kubernetes · chrislovecnm · Jul 6, 2017 · Jun 19, 2017 · Jun 19, 2017
diff --git a/nodeup/pkg/model/kubeapiserver.go b/nodeup/pkg/model/kubeapiserver.go
@@ -25,11 +25,15 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/pkg/api/v1"
+	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
+	"k8s.io/kops/pkg/kubeconfig"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
 )
 
+const PathAuthnConfig = "/etc/kubernetes/authn.config"
+
 // KubeAPIServerBuilder install kube-apiserver (just the manifest at the moment)
 type KubeAPIServerBuilder struct {
 	*NodeupModelContext
@@ -42,6 +46,11 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 		return nil
 	}
 
+	err := b.writeAuthenticationConfig(c)
+	if err != nil {
+		return err
+	}
+
 	{
 		pod, err := b.buildPod()
 		if err != nil {
@@ -76,6 +85,54 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {
 	return nil
 }
 
+func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderContext) error {
+	if b.Cluster.Spec.Authentication == nil || b.Cluster.Spec.Authentication.IsEmpty() {
+		return nil
+	}
+
+	if b.Cluster.Spec.Authentication.Kopeio != nil {
+		cluster := kubeconfig.KubectlCluster{
+			Server: "http://127.0.0.1:9001/hooks/authn",
+		}
+		context := kubeconfig.KubectlContext{
+			Cluster: "webhook",
+			User:    "kube-apiserver",
+		}
+
+		config := kubeconfig.KubectlConfig{
+			Kind:       "Config",
+			ApiVersion: "v1",
+		}
+		config.Clusters = append(config.Clusters, &kubeconfig.KubectlClusterWithName{
+			Name:    "webhook",
+			Cluster: cluster,
+		})
+		config.Users = append(config.Users, &kubeconfig.KubectlUserWithName{
+			Name: "kube-apiserver",
+		})
+		config.CurrentContext = "webhook"
+		config.Contexts = append(config.Contexts, &kubeconfig.KubectlContextWithName{
+			Name:    "webhook",
+			Context: context,
+		})
+
+		manifest, err := kops.ToRawYaml(config)
+		if err != nil {
+			return fmt.Errorf("error marshalling authentication config to yaml: %v", err)
+		}
+
+		t := &nodetasks.File{
+			Path:     PathAuthnConfig,
+			Contents: fi.NewBytesResource(manifest),
+			Type:     nodetasks.FileType_File,
+		}
+		c.AddTask(t)
+		return nil
+	} else {
+		return fmt.Errorf("Unrecognized authentication config %v", b.Cluster.Spec.Authentication)
+	}
+}
+
 func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 	kubeAPIServer := b.Cluster.Spec.KubeAPIServer
 
@@ -192,6 +249,12 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) {
 		addHostPathMapping(pod, container, "auditlogpathdir", auditLogPathDir).ReadOnly = false
 	}
 
+	if b.Cluster.Spec.Authentication != nil {
+		if b.Cluster.Spec.Authentication.Kopeio != nil {
+			addHostPathMapping(pod, container, "authn-config", PathAuthnConfig)
+		}
+	}
+
 	pod.Spec.Containers = append(pod.Spec.Containers, *container)
 
 	return pod, nil

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -236,6 +236,9 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`
 
+	// Authentication field controls how the cluster is configured for authentication
+	Authentication *AuthenticationSpec `json:"authentication,omitempty"`
+
 	// Authorization field controls how the cluster is configured for authorization
 	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
 
@@ -257,6 +260,17 @@ type ExecContainerAction struct {
 	Command []string `json:"command,omitempty"`
 }
 
+type AuthenticationSpec struct {
+	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
+}
+
+func (s *AuthenticationSpec) IsEmpty() bool {
+	return s.Kopeio == nil
+}
+
+type KopeioAuthenticationSpec struct {
+}
+
 type AuthorizationSpec struct {
 	AlwaysAllow *AlwaysAllowAuthorizationSpec `json:"alwaysAllow,omitempty"`
 	RBAC        *RBACAuthorizationSpec        `json:"rbac,omitempty"`

diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
@@ -230,6 +230,9 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`
 
+	// Authentication field controls how the cluster is configured for authentication
+	Authentication *AuthenticationSpec `json:"authentication,omitempty"`
+
 	// Authorization field controls how the cluster is configured for authorization
 	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
 
@@ -251,6 +254,17 @@ type ExecContainerAction struct {
 	Command []string `json:"command,omitempty"`
 }
 
+type AuthenticationSpec struct {
+	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
+}
+
+func (s *AuthenticationSpec) IsEmpty() bool {
+	return s.Kopeio == nil
+}
+
+type KopeioAuthenticationSpec struct {
+}
+
 type AuthorizationSpec struct {
 	AlwaysAllow *AlwaysAllowAuthorizationSpec `json:"alwaysAllow,omitempty"`
 	RBAC        *RBACAuthorizationSpec        `json:"rbac,omitempty"`

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -39,6 +39,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_kops_AccessSpec_To_v1alpha1_AccessSpec,
 		Convert_v1alpha1_AlwaysAllowAuthorizationSpec_To_kops_AlwaysAllowAuthorizationSpec,
 		Convert_kops_AlwaysAllowAuthorizationSpec_To_v1alpha1_AlwaysAllowAuthorizationSpec,
+		Convert_v1alpha1_AuthenticationSpec_To_kops_AuthenticationSpec,
+		Convert_kops_AuthenticationSpec_To_v1alpha1_AuthenticationSpec,
 		Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec,
 		Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec,
 		Convert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec,
@@ -87,6 +89,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_kops_InstanceGroupList_To_v1alpha1_InstanceGroupList,
 		Convert_v1alpha1_InstanceGroupSpec_To_kops_InstanceGroupSpec,
 		Convert_kops_InstanceGroupSpec_To_v1alpha1_InstanceGroupSpec,
+		Convert_v1alpha1_KopeioAuthenticationSpec_To_kops_KopeioAuthenticationSpec,
+		Convert_kops_KopeioAuthenticationSpec_To_v1alpha1_KopeioAuthenticationSpec,
 		Convert_v1alpha1_KopeioNetworkingSpec_To_kops_KopeioNetworkingSpec,
 		Convert_kops_KopeioNetworkingSpec_To_v1alpha1_KopeioNetworkingSpec,
 		Convert_v1alpha1_KubeAPIServerConfig_To_kops_KubeAPIServerConfig,
@@ -186,6 +190,40 @@ func Convert_kops_AlwaysAllowAuthorizationSpec_To_v1alpha1_AlwaysAllowAuthorizat
 	return autoConvert_kops_AlwaysAllowAuthorizationSpec_To_v1alpha1_AlwaysAllowAuthorizationSpec(in, out, s)
 }
 
+func autoConvert_v1alpha1_AuthenticationSpec_To_kops_AuthenticationSpec(in *AuthenticationSpec, out *kops.AuthenticationSpec, s conversion.Scope) error {
+	if in.Kopeio != nil {
+		in, out := &in.Kopeio, &out.Kopeio
+		*out = new(kops.KopeioAuthenticationSpec)
+		if err := Convert_v1alpha1_KopeioAuthenticationSpec_To_kops_KopeioAuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Kopeio = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_AuthenticationSpec_To_kops_AuthenticationSpec(in *AuthenticationSpec, out *kops.AuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AuthenticationSpec_To_kops_AuthenticationSpec(in, out, s)
+}
+
+func autoConvert_kops_AuthenticationSpec_To_v1alpha1_AuthenticationSpec(in *kops.AuthenticationSpec, out *AuthenticationSpec, s conversion.Scope) error {
+	if in.Kopeio != nil {
+		in, out := &in.Kopeio, &out.Kopeio
+		*out = new(KopeioAuthenticationSpec)
+		if err := Convert_kops_KopeioAuthenticationSpec_To_v1alpha1_KopeioAuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Kopeio = nil
+	}
+	return nil
+}
+
+func Convert_kops_AuthenticationSpec_To_v1alpha1_AuthenticationSpec(in *kops.AuthenticationSpec, out *AuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_kops_AuthenticationSpec_To_v1alpha1_AuthenticationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error {
 	if in.AlwaysAllow != nil {
 		in, out := &in.AlwaysAllow, &out.AlwaysAllow
@@ -549,6 +587,15 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.API = nil
 	}
+	if in.Authentication != nil {
+		in, out := &in.Authentication, &out.Authentication
+		*out = new(kops.AuthenticationSpec)
+		if err := Convert_v1alpha1_AuthenticationSpec_To_kops_AuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authentication = nil
+	}
 	if in.Authorization != nil {
 		in, out := &in.Authorization, &out.Authorization
 		*out = new(kops.AuthorizationSpec)
@@ -716,6 +763,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.API = nil
 	}
+	if in.Authentication != nil {
+		in, out := &in.Authentication, &out.Authentication
+		*out = new(AuthenticationSpec)
+		if err := Convert_kops_AuthenticationSpec_To_v1alpha1_AuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authentication = nil
+	}
 	if in.Authorization != nil {
 		in, out := &in.Authorization, &out.Authorization
 		*out = new(AuthorizationSpec)
@@ -1170,6 +1226,22 @@ func autoConvert_kops_InstanceGroupSpec_To_v1alpha1_InstanceGroupSpec(in *kops.I
 	return nil
 }
 
+func autoConvert_v1alpha1_KopeioAuthenticationSpec_To_kops_KopeioAuthenticationSpec(in *KopeioAuthenticationSpec, out *kops.KopeioAuthenticationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_v1alpha1_KopeioAuthenticationSpec_To_kops_KopeioAuthenticationSpec(in *KopeioAuthenticationSpec, out *kops.KopeioAuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_KopeioAuthenticationSpec_To_kops_KopeioAuthenticationSpec(in, out, s)
+}
+
+func autoConvert_kops_KopeioAuthenticationSpec_To_v1alpha1_KopeioAuthenticationSpec(in *kops.KopeioAuthenticationSpec, out *KopeioAuthenticationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_kops_KopeioAuthenticationSpec_To_v1alpha1_KopeioAuthenticationSpec(in *kops.KopeioAuthenticationSpec, out *KopeioAuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_kops_KopeioAuthenticationSpec_To_v1alpha1_KopeioAuthenticationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha1_KopeioNetworkingSpec_To_kops_KopeioNetworkingSpec(in *KopeioNetworkingSpec, out *kops.KopeioNetworkingSpec, s conversion.Scope) error {
 	return nil
 }

diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
@@ -156,6 +156,9 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`
 
+	// Authentication field controls how the cluster is configured for authentication
+	Authentication *AuthenticationSpec `json:"authentication,omitempty"`
+
 	// Authorization field controls how the cluster is configured for authorization
 	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
 
@@ -177,6 +180,17 @@ type ExecContainerAction struct {
 	Command []string `json:"command,omitempty"`
 }
 
+type AuthenticationSpec struct {
+	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
+}
+
+func (s *AuthenticationSpec) IsEmpty() bool {
+	return s.Kopeio == nil
+}
+
+type KopeioAuthenticationSpec struct {
+}
+
 type AuthorizationSpec struct {
 	AlwaysAllow *AlwaysAllowAuthorizationSpec `json:"alwaysAllow,omitempty"`
 	RBAC        *RBACAuthorizationSpec        `json:"rbac,omitempty"`