

Test Structured Authentication Configuration
robertvolkmann committed Nov 22, 2024
1 parent 00f4033 commit 1193f4b
Showing 5 changed files with 30 additions and 0 deletions.
Expand Up @@ -15,6 +15,7 @@ gardener_etcd_resources:
cpu: 800m
memory: 8Gi

gardener_virtual_api_authentication_config:
gardener_virtual_api_oidc_issuer_url:
gardener_virtual_api_oidc_client_id:
gardener_virtual_api_oidc_username_claim:
@@ -0,0 +1,10 @@
{{- if .Values.authenticationConfig }}
apiVersion: v1
kind: ConfigMap
metadata:
name: authentication-config
namespace: {{ .Release.Namespace }}
type: Opaque
data:
config.yaml: {{ .Values.authenticationConfig }}
{{- end }}
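Review bot: `type: Opaque` is a Secret field and has no meaning on a `v1` ConfigMap; depending on how the manifest is validated it is either ignored or rejected as an unknown field, so it should be dropped. `config.yaml: {{ .Values.authenticationConfig }}` also emits the value unquoted, so a multi-line AuthenticationConfiguration will either break the manifest or be parsed as a nested mapping instead of the string a ConfigMap `data` entry requires. Render it as a string, for example `config.yaml: {{ .Values.authenticationConfig | quote }}`. Since this file decides which issuers and claims the API server trusts, it is worth adding a rendered-output check so a malformed value fails at template time rather than at apiserver start-up.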
Expand Up @@ -93,6 +93,9 @@ spec:
- --etcd-keyfile=/srv/kubernetes/etcd/client/tls.key
- --etcd-servers={{ .Values.etcd.main.endpoints }}
- --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
{{ if .Values.authenticationConfig }}
- --authentication-config=/src/kubernetes/authentication-config/config.yaml
{{ end }}
{{ if and .Values.oidc.issuerURL .Values.oidc.clientID }}
- --oidc-issuer-url={{ .Values.oidc.issuerURL }}
- --oidc-client-id={{ .Values.oidc.clientID }}
Expand Down Expand Up @@ -188,6 +191,10 @@ spec:
- name: ca-oidc
mountPath: /srv/kubernetes/oidc-ca
{{- end }}
{{- if .Values.authenticationConfig}}
- name: authentication-config
mountPath: /srv/kubernetes/authentication-config
{{- end }}
- name: kube-controller-manager
image: {{ index .Values.images "controllermanager" }}
imagePullPolicy: IfNotPresent
Expand Down Expand Up @@ -266,3 +273,8 @@ spec:
- name: kube-aggregator
secret:
secretName: garden-kube-aggregator
{{- if .Values.authenticationConfig}}
- name: authentication-config
configMap:
name: authentication-config
{{- end }}
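Review bot: The flag added in the first hunk points at `/src/kubernetes/authentication-config/config.yaml`, while the volume added in the second hunk is mounted at `/srv/kubernetes/authentication-config`, so kube-apiserver will not find the file whenever `authenticationConfig` is set; the flag should read `- --authentication-config=/srv/kubernetes/authentication-config/config.yaml`. The `--oidc-*` block that follows is still rendered when both value sets are present, and kube-apiserver treats `--authentication-config` combined with `--oidc-*` flags as a misconfiguration and exits. The two branches should therefore be mutually exclusive, for example by making the existing `{{ if and .Values.oidc.issuerURL .Values.oidc.clientID }}` an `else if` of the new condition. The container and volume lists continue outside these hunks.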
2 changes: 2 additions & 0 deletions control-plane/roles/gardener/files/kube-apiserver/values.yaml
Expand Up @@ -23,6 +23,8 @@ apiServer:
hostname: 127.0.0.1
serviceName: garden-kube-apiserver

authenticationConfig:

oidc:
issuerURL:
clientID:
Expand Up @@ -7,6 +7,11 @@ apiServer:
hostname: {{ gardener_virtual_api_server_public_dns }}
serviceName: garden-kube-apiserver

{% if gardener_virtual_api_authentication_config %}
authenticationConfig: |
{{ gardener_virtual_api_authentication_config | indent(width=4, first=false) }}
{% endif %}

oidc:
issuerURL: {% if gardener_virtual_api_oidc_issuer_url %}{{ gardener_virtual_api_oidc_issuer_url }}{% endif %}
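Review bot: With `indent(width=4, first=false)` the first line of the block scalar under `authenticationConfig: |` takes its indentation from the literal whitespace in front of `{{`, which this rendering does not show. If that is not exactly four spaces, the first and following lines end up at different depths and the embedded AuthenticationConfiguration is no longer the document the operator wrote. Placing the expression at column 0 with `indent(width=4, first=true)` removes the dependency on template whitespace. The template also assumes `gardener_virtual_api_authentication_config` is a string; a comment on the default such as `# multi-line string holding an AuthenticationConfiguration document` would make that explicit.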

