} - --etcd-servers={{ tuple "etcd" "internal" "client" . 
| include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }} - - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem - - --etcd-certfile=/etc/kubernetes/apiserver/pki/etcd-client.pem - - --etcd-keyfile=/etc/kubernetes/apiserver/pki/etcd-client-key.pem + - --etcd-cafile={{ tuple "etcd" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" }} + - --etcd-certfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" }} + - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }} - --allow-privileged=true - - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub - - --authentication-token-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig - - --authorization-webhook-config-file=/etc/kubernetes/apiserver/webhook.kubeconfig - ports: - - containerPort: {{ .Values.network.kubernetes_apiserver.port }} + - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }} + - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }} + - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }} readinessProbe: tcpSocket: - port: 6443 - initialDelaySeconds: 5 - periodSeconds: 10 + port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{ $envAll.Values.pod.probes.readinessProbe | toYaml | indent 12 }} livenessProbe: tcpSocket: - port: 6443 - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 20 + port: {{ tuple "webhook_apiserver" "podport" "api" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{ $envAll.Values.pod.probes.livenessProbe | toYaml | indent 12 }} volumeMounts: - - name: etc - mountPath: /etc/kubernetes/apiserver - - name: {{ .Values.service.name }}-etc - mountPath: /etc/kubernetes/apiserver/webhook.kubeconfig + - name: etc-apiserver 
+ mountPath: {{ $envAll.Values.conf.paths.base }} + - name: etc-apiserver-pki + mountPath: {{ $envAll.Values.conf.paths.pki }} + - name: configmap-etc + mountPath: {{ $envAll.Values.conf.paths.sapubkey }} + subPath: service-account.pub + readOnly: true + - name: configmap-etc + mountPath: {{ $envAll.Values.conf.paths.conf }} subPath: webhook.kubeconfig readOnly: true - - name: kubernetes-keystone-webhook +{{ tuple "keystone_webhook" "server" "ca" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_file" | indent 12 }} +{{ tuple "apiserver_webhook_pod" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} +{{ tuple "kubelet" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} +{{ tuple "kubelet" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} +{{ tuple "etcd" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} +{{ tuple "etcd" "client" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} + - name: webhook {{ tuple $envAll "kubernetes_keystone_webhook" | include "helm-toolkit.snippets.image" | indent 10 }} {{ tuple $envAll $envAll.Values.pod.resources.server | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }} command: - /tmp/webhook_start.sh + env: +{{- with $env := dict "ksUserSecret" .Values.secrets.identity.webhook }} +{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }} +{{- end }} + - name: SERVER_CERT_FILE + value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "cert" $envAll | include "local.cert_bundle_path" | quote }} + - name: SERVER_KEY_FILE + value: {{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" | quote }} + - name: POLICY_FILE + value: {{ $envAll.Values.conf.paths.policy | quote }} + - 
name: SERVER_PORT + value: {{ tuple "webhook_apiserver" "podport" "webhook" $envAll | include "helm-toolkit.endpoints.endpoint_port_lookup" | quote }} +{{- if hasKey .Values.certificates "keystone" }} + - name: KEYSTONE_CA_FILE + value: {{ tuple "keystone" "server" $envAll.Values.conf.paths.pki "ca" $envAll | include "local.cert_bundle_path" | quote }} +{{- end }} volumeMounts: - - name: etc-kubernetes-keystone-webhook - mountPath: /etc/kubernetes-keystone-webhook - - name: key-kubernetes-keystone-webhook - mountPath: /opt/kubernetes-keystone-webhook/pki/tls.crt - subPath: tls.crt - readOnly: true - - name: key-kubernetes-keystone-webhook - mountPath: /opt/kubernetes-keystone-webhook/pki/tls.key - subPath: tls.key - readOnly: true - - name: {{ .Values.service.name }}-etc - mountPath: /etc/kubernetes-keystone-webhook/policy.json + - name: etc-webhook + mountPath: {{ $envAll.Values.conf.paths.base }} + - name: etc-webhook-pki + mountPath: {{ $envAll.Values.conf.paths.pki }} + - name: configmap-etc + mountPath: {{ $envAll.Values.conf.paths.policy }} subPath: policy.json readOnly: true - - name: {{ .Values.service.name }}-bin + - name: configmap-bin mountPath: /tmp/webhook_start.sh subPath: webhook_start.sh readOnly: true +{{ tuple "keystone_webhook" "server" $envAll.Values.conf.paths.pki $envAll | include "local.mount_cert_bundle" | indent 12 }} volumes: - - name: etc - hostPath: - path: {{ .Values.apiserver.host_etc_path }} - - name: etc-kubernetes-keystone-webhook - emptyDir: {} - - name: key-kubernetes-keystone-webhook - secret: - secretName: {{ $envAll.Values.secrets.certificates.api }} - defaultMode: 0444 - - name: {{ .Values.service.name }}-etc - configMap: - name: {{ .Values.service.name }}-etc - defaultMode: 0444 - - name: {{ .Values.service.name }}-bin - configMap: - name: {{ .Values.service.name }}-bin - defaultMode: 0555 +{{- if hasKey .Values.certificates "keystone" }} +{{ tuple "keystone" "server" $envAll.Values.conf.paths.pki $envAll | include 
"local.mount_cert_bundle" | indent 12 }} +{{- end }} +{{ include "local.attach_all_bundles" $envAll | indent 8 }} + - name: etc-apiserver + emptyDir: {} + - name: etc-apiserver-pki + emptyDir: {} + - name: etc-webhook + emptyDir: {} + - name: etc-webhook-pki + emptyDir: {} + - name: configmap-etc + configMap: + name: {{ .Release.Name }}-etc + defaultMode: 0444 + - name: configmap-bin + configMap: + name: {{ .Release.Name }}-bin + defaultMode: 0555 + - name: tls-apiserver-webhook-public-server + secret: + defaultMode: 292 + secretName: {{ .Values.secrets.tls.webhook_apiserver.api.public }} {{- end }} diff --git a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl b/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl deleted file mode 100644 index 53810a6f..00000000 --- a/charts/apiserver-webhook/templates/etc/_kubeconfig.yaml.tpl +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright 2017 AT&T Intellectual Property. All other rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - ---- -apiVersion: v1 -clusters: -- cluster: - server: https://127.0.0.1:{{ .Values.network.kubernetes_apiserver.port }} - certificate-authority: pki/cluster-ca.pem - name: kubernetes -contexts: -- context: - cluster: kubernetes - user: apiserver - name: apiserver@kubernetes -current-context: apiserver@kubernetes -kind: Config -preferences: {} -users: -- name: apiserver - user: - client-certificate: pki/apiserver.pem - client-key: pki/apiserver-key.pem 
diff --git a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl index a834a886..7e12810d 100644 --- a/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl +++ b/charts/apiserver-webhook/templates/etc/_webhook.kubeconfig.tpl @@ -2,7 +2,8 @@ apiVersion: v1 clusters: - cluster: insecure-skip-tls-verify: false - server: https://127.0.0.1:8443/webhook + server: https://127.0.0.1:{{ tuple "webhook_apiserver" "podport" "webhook" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/webhook + certificate-authority: {{ tuple "keystone_webhook" "server" .Values.conf.paths.pki "ca" . | include "local.cert_bundle_path" | quote }} name: webhook contexts: - context: diff --git a/charts/apiserver-webhook/templates/ingress-api.yaml b/charts/apiserver-webhook/templates/ingress-api.yaml index 8b9f9bf0..e2bc47af 100644 --- a/charts/apiserver-webhook/templates/ingress-api.yaml +++ b/charts/apiserver-webhook/templates/ingress-api.yaml @@ -15,7 +15,7 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.manifests.ingress_api .Values.network.kubernetes_apiserver.ingress.public }} -{{- $ingressOpts := dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" "backendPort" "https" -}} -{{- $ingressOpts | include "helm-toolkit.manifests.ingress" -}} +{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +{{- $ingressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" "backendPort" "https" -}} +{{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} 
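Review bot: The new `certificate-authority` line makes the apiserver verify the webhook's certificate against the keystone_webhook server CA, but the `server` URL is `https://127.0.0.1:<port>/webhook`, so the certificate in `certificates.keystone_webhook.server` must carry an IP SAN for 127.0.0.1 or every TokenReview/SubjectAccessReview call will fail TLS verification now that `insecure-skip-tls-verify: false` is actually enforced. That requirement is not stated anywhere in the diff; a comment above the `cluster:` entry, `# the keystone_webhook server cert must include 127.0.0.1 as an IP SAN`, or the equivalent note beside the group in values.yaml, would avoid a confusing rollout failure. The `users:` section of this kubeconfig is outside the hunk.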
diff --git a/charts/apiserver-webhook/templates/secret-apiserver.yaml b/charts/apiserver-webhook/templates/job-ks-user.yaml similarity index 61% rename from charts/apiserver-webhook/templates/secret-apiserver.yaml rename to charts/apiserver-webhook/templates/job-ks-user.yaml index f32f6bfd..1471462f 100644 --- a/charts/apiserver-webhook/templates/secret-apiserver.yaml +++ b/charts/apiserver-webhook/templates/job-ks-user.yaml @@ -1,5 +1,5 @@ {{/* -Copyright 2017 AT&T Intellectual Property. All other rights reserved. +Copyright 2018 AT&T Intellectual Property. All other rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -14,15 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if .Values.manifests.secret }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.service.name }}-keys -type: Opaque -data: - apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }} - etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }} +{{- if .Values.manifests.job_ks_user }} +{{ $cm_name := printf "%s-bin" .Release.Name }} +{{- $ksUserJob := dict "envAll" . "serviceName" "webhook_apiserver" "configMapBin" $cm_name "serviceUser" "webhook" -}} +{{ $ksUserJob | include "helm-toolkit.manifests.job_ks_user" }} {{- end }} diff --git a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml b/charts/apiserver-webhook/templates/secret-ingress-tls.yaml deleted file mode 100644 index 92574bf9..00000000 --- a/charts/apiserver-webhook/templates/secret-ingress-tls.yaml +++ /dev/null 
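Review bot: `{{ $cm_name := printf "%s-bin" .Release.Name }}` uses plain delimiters, so the assignment leaves an empty line in the rendered output between the `if` and the job manifest while the neighbouring lines trim their whitespace; it should read `{{- $cm_name := printf "%s-bin" .Release.Name -}}`. The job creates a Keystone user for the webhook from `secrets.identity.webhook`; the role it is granted presumably comes from the matching identity auth entry for `webhook`, which is not in this diff, so check that it is the least privilege the webhook needs for token validation rather than an admin role.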
@@ -1,19 +0,0 @@ -{{/* -Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.secret_ingress_tls }} -{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "kubernetes_apiserver" "backendServiceType" "kubernetes_apiserver" ) }} -{{- end }} diff --git a/charts/apiserver-webhook/templates/secret-keystone.yaml b/charts/apiserver-webhook/templates/secret-keystone.yaml index 99f1d5b8..4a49e8bb 100644 --- a/charts/apiserver-webhook/templates/secret-keystone.yaml +++ b/charts/apiserver-webhook/templates/secret-keystone.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.secret_keystone }} {{- $envAll := . }} -{{- range $key1, $userClass := tuple "admin" }} +{{- range $key1, $userClass := tuple "admin" "webhook" }} {{- $secretName := index $envAll.Values.secrets.identity $userClass }} --- apiVersion: v1 diff --git a/charts/apiserver-webhook/templates/secret-tls.yaml b/charts/apiserver-webhook/templates/secret-tls.yaml new file mode 100644 index 00000000..3ad03e4d --- /dev/null +++ b/charts/apiserver-webhook/templates/secret-tls.yaml 
@@ -0,0 +1,73 @@ +{{/* +Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- define "local.tls_secret_name" -}} +{{- $group := index . 0 -}} +{{- $type := index . 1 -}} +{{- $envAll := index . 2 -}} +{{ printf "%s-%s-%s" $envAll.Release.Name $group $type | replace "_" "-" }} +{{- end -}} + +{{- define "local.tls_secret" }} +{{- $group := index . 0 }} +{{- $type := index . 1 }} +{{- $bundle := index . 2 }} +{{- $envAll := index . 3 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ tuple $group $type $envAll | include "local.tls_secret_name" }} + namespace: {{ $envAll.Release.Namespace }} +type: opaque +data: + {{- if hasKey $bundle "ca" }} + ca.crt: |- +{{ $bundle.ca | b64enc | indent 4 }} + {{- end }} + {{- if hasKey $bundle "cert" }} + tls.crt: |- +{{ $bundle.cert | b64enc | indent 4 }} + {{- end }} + {{- if hasKey $bundle "key" }} + tls.key: |- +{{ $bundle.key | b64enc | indent 4 }} + {{- end }} +... +{{- end -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secrets.tls.webhook_apiserver.api.public }} + namespace: {{ .Release.Namespace }} +type: opaque +data: + ca.crt: |- +{{ .Values.secrets.tls.webhook_apiserver.api.server.ca | b64enc | indent 4 }} + tls.crt: |- +{{ .Values.secrets.tls.webhook_apiserver.api.server.cert | b64enc | indent 4 }} + tls.key: |- +{{ .Values.secrets.tls.webhook_apiserver.api.server.key | b64enc | indent 4 }} +... 
+{{- if .Values.manifests.secret_tls }} +{{- $envAll := . }} +{{- range $group, $certs := .Values.certificates }} +{{- range $type, $bundle := $certs }} +{{ tuple $group $type $bundle $envAll | include "local.tls_secret" }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/apiserver-webhook/templates/secret-webhook.yaml b/charts/apiserver-webhook/templates/secret-webhook.yaml deleted file mode 100644 index 4438a356..00000000 --- a/charts/apiserver-webhook/templates/secret-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -Copyright 2018 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.secret_webhook }} -{{- $envAll := . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $envAll.Values.secrets.certificates.api }} -type: kubernetes.io/tls -data: - tls.crt: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.crt | default "" | b64enc }} - tls.key: {{ $envAll.Values.endpoints.kubernetes.auth.api.tls.key | default "" | b64enc }} -{{- end }} diff --git a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml b/charts/apiserver-webhook/templates/service-ingress-api.yaml similarity index 78% rename from charts/apiserver-webhook/templates/service-apiserver-ingress.yaml rename to charts/apiserver-webhook/templates/service-ingress-api.yaml index d4bc7b6b..256107f5 100644 --- a/charts/apiserver-webhook/templates/service-apiserver-ingress.yaml +++ b/charts/apiserver-webhook/templates/service-ingress-api.yaml 
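Review bot: The public ingress Secret (`name: {{ .Values.secrets.tls.webhook_apiserver.api.public }}`) is rendered unconditionally: it sits between the `local.tls_secret` define and the `{{- if .Values.manifests.secret_tls }}` guard, so the key material from `secrets.tls.webhook_apiserver.api.server` is emitted even when `manifests.secret_tls` is false. Moving the `{{- if .Values.manifests.secret_tls }}` and `{{- $envAll := . }}` lines up to just before that Secret's `---` puts both kinds of secret behind the one switch. Both secrets also declare `type: opaque`; the conventional Kubernetes value is `Opaque`, and the values.yaml comment for `certificates` claims these are `kubernetes.io/tls` — that type requires both `tls.crt` and `tls.key`, which a CA-only bundle such as `kubelet.server` cannot satisfy, so keep `Opaque` here and correct the comment instead.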
@@ -1,6 +1,5 @@ {{/* Copyright 2017 The Openstack-Helm Authors. -Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -15,7 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. */}} -{{- if and .Values.manifests.service_ingress .Values.network.kubernetes_apiserver.ingress.public }} -{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "kubernetes-keystone-webhook" -}} +{{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} +{{- $serviceIngressOpts := dict "envAll" . "backendServiceType" "webhook_apiserver" -}} {{ $serviceIngressOpts | include "helm-toolkit.manifests.service_ingress" }} {{- end }} + diff --git a/charts/apiserver-webhook/templates/service.yaml b/charts/apiserver-webhook/templates/service.yaml index d0150b0e..75939e2c 100644 --- a/charts/apiserver-webhook/templates/service.yaml +++ b/charts/apiserver-webhook/templates/service.yaml @@ -20,15 +20,15 @@ limitations under the License. apiVersion: v1 kind: Service metadata: - name: {{ .Values.service.name }} + name: {{ tuple "webhook_apiserver" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" spec: ports: - name: https - port: {{ .Values.network.kubernetes_apiserver.port }} + port: {{ tuple "webhook_apiserver" "default" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} protocol: TCP - targetPort: {{ .Values.network.kubernetes_apiserver.port }} + targetPort: {{ tuple "webhook_apiserver" "podport" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} selector: {{ tuple $envAll "kubernetes-keystone-webhook" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{- end }} 
diff --git a/charts/apiserver-webhook/values.yaml b/charts/apiserver-webhook/values.yaml index 008c6a9c..e83fd71e 100644 --- a/charts/apiserver-webhook/values.yaml +++ b/charts/apiserver-webhook/values.yaml @@ -21,6 +21,7 @@ images: scripted_test: docker.io/openstackhelm/heat:newton dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.3.1 image_repo_sync: docker.io/docker:17.07.0 + ks_user: docker.io/openstackhelm/heat:ocata pull_policy: IfNotPresent local_registry: active: false 
@@ -30,80 +31,101 @@ images: labels: kubernetes_apiserver: - node_selector_key: kubernetes-apiserver + node_selector_key: apiserver-webhook + node_selector_value: enabled + job: + node_selector_key: apiserver-webhook node_selector_value: enabled command_prefix: - /apiserver - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds - - --service-cluster-ip-range=10.96.0.0/16 - --v=5 -apiserver: - host_etc_path: /etc/kubernetes/apiserver - network: - kubernetes_apiserver: + pod_cidr: '10.97.0.0/16' + service_cidr: '10.96.0.0/16' + api: ingress: public: true classes: - namespace: "nginx-cluster" + namespace: "nginx" cluster: "nginx-cluster" annotations: nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/proxy-read-timeout: "120" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/secure-backends: "true" - name: kubernetes-apiserver - port: 6443 - node_port: - enabled: false - port: 31943 - -service: - name: kubernetes-webhook-apiserver - ip: null - -secrets: - tls: - ca: placeholder - cert: placeholder - key: placeholder - service_account: - public_key: placeholder - etcd: - tls: - ca: placeholder + name: webhook_apiserver +# +# Insert TLS certificates, keys and CAs +# here. Server is for server-terminated TLS (basic) +# and client is for mTLS. 
Each group of certificates +# will generate two secrets -client and -server +# built to the kubernetes.io/tls secret type with keys 'tls.crt', 'tls.key' +# and 'ca.crt' +# +certificates: + apiserver_webhook_pod: + server: cert: placeholder key: placeholder - identity: - admin: kubernetes-keystone-webhook-admin - certificates: - api: kubernetes-keystone-webhook-certs + ca: placeholder + keystone_webhook: + server: + cert: placeholder + key: placeholder + ca: placeholder + kubelet: + client: + cert: placeholder + key: placeholder + server: + ca: placeholder + etcd: + client: + cert: placeholder + key: placeholder + server: + ca: placeholder -kubernetes_keystone_webhook: - port: 8443 - endpoints: https://k8sksauth-api.kube-system.svc.cluster.local +secrets: + service_account: + public_key: placeholder + identity: + admin: apiserver-webhook-keystone-creds-admin + webhook: apiserver-webhook-keystone-creds-webhook + tls: + webhook_apiserver: + api: + public: apiserver-webhook-public + server: + cert: placeholder + key: placeholder + ca: placeholder # typically overriden by environmental # values, but should include all endpoints # required by this chart endpoints: cluster_domain_suffix: cluster.local - kubernetes_apiserver: - name: kubernetes-webhook-apiserver + webhook_apiserver: + name: webhook_apiserver hosts: - default: keystone - internal: keystone-api + default: apiserver-webhook + internal: apiserver-webhook-int port: - https: + api: default: 6443 public: 443 + webhook: + podport: 8443 path: default: / + webhook: /webhook scheme: - default: http - public: http + default: https + public: https host_fqdn_override: default: null # NOTE: this chart supports TLS for fqdn over-ridden public @@ -113,12 +135,6 @@ endpoints: # tls: # crt: null # key: null - kubernetes: - auth: - api: - tls: - crt: null - key: null identity: name: keystone namespace: null 
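Review bot: Every entry under the new `certificates:` tree and `secrets.tls.webhook_apiserver.api.server` defaults to the literal string `placeholder` while `network.api.ingress.public` is `true` and both endpoint schemes are `https`, so a chart installed without site overrides renders TLS Secrets whose `tls.crt`/`tls.key` are the word `placeholder` and only fails once the pods try to load them. Wrapping those values in `required` in the secret template (outside this chunk) would turn that into a render-time error, and the block comment should state that the values must be overridden. The same comment says each group produces `-client` and `-server` Secrets of type `kubernetes.io/tls` with `tls.crt`, `tls.key` and `ca.crt`, yet `kubelet.server` and `etcd.server` define only `ca`; a `kubernetes.io/tls` Secret needs `tls.crt` and `tls.key`, so either the comment overstates what is generated or those groups render incomplete Secrets — worth confirming against secret-tls.yaml.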
@@ -130,6 +146,14 @@ endpoints:
 project_name: admin
 user_domain_name: default
 project_domain_name: default
+ webhook:
+ region_name: RegionOne
+ username: webhook
+ password: password
+ project_name: service
+ user_domain_name: default
+ project_domain_name: default
+ role: admin
 hosts:
 default: keystone
 internal: keystone-api
@@ -143,22 +167,6 @@ endpoints:
 api:
 default: 80
 internal: 5000
- kubernetes_keystone_webhook:
- namespace: null
- name: k8sksauth
- hosts:
- default: k8sksauth-api
- public: k8sksauth
- host_fqdn_override:
- default: null
- path:
- default: /webhook
- scheme:
- default: https
- port:
- api:
- default: 8443
- public: 443
 etcd:
 name: etcd
 namespace: kube-system
@@ -182,6 +190,14 @@ pod:
 replicas:
 apiserver: 1
 api: 1
+ probes:
+ readinessProbe:
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 15
+ periodSeconds: 20
 lifecycle:
 upgrades:
 daemonsets:
@@ -232,6 +248,12 @@ pod:
 init_container: null
 kubernetes_keystone_webhook_tests: null
 conf:
+ paths:
+ base: '/etc/webhook_apiserver/'
+ pki: '/etc/webhook_apiserver/pki'
+ conf: '/etc/webhook_apiserver/webhook.kubeconfig'
+ policy: '/etc/webhook_apiserver/conf/policy.json'
+ sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
 policy:
 - resource:
 verbs:
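Review bot: The added `endpoints.identity.auth.webhook` block gives the webhook's Keystone user the default `password: password` together with `role: admin`, and nothing in the values marks it as must-override, so a default install creates an admin-role service account with a guessable password. A comment above the block such as `# NOTE: override password in site values; grant only the role k8s-keystone-auth needs for token validation` would make that explicit; whether a non-admin role suffices for this image has to be confirmed. Separately, `conf.paths.policy` is `'/etc/webhook_apiserver/conf/policy.json'` while `conf.paths.pki`, `conf.paths.conf` and `conf.paths.sapubkey` sit directly under `/etc/webhook_apiserver/`; check that the start script's policy path and the deployment's volume mounts (both outside this hunk) use the same `conf/` subdirectory, since a mismatch leaves the webhook starting without the policy it is expected to enforce.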
@@ -273,23 +295,35 @@ conf:
 - "*"
 resources:
 - "*"
- namespace: "openstack"
+ namespace: "ucp"
 version: "*"
 match:
 - type: project
 values:
- - openstack-system
+ - ucp-admin
+ - airship-admin
+
+dependencies:
+ static:
+ ks_user:
+ services:
+ - service: identity
+ endpoint: internal
+ api:
+ jobs:
+ - webhook-apiserver-ks-user
+ services:
+ - service: identity
+ endpoint: internal
 
 manifests:
 configmap_bin: true
 configmap_certs: true
 configmap_etc: true
+ job_ks_user: true
 deployment: true
- ingress_api: false
+ ingress_api: true
 pod_test: false
- kubernetes_apiserver: true
- secret: true
- secret_ingress_tls: false
- secret_webhook: true
+ secret_keystone: true
+ secret_tls: true
 service: true
- service_ingress: false
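Review bot: `dependencies.static.api.jobs` waits on a Job named `webhook-apiserver-ks-user`, which inverts the `apiserver-webhook-` prefix every other name in these values uses (`apiserver-webhook-keystone-creds-admin`, `apiserver-webhook-public`, `apiserver-webhook-int`); if job-ks-user.yaml (not in this chunk) names the Job from the release name or with the other word order, the kubernetes-entrypoint dependency on the api pods would never resolve and they would sit in init. Confirm the name against the Job template, or derive both from the same helper so they cannot drift. `manifests.configmap_certs: true` is kept alongside the new `secret_tls: true` even though certificate material now lives under `secrets.tls` and `certificates`; if no configmap-certs template remains in the chart, the flag is dead and should be dropped rather than left to suggest certificates are still published as a ConfigMap.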