From 82ba943365648ee0745faafa415573917070205d Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Sun, 22 Oct 2023 22:50:31 -0700
Subject: [PATCH] Enable extended apiserver support (#122)

* Enable extended apiserver support

Signed-off-by: Tamal Saha

* Add aggregator config to ocm config

Signed-off-by: Tamal Saha

---------

Signed-off-by: Tamal Saha
---
 .../templates/deployment.yaml | 4 ++--
 .../templates/secret.yaml | 17 +++++++++++++++++
 pkg/servers/aggregator.go | 6 ++++--
 pkg/servers/configs/configs.go | 17 ++++++++++++++---
 pkg/servers/kubeapiserver.go | 3 +++
 pkg/servers/options/options.go | 18 ++++++++++++++++--
 6 files changed, 56 insertions(+), 9 deletions(-)

diff --git a/charts/multicluster-controlplane/templates/deployment.yaml b/charts/multicluster-controlplane/templates/deployment.yaml
index 0694749..72f6112 100644
--- a/charts/multicluster-controlplane/templates/deployment.yaml
+++ b/charts/multicluster-controlplane/templates/deployment.yaml
@@ -72,12 +72,12 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 15
- volumeMounts:
+ volumeMounts:
 - name: controlplane-config
 mountPath: /controlplane_config
 - name: ocm-data
 mountPath: /.ocm
- volumes:
+ volumes:
 - name: controlplane-config
 secret:
 secretName: controlplane-config
diff --git a/charts/multicluster-controlplane/templates/secret.yaml b/charts/multicluster-controlplane/templates/secret.yaml
index 1fe22f2..744d2cc 100644
--- a/charts/multicluster-controlplane/templates/secret.yaml
+++ b/charts/multicluster-controlplane/templates/secret.yaml
@@ -12,6 +12,9 @@
 {{ $caKey = $ca.Key }}
 {{- end }}
 
+{{- $proxyCA := genCA "proxy-ca" 3650 }}
+{{- $proxyClient := genSignedCert "front-proxy-client" nil nil 3650 $proxyCA }}
+
 apiVersion: v1
 kind: Secret
 metadata:
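Review bot: `genCA "proxy-ca" 3650` and `genSignedCert "front-proxy-client" nil nil 3650 $proxyCA` run on every template render, so each `helm upgrade` mints a new front-proxy CA and client certificate, while the `$ca`/`$caKey` context lines just above suggest the apiserver CA is carried over when one already exists. That asymmetry is worth either fixing or documenting: if the intent is a stable front-proxy identity, reuse the existing Secret's `requestheader-client-ca.crt`/`.key` via `lookup` before falling back to `genCA`, the same way `$ca` appears to be handled. At minimum add a comment above `$proxyCA`, e.g. `# regenerated on every render; the apiserver must see the CA and the client cert from the same render, since requestheaderAllowedNames pins the CN front-proxy-client`. The surrounding template logic starts before this hunk.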
@@ -42,11 +45,25 @@ stringData:
 certFile: "/controlplane_config/etcd_cert.crt"
 keyFile: "/controlplane_config/etcd_cert.key"
 {{- end }}
+ aggregator:
+ proxyClientCertFile: /controlplane_config/proxy-client.crt
+ proxyClientKeyFile: /controlplane_config/proxy-client.key
+ requestheaderClientCAFile: /controlplane_config/requestheader-client-ca.crt
+ requestheaderUsernameHeaders: ["X-Remote-User"]
+ requestheaderGroupHeaders: ["X-Remote-Group"]
+ requestheaderExtraHeadersPrefix: ["X-Remote-Extra-"]
+ requestheaderAllowedNames: ["front-proxy-client"]
 
 {{- if $caCrt }}
 apiserver_ca.crt: {{ $caCrt | quote }}
 apiserver_ca.key: {{ $caKey | quote }}
 {{- end }}
+
+ requestheader-client-ca.crt: {{ $proxyCA.Cert | quote }}
+ requestheader-client-ca.key: {{ $proxyCA.Key | quote }}
+ proxy-client.crt: {{ $proxyClient.Cert | quote }}
+ proxy-client.key: {{ $proxyClient.Key | quote }}
+
 {{- if (eq .Values.etcd.mode "external") }}
 etcd_ca.crt: {{ (required "etcd.ca should be set together with etcd.mode" .Values.etcd.ca) | quote }}
 etcd_cert.crt: {{ (required "etcd.cert should be set together with etcd.mode" .Values.etcd.cert) | quote }}
diff --git a/pkg/servers/aggregator.go b/pkg/servers/aggregator.go
index 5380d32..5f4ef47 100644
--- a/pkg/servers/aggregator.go
+++ b/pkg/servers/aggregator.go
@@ -89,8 +89,10 @@ func createAggregatorConfig(
 SharedInformerFactory: externalInformers,
 },
 ExtraConfig: aggregatorapiserver.ExtraConfig{
- ServiceResolver: serviceResolver,
- ProxyTransport: proxyTransport,
+ ProxyClientCertFile: genericOptions.ProxyClientCertFile,
+ ProxyClientKeyFile: genericOptions.ProxyClientKeyFile,
+ ServiceResolver: serviceResolver,
+ ProxyTransport: proxyTransport,
 },
 }
diff --git a/pkg/servers/configs/configs.go b/pkg/servers/configs/configs.go
index 39f15e7..249cde8 100644
--- a/pkg/servers/configs/configs.go
+++ b/pkg/servers/configs/configs.go
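Review bot: `requestheader-client-ca.key: {{ $proxyCA.Key | quote }}` puts the front-proxy CA's private key into the same Secret that the deployment mounts at `/controlplane_config`, yet nothing in the new `aggregator:` block references that key — the apiserver only needs `requestheader-client-ca.crt` to validate the proxy client, and only `proxy-client.crt`/`proxy-client.key` to act as it. Because request-header authentication trusts the `X-Remote-User`/`X-Remote-Group` headers from any client whose certificate chains to that CA and matches `requestheaderAllowedNames`, the signing key is effectively a credential for impersonating arbitrary users, and keeping it in the mounted Secret means a compromise of the controlplane pod (or read access to this Secret) exposes it needlessly. Suggest dropping the `requestheader-client-ca.key` entry from `stringData`, or, if it must be persisted for reuse across renders, storing it in a separate Secret that is not mounted into the pod. The template's `stringData:` block begins before this hunk.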
@@ -22,9 +22,10 @@ const (
 )
 
 type ControlplaneRunConfig struct {
- DataDirectory string `yaml:"dataDirectory"`
- Apiserver ApiserverConfig `yaml:"apiserver"`
- Etcd EtcdConfig `yaml:"etcd"`
+ DataDirectory string `yaml:"dataDirectory"`
+ Apiserver ApiserverConfig `yaml:"apiserver"`
+ Etcd EtcdConfig `yaml:"etcd"`
+ Aggregator AggregatorConfig `yaml:"aggregator"`
 }
 
 type ApiserverConfig struct {
@@ -43,6 +44,16 @@ type EtcdConfig struct {
 Prefix string `yaml:"prefix"`
 }
 
+type AggregatorConfig struct {
+ ProxyClientCertFile string `yaml:"proxyClientCertFile"`
+ ProxyClientKeyFile string `yaml:"proxyClientKeyFile"`
+ RequestHeaderClientCAFile string `yaml:"requestheaderClientCAFile"`
+ RequestHeaderUsernameHeaders []string `yaml:"requestheaderUsernameHeaders"`
+ RequestHeaderGroupHeaders []string `yaml:"requestheaderGroupHeaders"`
+ RequestHeaderExtraHeaderPrefixes []string `yaml:"requestheaderExtraHeadersPrefix"`
+ RequestHeaderAllowedNames []string `yaml:"requestheaderAllowedNames"`
+}
+
 func LoadConfig(configDir string) (*ControlplaneRunConfig, error) {
 configFile := path.Join(configDir, "ocmconfig.yaml")
 configFileData, err := os.ReadFile(configFile)
diff --git a/pkg/servers/kubeapiserver.go b/pkg/servers/kubeapiserver.go
index 39b059e..5868f17 100644
--- a/pkg/servers/kubeapiserver.go
+++ b/pkg/servers/kubeapiserver.go
@@ -96,6 +96,9 @@ func createKubeAPIServerConfig(options options.ServerRunOptions) (
 APIServerServiceIP: options.APIServerServiceIP,
 APIServerServicePort: 443,
 
+ ServiceIPRange: options.PrimaryServiceClusterIPRange,
+ SecondaryServiceIPRange: options.SecondaryServiceClusterIPRange,
+
 EndpointReconcilerType: reconcilers.Type(options.EndpointReconcilerType),
 MasterCount: 1,
 
diff --git a/pkg/servers/options/options.go b/pkg/servers/options/options.go
index ba2c007..36619d4 100644
--- a/pkg/servers/options/options.go
+++ b/pkg/servers/options/options.go
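Review bot: The exported `AggregatorConfig` type and its seven exported fields are added without doc comments, and the yaml key `requestheaderExtraHeadersPrefix` deliberately differs from the field name `RequestHeaderExtraHeaderPrefixes`, which a reader will otherwise take for a typo. Suggest a type comment such as `// AggregatorConfig holds the front-proxy client credentials and request-header authentication settings that InitServerRunOptions copies into the apiserver options; the yaml keys mirror kube-apiserver's --proxy-client-* and --requestheader-* flags.`, plus a one-line comment on `RequestHeaderAllowedNames` noting that an empty list is not a no-op in kube-apiserver (any certificate issued by the request-header CA is then accepted). `LoadConfig` is cut off at the end of the hunk, so whether it validates the new section cannot be seen here; if it does not, say so in the type comment so callers know the fields arrive unchecked.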
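Review bot: With `ServiceIPRange: options.PrimaryServiceClusterIPRange` now wired into the controlplane config, the default that the options.go hunk of this commit changes from `"10.0.0.0/24"` to `"10.0.0.0/8"` becomes the effective service CIDR, and as far as I recall upstream kube-apiserver rejects an IPv4 service range with more than 20 host bits ("the mask must be >= 12") because the allocator keeps a bitmap over the whole range. If this server runs that validation a /8 default will fail at startup; if it does not, it carves out a 16M-address range that will very likely overlap the hosting cluster's own pod or service CIDRs. Suggest keeping the previous `"10.0.0.0/24"` default (or at most a /16) and documenting the reason next to the default in `NewServerRunOptions`; `createKubeAPIServerConfig`'s body continues outside this hunk.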
@@ -22,13 +22,13 @@ import (
 "errors"
 "fmt"
 "net"
- registrationhub "open-cluster-management.io/ocm/pkg/registration/hub"
 "os"
 "strconv"
 "strings"
 "time"
 
 "github.com/spf13/pflag"
+ registrationhub "open-cluster-management.io/ocm/pkg/registration/hub"
 
 // add the kubernetes feature gates
 _ "k8s.io/kubernetes/pkg/features"
@@ -117,6 +117,9 @@ type ServerRunOptions struct {
 
 // EnableDelegatingAuthentication delegate the authentication with controlplane hosing cluster
 EnableDelegatingAuthentication bool
+
+ ProxyClientCertFile string
+ ProxyClientKeyFile string
 }
 
 type ExtraOptions struct {
@@ -231,7 +234,8 @@ func NewServerRunOptions() *ServerRunOptions {
 
 KubeControllerManagerOptions: kubeControllerManagerOptions,
 
- ServiceClusterIPRanges: "10.0.0.0/24",
+ ServiceClusterIPRanges: "10.0.0.0/8",
+ EnableAggregatorRouting: false,
 
 ControlplaneConfigDir: "/controlplane_config",
 
@@ -479,6 +483,16 @@ func (o *ServerRunOptions) InitServerRunOptions(cfg *configs.ControlplaneRunConf
 o.Etcd.StorageConfig.Prefix = cfg.Etcd.Prefix
 }
 
+ o.ProxyClientCertFile = cfg.Aggregator.ProxyClientCertFile
+ o.ProxyClientKeyFile = cfg.Aggregator.ProxyClientKeyFile
+ if o.Authentication.RequestHeader != nil {
+ o.Authentication.RequestHeader.ClientCAFile = cfg.Aggregator.RequestHeaderClientCAFile
+ o.Authentication.RequestHeader.UsernameHeaders = cfg.Aggregator.RequestHeaderUsernameHeaders
+ o.Authentication.RequestHeader.GroupHeaders = cfg.Aggregator.RequestHeaderGroupHeaders
+ o.Authentication.RequestHeader.ExtraHeaderPrefixes = cfg.Aggregator.RequestHeaderExtraHeaderPrefixes
+ o.Authentication.RequestHeader.AllowedNames = cfg.Aggregator.RequestHeaderAllowedNames
+ }
+
 o.SecureServing.BindPort = bindPort
 o.Authentication.ClientCert.ClientCA = certificate.ClientCACertFile(certsDir)
 o.ExtraOptions.ClientKeyFile = certificate.ClientCAKeyFile(certsDir)
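Review bot: `ProxyClientCertFile` and `ProxyClientKeyFile` are added to `ServerRunOptions` without the doc comment that the neighbouring `EnableDelegatingAuthentication` field carries, and nothing says where they come from or what consumes them. Both facts are visible in this commit (they are filled from `cfg.Aggregator` in `InitServerRunOptions` and read by `createAggregatorConfig`), so suggest `// ProxyClientCertFile and ProxyClientKeyFile are the client certificate and key the aggregator presents to extension apiservers; both are loaded from the aggregator section of the controlplane config and must be set together.` The `ServerRunOptions` struct begins before this hunk.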
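Review bot: The new block in `InitServerRunOptions` copies `cfg.Aggregator` into the options unconditionally, so a config file with no `aggregator:` section overwrites `RequestHeader.ClientCAFile`, the header lists and `AllowedNames` with empty values and blanks `ProxyClientCertFile`/`ProxyClientKeyFile`, discarding whatever defaults or flags had set them; note that in kube-apiserver an empty `AllowedNames` is not "off" but "trust any certificate issued by the request-header CA". The block also accepts a certificate without a key (or the reverse) and header names without a CA file, which only surfaces later when the aggregator or the authenticator is built. Suggest applying the request-header fields only when the section is populated, e.g. `if o.Authentication.RequestHeader != nil && cfg.Aggregator.RequestHeaderClientCAFile != "" {`, and rejecting a half-configured pair up front with `if (cfg.Aggregator.ProxyClientCertFile == "") != (cfg.Aggregator.ProxyClientKeyFile == "") { return fmt.Errorf("aggregator: proxyClientCertFile and proxyClientKeyFile must be set together") }`, assuming the method returns an error — its signature is cut off in the hunk header and its body continues outside the hunk.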