Add Authorization / RBAC option to schema

2017-03-28 13:02:33 -04:00 · 2017-03-28 13:02:33 -04:00 · 533efb7c51
parent a7a0b38123
commit 533efb7c51
6 changed files with 192 additions and 0 deletions
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@ -236,10 +236,24 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`

+	// Authorization field controls how the cluster is configured for authorization
+	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 	// Tags for AWS instance groups
 	CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }

+type AuthorizationSpec struct {
+	RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+	return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 	DNS          *DNSAccessSpec          `json:"dns,omitempty"`
 	LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
--- a/pkg/apis/kops/v1alpha1/cluster.go
+++ b/pkg/apis/kops/v1alpha1/cluster.go
@ -234,10 +234,24 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`

+	// Authorization field controls how the cluster is configured for authorization
+	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 	// Tags for AWS instance groups
 	CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }

+type AuthorizationSpec struct {
+	RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+	return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 	DNS          *DNSAccessSpec          `json:"dns,omitempty"`
 	LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@ -37,6 +37,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 	return scheme.AddGeneratedConversionFuncs(
 		Convert_v1alpha1_AccessSpec_To_kops_AccessSpec,
 		Convert_kops_AccessSpec_To_v1alpha1_AccessSpec,
+		Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec,
+		Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec,
 		Convert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec,
 		Convert_kops_CNINetworkingSpec_To_v1alpha1_CNINetworkingSpec,
 		Convert_v1alpha1_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec,
@ -101,6 +103,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_kops_LoadBalancerAccessSpec_To_v1alpha1_LoadBalancerAccessSpec,
 		Convert_v1alpha1_NetworkingSpec_To_kops_NetworkingSpec,
 		Convert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec,
+		Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec,
+		Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec,
 		Convert_v1alpha1_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec,
 		Convert_kops_WeaveNetworkingSpec_To_v1alpha1_WeaveNetworkingSpec,
 	)
@ -158,6 +162,40 @@ func Convert_kops_AccessSpec_To_v1alpha1_AccessSpec(in *kops.AccessSpec, out *Ac
 	return autoConvert_kops_AccessSpec_To_v1alpha1_AccessSpec(in, out, s)
 }

+func autoConvert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error {
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(kops.RBACAuthorizationSpec)
+		if err := Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.RBAC = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(in, out, s)
+}
+
+func autoConvert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error {
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(RBACAuthorizationSpec)
+		if err := Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.RBAC = nil
+	}
+	return nil
+}
+
+func Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha1_CNINetworkingSpec_To_kops_CNINetworkingSpec(in *CNINetworkingSpec, out *kops.CNINetworkingSpec, s conversion.Scope) error {
 	return nil
 }
@ -451,6 +489,15 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.API = nil
 	}
+	if in.Authorization != nil {
+		in, out := &in.Authorization, &out.Authorization
+		*out = new(kops.AuthorizationSpec)
+		if err := Convert_v1alpha1_AuthorizationSpec_To_kops_AuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authorization = nil
+	}
 	out.CloudLabels = in.CloudLabels
 	return nil
 }
@ -598,6 +645,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.API = nil
 	}
+	if in.Authorization != nil {
+		in, out := &in.Authorization, &out.Authorization
+		*out = new(AuthorizationSpec)
+		if err := Convert_kops_AuthorizationSpec_To_v1alpha1_AuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authorization = nil
+	}
 	out.CloudLabels = in.CloudLabels
 	return nil
 }
@ -1552,6 +1608,22 @@ func Convert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec(in *kops.NetworkingS
 	return autoConvert_kops_NetworkingSpec_To_v1alpha1_NetworkingSpec(in, out, s)
 }

+func autoConvert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha1_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in, out, s)
+}
+
+func autoConvert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_kops_RBACAuthorizationSpec_To_v1alpha1_RBACAuthorizationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha1_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec(in *WeaveNetworkingSpec, out *kops.WeaveNetworkingSpec, s conversion.Scope) error {
 	return nil
 }
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@ -156,10 +156,24 @@ type ClusterSpec struct {
 	// API field controls how the API is exposed outside the cluster
 	API *AccessSpec `json:"api,omitempty"`

+	// Authorization field controls how the cluster is configured for authorization
+	Authorization *AuthorizationSpec `json:"authorization,omitempty"`
+
 	// Tags for AWS resources
 	CloudLabels map[string]string `json:"cloudLabels,omitempty"`
 }

+type AuthorizationSpec struct {
+	RBAC *RBACAuthorizationSpec `json:"rbac,omitempty"`
+}
+
+func (s *AuthorizationSpec) IsEmpty() bool {
+	return s.RBAC == nil
+}
+
+type RBACAuthorizationSpec struct {
+}
+
 type AccessSpec struct {
 	DNS          *DNSAccessSpec          `json:"dns,omitempty"`
 	LoadBalancer *LoadBalancerAccessSpec `json:"loadBalancer,omitempty"`
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@ -37,6 +37,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 	return scheme.AddGeneratedConversionFuncs(
 		Convert_v1alpha2_AccessSpec_To_kops_AccessSpec,
 		Convert_kops_AccessSpec_To_v1alpha2_AccessSpec,
+		Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec,
+		Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec,
 		Convert_v1alpha2_BastionSpec_To_kops_BastionSpec,
 		Convert_kops_BastionSpec_To_v1alpha2_BastionSpec,
 		Convert_v1alpha2_CNINetworkingSpec_To_kops_CNINetworkingSpec,
@ -105,6 +107,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_kops_LoadBalancerAccessSpec_To_v1alpha2_LoadBalancerAccessSpec,
 		Convert_v1alpha2_NetworkingSpec_To_kops_NetworkingSpec,
 		Convert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec,
+		Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec,
+		Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec,
 		Convert_v1alpha2_TopologySpec_To_kops_TopologySpec,
 		Convert_kops_TopologySpec_To_v1alpha2_TopologySpec,
 		Convert_v1alpha2_WeaveNetworkingSpec_To_kops_WeaveNetworkingSpec,
@ -164,6 +168,40 @@ func Convert_kops_AccessSpec_To_v1alpha2_AccessSpec(in *kops.AccessSpec, out *Ac
 	return autoConvert_kops_AccessSpec_To_v1alpha2_AccessSpec(in, out, s)
 }

+func autoConvert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error {
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(kops.RBACAuthorizationSpec)
+		if err := Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.RBAC = nil
+	}
+	return nil
+}
+
+func Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in *AuthorizationSpec, out *kops.AuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(in, out, s)
+}
+
+func autoConvert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error {
+	if in.RBAC != nil {
+		in, out := &in.RBAC, &out.RBAC
+		*out = new(RBACAuthorizationSpec)
+		if err := Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.RBAC = nil
+	}
+	return nil
+}
+
+func Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in *kops.AuthorizationSpec, out *AuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha2_BastionSpec_To_kops_BastionSpec(in *BastionSpec, out *kops.BastionSpec, s conversion.Scope) error {
 	out.BastionPublicName = in.BastionPublicName
 	out.IdleTimeoutSeconds = in.IdleTimeoutSeconds
@ -487,6 +525,15 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 	} else {
 		out.API = nil
 	}
+	if in.Authorization != nil {
+		in, out := &in.Authorization, &out.Authorization
+		*out = new(kops.AuthorizationSpec)
+		if err := Convert_v1alpha2_AuthorizationSpec_To_kops_AuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authorization = nil
+	}
 	out.CloudLabels = in.CloudLabels
 	return nil
 }
@ -648,6 +695,15 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 	} else {
 		out.API = nil
 	}
+	if in.Authorization != nil {
+		in, out := &in.Authorization, &out.Authorization
+		*out = new(AuthorizationSpec)
+		if err := Convert_kops_AuthorizationSpec_To_v1alpha2_AuthorizationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.Authorization = nil
+	}
 	out.CloudLabels = in.CloudLabels
 	return nil
 }
@ -1650,6 +1706,22 @@ func Convert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec(in *kops.NetworkingS
 	return autoConvert_kops_NetworkingSpec_To_v1alpha2_NetworkingSpec(in, out, s)
 }

+func autoConvert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in *RBACAuthorizationSpec, out *kops.RBACAuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha2_RBACAuthorizationSpec_To_kops_RBACAuthorizationSpec(in, out, s)
+}
+
+func autoConvert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error {
+	return nil
+}
+
+func Convert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in *kops.RBACAuthorizationSpec, out *RBACAuthorizationSpec, s conversion.Scope) error {
+	return autoConvert_kops_RBACAuthorizationSpec_To_v1alpha2_RBACAuthorizationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha2_TopologySpec_To_kops_TopologySpec(in *TopologySpec, out *kops.TopologySpec, s conversion.Scope) error {
 	out.Masters = in.Masters
 	out.Nodes = in.Nodes
--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@ -75,6 +75,12 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 		}
 	}

+	if clusterSpec.Authorization != nil {
+		if clusterSpec.Authorization.RBAC != nil {
+			clusterSpec.KubeAPIServer.AuthorizationMode = fi.String("RBAC")
+		}
+	}
+
 	return nil
 }