Add optional token-based kubeconfig generation for CAPI cluster (#890)

* Add playbook for creating CAPI service account and token-based kubeconfig

* Add comments to variables

* Fix linting issues

* Fix linting issues

* Apply suggestions from code review

* Fix linting

* Fix linting

* fix lint

* Standardise capi-mgmt service account resource names

* Address comments on PR

* Fix changes according to reviews

---------

Co-authored-by: Scott Davidson <[email protected]>

Author: JasleenKaurSethi

roles/capi_cluster/defaults/main.yml

@@ -1,5 +1,4 @@
 ---
-
 # The chart to use
 capi_cluster_chart_repo: https://azimuth-cloud.github.io/capi-helm-charts
 capi_cluster_chart_name: openstack-cluster
@@ -581,6 +580,33 @@ capi_cluster_release_values: >-
 # The name of the file into which the kubeconfig of the cluster should be output
 capi_cluster_kubeconfig_path: "{{ ansible_env.HOME }}/kubeconfig"
 
+# Optional configuration for the creation of service account, secret and a clusterrole
+# to generate a long-lived, token-based kubeconfig.
+# The default certificate-based kubeconfig generated by CAPI has a lifetime of one
+# year by default. The version of this file which is stored inside the k3s cluster
+# as a k8s secret gets periodically refreshed by CAPI so never expires but if the
+# kubeconfig is extracted and provided to an external service (e.g. the magnum-capi-helm
+# driver) then a non-expiring token-based kubeconfig is required.
+capi_cluster_service_account_enabled: false
+capi_cluster_service_account_name: capi-mgmt
+capi_cluster_service_account_namespace: capi-mgmt
+capi_cluster_service_account_secret_name: capi-mgmt-service-account
+capi_cluster_clusterrolebinding_name: capi-mgmt
+
+# Name of an existing cluster role which the service account should be bound to
+# Note: This defaults to the cluster-admin role since capi-helm-charts needs permission to
+# create a role and role binding anyway (for the CAPI autoscaler deployment). Therefore,
+# restricting to anything less privileged than admin still allows trivial privilege escalation via
+# the creation of new roles and role bindings.
+capi_cluster_service_account_role_name: cluster-admin
+
+# Optional flag to delete the existing service account and generate
+# a new service account and token instead. This should only be used
+# if the existing token is leaked needs to be rotated.
+# The token rotation method is to set this variable at run time with
+# `ansible-playbook -e capi_cluster_service_account_rotate_secret=true ...`
+capi_cluster_service_account_rotate_secret: false
+
 # The volumes policy for the cluster (keep or delete)
 # Determines what happens to Cinder volumes created for PVCs when the cluster is deleted
 capi_cluster_volumes_policy: keep

roles/capi_cluster/tasks/capi-cluster-service-account.yml

@@ -0,0 +1,124 @@
+- name: Create namespace for a new service account
+  ansible.builtin.command: kubectl create namespace {{ capi_cluster_service_account_namespace }}
+  register: magnum_create_namespace
+  changed_when: magnum_create_namespace.rc == 0
+  failed_when: >-
+    magnum_create_namespace.rc != 0 and
+    'AlreadyExists' not in magnum_create_namespace.stderr
+
+- name: Delete service account
+  ansible.builtin.command: >-
+    kubectl delete serviceaccount
+    -n {{ capi_cluster_service_account_namespace }}
+    {{ capi_cluster_service_account_name }}
+  register: magnum_delete_service_account
+  changed_when: magnum_delete_service_account.rc == 0
+  failed_when: >-
+    magnum_delete_service_account.rc != 0 and
+    'NotFound' not in magnum_delete_service_account.stderr
+  when: capi_cluster_service_account_rotate_secret
+
+- name: Create service account
+  ansible.builtin.command: kubectl apply -f -
+  args:
+    stdin: "{{ sa_definition | to_nice_yaml }}"
+  vars:
+    sa_definition:
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: "{{ capi_cluster_service_account_name }}"
+        namespace: "{{ capi_cluster_service_account_namespace }}"
+  changed_when: false
+
+- name: Create token secret for service account
+  ansible.builtin.command: kubectl apply -f -
+  args:
+    stdin: "{{ sa_secret_definition | to_nice_yaml }}"
+  vars:
+    sa_secret_definition:
+      apiVersion: v1
+      kind: Secret
+      type: kubernetes.io/service-account-token
+      metadata:
+        name: "{{ capi_cluster_service_account_secret_name }}"
+        namespace: "{{ capi_cluster_service_account_namespace }}"
+        annotations:
+          kubernetes.io/service-account.name: "{{ capi_cluster_service_account_name }}"
+  register: token_based_secret_applied
+  until: token_based_secret_applied is succeeded
+  retries: 30
+  delay: 10
+  changed_when: false
+
+# Grant cluster-admin permissions via ClusterRoleBinding to allow generation of all Helm releases.
+# Strict access control isn’t enforced here, as the user can escalate privileges using ServiceAccounts, Roles, and RoleBindings anyway.
+# which is necessary for the management cluster to operate on resources.
+- name: Create cluster role binding of cluster-admin configuration for kubeconfig service account
+  ansible.builtin.command: kubectl apply -f -
+  args:
+    stdin: "{{ sa_clusterrolebinding | to_nice_yaml }}"
+  vars:
+    sa_clusterrolebinding:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: ClusterRoleBinding
+      metadata:
+        name: "{{ capi_cluster_clusterrolebinding_name }}"
+      subjects:
+        - kind: ServiceAccount
+          name: "{{ capi_cluster_service_account_name }}"
+          namespace: "{{ capi_cluster_service_account_namespace }}"
+      roleRef:
+        kind: ClusterRole
+        name: "{{ capi_cluster_service_account_role_name }}"
+        apiGroup: rbac.authorization.k8s.io
+  changed_when: false
+
+- name: Extract token for the service account
+  no_log: true
+  ansible.builtin.command: >-
+    kubectl get secret
+    -n {{ capi_cluster_service_account_namespace }}
+    {{ capi_cluster_service_account_secret_name }}
+    -o jsonpath='{.data.token}'
+  register: sa_token_encoded
+  changed_when: false
+
+- name: Decode token for service account
+  no_log: true
+  ansible.builtin.set_fact:
+    sa_token: "{{ sa_token_encoded.stdout | b64decode }}"
+
+- name: Read saved kubeconfig file
+  no_log: true
+  ansible.builtin.slurp:
+    src: "{{ capi_cluster_kubeconfig_path }}"
+  register: kubeconfig_file_raw
+
+- name: Decode kubeconfig content from base64
+  no_log: true
+  ansible.builtin.set_fact:
+    kubeconfig_content: "{{ kubeconfig_file_raw.content | b64decode | from_yaml }}"
+
+- name: Strip client cert/key and add token to create token-based kubeconfig
+  no_log: true
+  ansible.builtin.set_fact:
+    modified_kubeconfig: >-
+      {{
+        kubeconfig_content | combine({
+          "users": [
+            {
+              "name": kubeconfig_content.users[0].name,
+              "user": {
+                "token": sa_token
+              }
+            }
+          ]
+        }, recursive=True)
+      }}
+
+- name: Save token-based kubeconfig to capi cluster kubeconfig path
+  ansible.builtin.copy:
+    content: "{{ modified_kubeconfig | to_nice_yaml }}"
+    dest: "{{ capi_cluster_kubeconfig_path }}"
+    mode: '0600'

roles/capi_cluster/tasks/main.yml

@@ -104,6 +104,15 @@
         dest: "{{ capi_cluster_kubeconfig_path }}"
         mode: u=rw,g=,o=
 
+- name: Including token-based kubeconfig tasks to generate token-based kubeconfig
+  when: capi_cluster_service_account_enabled
+  environment:
+    KUBECONFIG: "{{ capi_cluster_kubeconfig_path }}"
+  block:
+    - name: Include token-based kubeconfig task file
+      ansible.builtin.include_tasks: capi-cluster-service-account.yml
+
+
 - name: Delete CAPI cluster
   when: capi_cluster_release_state == 'absent'
   block: