Merge pull request #35 from xrstf/authz-webhook-config

✨ Allow to configure an authorization webhook

Author: kcp-ci-bot

config/crd/bases/operator.kcp.io_rootshards.yaml

@@ -120,6 +120,36 @@ spec:
                         type: string
                     type: object
                 type: object
+              authorization:
+                properties:
+                  webhook:
+                    properties:
+                      allowPaths:
+                        description: |-
+                          A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.
+                          If specified, completely overwrites the default of [/healthz,/readyz,/livez].
+                        items:
+                          type: string
+                        type: array
+                      cacheAuthorizedTTL:
+                        description: The duration to cache 'authorized' responses
+                          from the webhook authorizer.
+                        type: string
+                      cacheUnauthorizedTTL:
+                        description: The duration to cache 'unauthorized' responses
+                          from the webhook authorizer.
+                        type: string
+                      configSecretName:
+                        description: |-
+                          Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
+                          authorization webhook configuration.
+                        type: string
+                      version:
+                        description: The API version of the authorization.k8s.io SubjectAccessReview
+                          to send to and expect from the webhook.
+                        type: string
+                    type: object
+                type: object
               cache:
                 description: Cache configures the cache server (with a Kubernetes-like
                   API) used by a sharded kcp instance.

config/crd/bases/operator.kcp.io_shards.yaml

@@ -120,6 +120,36 @@ spec:
                         type: string
                     type: object
                 type: object
+              authorization:
+                properties:
+                  webhook:
+                    properties:
+                      allowPaths:
+                        description: |-
+                          A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.
+                          If specified, completely overwrites the default of [/healthz,/readyz,/livez].
+                        items:
+                          type: string
+                        type: array
+                      cacheAuthorizedTTL:
+                        description: The duration to cache 'authorized' responses
+                          from the webhook authorizer.
+                        type: string
+                      cacheUnauthorizedTTL:
+                        description: The duration to cache 'unauthorized' responses
+                          from the webhook authorizer.
+                        type: string
+                      configSecretName:
+                        description: |-
+                          Name of a Kubernetes Secret that contains a kubeconfig formatted file that defines the
+                          authorization webhook configuration.
+                        type: string
+                      version:
+                        description: The API version of the authorization.k8s.io SubjectAccessReview
+                          to send to and expect from the webhook.
+                        type: string
+                    type: object
+                type: object
               clusterDomain:
                 type: string
               etcd:

internal/resources/rootshard/deployment.go

@@ -18,7 +18,6 @@ package rootshard
 
 import (
 	"fmt"
-	"strings"
 
 	"k8c.io/reconciler/pkg/reconciling"
 
@@ -79,23 +78,8 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 				MountPath:  getCAMountPath(operatorv1alpha1.RootCA),
 			}}
 
-			image, _ := resources.GetImageSettings(rootShard.Spec.Image)
 			args := getArgs(rootShard)
 
-			if rootShard.Spec.Etcd.TLSConfig != nil {
-				secretMounts = append(secretMounts, utils.SecretMount{
-					VolumeName: "etcd-client-cert",
-					SecretName: rootShard.Spec.Etcd.TLSConfig.SecretRef.Name,
-					MountPath:  "/etc/etcd/tls",
-				})
-
-				args = append(args,
-					"--etcd-certfile=/etc/etcd/tls/tls.crt",
-					"--etcd-keyfile=/etc/etcd/tls/tls.key",
-					"--etcd-cafile=/etc/etcd/tls/ca.crt",
-				)
-			}
-
 			for _, cert := range []operatorv1alpha1.Certificate{
 				// requires server CA and the logical-cluster-admin cert to be mounted
 				operatorv1alpha1.LogicalClusterAdminCertificate,
@@ -146,7 +130,6 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 
 			dep.Spec.Template.Spec.Containers = []corev1.Container{{
 				Name:         ServerContainerName,
-				Image:        image,
 				Command:      []string{"/kcp", "start"},
 				Args:         args,
 				VolumeMounts: volumeMounts,
@@ -158,19 +141,9 @@ func DeploymentReconciler(rootShard *operatorv1alpha1.RootShard) reconciling.Nam
 			}}
 			dep.Spec.Template.Spec.Volumes = volumes
 
-			// explicitly set the replicas if it is configured in the RootShard
-			// object or if the existing Deployment object doesn't have replicas
-			// configured. This will allow a HPA to interact with the replica
-			// count.
-			if rootShard.Spec.Replicas != nil {
-				dep.Spec.Replicas = rootShard.Spec.Replicas
-			} else if dep.Spec.Replicas == nil {
-				dep.Spec.Replicas = ptr.To[int32](2)
-			}
-
-			dep, err := utils.ApplyAuditConfiguration(dep, rootShard.Spec.Audit)
+			dep, err := utils.ApplyCommonShardConfig(dep, &rootShard.Spec.CommonShardSpec)
 			if err != nil {
-				return nil, fmt.Errorf("failed to apply audit configuration: %w", err)
+				return nil, fmt.Errorf("failed to shard configuration: %w", err)
 			}
 
 			return dep, nil
@@ -196,9 +169,6 @@ func getArgs(rootShard *operatorv1alpha1.RootShard) []string {
 		fmt.Sprintf("--service-account-key-file=%s/tls.crt", getCertificateMountPath(operatorv1alpha1.ServiceAccountCertificate)),
 		fmt.Sprintf("--service-account-private-key-file=%s/tls.key", getCertificateMountPath(operatorv1alpha1.ServiceAccountCertificate)),
 
-		// Etcd client configuration.
-		fmt.Sprintf("--etcd-servers=%s", strings.Join(rootShard.Spec.Etcd.Endpoints, ",")),
-
 		// General shard configuration.
 		fmt.Sprintf("--shard-base-url=%s", resources.GetRootShardBaseURL(rootShard)),
 		fmt.Sprintf("--shard-external-url=https://%s:%d", rootShard.Spec.External.Hostname, rootShard.Spec.External.Port),

internal/resources/shard/deployment.go

@@ -18,7 +18,6 @@ package shard
 
 import (
 	"fmt"
-	"strings"
 
 	"k8c.io/reconciler/pkg/reconciling"
 
@@ -78,23 +77,8 @@ func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1al
 				MountPath:  getCAMountPath(operatorv1alpha1.RootCA),
 			}}
 
-			image, _ := resources.GetImageSettings(shard.Spec.Image)
 			args := getArgs(shard, rootShard)
 
-			if shard.Spec.Etcd.TLSConfig != nil {
-				secretMounts = append(secretMounts, utils.SecretMount{
-					VolumeName: "etcd-client-cert",
-					SecretName: rootShard.Spec.Etcd.TLSConfig.SecretRef.Name,
-					MountPath:  "/etc/etcd/tls",
-				})
-
-				args = append(args,
-					"--etcd-certfile=/etc/etcd/tls/tls.crt",
-					"--etcd-keyfile=/etc/etcd/tls/tls.key",
-					"--etcd-cafile=/etc/etcd/tls/ca.crt",
-				)
-			}
-
 			for _, cert := range []operatorv1alpha1.Certificate{
 				// requires server CA and the shard client cert to be mounted
 				operatorv1alpha1.ClientCertificate,
@@ -143,7 +127,6 @@ func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1al
 
 			dep.Spec.Template.Spec.Containers = []corev1.Container{{
 				Name:         ServerContainerName,
-				Image:        image,
 				Command:      []string{"/kcp", "start"},
 				Args:         args,
 				VolumeMounts: volumeMounts,
@@ -155,19 +138,9 @@ func DeploymentReconciler(shard *operatorv1alpha1.Shard, rootShard *operatorv1al
 			}}
 			dep.Spec.Template.Spec.Volumes = volumes
 
-			// explicitly set the replicas if it is configured in the RootShard
-			// object or if the existing Deployment object doesn't have replicas
-			// configured. This will allow a HPA to interact with the replica
-			// count.
-			if shard.Spec.Replicas != nil {
-				dep.Spec.Replicas = shard.Spec.Replicas
-			} else if dep.Spec.Replicas == nil {
-				dep.Spec.Replicas = ptr.To[int32](2)
-			}
-
-			dep, err := utils.ApplyAuditConfiguration(dep, shard.Spec.Audit)
+			dep, err := utils.ApplyCommonShardConfig(dep, &shard.Spec.CommonShardSpec)
 			if err != nil {
-				return nil, fmt.Errorf("failed to apply audit configuration: %w", err)
+				return nil, fmt.Errorf("failed to shard configuration: %w", err)
 			}
 
 			return dep, nil
@@ -195,9 +168,6 @@ func getArgs(shard *operatorv1alpha1.Shard, rootShard *operatorv1alpha1.RootShar
 		fmt.Sprintf("--shard-client-key-file=%s/tls.crt", getCertificateMountPath(operatorv1alpha1.ClientCertificate)),
 		fmt.Sprintf("--shard-client-cert-file=%s/tls.key", getCertificateMountPath(operatorv1alpha1.ClientCertificate)),
 
-		// Etcd client configuration.
-		fmt.Sprintf("--etcd-servers=%s", strings.Join(shard.Spec.Etcd.Endpoints, ",")),
-
 		// General shard configuration.
 		fmt.Sprintf("--shard-name=%s", shard.Name),
 		fmt.Sprintf("--external-hostname=%s", resources.GetShardBaseHost(shard)),

internal/resources/utils/audit.go

@@ -17,7 +17,6 @@ limitations under the License.
 package utils
 
 import (
-	"errors"
 	"fmt"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -26,16 +25,12 @@ import (
 	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
 )
 
-func ApplyAuditConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuditSpec) (*appsv1.Deployment, error) {
-	if len(deployment.Spec.Template.Spec.Containers) == 0 {
-		return deployment, errors.New("Deployment does not contain any containers")
-	}
-
+func applyAuditConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuditSpec) *appsv1.Deployment {
 	if config == nil || config.Webhook == nil {
-		return deployment, nil
+		return deployment
 	}
 
-	return applyAuditWebhookConfiguration(deployment, *config.Webhook), nil
+	return applyAuditWebhookConfiguration(deployment, *config.Webhook)
 }
 
 func applyAuditWebhookConfiguration(deployment *appsv1.Deployment, config operatorv1alpha1.AuditWebhookSpec) *appsv1.Deployment {

internal/resources/utils/authorization.go

@@ -0,0 +1,83 @@
+/*
+Copyright 2025 The KCP Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"fmt"
+	"strings"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+
+	operatorv1alpha1 "github.com/kcp-dev/kcp-operator/sdk/apis/operator/v1alpha1"
+)
+
+func applyAuthorizationConfiguration(deployment *appsv1.Deployment, config *operatorv1alpha1.AuthorizationSpec) *appsv1.Deployment {
+	if config == nil || config.Webhook == nil {
+		return deployment
+	}
+
+	return applyAuthorizationWebhookConfiguration(deployment, *config.Webhook)
+}
+
+func applyAuthorizationWebhookConfiguration(deployment *appsv1.Deployment, config operatorv1alpha1.AuthorizationWebhookSpec) *appsv1.Deployment {
+	podSpec := deployment.Spec.Template.Spec
+
+	var extraArgs []string
+
+	if vals := config.AllowPaths; len(vals) > 0 {
+		extraArgs = append(extraArgs, fmt.Sprintf("--authorization-always-allow-paths=%s", strings.Join(vals, ",")))
+	}
+
+	if val := config.CacheAuthorizedTTL; val != nil {
+		extraArgs = append(extraArgs, fmt.Sprintf("--authorization-webhook-cache-authorized-ttl=%v", val.String()))
+	}
+
+	if val := config.CacheUnauthorizedTTL; val != nil {
+		extraArgs = append(extraArgs, fmt.Sprintf("--authorization-webhook-cache-unauthorized-ttl=%v", val.String()))
+	}
+
+	if val := config.Version; val != "" {
+		extraArgs = append(extraArgs, fmt.Sprintf("--authorization-webhook-version=%s", val))
+	}
+
+	if val := config.ConfigSecretName; val != "" {
+		volumeName := "authorization-webhook-config"
+		mountPath := "/etc/kcp/authorization/webhook"
+
+		extraArgs = append(extraArgs, fmt.Sprintf("--authorization-webhook-config-file=%s/kubeconfig", mountPath))
+		podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
+			Name:      volumeName,
+			ReadOnly:  true,
+			MountPath: mountPath,
+		})
+
+		deployment.Spec.Template.Spec.Volumes = append(deployment.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: volumeName,
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: val,
+				},
+			},
+		})
+	}
+
+	podSpec.Containers[0].Args = append(podSpec.Containers[0].Args, extraArgs...)
+	deployment.Spec.Template.Spec = podSpec
+
+	return deployment
+}