OIDC flags are no longer optional

2022-06-07 09:29:20 +02:00 · 2022-06-07 09:29:20 +02:00 · 921d1b8ce0
parent 2e4105a79f
commit 921d1b8ce0
7 changed files with 64 additions and 25 deletions
--- a/nodeup/pkg/model/kube_apiserver.go
+++ b/nodeup/pkg/model/kube_apiserver.go
@ -109,12 +109,10 @@ func (b *KubeAPIServerBuilder) Build(c *fi.ModelBuilderContext) error {

 	// Set the signing key if we're using Service Account Token VolumeProjection
 	if kubeAPIServer.ServiceAccountSigningKeyFile == nil {
-		if fi.StringValue(kubeAPIServer.ServiceAccountIssuer) != "" {
-			s := filepath.Join(pathSrvKAPI, "service-account.key")
-			kubeAPIServer.ServiceAccountSigningKeyFile = &s
-			if err := b.BuildPrivateKeyTask(c, "service-account", pathSrvKAPI, "service-account", nil, nil); err != nil {
-				return err
-			}
+		s := filepath.Join(pathSrvKAPI, "service-account.key")
+		kubeAPIServer.ServiceAccountSigningKeyFile = &s
+		if err := b.BuildPrivateKeyTask(c, "service-account", pathSrvKAPI, "service-account", nil, nil); err != nil {
+			return err
 		}
 	}

--- a/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
@ -37,6 +37,7 @@ contents: |
    - args:
      - --allow-privileged=true
      - --anonymous-auth=false
+      - --api-audiences=kubernetes.svc.default
      - --apiserver-count=1
      - --authentication-token-webhook-config-file=/etc/kubernetes/authn.config
      - --authorization-mode=AlwaysAllow
@ -62,7 +63,10 @@ contents: |
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-username-headers=X-Remote-User
      - --secure-port=443
+      - --service-account-issuer=https://api.internal.minimal.example.com
+      - --service-account-jwks-uri=https://api.internal.minimal.example.com/openid/v1/jwks
      - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
+      - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
      - --service-cluster-ip-range=100.64.0.0/13
      - --storage-backend=etcd3
      - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
@ -354,6 +358,20 @@ mode: "0600"
 path: /srv/kubernetes/kube-apiserver/server.key
 type: file
 ---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIBPQIBAAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKmXVSysPKgE80QSU4tZ6m4
+  9pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQJBAKt/gmpHqP3qA3u8RA5R
+  2W6L360Z2Mnza1FmkI/9StCCkJGjuE5yDhxU4JcVnFyX/nMxm2ockEEQDqRSu7Oo
+  xTECIQD2QsUsgFL4FnXWzTclySJ6ajE4Cte3gSDOIvyMNMireQIhAOEnsV8UaSI+
+  ZyL7NMLzMPLCgtsrPnlamr8gdrEHf9ITAiEAxCCLbpTI/4LL2QZZrINTLVGT34Fr
+  Kl/yI5pjrrp/M2kCIQDfOktQyRuzJ8t5kzWsUxCkntS+FxHJn1rtQ3Jp8dV4oQIh
+  AOyiVWDyLZJvg7Y24Ycmp86BZjM9Wk/BfWpBXKnl9iDY
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/service-account.key
+type: file
+---
 contents: |
  -----BEGIN RSA PUBLIC KEY-----
  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm
--- a/nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/dedicated-apiserver/tasks-kube-apiserver.yaml
@ -16,6 +16,7 @@ contents: |
    - args:
      - --allow-privileged=true
      - --anonymous-auth=false
+      - --api-audiences=kubernetes.svc.default
      - --apiserver-count=1
      - --authorization-mode=AlwaysAllow
      - --bind-address=0.0.0.0
@ -40,7 +41,10 @@ contents: |
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-username-headers=X-Remote-User
      - --secure-port=443
+      - --service-account-issuer=https://api.internal.minimal.example.com
+      - --service-account-jwks-uri=https://api.internal.minimal.example.com/openid/v1/jwks
      - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
+      - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
      - --service-cluster-ip-range=100.64.0.0/13
      - --storage-backend=etcd3
      - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
@ -292,6 +296,20 @@ mode: "0600"
 path: /srv/kubernetes/kube-apiserver/server.key
 type: file
 ---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIBPQIBAAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKmXVSysPKgE80QSU4tZ6m4
+  9pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQJBAKt/gmpHqP3qA3u8RA5R
+  2W6L360Z2Mnza1FmkI/9StCCkJGjuE5yDhxU4JcVnFyX/nMxm2ockEEQDqRSu7Oo
+  xTECIQD2QsUsgFL4FnXWzTclySJ6ajE4Cte3gSDOIvyMNMireQIhAOEnsV8UaSI+
+  ZyL7NMLzMPLCgtsrPnlamr8gdrEHf9ITAiEAxCCLbpTI/4LL2QZZrINTLVGT34Fr
+  Kl/yI5pjrrp/M2kCIQDfOktQyRuzJ8t5kzWsUxCkntS+FxHJn1rtQ3Jp8dV4oQIh
+  AOyiVWDyLZJvg7Y24Ycmp86BZjM9Wk/BfWpBXKnl9iDY
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/service-account.key
+type: file
+---
 contents: |
  -----BEGIN RSA PUBLIC KEY-----
  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm
--- a/nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/without-etcd-events/tasks-kube-apiserver.yaml
@ -16,6 +16,7 @@ contents: |
    - args:
      - --allow-privileged=true
      - --anonymous-auth=false
+      - --api-audiences=kubernetes.svc.default
      - --apiserver-count=1
      - --authorization-mode=AlwaysAllow
      - --bind-address=0.0.0.0
@ -39,7 +40,10 @@ contents: |
      - --requestheader-group-headers=X-Remote-Group
      - --requestheader-username-headers=X-Remote-User
      - --secure-port=443
+      - --service-account-issuer=https://api.internal.minimal.example.com
+      - --service-account-jwks-uri=https://api.internal.minimal.example.com/openid/v1/jwks
      - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
+      - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
      - --service-cluster-ip-range=100.64.0.0/13
      - --storage-backend=etcd3
      - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
@ -291,6 +295,20 @@ mode: "0600"
 path: /srv/kubernetes/kube-apiserver/server.key
 type: file
 ---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIBPQIBAAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKmXVSysPKgE80QSU4tZ6m4
+  9pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQJBAKt/gmpHqP3qA3u8RA5R
+  2W6L360Z2Mnza1FmkI/9StCCkJGjuE5yDhxU4JcVnFyX/nMxm2ockEEQDqRSu7Oo
+  xTECIQD2QsUsgFL4FnXWzTclySJ6ajE4Cte3gSDOIvyMNMireQIhAOEnsV8UaSI+
+  ZyL7NMLzMPLCgtsrPnlamr8gdrEHf9ITAiEAxCCLbpTI/4LL2QZZrINTLVGT34Fr
+  Kl/yI5pjrrp/M2kCIQDfOktQyRuzJ8t5kzWsUxCkntS+FxHJn1rtQ3Jp8dV4oQIh
+  AOyiVWDyLZJvg7Y24Ycmp86BZjM9Wk/BfWpBXKnl9iDY
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/service-account.key
+type: file
+---
 contents: |
  -----BEGIN RSA PUBLIC KEY-----
  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm
--- a/pkg/apis/kops/validation/validation_test.go
+++ b/pkg/apis/kops/validation/validation_test.go
@ -252,7 +252,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
 					Authorization: &kops.AuthorizationSpec{
 						RBAC: &kops.RBACAuthorizationSpec{},
 					},
-					KubernetesVersion: "1.19.0",
+					KubernetesVersion: "1.25.0",
 					CloudProvider: kops.CloudProviderSpec{
 						AWS: &kops.AWSSpec{},
 					},
@ -271,7 +271,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
 					Authorization: &kops.AuthorizationSpec{
 						RBAC: &kops.RBACAuthorizationSpec{},
 					},
-					KubernetesVersion: "1.19.0",
+					KubernetesVersion: "1.25.0",
 					CloudProvider: kops.CloudProviderSpec{
 						AWS: &kops.AWSSpec{},
 					},
@ -287,7 +287,7 @@ func TestValidateKubeAPIServer(t *testing.T) {
 					Authorization: &kops.AuthorizationSpec{
 						RBAC: &kops.RBACAuthorizationSpec{},
 					},
-					KubernetesVersion: "1.19.0",
+					KubernetesVersion: "1.25.0",
 					CloudProvider: kops.CloudProviderSpec{
 						AWS: &kops.AWSSpec{},
 					},
--- a/pkg/model/components/discovery.go
+++ b/pkg/model/components/discovery.go
@ -40,17 +40,6 @@ func (b *DiscoveryOptionsBuilder) BuildOptions(o interface{}) error {
 		clusterSpec.KubeAPIServer = &kops.KubeAPIServerConfig{}
 	}

-	if b.IsKubernetesLT("1.20") {
-		// TODO when dropping support for 1.19, remove the logic in nodeup's KubeAPIServerBuilder
-		// and apply_cluster for handling an empty ServiceAccountIssuer.
-		if clusterSpec.KubeAPIServer.FeatureGates == nil {
-			return nil
-		}
-		if _, ok := clusterSpec.KubeAPIServer.FeatureGates["ServiceAccountIssuerDiscovery"]; !ok {
-			return nil
-		}
-	}
-
 	kubeAPIServer := clusterSpec.KubeAPIServer

 	if len(kubeAPIServer.APIAudiences) == 0 {
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -80,9 +80,9 @@ const (
 	starline = "*********************************************************************************"

 	// OldestSupportedKubernetesVersion is the oldest kubernetes version that is supported in kOps.
-	OldestSupportedKubernetesVersion = "1.19.0"
+	OldestSupportedKubernetesVersion = "1.20.0"
 	// OldestRecommendedKubernetesVersion is the oldest kubernetes version that is not deprecated in kOps.
-	OldestRecommendedKubernetesVersion = "1.21.0"
+	OldestRecommendedKubernetesVersion = "1.22.0"
 )

 // TerraformCloudProviders is the list of cloud providers with terraform target support
@ -1342,9 +1342,7 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 					return nil, nil, err
 				}
 			}
-			if cluster.Spec.KubeAPIServer != nil && fi.StringValue(cluster.Spec.KubeAPIServer.ServiceAccountIssuer) != "" {
-				config.KeypairIDs["service-account"] = keysets["service-account"].Primary.Id
-			}
+			config.KeypairIDs["service-account"] = keysets["service-account"].Primary.Id

 			config.APIServerConfig.EncryptionConfigSecretHash = n.encryptionConfigSecretHash
 			serviceAccountPublicKeys, err := keysets["service-account"].ToPublicKeys()