Make auth options configurable
Change-Id: I2a91397f6182a32c4ec905947fe316aa5c383369
diff --git a/README.rst b/README.rst
index 01178fe..b0b8e7d 100644
--- a/README.rst
+++ b/README.rst
@@ -378,6 +378,36 @@
version: v1.2.4
+Enable basic, token and http authentication, disable ssl auth, create some
+static users:
+
+.. code-block:: yaml
+
+ kubernetes:
+ master:
+ auth:
+ basic:
+ enabled: true
+ user:
+ jdoe:
+ password: dummy
+ groups:
+ - system:admin
+ http:
+ enabled: true
+ header:
+ user: X-Remote-User
+ group: X-Remote-Group
+ ssl:
+ enabled: false
+ token:
+ enabled: true
+ user:
+ jdoe:
+ token: dummytoken
+ groups:
+ - system:admin
+
Kubernetes with OpenContrail network plugin
------------------------------------------------
diff --git a/kubernetes/files/basic_auth.csv b/kubernetes/files/basic_auth.csv
index 00ee9c6..8faa760 100644
--- a/kubernetes/files/basic_auth.csv
+++ b/kubernetes/files/basic_auth.csv
@@ -1,2 +1,5 @@
-{%- from "kubernetes/map.jinja" import master with context %}
-{{ master.admin.password }},{{ master.admin.username }},admin
\ No newline at end of file
+{%- from "kubernetes/map.jinja" import master with context -%}
+{{ master.admin.password }},{{ master.admin.username }},admin
+{%- for name, user in master.auth.basic.get('user', {}).iteritems() %}
+{{ user.password }},{{ user.name|default(name) }},{{ user.get('uid', user.get('name', name)) }}{% if user.groups is defined %},"{{ user.groups|join(',') }}"{% endif %}
+{%- endfor %}
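Review bot: `.iteritems()` on the new `for` line is a Python 2 only dict method; on a Python 3 Salt master the template fails to render and the `file.managed` state errors, so none of the static-user rows are written. `.items()` behaves the same on both interpreters: `{%- for name, user in master.auth.basic.get('user', {}).items() %}`. The same call appears in the known_tokens.csv hunk of this change and should be fixed the same way. A one-line comment above the loop stating the row layout the apiserver expects, `{# password,user,uid[,"group1,group2"] #}`, would also save the next reader a trip to the apiserver docs.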
diff --git a/kubernetes/files/known_tokens.csv b/kubernetes/files/known_tokens.csv
index caea56a..328bedd 100644
--- a/kubernetes/files/known_tokens.csv
+++ b/kubernetes/files/known_tokens.csv
@@ -12,3 +12,6 @@
{{ master.token.monitoring }},system:monitoring,system:monitoring
{%- endif %}
{{ master.token.dns }},system:dns,system:dns
+{%- for name, user in master.auth.token.get('user', {}).iteritems() %}
+{{ user.token }},{{ user.name|default(name) }},{{ user.get('uid', user.get('name', name)) }}{% if user.groups is defined %},"{{ user.groups|join(',') }}"{% endif %}
+{%- endfor %}
diff --git a/kubernetes/files/manifest/kube-apiserver.manifest b/kubernetes/files/manifest/kube-apiserver.manifest
index b363766..3cf76c8 100644
--- a/kubernetes/files/manifest/kube-apiserver.manifest
+++ b/kubernetes/files/manifest/kube-apiserver.manifest
@@ -20,13 +20,28 @@
--etcd-servers={% for member in master.etcd.members %}http://{{ member.host }}:4001{% if not loop.last %},{% endif %}{% endfor %}
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
--service-cluster-ip-range={{ master.service_addresses }}
- --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
- --basic-auth-file=/srv/kubernetes/basic_auth.csv
+ {%- if master.auth.get('ssl', {}).enabled|default(True) %}
+ --client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ {%- endif %}
+ {%- if master.auth.get('proxy', {}).enabled|default(False) %}
+ --requestheader-username-headers={{ master.auth.proxy.header.user }}
+ --requestheader-group-headers={{ master.auth.proxy.header.group }}
+ --requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
+ --requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ {%- endif %}
+ {%- if master.auth.get('anonymous', False) %}
+ --anonymous-auth=true
+ {%- endif %}
+ {%- if master.auth.get('basic', {}).enabled|default(True) %}
+ --basic-auth-file={{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
+ {%- endif %}
--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
--secure-port={{ master.apiserver.secure_port }}
--bind-address={{ master.apiserver.address }}
- --token-auth-file=/srv/kubernetes/known_tokens.csv
+ {%- if master.auth.get('token', {}).enabled|default(True) %}
+ --token-auth-file={{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
+ {%- endif %}
--apiserver-count={{ master.apiserver.get('count', 1) }}
--etcd-quorum-read=true
--v={{ master.get('verbosity', 2) }}
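Review bot: `master.auth.get('anonymous', False)` on the `--anonymous-auth=true` guard tests the truthiness of the whole `anonymous` mapping, and the map.jinja hunk in this change defaults that mapping to `{'enabled': false}`, a non-empty and therefore truthy dict, so the flag is emitted with default settings and anonymous access is switched on for every master. The guard should read the flag the way its siblings do, `{%- if master.auth.get('anonymous', {}).enabled|default(False) %}`; the identical guard in the controller.sls DAEMON_ARGS hunk needs the same fix, and since later apiserver releases default `--anonymous-auth` to true, emitting `--anonymous-auth=false` explicitly when disabled makes the intent hold regardless of version. The request-header block reads `master.auth.proxy`, while map.jinja and the README in this change define and document the section as `http`, so enabling it as documented has no effect, and a pillar that does set `proxy` without `header.extra` fails to render because that key has no `|default`. Defaulting `--requestheader-client-ca-file` to the same CA as `--client-ca-file` means any holder of an ordinary cluster client certificate can assert arbitrary user and group names through the headers; the front-proxy CA should be a separate, explicitly configured value rather than inherit `master.ca`.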
diff --git a/kubernetes/map.jinja b/kubernetes/map.jinja
index 4382f88..f426e3c 100644
--- a/kubernetes/map.jinja
+++ b/kubernetes/map.jinja
@@ -17,10 +17,58 @@
'Debian': {
'pkgs': [],
'services': ['kube-apiserver','kube-scheduler','kube-controller-manager'],
+ 'auth': {
+ 'token': {
+ 'enabled': true,
+ 'file': '/srv/kubernetes/known_tokens.csv',
+ },
+ 'ssl': {
+ 'enabled': true,
+ },
+ 'basic': {
+ 'enabled': true,
+ 'file': '/srv/kubernetes/basic_auth.csv',
+ },
+ 'http': {
+ 'enabled': false,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
+ 'anonymous': {
+ 'enabled': false,
+ },
+ },
},
'RedHat': {
'pkgs': [],
'services': ['kube-apiserver','kube-scheduler','kube-controller-manager'],
+ 'auth': {
+ 'token': {
+ 'enabled': true,
+ 'file': '/srv/kubernetes/known_tokens.csv',
+ },
+ 'ssl': {
+ 'enabled': true,
+ },
+ 'basic': {
+ 'enabled': true,
+ 'file': '/srv/kubernetes/basic_auth.csv',
+ },
+ 'http': {
+ 'enabled': false,
+ 'header': {
+ 'user': 'X-Remote-User',
+ 'group': 'X-Remote-Group',
+ 'extra': 'X-Remote-Extra-',
+ },
+ },
+ 'anonymous': {
+ 'enabled': false,
+ },
+ },
},
}, merge=salt['pillar.get']('kubernetes:master')) %}
diff --git a/kubernetes/master/controller.sls b/kubernetes/master/controller.sls
index b112336..108bb07 100644
--- a/kubernetes/master/controller.sls
+++ b/kubernetes/master/controller.sls
@@ -2,23 +2,37 @@
{%- from "kubernetes/map.jinja" import common with context %}
{%- if master.enabled %}
-/srv/kubernetes/known_tokens.csv:
+{%- if master.auth.get('token', {}).enabled|default(True) %}
+kubernetes_known_tokens:
file.managed:
+ - name: {{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
- source: salt://kubernetes/files/known_tokens.csv
- template: jinja
- user: root
- group: root
- mode: 644
- makedirs: true
+ {%- if not master.get('container', 'true') %}
+ - watch_in:
+ - service: master_services
+ {%- endif %}
+{%- endif %}
-/srv/kubernetes/basic_auth.csv:
+{%- if master.auth.get('basic', {}).enabled|default(True) %}
+kubernetes_basic_auth:
file.managed:
+ - name: {{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
- source: salt://kubernetes/files/basic_auth.csv
- template: jinja
- user: root
- group: root
- mode: 644
- makedirs: true
+ {%- if not master.get('container', 'true') %}
+ - watch_in:
+ - service: master_services
+ {%- endif %}
+{%- endif %}
{%- if master.get('container', 'true') %}
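Review bot: The two `file.managed` states now write operator-supplied plaintext passwords and bearer tokens, but the `mode: 644` kept as context in both leaves those files readable by every local account on the master; `- mode: 600` alongside the existing `user: root` is the appropriate setting, assuming the apiserver reads them as root as the static-pod manifest and the DAEMON_ARGS path suggest. As far as I know kube-apiserver loads both files only at start-up, so in container mode, where no `watch_in` is attached, adding a static user has no effect until the apiserver pod is restarted; a comment on the state saying so, `# apiserver reads this file at start-up; restart it after changes`, would prevent confusion during rollout. The same `|default("/srv/kubernetes/...")` path expression is repeated here, in the manifest hunk and twice in DAEMON_ARGS; since map.jinja already supplies `file` under `token` and `basic`, the `|default` fallbacks are redundant and could be dropped so the path lives in one place.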
@@ -81,9 +95,22 @@
DAEMON_ARGS="
--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,DefaultStorageClass
--allow-privileged=True
- --basic-auth-file=/srv/kubernetes/basic_auth.csv
+ {%- if master.auth.get('basic', {}).enabled|default(True) %}
+ --basic-auth-file={{ master.auth.basic.file|default("/srv/kubernetes/basic_auth.csv") }}
+ {%- endif %}
--bind-address={{ master.apiserver.get('bind_address', master.apiserver.address) }}
- --client-ca-file=/etc/kubernetes/ssl/ca-{{ master.ca }}.crt
+ {%- if master.auth.get('ssl', {}).enabled|default(True) %}
+ --client-ca-file={{ master.auth.get('ssl', {}).ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ {%- endif %}
+ {%- if master.auth.get('proxy', {}).enabled|default(False) %}
+ --requestheader-username-headers={{ master.auth.proxy.header.user }}
+ --requestheader-group-headers={{ master.auth.proxy.header.group }}
+ --requestheader-extra-headers-prefix={{ master.auth.proxy.header.extra }}
+ --requestheader-client-ca-file={{ master.auth.proxy.ca_file|default("/etc/kubernetes/ssl/ca-"+master.ca+".crt") }}
+ {%- endif %}
+ {%- if master.auth.get('anonymous', False) %}
+ --anonymous-auth=true
+ {%- endif %}
--etcd-quorum-read=true
--insecure-bind-address={{ master.apiserver.insecure_address }}
--insecure-port={{ master.apiserver.insecure_port }}
@@ -91,7 +118,9 @@
--service-cluster-ip-range={{ master.service_addresses }}
--tls-cert-file=/etc/kubernetes/ssl/kubernetes-server.crt
--tls-private-key-file=/etc/kubernetes/ssl/kubernetes-server.key
- --token-auth-file=/srv/kubernetes/known_tokens.csv
+ {%- if master.auth.get('token', {}).enabled|default(True) %}
+ --token-auth-file={{ master.auth.token.file|default("/srv/kubernetes/known_tokens.csv") }}
+ {%- endif %}
--apiserver-count={{ master.apiserver.get('count', 1) }}
--v={{ master.get('verbosity', 2) }}
--advertise-address={{ master.apiserver.address }}