Merge pull request #4940 from muraee/rosa-external-oidc-docs

k8s-ci-robot · web-flow · commit 0977141bc69b · 2024-04-23T11:03:02.000-07:00
🐛 ROSA: Fix missing permissions &amp; Add external OIDC docs
diff --git a/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml b/config/crd/bases/controlplane.cluster.x-k8s.io_rosacontrolplanes.yaml
@@ -335,13 +335,12 @@ spec:
                             If unset, system trust is used instead.
                           properties:
                             name:
-                              description: |-
-                                Name of the referent.
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Add other useful fields. apiVersion, kind, uid?
+                              description: Name is the metadata.name of the referenced
+                                object.
                               type: string
+                          required:
+                          - name
                           type: object
-                          x-kubernetes-map-type: atomic
                         issuerURL:
                           description: |-
                             URL is the serving URL of the token issuer.
@@ -376,15 +375,12 @@ spec:
                               contains the client secret in the `clientSecret` key of the `.data` field
                             properties:
                               name:
-                                description: name is unique within a namespace to
-                                  reference a secret resource.
-                                type: string
-                              namespace:
-                                description: namespace defines the space within which
-                                  the secret name must be unique.
+                                description: Name is the metadata.name of the referenced
+                                  object.
                                 type: string
+                            required:
+                            - name
                             type: object
-                            x-kubernetes-map-type: atomic
                           componentName:
                             description: |-
                               ComponentName is the name of the component that is supposed to consume this
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -4,6 +4,18 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
diff --git a/controlplane/rosa/api/v1beta2/external_auth_types.go b/controlplane/rosa/api/v1beta2/external_auth_types.go
@@ -1,7 +1,5 @@
 package v1beta2
 
-import corev1 "k8s.io/api/core/v1"
-
 // ExternalAuthProvider is an external OIDC identity provider that can issue tokens for this cluster
 type ExternalAuthProvider struct {
 	// Name of the OIDC provider
@@ -68,7 +66,7 @@ type TokenIssuer struct {
 	// configuration namespace. The .data of the configMap must contain
 	// the "ca-bundle.crt" key.
 	// If unset, system trust is used instead.
-	CertificateAuthority *corev1.LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
+	CertificateAuthority *LocalObjectReference `json:"issuerCertificateAuthority,omitempty"`
 }
 
 // OIDCClientConfig contains configuration for the platform's client that
@@ -101,7 +99,7 @@ type OIDCClientConfig struct {
 
 	// ClientSecret refers to a secret that
 	// contains the client secret in the `clientSecret` key of the `.data` field
-	ClientSecret corev1.SecretReference `json:"clientSecret"` //TODO: required or optional?
+	ClientSecret LocalObjectReference `json:"clientSecret"`
 
 	// ExtraScopes is an optional set of scopes to request tokens with.
 	//
@@ -240,3 +238,12 @@ type TokenRequiredClaim struct {
 	// +required
 	RequiredValue string `json:"requiredValue"`
 }
+
+// LocalObjectReference references an object in the same namespace.
+type LocalObjectReference struct {
+	// Name is the metadata.name of the referenced object.
+	//
+	// +kubebuilder:validation:Required
+	// +required
+	Name string `json:"name"`
+}
diff --git a/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go b/controlplane/rosa/api/v1beta2/zz_generated.deepcopy.go
diff --git a/controlplane/rosa/controllers/rosacontrolplane_controller.go b/controlplane/rosa/controllers/rosacontrolplane_controller.go
@@ -121,6 +121,7 @@ func (r *ROSAControlPlaneReconciler) SetupWithManager(ctx context.Context, mgr c
 
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch
 // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;delete;patch
+// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;delete;patch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=clusters;clusters/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch
diff --git a/docs/book/src/SUMMARY_PREFIX.md b/docs/book/src/SUMMARY_PREFIX.md
@@ -26,6 +26,7 @@
     - [Creating a cluster](./topics/rosa/creating-a-cluster.md)
     - [Creating MachinePools](./topics/rosa/creating-rosa-machinepools.md)
     - [Upgrades](./topics/rosa/upgrades.md)
+    - [External Auth Providers](./topics/rosa/external-auth.md)
   - [Bring Your Own AWS Infrastructure](./topics/bring-your-own-aws-infrastructure.md)
   - [Specifying the IAM Role to use for Management Components](./topics/specify-management-iam-role.md)
   - [Using external cloud provider with EBS CSI driver](./topics/external-cloud-provider-with-ebs-csi-driver.md)
diff --git a/docs/book/src/crd/index.md b/docs/book/src/crd/index.md
@@ -8635,6 +8635,35 @@ ID token into a cluster identity</p>
 </tr>
 </tbody>
 </table>
+<h3 id="controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">LocalObjectReference
+</h3>
+<p>
+(<em>Appears on:</em><a href="#controlplane.cluster.x-k8s.io/v1beta2.OIDCClientConfig">OIDCClientConfig</a>, <a href="#controlplane.cluster.x-k8s.io/v1beta2.TokenIssuer">TokenIssuer</a>)
+</p>
+<p>
+<p>LocalObjectReference references an object in the same namespace.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>name</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Name is the metadata.name of the referenced object.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="controlplane.cluster.x-k8s.io/v1beta2.NetworkSpec">NetworkSpec
 </h3>
 <p>
@@ -8769,8 +8798,8 @@ string
 <td>
 <code>clientSecret</code><br/>
 <em>
-<a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#secretreference-v1-core">
-Kubernetes core/v1.SecretReference
+<a href="#controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">
+LocalObjectReference
 </a>
 </em>
 </td>
@@ -9702,8 +9731,7 @@ private node communication with the control plane.</p>
 (<em>Appears on:</em><a href="#controlplane.cluster.x-k8s.io/v1beta2.TokenIssuer">TokenIssuer</a>)
 </p>
 <p>
-<pre><code>TokenAudience is the audience that the token was issued for.
-</code></pre>
+<p>TokenAudience is the audience that the token was issued for.</p>
 </p>
 <h3 id="controlplane.cluster.x-k8s.io/v1beta2.TokenClaimMappings">TokenClaimMappings
 </h3>
@@ -9848,8 +9876,8 @@ Must be set to exactly one value.</p>
 <td>
 <code>issuerCertificateAuthority</code><br/>
 <em>
-<a href="https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#localobjectreference-v1-core">
-Kubernetes core/v1.LocalObjectReference
+<a href="#controlplane.cluster.x-k8s.io/v1beta2.LocalObjectReference">
+LocalObjectReference
 </a>
 </em>
 </td>
@@ -10001,6 +10029,25 @@ string
 <p>
 <p>UsernamePrefixPolicy specifies how a prefix should apply.</p>
 </p>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;&#34;</p></td>
+<td><p>NoOpinion let&rsquo;s the cluster assign prefixes.  If the username claim is email, there is no prefix
+If the username claim is anything else, it is prefixed by the issuerURL</p>
+</td>
+</tr><tr><td><p>&#34;NoPrefix&#34;</p></td>
+<td><p>NoPrefix means the username claim value will not have any  prefix</p>
+</td>
+</tr><tr><td><p>&#34;Prefix&#34;</p></td>
+<td><p>Prefix means the prefix value must be specified.  It cannot be empty</p>
+</td>
+</tr></tbody>
+</table>
 <hr/>
 <h2 id="infrastructure.cluster.x-k8s.io/v1beta1">infrastructure.cluster.x-k8s.io/v1beta1</h2>
 <p>
diff --git a/docs/book/src/topics/rosa/external-auth.md b/docs/book/src/topics/rosa/external-auth.md
@@ -0,0 +1,113 @@
+# External Auth Providers (BYOI)
+
+ROSA allows you to Bring Your Own Identity (BYOI) to manage and authenticate cluster users.
+
+## Enabling
+
+To enable this feature, `enableExternalAuthProviders` field should be set to `true` on cluster creation. Changing this field afterwards will have no effect:
+```yaml
+---
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+kind: ROSAControlPlane
+metadata:
+  name: "capi-rosa-quickstart-control-plane"
+spec:
+  enableExternalAuthProviders: true
+  ....
+```
+
+Note: This feauture requires OpenShift version `4.15.5` or newer.
+
+## Usage
+
+After creating and configuring your OIDC provider of choice, the next step is to configure ROSAControlPlane `externalAuthProviders` as follows:
+```yaml
+---
+apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+kind: ROSAControlPlane
+metadata:
+  name: "capi-rosa-quickstart-control-plane"
+spec:
+  enableExternalAuthProviders: true
+  externalAuthProviders:
+  - name: my-oidc-provider
+    issuer:
+      issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Microsoft Entra ID
+      audiences:  # audiences that will be trusted by the kube-apiserver
+      - "audience1" # usually the client ID
+    claimMappings:
+      username:
+        claim: email
+        prefixPolicy: ""
+      groups:
+        claim: groups
+  ....
+```
+
+Note: `oidcProviders` only accepts one entry at the moment.
+
+## Accessing the cluster
+
+### Setting up RBAC
+
+When `enableExternalAuthProviders` is set to `true`, ROSA provider will generate a temporary admin kubeconfig secret in the same namespace named `<cluster-name>-bootstrap-kubeconfig`. This kubeconfig can be used to access the cluster to setup RBAC for OIDC users/groups.
+
+The following example binds the `cluster-admin` role to an OIDC group, giving all users in that group admin permissions.
+```shell
+kubectl get secret <cluster-name>-bootstrap-kubeconfig -o jsonpath='{.data.value}' | base64 -d > /tmp/capi-admin-kubeconfig
+export KUBECONFIG=/tmp/capi-admin-kubeconfig
+
+kubectl create clusterrolebinding oidc-cluster-admins --clusterrole cluster-admin --group <group-id>
+```
+
+Note: The generated bootstrap kubeconfig is only valid for 24h, and will not be usable afterwards. However, users can opt to manually delete the secret object to trigger the generation of a new one which will be valid for another 24h.
+
+### Login using the cli
+
+The [kubelogin kubectl plugin](https://github.com/int128/kubelogin/tree/master) can be used to login with OIDC credentials using the cli. 
+
+### Configuring OpenShift Console
+
+The OpenShift Console needs to be configured before it can be used to authenticate and login to the cluster. 
+1. Setup a new client in your OIDC provider with the following Redirect URL: `<console-url>/auth/callback`. You can find the console URL in the status field of the `ROSAControlPlane` once the cluster is ready:
+    ```shell
+    kubectl get rosacontrolplane <control-plane-name> -o jsonpath='{.status.consoleURL}'
+    ```
+
+2. Create a new client secret in your OIDC provider and store the value in a kubernetes secret in the same namespace as your cluster:
+    ```shell
+    kubectl create secret generic console-client-secret --from-literal=clientSecret='<client-secret-value>' 
+    ```
+
+3. Configure `ROSAControlPlane` external auth provider with the created client:
+    ```yaml
+    ---
+    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
+    kind: ROSAControlPlane
+    metadata:
+      name: "capi-rosa-quickstart-control-plane"
+    spec:
+      enableExternalAuthProviders: true
+      externalAuthProviders:
+      - name: my-oidc-provider
+        issuer:
+          issuerURL: https://login.microsoftonline.com/<tenant-id>/v2.0 # e.g. if using Microsoft Entra ID
+          audiences:  # audiences that will be trusted by the kube-apiserver
+          - "audience1"
+          - <console-client-id> # <----New
+        claimMappings:
+          username:
+            claim: email
+            prefixPolicy: ""
+          groups:
+            claim: groups
+        oidcClients:  # <----New
+          - componentName: console
+            componentNamespace: openshift-console
+            clientID: <console-client-id>
+            clientSecret:
+              name: console-client-secret # secret name created in step 2
+      ....
+    ```
+
+see [ROSAControlPlane CRD Reference](https://cluster-api-aws.sigs.k8s.io/crd/#controlplane.cluster.x-k8s.io/v1beta2.ExternalAuthProvider) for all possible configurations.
diff --git a/docs/book/src/topics/rosa/index.md b/docs/book/src/topics/rosa/index.md
@@ -21,4 +21,5 @@ A new template is available in the templates folder for creating a managed ROSA
 * [Enabling ROSA Support](enabling.md)
 * [Creating a cluster](creating-a-cluster.md)
 * [Creating MachinePools](creating-rosa-machinepools.md)
-* [Upgrades](upgrades.md)
+* [Upgrades](upgrades.md)
+* [External Auth Providers](external-auth.md)
