Enable extended apiserver support (#122)

* Enable extended apiserver support

Signed-off-by: Tamal Saha <tamal@appscode.com>

* Add aggregator config to ocm config

Signed-off-by: Tamal Saha <tamal@appscode.com>

---------

Signed-off-by: Tamal Saha <tamal@appscode.com>

charts/multicluster-controlplane/templates/deployment.yaml

@@ -72,12 +72,12 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 15
-        volumeMounts: 
+        volumeMounts:
         - name: controlplane-config
           mountPath: /controlplane_config
         - name: ocm-data
           mountPath: /.ocm
-      volumes: 
+      volumes:
       - name: controlplane-config
         secret:
           secretName: controlplane-config

charts/multicluster-controlplane/templates/secret.yaml

@@ -12,6 +12,9 @@
 {{ $caKey = $ca.Key }}
 {{- end }}
 
+{{- $proxyCA := genCA "proxy-ca" 3650 }}
+{{- $proxyClient := genSignedCert "front-proxy-client" nil nil 3650 $proxyCA }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -42,11 +45,25 @@ stringData:
       certFile: "/controlplane_config/etcd_cert.crt"
       keyFile: "/controlplane_config/etcd_cert.key"
       {{- end }}
+    aggregator:
+      proxyClientCertFile: /controlplane_config/proxy-client.crt
+      proxyClientKeyFile: /controlplane_config/proxy-client.key
+      requestheaderClientCAFile: /controlplane_config/requestheader-client-ca.crt
+      requestheaderUsernameHeaders: ["X-Remote-User"]
+      requestheaderGroupHeaders: ["X-Remote-Group"]
+      requestheaderExtraHeadersPrefix: ["X-Remote-Extra-"]
+      requestheaderAllowedNames: ["front-proxy-client"]
 
   {{- if $caCrt }}
   apiserver_ca.crt: {{ $caCrt | quote  }}
   apiserver_ca.key: {{ $caKey | quote  }}
   {{- end }}
+
+  requestheader-client-ca.crt: {{ $proxyCA.Cert | quote }}
+  requestheader-client-ca.key: {{ $proxyCA.Key | quote }}
+  proxy-client.crt: {{ $proxyClient.Cert | quote }}
+  proxy-client.key: {{ $proxyClient.Key | quote }}
+
   {{- if (eq .Values.etcd.mode "external") }}
   etcd_ca.crt: {{ (required "etcd.ca should be set together with etcd.mode" .Values.etcd.ca) | quote }}
   etcd_cert.crt: {{ (required "etcd.cert should be set together with etcd.mode" .Values.etcd.cert) | quote }}

pkg/servers/aggregator.go

@@ -89,8 +89,10 @@ func createAggregatorConfig(
 			SharedInformerFactory: externalInformers,
 		},
 		ExtraConfig: aggregatorapiserver.ExtraConfig{
-			ServiceResolver: serviceResolver,
-			ProxyTransport:  proxyTransport,
+			ProxyClientCertFile: genericOptions.ProxyClientCertFile,
+			ProxyClientKeyFile:  genericOptions.ProxyClientKeyFile,
+			ServiceResolver:     serviceResolver,
+			ProxyTransport:      proxyTransport,
 		},
 	}
 

pkg/servers/configs/configs.go

@@ -22,9 +22,10 @@ const (
 )
 
 type ControlplaneRunConfig struct {
-	DataDirectory string          `yaml:"dataDirectory"`
-	Apiserver     ApiserverConfig `yaml:"apiserver"`
-	Etcd          EtcdConfig      `yaml:"etcd"`
+	DataDirectory string           `yaml:"dataDirectory"`
+	Apiserver     ApiserverConfig  `yaml:"apiserver"`
+	Etcd          EtcdConfig       `yaml:"etcd"`
+	Aggregator    AggregatorConfig `yaml:"aggregator"`
 }
 
 type ApiserverConfig struct {
@@ -43,6 +44,16 @@ type EtcdConfig struct {
 	Prefix   string   `yaml:"prefix"`
 }
 
+type AggregatorConfig struct {
+	ProxyClientCertFile              string   `yaml:"proxyClientCertFile"`
+	ProxyClientKeyFile               string   `yaml:"proxyClientKeyFile"`
+	RequestHeaderClientCAFile        string   `yaml:"requestheaderClientCAFile"`
+	RequestHeaderUsernameHeaders     []string `yaml:"requestheaderUsernameHeaders"`
+	RequestHeaderGroupHeaders        []string `yaml:"requestheaderGroupHeaders"`
+	RequestHeaderExtraHeaderPrefixes []string `yaml:"requestheaderExtraHeadersPrefix"`
+	RequestHeaderAllowedNames        []string `yaml:"requestheaderAllowedNames"`
+}
+
 func LoadConfig(configDir string) (*ControlplaneRunConfig, error) {
 	configFile := path.Join(configDir, "ocmconfig.yaml")
 	configFileData, err := os.ReadFile(configFile)

pkg/servers/kubeapiserver.go

@@ -96,6 +96,9 @@ func createKubeAPIServerConfig(options options.ServerRunOptions) (
 			APIServerServiceIP:   options.APIServerServiceIP,
 			APIServerServicePort: 443,
 
+			ServiceIPRange:          options.PrimaryServiceClusterIPRange,
+			SecondaryServiceIPRange: options.SecondaryServiceClusterIPRange,
+
 			EndpointReconcilerType: reconcilers.Type(options.EndpointReconcilerType),
 			MasterCount:            1,
 

pkg/servers/options/options.go

@@ -22,13 +22,13 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	registrationhub "open-cluster-management.io/ocm/pkg/registration/hub"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/spf13/pflag"
+	registrationhub "open-cluster-management.io/ocm/pkg/registration/hub"
 
 	// add the kubernetes feature gates
 	_ "k8s.io/kubernetes/pkg/features"
@@ -117,6 +117,9 @@ type ServerRunOptions struct {
 
 	// EnableDelegatingAuthentication delegate the authentication with controlplane hosing cluster
 	EnableDelegatingAuthentication bool
+
+	ProxyClientCertFile string
+	ProxyClientKeyFile  string
 }
 
 type ExtraOptions struct {
@@ -231,7 +234,8 @@ func NewServerRunOptions() *ServerRunOptions {
 
 		KubeControllerManagerOptions: kubeControllerManagerOptions,
 
-		ServiceClusterIPRanges: "10.0.0.0/24",
+		ServiceClusterIPRanges:  "10.0.0.0/8",
+		EnableAggregatorRouting: false,
 
 		ControlplaneConfigDir: "/controlplane_config",
 
@@ -479,6 +483,16 @@ func (o *ServerRunOptions) InitServerRunOptions(cfg *configs.ControlplaneRunConf
 		o.Etcd.StorageConfig.Prefix = cfg.Etcd.Prefix
 	}
 
+	o.ProxyClientCertFile = cfg.Aggregator.ProxyClientCertFile
+	o.ProxyClientKeyFile = cfg.Aggregator.ProxyClientKeyFile
+	if o.Authentication.RequestHeader != nil {
+		o.Authentication.RequestHeader.ClientCAFile = cfg.Aggregator.RequestHeaderClientCAFile
+		o.Authentication.RequestHeader.UsernameHeaders = cfg.Aggregator.RequestHeaderUsernameHeaders
+		o.Authentication.RequestHeader.GroupHeaders = cfg.Aggregator.RequestHeaderGroupHeaders
+		o.Authentication.RequestHeader.ExtraHeaderPrefixes = cfg.Aggregator.RequestHeaderExtraHeaderPrefixes
+		o.Authentication.RequestHeader.AllowedNames = cfg.Aggregator.RequestHeaderAllowedNames
+	}
+
 	o.SecureServing.BindPort = bindPort
 	o.Authentication.ClientCert.ClientCA = certificate.ClientCACertFile(certsDir)
 	o.ExtraOptions.ClientKeyFile = certificate.ClientCAKeyFile(certsDir)