From 9949cc5407b9eb790a944a7fa3556b4e8333613d Mon Sep 17 00:00:00 2001 From: Jesse Haka Date: Sat, 4 May 2024 12:59:26 +0300 Subject: [PATCH] Support --authentication-config in APIserver --- k8s/crds/kops.k8s.io_clusters.yaml | 5 +++++ nodeup/pkg/model/tests/golden/audit/cluster.yaml | 1 + .../pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml | 1 + pkg/apis/kops/componentconfig.go | 3 +++ pkg/apis/kops/v1alpha2/componentconfig.go | 3 +++ pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++ pkg/apis/kops/v1alpha3/componentconfig.go | 3 +++ pkg/apis/kops/v1alpha3/zz_generated.conversion.go | 2 ++ pkg/apis/kops/validation/validation.go | 6 ++++++ pkg/apis/kops/validation/validation_test.go | 7 +++++++ 10 files changed, 33 insertions(+) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index ee18158b3ff82..ed035340178a8 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -1750,6 +1750,11 @@ spec: Batch causes the backend to buffer and write events asynchronously. Known modes are batch,blocking. (default "batch") type: string + authenticationConfigFile: + description: |- + AuthenticationConfigFile is the location of the authentication-config + this option is mutually exclusive with all OIDC options + type: string authenticationTokenWebhookCacheTtl: description: The duration to cache responses from the webhook token authenticator. Default is 2m. (default 2m0s) diff --git a/nodeup/pkg/model/tests/golden/audit/cluster.yaml b/nodeup/pkg/model/tests/golden/audit/cluster.yaml index cc786bfe398bd..a411e6337a4d3 100644 --- a/nodeup/pkg/model/tests/golden/audit/cluster.yaml +++ b/nodeup/pkg/model/tests/golden/audit/cluster.yaml 
@@ -65,6 +65,7 @@ spec:
 auditPolicyFile: /etc/kubernetes/audit/policy-config.yaml
 auditWebhookBatchMaxWait: 5s
 auditWebhookConfigFile: /etc/kubernetes/audit/webhook-config.yaml
+ authenticationConfigFile: /etc/kubernetes/authentication-config.yaml
 kubelet:
 anonymousAuth: false
 kubernetesVersion: v1.28.0
diff --git a/nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml b/nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
index e5087dfebd15e..581e111866722 100644
--- a/nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/audit/tasks-kube-apiserver.yaml
@@ -28,6 +28,7 @@ contents: |
 - --audit-policy-file=/etc/kubernetes/audit/policy-config.yaml
 - --audit-webhook-batch-max-wait=5s
 - --audit-webhook-config-file=/etc/kubernetes/audit/webhook-config.yaml
+ - --authentication-config=/etc/kubernetes/authentication-config.yaml
 - --authorization-mode=AlwaysAllow
 - --bind-address=0.0.0.0
 - --client-ca-file=/srv/kubernetes/ca.crt
diff --git a/pkg/apis/kops/componentconfig.go b/pkg/apis/kops/componentconfig.go
index 71931ad5da4d8..a88a15014b610 100644
--- a/pkg/apis/kops/componentconfig.go
+++ b/pkg/apis/kops/componentconfig.go
@@ -401,6 +401,9 @@ type KubeAPIServerConfig struct {
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+ // AuthenticationConfigFile is the location of the authentication-config
+ // this option is mutually exclusive with all OIDC options
+ AuthenticationConfigFile string `json:"authenticationConfigFile,omitempty" flag:"authentication-config"`
 // The apiserver's client certificate used for outbound requests.
 ProxyClientCertFile *string `json:"proxyClientCertFile,omitempty" flag:"proxy-client-cert-file"`
 // The apiserver's client key used for outbound requests.
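Review bot: The new `AuthenticationConfigFile` is declared as a plain `string` while the neighbouring path fields `OIDCCAFile` and `ProxyClientCertFile` are `*string`, so unset and empty collapse into one value; that is workable for a file path, but the comment should say so, and the two comment lines currently read as one run-on sentence without a period. I would write `// AuthenticationConfigFile is the path of the kube-apiserver authentication configuration (--authentication-config).` followed by `// It is mutually exclusive with all OIDC* options; an empty value means unset.` The identical field and comment are added to the v1alpha2 and v1alpha3 KubeAPIServerConfig structs in the hunks that follow and should carry the same wording. The KubeAPIServerConfig struct starts outside the hunk.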
diff --git a/pkg/apis/kops/v1alpha2/componentconfig.go b/pkg/apis/kops/v1alpha2/componentconfig.go
index 4cb4b33fe20cd..11b25faf026f0 100644
--- a/pkg/apis/kops/v1alpha2/componentconfig.go
+++ b/pkg/apis/kops/v1alpha2/componentconfig.go
@@ -408,6 +408,9 @@ type KubeAPIServerConfig struct {
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+ // AuthenticationConfigFile is the location of the authentication-config
+ // this option is mutually exclusive with all OIDC options
+ AuthenticationConfigFile string `json:"authenticationConfigFile,omitempty" flag:"authentication-config"`
 // The apiserver's client certificate used for outbound requests.
 ProxyClientCertFile *string `json:"proxyClientCertFile,omitempty" flag:"proxy-client-cert-file"`
 // The apiserver's client key used for outbound requests.
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index 2fef7123bac4a..f067db4f9b10d 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -4906,6 +4906,7 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 // INFO: in.OIDCClientID opted out of conversion generation
 // INFO: in.OIDCRequiredClaim opted out of conversion generation
 out.OIDCCAFile = in.OIDCCAFile
+ out.AuthenticationConfigFile = in.AuthenticationConfigFile
 out.ProxyClientCertFile = in.ProxyClientCertFile
 out.ProxyClientKeyFile = in.ProxyClientKeyFile
 out.AuditLogFormat = in.AuditLogFormat
@@ -5020,6 +5021,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha2_KubeAPIServerConfig(in *ko
 out.OIDCClientID = in.OIDCClientID
 out.OIDCRequiredClaim = in.OIDCRequiredClaim
 out.OIDCCAFile = in.OIDCCAFile
+ out.AuthenticationConfigFile = in.AuthenticationConfigFile
 out.ProxyClientCertFile = in.ProxyClientCertFile
 out.ProxyClientKeyFile = in.ProxyClientKeyFile
 out.AuditLogFormat = in.AuditLogFormat
diff --git a/pkg/apis/kops/v1alpha3/componentconfig.go b/pkg/apis/kops/v1alpha3/componentconfig.go
index e4b07e338a9a6..53cd82e6a8a18 100644
--- a/pkg/apis/kops/v1alpha3/componentconfig.go
+++ b/pkg/apis/kops/v1alpha3/componentconfig.go
@@ -399,6 +399,9 @@ type KubeAPIServerConfig struct {
 // OIDCCAFile if set, the OpenID server's certificate will be verified by one
 // of the authorities in the oidc-ca-file
 OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`
+ // AuthenticationConfigFile is the location of the authentication-config
+ // this option is mutually exclusive with all OIDC options
+ AuthenticationConfigFile string `json:"authenticationConfigFile,omitempty" flag:"authentication-config"`
 // ProxyClientCertFile is not admin-configurable.
 ProxyClientCertFile *string `json:"-"`
 // ProxyClientKeyFile is not admin-configurable.
diff --git a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
index e610ecf9358d8..75b333bfe2c7e 100644
--- a/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha3/zz_generated.conversion.go
@@ -5301,6 +5301,7 @@ func autoConvert_v1alpha3_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 out.OIDCClientID = in.OIDCClientID
 out.OIDCRequiredClaim = in.OIDCRequiredClaim
 out.OIDCCAFile = in.OIDCCAFile
+ out.AuthenticationConfigFile = in.AuthenticationConfigFile
 out.ProxyClientCertFile = in.ProxyClientCertFile
 out.ProxyClientKeyFile = in.ProxyClientKeyFile
 out.AuditLogFormat = in.AuditLogFormat
@@ -5415,6 +5416,7 @@ func autoConvert_kops_KubeAPIServerConfig_To_v1alpha3_KubeAPIServerConfig(in *ko
 out.OIDCClientID = in.OIDCClientID
 out.OIDCRequiredClaim = in.OIDCRequiredClaim
 out.OIDCCAFile = in.OIDCCAFile
+ out.AuthenticationConfigFile = in.AuthenticationConfigFile
 out.ProxyClientCertFile = in.ProxyClientCertFile
 out.ProxyClientKeyFile = in.ProxyClientKeyFile
 out.AuditLogFormat = in.AuditLogFormat
diff --git a/pkg/apis/kops/validation/validation.go b/pkg/apis/kops/validation/validation.go
index 593ac88854e37..2fca454f23d78 100644
--- a/pkg/apis/kops/validation/validation.go
+++ b/pkg/apis/kops/validation/validation.go
@@ -829,6 +829,12 @@ func validateKubeAPIServer(v *kops.KubeAPIServerConfig, c *kops.Cluster, fldPath
 }
 }
+ if v.AuthenticationConfigFile != "" {
+ if v.OIDCUsernameClaim != nil || v.OIDCUsernamePrefix != nil || v.OIDCGroupsClaim != nil || v.OIDCGroupsPrefix != nil || v.OIDCIssuerURL != nil || v.OIDCClientID != nil || v.OIDCRequiredClaim != nil {
+ allErrs = append(allErrs, field.Forbidden(fldPath.Child("authenticationConfigFile"), "authenticationConfigFile is mutually exclusive with OIDC options, remove all existing OIDC options to use authenticationConfigFile"))
+ }
+ }
+
 return allErrs
 }
diff --git a/pkg/apis/kops/validation/validation_test.go b/pkg/apis/kops/validation/validation_test.go
index a6292a9102ec2..8a01cdef74f30 100644
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@@ -310,6 +310,13 @@ func TestValidateKubeAPIServer(t *testing.T) {
 },
 ExpectedErrors: []string{"Unsupported value::KubeAPIServer.logFormat"},
 },
+ {
+ Input: kops.KubeAPIServerConfig{
+ OIDCIssuerURL: fi.PtrTo("https://example.com"),
+ AuthenticationConfigFile: "/foo/bar",
+ },
+ ExpectedErrors: []string{"Forbidden::KubeAPIServer.authenticationConfigFile"},
+ },
 }
 for _, g := range grid {
 if g.Cluster == nil {
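Review bot: The OIDC exclusion list in the new inner `if` omits `OIDCCAFile`, which the componentconfig hunks above show sitting directly beside the new field as another OIDC option, so a spec with `authenticationConfigFile` plus only `oidcCAFile` passes kops validation and the conflict is left for kube-apiserver itself to reject at start-up rather than being caught before the control plane is rolled. Add `|| v.OIDCCAFile != nil` to the condition (and any other `OIDC*` field of KubeAPIServerConfig that is not visible in this patch), and consider lifting the field list into a small helper so the struct comment's claim of "all OIDC options" and this check cannot drift apart. The Forbidden message could also name the OIDC field that was found instead of only stating that some were set. validateKubeAPIServer starts outside the hunk.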
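Review bot: The added grid case pins only the negative path, so nothing asserts that `AuthenticationConfigFile: "/foo/bar"` on its own produces no error, and a regression that made the Forbidden check fire unconditionally would still pass this table. Add a case `{Input: kops.KubeAPIServerConfig{AuthenticationConfigFile: "/foo/bar"}}` with no ExpectedErrors (assuming the loop below treats an empty ExpectedErrors as expecting none), and a second conflicting case that sets a different OIDC field such as `OIDCCAFile`, so the exclusion list is exercised rather than a single member of it. TestValidateKubeAPIServer starts outside the hunk.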