Structured authentication for Garden kube-apiserver (#517)

Author: simcod

control-plane/roles/gardener-operator/defaults/main/virtual_garden.yaml

@@ -12,3 +12,5 @@ gardener_operator_virtual_garden_oidc_groups_prefix:
 gardener_operator_virtual_garden_oidc_ca:
 
 gardener_operator_expose_virtual_garden_through_ingress_nginx: false
+
+gardener_operator_virtual_garden_api_server_structured_authentication:

control-plane/roles/gardener-operator/tasks/operator.yaml

@@ -29,6 +29,21 @@
     label: "{{ provider.name }}"
   no_log: yes
 
+- name: Create kube-apiserver authentication configmap
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: authentication-config
+        namespace: garden
+      data:
+        config.yaml: |-
+          {{ gardener_operator_virtual_garden_api_server_structured_authentication }}
+    apply: yes
+  when: gardener_operator_virtual_garden_api_server_structured_authentication
+  no_log: yes
+
 - name: Deploy Gardener Operator
   include_role:
     name: ansible-common/roles/helm-chart

control-plane/roles/gardener-operator/templates/garden.yaml

@@ -89,33 +89,37 @@ spec:
     kubernetes:
       version: {{ gardener_virtual_garden_api_server_version }}
       kubeAPIServer:
+{% if gardener_operator_virtual_garden_api_server_structured_authentication %}
+        structuredAuthentication:
+          configMapName: authentication-config
+{% endif %}
       #   eventTTL: 1h
       #   featureGates:
       #     SomeKubernetesFeature: true
       #   runtimeConfig:
       #     scheduling.k8s.io/v1alpha1: true
         oidcConfig:
 {% if gardener_operator_virtual_garden_oidc_issuer_url %}
-        issuerURL: {{ gardener_operator_virtual_garden_oidc_issuer_url }}
+          issuerURL: {{ gardener_operator_virtual_garden_oidc_issuer_url }}
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_client_id %}
-        clientID: {{ gardener_operator_virtual_garden_oidc_client_id }}
+          clientID: {{ gardener_operator_virtual_garden_oidc_client_id }}
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_username_claim %}
-        usernameClaim: {{ gardener_operator_virtual_garden_oidc_username_claim }}
+          usernameClaim: {{ gardener_operator_virtual_garden_oidc_username_claim }}
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_username_prefix %}
-        usernamePrefix: "{{ gardener_operator_virtual_garden_oidc_username_prefix }}"
+          usernamePrefix: "{{ gardener_operator_virtual_garden_oidc_username_prefix }}"
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_groups_claim %}
-        groupsClaim: {{ gardener_operator_virtual_garden_oidc_groups_claim }}
+          groupsClaim: {{ gardener_operator_virtual_garden_oidc_groups_claim }}
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_groups_prefix %}
-        groupsPrefix: "{{ gardener_operator_virtual_garden_oidc_groups_prefix }}"
+          groupsPrefix: "{{ gardener_operator_virtual_garden_oidc_groups_prefix }}"
 {% endif %}
 {% if gardener_operator_virtual_garden_oidc_ca %}
-        caBundle: |
-          {{ gardener_operator_virtual_garden_oidc_ca | indent(width=12, first=false) }}
+          caBundle: |
+          {{ gardener_operator_virtual_garden_oidc_ca | indent(width=14, first=false) }}
 {% endif %}
     #     clientID: client-id
     #     signingAlgs: # See https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 for the list of valid algorithms