kinvolk · ipochi · May 27, 2020 · Mar 17, 2020 · Mar 17, 2020 · May 11, 2020
diff --git a/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/bootkube.tf b/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/bootkube.tf
@@ -2,17 +2,17 @@
 module "bootkube" {
   source = "../../../bootkube"
 
-  cluster_name          = var.cluster_name
-  api_servers           = [format("%s.%s", var.cluster_name, var.dns_zone)]
-  etcd_servers          = aws_route53_record.etcds.*.fqdn
-  asset_dir             = var.asset_dir
-  network_mtu           = var.network_mtu
-  pod_cidr              = var.pod_cidr
-  service_cidr          = var.service_cidr
-  cluster_domain_suffix = var.cluster_domain_suffix
-  enable_reporting      = var.enable_reporting
-  enable_aggregation    = var.enable_aggregation
-
+  cluster_name                = var.cluster_name
+  api_servers                 = [format("%s.%s", var.cluster_name, var.dns_zone)]
+  etcd_servers                = aws_route53_record.etcds.*.fqdn
+  asset_dir                   = var.asset_dir
+  network_mtu                 = var.network_mtu
+  pod_cidr                    = var.pod_cidr
+  service_cidr                = var.service_cidr
+  cluster_domain_suffix       = var.cluster_domain_suffix
+  enable_reporting            = var.enable_reporting
+  enable_aggregation          = var.enable_aggregation
+  kube_apiserver_extra_flags  = var.kube_apiserver_extra_flags
   certs_validity_period_hours = var.certs_validity_period_hours
 
   # Disable the self hosted kubelet.

diff --git a/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf b/assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf
@@ -163,3 +163,9 @@ variable "certs_validity_period_hours" {
   type        = number
   default     = 8760
 }
+
+variable "kube_apiserver_extra_flags" {
+  description = "Extra flags passed to self-hosted kube-apiserver."
+  type        = list(string)
+  default     = []
+}
diff --git a/assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/bootkube.tf b/assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/bootkube.tf
@@ -13,6 +13,7 @@ module "bootkube" {
   cluster_domain_suffix           = var.cluster_domain_suffix
   enable_reporting                = var.enable_reporting
   enable_aggregation              = var.enable_aggregation
+  kube_apiserver_extra_flags      = var.kube_apiserver_extra_flags
 
   certs_validity_period_hours = var.certs_validity_period_hours
 

diff --git a/assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/variables.tf b/assets/lokomotive-kubernetes/bare-metal/flatcar-linux/kubernetes/variables.tf
@@ -167,3 +167,9 @@ variable "certs_validity_period_hours" {
   type        = number
   default     = 8760
 }
+
+variable "kube_apiserver_extra_flags" {
+  description = "Extra flags passed to self-hosted kube-apiserver."
+  type        = list(string)
+  default     = []
+}
diff --git a/assets/lokomotive-kubernetes/bootkube/assets.tf b/assets/lokomotive-kubernetes/bootkube/assets.tf
@@ -38,6 +38,7 @@ resource "local_file" "kube-apiserver" {
     aggregation_client_key   = var.enable_aggregation == true ? base64encode(join(" ", tls_private_key.aggregation-client.*.private_key_pem)) : ""
     replicas                 = length(var.etcd_servers)
     expose_on_all_interfaces = var.expose_on_all_interfaces
+    extra_flags              = var.kube_apiserver_extra_flags
   })
 }
 

diff --git a/assets/lokomotive-kubernetes/bootkube/resources/charts/kube-apiserver.yaml b/assets/lokomotive-kubernetes/bootkube/resources/charts/kube-apiserver.yaml
@@ -17,3 +17,9 @@ apiserver:
   trustedCertsDir: ${trusted_certs_dir}
   replicas: ${replicas}
   exposeOnAllInterfaces: ${expose_on_all_interfaces}
+  %{~ if length(extra_flags) > 0 ~}
+  extraFlags:
+  %{~ for f in extra_flags ~}
+  - ${f}
+  %{~ endfor ~}
+  %{~ endif ~}
diff --git a/...omotive-kubernetes/bootkube/resources/charts/kube-apiserver/templates/kube-apiserver.yaml b/...omotive-kubernetes/bootkube/resources/charts/kube-apiserver/templates/kube-apiserver.yaml
@@ -109,7 +109,10 @@ spec:
           --requestheader-extra-headers-prefix=X-Remote-Extra- \
           --requestheader-group-headers=X-Remote-Group \
           --requestheader-username-headers=X-Remote-User \
-          {{ end -}}
+          {{- end }}
+          {{- range .Values.apiserver.extraFlags }}
+          {{ . }} \
+          {{- end }}
           --storage-backend=etcd3
         {{- else }}
         - kube-apiserver
@@ -144,6 +147,9 @@ spec:
         - --requestheader-group-headers=X-Remote-Group
         - --requestheader-username-headers=X-Remote-User
         {{- end }}
+        {{- range .Values.apiserver.extraFlags }}
+        - {{ . }}
+        {{- end }}
         {{- end }}
         env:
         - name: POD_IP

diff --git a/assets/lokomotive-kubernetes/bootkube/resources/charts/kube-apiserver/values.yaml b/assets/lokomotive-kubernetes/bootkube/resources/charts/kube-apiserver/values.yaml
@@ -20,3 +20,4 @@ apiserver:
   # service (kubernetes.default.svc) and on all interfaces on port 6443.
   # If false, it will be exposed only on HostIP on port 6443.
   exposeOnAllInterfaces: false
+  extraFlags: []
diff --git a/assets/lokomotive-kubernetes/bootkube/variables.tf b/assets/lokomotive-kubernetes/bootkube/variables.tf
@@ -144,3 +144,9 @@ variable "disable_self_hosted_kubelet" {
   description = "Disable the self hosted kubelet installed by default"
   type        = bool
 }
+
+variable "kube_apiserver_extra_flags" {
+  description = "Extra flags passed to self-hosted kube-apiserver."
+  type        = list(string)
+  default     = []
+}
diff --git a/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/bootkube.tf b/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/bootkube.tf
@@ -27,4 +27,6 @@ module "bootkube" {
 
   # Disable the self hosted kubelet.
   disable_self_hosted_kubelet = var.disable_self_hosted_kubelet
+  # Extra flags to API server.  
+  kube_apiserver_extra_flags = var.kube_apiserver_extra_flags
 }
diff --git a/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/variables.tf b/assets/lokomotive-kubernetes/packet/flatcar-linux/kubernetes/variables.tf
@@ -186,3 +186,9 @@ variable "nodes_depend_on" {
   type        = list(any)
   default     = null
 }
+
+variable "kube_apiserver_extra_flags" {
+  description = "Extra flags passed to self-hosted kube-apiserver."
+  type        = list(string)
+  default     = []
+}
diff --git a/ci/aws/aws-cluster.lokocfg.envsubst b/ci/aws/aws-cluster.lokocfg.envsubst
@@ -26,6 +26,11 @@ cluster "aws" {
       "deployment" = "ci"
     }
   }
+
+  # Adds oidc flags to API server with default values.
+  # Acts as a smoke test to check if API server is functional after addition
+  # of extra flags.
+  oidc {}
 }
 
 component "openebs-operator" {}

diff --git a/ci/baremetal/baremetal-cluster.lokocfg.envsubst b/ci/baremetal/baremetal-cluster.lokocfg.envsubst
@@ -1,15 +1,15 @@
 # Note: number of worker nodes has to match `pxe-testbed --num-nodes ...` count
 cluster "bare-metal" {
-  asset_dir = pathexpand("~/lokoctl-assets")
-  ssh_pubkeys = [file(pathexpand("~/.ssh/id_rsa.pub"))]
-  cached_install = "true"
-  matchbox_ca_path = pathexpand("~/pxe-testbed/.matchbox/ca.crt")
+  asset_dir                 = pathexpand("~/lokoctl-assets")
+  ssh_pubkeys               = [file(pathexpand("~/.ssh/id_rsa.pub"))]
+  cached_install            = "true"
+  matchbox_ca_path          = pathexpand("~/pxe-testbed/.matchbox/ca.crt")
   matchbox_client_cert_path = pathexpand("~/pxe-testbed/.matchbox/client.crt")
-  matchbox_client_key_path = pathexpand("~/pxe-testbed/.matchbox/client.key")
-  matchbox_endpoint = "matchbox.example.com:8081"
-  matchbox_http_endpoint = "http://matchbox.example.com:8080"
-  cluster_name = "mercury"
-  k8s_domain_name = "node1.example.com"
+  matchbox_client_key_path  = pathexpand("~/pxe-testbed/.matchbox/client.key")
+  matchbox_endpoint         = "matchbox.example.com:8081"
+  matchbox_http_endpoint    = "http://matchbox.example.com:8080"
+  cluster_name              = "mercury"
+  k8s_domain_name           = "node1.example.com"
   controller_domains = [
     "node1.example.com",
   ]
@@ -31,4 +31,8 @@ cluster "bare-metal" {
     "node2",
     "node3",
   ]
+  # Adds oidc flags to API server with default values.
+  # Acts as a smoke test to check if API server is functional after addition
+  # of extra flags.
+  oidc {}
 }
diff --git a/ci/packet-arm/packet-arm-cluster.lokocfg.envsubst b/ci/packet-arm/packet-arm-cluster.lokocfg.envsubst
@@ -13,7 +13,7 @@ cluster "packet" {
     }
   }
 
-  facility    = "$PACKET_LOCATION"
+  facility = "$PACKET_LOCATION"
 
   project_id = "$PACKET_PROJECT_ID"
 
@@ -33,4 +33,9 @@ cluster "packet" {
     os_channel      = "alpha"
     node_type       = "c2.large.arm"
   }
+
+  # Adds oidc flags to API server with default values.
+  # Acts as a smoke test to check if API server is functional after addition
+  # of extra flags.
+  oidc {}
 }
diff --git a/ci/packet/packet-cluster.lokocfg.envsubst b/ci/packet/packet-cluster.lokocfg.envsubst
@@ -13,7 +13,7 @@ cluster "packet" {
     }
   }
 
-  facility    = "$PACKET_LOCATION"
+  facility = "$PACKET_LOCATION"
 
   project_id = "$PACKET_PROJECT_ID"
 
@@ -24,8 +24,13 @@ cluster "packet" {
   worker_pool "pool-1" {
     count     = 2
     node_type = "c2.medium.x86"
-    labels = "testing.io=yes,roleofnode=testing"
+    labels    = "testing.io=yes,roleofnode=testing"
   }
+
+  # Adds oidc flags to API server with default values.
+  # Acts as a smoke test to check if API server is functional after addition
+  # of extra flags.
+  oidc {}
 }
 
 component "openebs-operator" {}
@@ -70,8 +75,8 @@ component "external-dns"{
   policy   = "sync"
   owner_id = "$CLUSTER_ID"
   aws {
-    zone_id = "$AWS_DNS_ZONE_ID"
-    aws_access_key_id = "$AWS_ACCESS_KEY_ID"
+    zone_id               = "$AWS_DNS_ZONE_ID"
+    aws_access_key_id     = "$AWS_ACCESS_KEY_ID"
     aws_secret_access_key = "$AWS_SECRET_ACCESS_KEY"
   }
 
@@ -86,13 +91,13 @@ component "dex" {
   certmanager_cluster_issuer = "letsencrypt-staging"
 
   connector "github" {
-    id = "github"
+    id   = "github"
     name = "GitHub"
 
     config {
-      client_id = "$GITHUB_CLIENT_ID"
+      client_id     = "$GITHUB_CLIENT_ID"
       client_secret = "$GITHUB_CLIENT_SECRET"
-      redirect_uri = "$REDIRECT_URI"
+      redirect_uri  = "$REDIRECT_URI"
 
       team_name_field = "slug"
 
@@ -151,7 +156,7 @@ component "cluster-autoscaler" {
 
   packet {
     project_id = "$PACKET_PROJECT_ID"
-    facility = "$PACKET_LOCATION"
+    facility   = "$PACKET_LOCATION"
   }
 
   service_monitor = true

diff --git a/docs/configuration-reference/platforms/aws.md b/docs/configuration-reference/platforms/aws.md
@@ -52,6 +52,10 @@ variable "worker_spot_price" {}
 variable "lb_http_port" {}
 variable "lb_https_port" {}
 variable "target_groups" {}
+variable "oidc_issuer_url" {}
+variable "oidc_client_id" {}
+variable "oidc_username_claim" {}
+variable "oidc_groups_claim" {}
 
 backend "s3" {
   bucket         = var.state_s3_bucket
@@ -117,6 +121,13 @@ cluster "aws" {
 
   enable_reporting = false
 
+  oidc {
+    issuer_url     = var.oidc_issuer_url
+    client_id      = var.oidc_client_id
+    username_claim = var.oidc_username_claim
+    groups_claim   = var.oidc_groups_claim
+  }
+
   worker_pool "my-worker-pool" {
     count = 2
 
@@ -186,6 +197,11 @@ worker_pool "my-worker-pool" {
 | `os_version`                  | Flatcar Container Linux version to install. Version such as "2303.3.1" or "current".                                                                                                       | "current"       | false    |
 | `dns_zone`                    | Route 53 DNS Zone.                                                                                                                                                                         | -               | true     |
 | `dns_zone_id`                 | Route 53 DNS Zone ID.                                                                                                                                                                      | -               | true     |
+| `oidc`                        | OIDC configuration block.                                                                                                                                                                  | -               | false    |
+| `oidc.issuer_url`             | URL of the provider which allows the API server to discover public signing keys. Only URLs which use the https:// scheme are accepted.                                                     | -               | false    |
+| `oidc.client_id`              | A client id that all tokens must be issued for.                                                                                                                                            | "gangway"       | false    |
+| `oidc.username_claim`         | JWT claim to use as the user name.                                                                                                                                                         | "email"         | false    |
+| `oidc.groups_claim`           | JWT claim to use as the user’s group.                                                                                                                                                      | "groups"        | false    |
 | `expose_nodeports`            | Expose node ports `30000-32767` in the security group, if set to `true`.                                                                                                                   | false           | false    |
 | `ssh_pubkeys`                 | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...".               | -               | true     |
 | `controller_count`            | Number of controller nodes.                                                                                                                                                                | 1               | false    |

diff --git a/docs/configuration-reference/platforms/baremetal.md b/docs/configuration-reference/platforms/baremetal.md
@@ -46,6 +46,10 @@ variable "management_cidrs" {}
 variable "node_private_cidr" {}
 variable "state_s3_bucket" {}
 variable "lock_dynamodb_table" {}
+variable "oidc_issuer_url" {}
+variable "oidc_client_id" {}
+variable "oidc_username_claim" {}
+variable "oidc_groups_claim" {}
 
 cluster "bare-metal" {
   asset_dir = var.asset_dir
@@ -83,6 +87,13 @@ cluster "bare-metal" {
   os_version = "current"
 
   os_channel = "flatcar-stable"
+
+  oidc {
+    issuer_url     = var.oidc_issuer_url
+    client_id      = var.oidc_client_id
+    username_claim = var.oidc_username_claim
+    groups_claim   = var.oidc_groups_claim
+  }
 }
 ```
 
@@ -128,9 +139,14 @@ os_version = var.custom_default_os_version
 | `worker_names`              | Ordered list of worker names. Example: ["node2", "node3"]                                                                                                                    | -                | true     |
 | `worker_macs`               | Ordered list of worker identifying MAC addresses. Example ["52:54:00:b2:2f:86", "52:54:00:c3:61:77"]                                                                         | -                | true     |
 | `worker_domains`            | Ordered list of worker FQDNs. Example ["node2.example.com", "node3.example.com"]                                                                                             | -                | true     |
-| `ssh_pubkeys`               | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...". | -               | true     |
+| `ssh_pubkeys`               | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...". | -                | true     |
 | `os_version`                | Flatcar Container Linux version to install. Version such as "2303.3.1" or "current".                                                                                         | "current"        | false    |
 | `os_channel`                | Flatcar Container Linux channel to install from ("flatcar-stable", "flatcar-beta", "flatcar-alpha", "flatcar-edge").                                                         | "flatcar-stable" | false    |
+| `oidc`                      | OIDC configuration block.                                                                                                                                                    | -                | false    |
+| `oidc.issuer_url`           | URL of the provider which allows the API server to discover public signing keys. Only URLs which use the https:// scheme are accepted.                                       | -                | false    |
+| `oidc.client_id`            | A client id that all tokens must be issued for.                                                                                                                              | "gangway"        | false    |
+| `oidc.username_claim`       | JWT claim to use as the user name.                                                                                                                                           | "email"          | false    |
+| `oidc.groups_claim`         | JWT claim to use as the user’s group.                                                                                                                                        | "groups"         | false    |
 
 ## Applying
 

diff --git a/docs/configuration-reference/platforms/packet.md b/docs/configuration-reference/platforms/packet.md
@@ -44,6 +44,10 @@ variable "management_cidrs" {}
 variable "node_private_cidr" {}
 variable "state_s3_bucket" {}
 variable "lock_dynamodb_table" {}
+variable "oidc_issuer_url" {}
+variable "oidc_client_id" {}
+variable "oidc_username_claim" {}
+variable "oidc_groups_claim" {}
 
 backend "s3" {
   bucket         = var.state_s3_bucket
@@ -122,6 +126,13 @@ cluster "packet" {
 
   certs_validity_period_hours = 8760
 
+  oidc {
+    issuer_url     = var.oidc_issuer_url
+    client_id      = var.oidc_client_id
+    username_claim = var.oidc_username_claim
+    groups_claim   = var.oidc_groups_claim
+  }
+
   worker_pool "worker-pool-1" {
     count = var.workers_count
 
@@ -192,6 +203,11 @@ node_type = var.custom_default_worker_type
 | `dns.provider.route53.zone_id`        | Route 53 DNS Zone ID.                                                                                                                                                         | -               | true     |
 | `dns.provider.route53.aws_creds_path` | AWS credentials for managing Route 53 DNS.                                                                                                                                    | -               | false    |
 | `dns.provider.manual`                 | Manual DNS configuration.                                                                                                                                                     | -               | false    |
+| `oidc`                                | OIDC configuration block.                                                                                                                                                     | -               | false    |
+| `oidc.issuer_url`                     | URL of the provider which allows the API server to discover public signing keys. Only URLs which use the https:// scheme are accepted.                                        | -               | false    |
+| `oidc.client_id`                      | A client id that all tokens must be issued for.                                                                                                                               | "gangway"       | false    |
+| `oidc.username_claim`                 | JWT claim to use as the user name.                                                                                                                                            | "email"         | false    |
+| `oidc.groups_claim`                   | JWT claim to use as the user’s group.                                                                                                                                         | "groups"        | false    |
 | `facility`                            | Packet facility to use for deploying the cluster.                                                                                                                             | -               | false    |
 | `project_id`                          | Packet project ID.                                                                                                                                                            | -               | true     |
 | `ssh_pubkeys`                         | List of SSH public keys for user `core`. Each element must be specified in a valid OpenSSH public key format, as defined in RFC 4253 Section 6.6, e.g. "ssh-rsa AAAAB3N...".  | -               | true     |