v1alpha3: Move most OIDC settings to authentication.oidc

docs/cluster_spec.md

@@ -1605,6 +1605,12 @@ the removal of fields no longer in use.
 | kubeAPIServer.authorizationWebhookCacheAuthorizedTtl   | kubeAPIServer.authorizationWebhookCacheAuthorizedTTL           |
 | kubeAPIServer.authorizationWebhookCacheUnauthorizedTtl | kubeAPIServer.authorizationWebhookCacheUnauthorizedTTL         |
 | kubeAPIServer.etcdCaFile                               | kubeAPIServer.etcdCAFile                                       |
+| kubeAPIServer.oidcClientID                             | authentication.oidc.clientID                                   |
+| kubeAPIServer.oidcGroupsPrefix                         | authentication.oidc.groupsPrefix                               |
+| kubeAPIServer.oidcIssuerURL                            | authentication.oidc.issuerURL                                  |
+| kubeAPIServer.oidcRequiredClaim (list)                 | authentication.oidc.oidcRequiredClaims (map)                   |
+| kubeAPIServer.oidcUsernameClaim                        | authentication.oidc.usernameClaim                              |
+| kubeAPIServer.oidcUsernamePrefix                       | authentication.oidc.usernamePrefix                             |
 | kubeAPIServer.targetRamMb                              | kubeAPIServer.targetRamMB                                      |
 | kubeControllerManager.concurrentRcSyncs                | kubeControllerManager.concurrentRCSyncs                        |
 | kubelet.authenticationTokenWebhookCacheTtl             | kubelet.authenticationTokenWebhookCacheTTL                     |

nodeup/pkg/model/kube_apiserver.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"path/filepath"
+	"sort"
 	"strings"
 
 	"k8s.io/kops/pkg/apis/kops"
@@ -76,6 +77,7 @@ func (b *KubeAPIServerBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 		}
 	}
 
+	b.configureOIDC(&kubeAPIServer)
 	if err := b.writeAuthenticationConfig(c, &kubeAPIServer); err != nil {
 		return err
 	}
@@ -218,12 +220,39 @@ func (b *KubeAPIServerBuilder) Build(c *fi.NodeupModelBuilderContext) error {
 	return nil
 }
 
+func (b *KubeAPIServerBuilder) configureOIDC(kubeAPIServer *kops.KubeAPIServerConfig) {
+	if b.NodeupConfig.APIServerConfig.Authentication == nil || b.NodeupConfig.APIServerConfig.Authentication.OIDC == nil {
+		return
+	}
+
+	oidc := b.NodeupConfig.APIServerConfig.Authentication.OIDC
+	kubeAPIServer.OIDCClientID = oidc.ClientID
+	if oidc.GroupsClaims != nil {
+		join := strings.Join(oidc.GroupsClaims, ",")
+		kubeAPIServer.OIDCGroupsClaim = &join
+	}
+	kubeAPIServer.OIDCGroupsPrefix = oidc.GroupsPrefix
+	kubeAPIServer.OIDCIssuerURL = oidc.IssuerURL
+	if oidc.RequiredClaims != nil {
+		kubeAPIServer.OIDCRequiredClaim = make([]string, 0, len(oidc.RequiredClaims))
+		for claim, value := range oidc.RequiredClaims {
+			kubeAPIServer.OIDCRequiredClaim = append(kubeAPIServer.OIDCRequiredClaim, claim+"="+value)
+		}
+		sort.Strings(kubeAPIServer.OIDCRequiredClaim)
+	}
+	kubeAPIServer.OIDCUsernameClaim = oidc.UsernameClaim
+	kubeAPIServer.OIDCUsernamePrefix = oidc.UsernamePrefix
+}
+
 func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.NodeupModelBuilderContext, kubeAPIServer *kops.KubeAPIServerConfig) error {
-	if b.Cluster.Spec.Authentication == nil || b.Cluster.Spec.Authentication.IsEmpty() {
+	if b.NodeupConfig.APIServerConfig.Authentication == nil {
+		return nil
+	}
+	if b.NodeupConfig.APIServerConfig.Authentication.AWS == nil && b.NodeupConfig.APIServerConfig.Authentication.Kopeio == nil {
 		return nil
 	}
 
-	if b.Cluster.Spec.Authentication.Kopeio != nil {
+	if b.NodeupConfig.APIServerConfig.Authentication.Kopeio != nil {
 		cluster := kubeconfig.KubectlCluster{
 			Server: "http://127.0.0.1:9001/hooks/authn",
 		}
@@ -263,7 +292,7 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.NodeupModelBuilde
 		return nil
 	}
 
-	if b.Cluster.Spec.Authentication.AWS != nil {
+	if b.NodeupConfig.APIServerConfig.Authentication.AWS != nil {
 		id := "aws-iam-authenticator"
 		kubeAPIServer.AuthenticationTokenWebhookConfigFile = fi.PtrTo(PathAuthnConfig)
 
@@ -353,7 +382,7 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.NodeupModelBuilde
 		return nil
 	}
 
-	return fmt.Errorf("unrecognized authentication config %v", b.Cluster.Spec.Authentication)
+	return fmt.Errorf("unrecognized authentication config %v", b.NodeupConfig.APIServerConfig.Authentication)
 }
 
 func (b *KubeAPIServerBuilder) writeServerCertificate(c *fi.NodeupModelBuilderContext, kubeAPIServer *kops.KubeAPIServerConfig) error {
@@ -699,8 +728,8 @@ func (b *KubeAPIServerBuilder) buildPod(ctx context.Context, kubeAPIServer *kops
 		kubemanifest.AddHostPathMapping(pod, container, "auditconfigdir", auditConfigDir)
 	}
 
-	if b.Cluster.Spec.Authentication != nil {
-		if b.Cluster.Spec.Authentication.Kopeio != nil || b.Cluster.Spec.Authentication.AWS != nil {
+	if b.NodeupConfig.APIServerConfig.Authentication != nil {
+		if b.NodeupConfig.APIServerConfig.Authentication.Kopeio != nil || b.NodeupConfig.APIServerConfig.Authentication.AWS != nil {
 			kubemanifest.AddHostPathMapping(pod, container, "authn-config", PathAuthnConfig)
 		}
 	}

nodeup/pkg/model/kube_apiserver_test.go

@@ -155,6 +155,13 @@ func TestAuditConfigAPIServerBuilder(t *testing.T) {
 	})
 }
 
+func TestOIDCConfigAPIServerBuilder(t *testing.T) {
+	RunGoldenTest(t, "tests/golden/oidc", "kube-apiserver", func(nodeupModelContext *NodeupModelContext, target *fi.NodeupModelBuilderContext) error {
+		builder := KubeAPIServerBuilder{NodeupModelContext: nodeupModelContext}
+		return builder.Build(target)
+	})
+}
+
 func TestDeddicatedAPIServerBuilder(t *testing.T) {
 	RunGoldenTest(t, "tests/golden/dedicated-apiserver", "kube-apiserver", func(nodeupModelContext *NodeupModelContext, target *fi.NodeupModelBuilderContext) error {
 		builder := KubeAPIServerBuilder{NodeupModelContext: nodeupModelContext}

nodeup/pkg/model/tests/golden/oidc/cluster.yaml

@@ -0,0 +1,76 @@
+apiVersion: kops.k8s.io/v1alpha2
+kind: Cluster
+metadata:
+  name: minimal.example.com
+spec:
+  kubernetesApiAccess:
+  - 0.0.0.0/0
+  channel: stable
+  cloudProvider: aws
+  configBase: memfs://clusters.example.com/minimal.example.com
+  etcdClusters:
+  - cpuRequest: 200m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: main
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/minimal.example.com/backups/etcd-main
+  - cpuRequest: 100m
+    etcdMembers:
+    - instanceGroup: master-us-test-1a
+      name: us-test-1a
+    memoryRequest: 100Mi
+    name: events
+    provider: Manager
+    backups:
+      backupStore: memfs://clusters.example.com/minimal.example.com/backups/etcd-events
+  iam: {}
+  kubeAPIServer:
+    oidcClientID: oidc-client
+    oidcGroupsClaim: groupclaim1,groupclaim2
+    oidcGroupsPrefix: 'oidcgroup:'
+    oidcIssuerURL: https://oidc-issuer.nonexistent
+    oidcRequiredClaim:
+    - claim1=value1
+    - claim2=value2
+    oidcUsernameClaim: user
+    oidcUsernamePrefix: 'oidc:'
+  kubelet:
+    anonymousAuth: false
+  kubernetesVersion: v1.23.0
+  masterPublicName: api.minimal.example.com
+  networkCIDR: 172.20.0.0/16
+  networking:
+    kubenet: {}
+  nonMasqueradeCIDR: 100.64.0.0/10
+  sshAccess:
+  - 0.0.0.0/0
+  topology:
+    masters: public
+    nodes: public
+  subnets:
+  - cidr: 172.20.32.0/19
+    name: us-test-1a
+    type: Public
+    zone: us-test-1a
+
+---
+
+apiVersion: kops.k8s.io/v1alpha2
+kind: InstanceGroup
+metadata:
+  name: master-us-test-1a
+  labels:
+    kops.k8s.io/cluster: minimal.example.com
+spec:
+  associatePublicIp: true
+  image: ami-1234
+  machineType: m3.medium
+  maxSize: 1
+  minSize: 1
+  role: Master
+  subnets:
+  - us-test-1a

nodeup/pkg/model/tests/golden/oidc/tasks-kops-controller.yaml

@@ -0,0 +1,112 @@
+mode: "0755"
+path: /etc/kubernetes/kops-controller
+type: directory
+---
+contents: |
+  kubernetes-ca: "3"
+  service-account: "2"
+mode: "0600"
+owner: kops-controller
+path: /etc/kubernetes/kops-controller/keypair-ids.yaml
+type: file
+---
+contents:
+  task:
+    Name: kops-controller
+    alternateNames:
+    - kops-controller.internal.minimal.example.com
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kops-controller
+    type: server
+mode: "0644"
+owner: kops-controller
+path: /etc/kubernetes/kops-controller/kops-controller.crt
+type: file
+---
+contents:
+  task:
+    Name: kops-controller
+    alternateNames:
+    - kops-controller.internal.minimal.example.com
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kops-controller
+    type: server
+mode: "0600"
+owner: kops-controller
+path: /etc/kubernetes/kops-controller/kops-controller.key
+type: file
+---
+contents: |
+  -----BEGIN CERTIFICATE-----
+  MIIC2DCCAcCgAwIBAgIRALJXAkVj964tq67wMSI8oJQwDQYJKoZIhvcNAQELBQAw
+  FTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0xNzEyMjcyMzUyNDBaFw0yNzEyMjcy
+  MzUyNDBaMBUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUA
+  A4IBDwAwggEKAoIBAQDgnCkSmtnmfxEgS3qNPaUCH5QOBGDH/inHbWCODLBCK9gd
+  XEcBl7FVv8T2kFr1DYb0HVDtMI7tixRVFDLgkwNlW34xwWdZXB7GeoFgU1xWOQSY
+  OACC8JgYTQ/139HBEvgq4sej67p+/s/SNcw34Kk7HIuFhlk1rRk5kMexKIlJBKP1
+  YYUYetsJ/QpUOkqJ5HW4GoetE76YtHnORfYvnybviSMrh2wGGaN6r/s4ChOaIbZC
+  An8/YiPKGIDaZGpj6GXnmXARRX/TIdgSQkLwt0aTDBnPZ4XvtpI8aaL8DYJIqAzA
+  NPH2b4/uNylat5jDo0b0G54agMi97+2AUrC9UUXpAgMBAAGjIzAhMA4GA1UdDwEB
+  /wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBVGR2r
+  hzXzRMU5wriPQAJScszNORvoBpXfZoZ09FIupudFxBVU3d4hV9StKnQgPSGA5XQO
+  HE97+BxJDuA/rB5oBUsMBjc7y1cde/T6hmi3rLoEYBSnSudCOXJE4G9/0f8byAJe
+  rN8+No1r2VgZvZh6p74TEkXv/l3HBPWM7IdUV0HO9JDhSgOVF1fyQKJxRuLJR8jt
+  O6mPH2UX0vMwVa4jvwtkddqk2OAdYQvH9rbDjjbzaiW0KnmdueRo92KHAN7BsDZy
+  VpXHpqo1Kzg7D3fpaXCf5si7lqqrdJVXH4JC72zxsPehqgi8eIuqOBkiDWmRxAxh
+  8yGeRx9AbknHh4Ia
+  -----END CERTIFICATE-----
+mode: "0600"
+owner: kops-controller
+path: /etc/kubernetes/kops-controller/kubernetes-ca.crt
+type: file
+---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA4JwpEprZ5n8RIEt6jT2lAh+UDgRgx/4px21gjgywQivYHVxH
+  AZexVb/E9pBa9Q2G9B1Q7TCO7YsUVRQy4JMDZVt+McFnWVwexnqBYFNcVjkEmDgA
+  gvCYGE0P9d/RwRL4KuLHo+u6fv7P0jXMN+CpOxyLhYZZNa0ZOZDHsSiJSQSj9WGF
+  GHrbCf0KVDpKieR1uBqHrRO+mLR5zkX2L58m74kjK4dsBhmjeq/7OAoTmiG2QgJ/
+  P2IjyhiA2mRqY+hl55lwEUV/0yHYEkJC8LdGkwwZz2eF77aSPGmi/A2CSKgMwDTx
+  9m+P7jcpWreYw6NG9BueGoDIve/tgFKwvVFF6QIDAQABAoIBAA0ktjaTfyrAxsTI
+  Bezb7Zr5NBW55dvuII299cd6MJo+rI/TRYhvUv48kY8IFXp/hyUjzgeDLunxmIf9
+  /Zgsoic9Ol44/g45mMduhcGYPzAAeCdcJ5OB9rR9VfDCXyjYLlN8H8iU0734tTqM
+  0V13tQ9zdSqkGPZOIcq/kR/pylbOZaQMe97BTlsAnOMSMKDgnftY4122Lq3GYy+t
+  vpr+bKVaQZwvkLoSU3rECCaKaghgwCyX7jft9aEkhdJv+KlwbsGY6WErvxOaLWHd
+  cuMQjGapY1Fa/4UD00mvrA260NyKfzrp6+P46RrVMwEYRJMIQ8YBAk6N6Hh7dc0G
+  8Z6i1m0CgYEA9HeCJR0TSwbIQ1bDXUrzpftHuidG5BnSBtax/ND9qIPhR/FBW5nj
+  22nwLc48KkyirlfIULd0ae4qVXJn7wfYcuX/cJMLDmSVtlM5Dzmi/91xRiFgIzx1
+  AsbBzaFjISP2HpSgL+e9FtSXaaqeZVrflitVhYKUpI/AKV31qGHf04sCgYEA6zTV
+  99Sb49Wdlns5IgsfnXl6ToRttB18lfEKcVfjAM4frnkk06JpFAZeR+9GGKUXZHqs
+  z2qcplw4d/moCC6p3rYPBMLXsrGNEUFZqBlgz72QA6BBq3X0Cg1Bc2ZbK5VIzwkg
+  ST2SSux6ccROfgULmN5ZiLOtdUKNEZpFF3i3qtsCgYADT/s7dYFlatobz3kmMnXK
+  sfTu2MllHdRys0YGHu7Q8biDuQkhrJwhxPW0KS83g4JQym+0aEfzh36bWcl+u6R7
+  KhKj+9oSf9pndgk345gJz35RbPJYh+EuAHNvzdgCAvK6x1jETWeKf6btj5pF1U1i
+  Q4QNIw/QiwIXjWZeubTGsQKBgQCbduLu2rLnlyyAaJZM8DlHZyH2gAXbBZpxqU8T
+  t9mtkJDUS/KRiEoYGFV9CqS0aXrayVMsDfXY6B/S/UuZjO5u7LtklDzqOf1aKG3Q
+  dGXPKibknqqJYH+bnUNjuYYNerETV57lijMGHuSYCf8vwLn3oxBfERRX61M/DU8Z
+  worz/QKBgQDCTJI2+jdXg26XuYUmM4XXfnocfzAXhXBULt1nENcogNf1fcptAVtu
+  BAiz4/HipQKqoWVUYmxfgbbLRKKLK0s0lOWKbYdVjhEm/m2ZU8wtXTagNwkIGoyq
+  Y/C1Lox4f1ROJnCjc/hfcOjcxX5M8A8peecHWlVtUPKTJgxQ7oMKcw==
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+owner: kops-controller
+path: /etc/kubernetes/kops-controller/kubernetes-ca.key
+type: file
+---
+Name: kops-controller
+alternateNames:
+- kops-controller.internal.minimal.example.com
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kops-controller
+type: server
+---
+Name: kops-controller
+home: ""
+shell: /sbin/nologin
+uid: 10011

nodeup/pkg/model/tests/golden/oidc/tasks-kube-apiserver.yaml

@@ -0,0 +1,368 @@
+contents: |
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    annotations:
+      dns.alpha.kubernetes.io/external: api.minimal.example.com
+      dns.alpha.kubernetes.io/internal: api.internal.minimal.example.com
+      kubectl.kubernetes.io/default-container: kube-apiserver
+    creationTimestamp: null
+    labels:
+      k8s-app: kube-apiserver
+    name: kube-apiserver
+    namespace: kube-system
+  spec:
+    containers:
+    - args:
+      - --log-file=/var/log/kube-apiserver.log
+      - --also-stdout
+      - /usr/local/bin/kube-apiserver
+      - --allow-privileged=true
+      - --anonymous-auth=false
+      - --api-audiences=kubernetes.svc.default
+      - --apiserver-count=1
+      - --authorization-mode=AlwaysAllow
+      - --bind-address=0.0.0.0
+      - --client-ca-file=/srv/kubernetes/ca.crt
+      - --cloud-config=/etc/kubernetes/in-tree-cloud.config
+      - --cloud-provider=aws
+      - --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota
+      - --etcd-cafile=/srv/kubernetes/kube-apiserver/etcd-ca.crt
+      - --etcd-certfile=/srv/kubernetes/kube-apiserver/etcd-client.crt
+      - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
+      - --etcd-servers-overrides=/events#https://127.0.0.1:4002
+      - --etcd-servers=https://127.0.0.1:4001
+      - --feature-gates=CSIMigrationAWS=true,InTreePluginAWSUnregister=true
+      - --kubelet-client-certificate=/srv/kubernetes/kube-apiserver/kubelet-api.crt
+      - --kubelet-client-key=/srv/kubernetes/kube-apiserver/kubelet-api.key
+      - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP
+      - --proxy-client-cert-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator.crt
+      - --proxy-client-key-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator.key
+      - --requestheader-allowed-names=aggregator
+      - --requestheader-client-ca-file=/srv/kubernetes/kube-apiserver/apiserver-aggregator-ca.crt
+      - --requestheader-extra-headers-prefix=X-Remote-Extra-
+      - --requestheader-group-headers=X-Remote-Group
+      - --requestheader-username-headers=X-Remote-User
+      - --secure-port=443
+      - --service-account-issuer=https://api.internal.minimal.example.com
+      - --service-account-jwks-uri=https://api.internal.minimal.example.com/openid/v1/jwks
+      - --service-account-key-file=/srv/kubernetes/kube-apiserver/service-account.pub
+      - --service-account-signing-key-file=/srv/kubernetes/kube-apiserver/service-account.key
+      - --service-cluster-ip-range=100.64.0.0/13
+      - --storage-backend=etcd3
+      - --tls-cert-file=/srv/kubernetes/kube-apiserver/server.crt
+      - --tls-private-key-file=/srv/kubernetes/kube-apiserver/server.key
+      - --v=2
+      command:
+      - /go-runner
+      image: registry.k8s.io/kube-apiserver:v1.23.0
+      livenessProbe:
+        httpGet:
+          host: 127.0.0.1
+          path: /healthz
+          port: 443
+          scheme: HTTPS
+        initialDelaySeconds: 45
+        timeoutSeconds: 15
+      name: kube-apiserver
+      ports:
+      - containerPort: 443
+        hostPort: 443
+        name: https
+      resources:
+        requests:
+          cpu: 150m
+      volumeMounts:
+      - mountPath: /var/log/kube-apiserver.log
+        name: logfile
+      - mountPath: /etc/ssl
+        name: etcssl
+        readOnly: true
+      - mountPath: /etc/pki/tls
+        name: etcpkitls
+        readOnly: true
+      - mountPath: /etc/pki/ca-trust
+        name: etcpkica-trust
+        readOnly: true
+      - mountPath: /usr/share/ssl
+        name: usrsharessl
+        readOnly: true
+      - mountPath: /usr/ssl
+        name: usrssl
+        readOnly: true
+      - mountPath: /usr/lib/ssl
+        name: usrlibssl
+        readOnly: true
+      - mountPath: /usr/local/openssl
+        name: usrlocalopenssl
+        readOnly: true
+      - mountPath: /var/ssl
+        name: varssl
+        readOnly: true
+      - mountPath: /etc/openssl
+        name: etcopenssl
+        readOnly: true
+      - mountPath: /etc/kubernetes/in-tree-cloud.config
+        name: cloudconfig
+        readOnly: true
+      - mountPath: /srv/kubernetes/ca.crt
+        name: kubernetesca
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-apiserver
+        name: srvkapi
+        readOnly: true
+      - mountPath: /srv/sshproxy
+        name: srvsshproxy
+        readOnly: true
+    hostNetwork: true
+    priorityClassName: system-cluster-critical
+    tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    volumes:
+    - hostPath:
+        path: /var/log/kube-apiserver.log
+      name: logfile
+    - hostPath:
+        path: /etc/ssl
+      name: etcssl
+    - hostPath:
+        path: /etc/pki/tls
+      name: etcpkitls
+    - hostPath:
+        path: /etc/pki/ca-trust
+      name: etcpkica-trust
+    - hostPath:
+        path: /usr/share/ssl
+      name: usrsharessl
+    - hostPath:
+        path: /usr/ssl
+      name: usrssl
+    - hostPath:
+        path: /usr/lib/ssl
+      name: usrlibssl
+    - hostPath:
+        path: /usr/local/openssl
+      name: usrlocalopenssl
+    - hostPath:
+        path: /var/ssl
+      name: varssl
+    - hostPath:
+        path: /etc/openssl
+      name: etcopenssl
+    - hostPath:
+        path: /etc/kubernetes/in-tree-cloud.config
+      name: cloudconfig
+    - hostPath:
+        path: /srv/kubernetes/ca.crt
+      name: kubernetesca
+    - hostPath:
+        path: /srv/kubernetes/kube-apiserver
+      name: srvkapi
+    - hostPath:
+        path: /srv/sshproxy
+      name: srvsshproxy
+  status: {}
+path: /etc/kubernetes/manifests/kube-apiserver.manifest
+type: file
+---
+mode: "0755"
+path: /srv/kubernetes/kube-apiserver
+type: directory
+---
+contents: ""
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/apiserver-aggregator-ca.crt
+type: file
+---
+contents:
+  task:
+    Name: apiserver-aggregator
+    keypairID: ""
+    signer: apiserver-aggregator-ca
+    subject:
+      CommonName: aggregator
+    type: client
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/apiserver-aggregator.crt
+type: file
+---
+contents:
+  task:
+    Name: apiserver-aggregator
+    keypairID: ""
+    signer: apiserver-aggregator-ca
+    subject:
+      CommonName: aggregator
+    type: client
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/apiserver-aggregator.key
+type: file
+---
+contents: ""
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/etcd-ca.crt
+type: file
+---
+contents:
+  task:
+    Name: etcd-client
+    keypairID: ""
+    signer: etcd-clients-ca
+    subject:
+      CommonName: kube-apiserver
+    type: client
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/etcd-client.crt
+type: file
+---
+contents:
+  task:
+    Name: etcd-client
+    keypairID: ""
+    signer: etcd-clients-ca
+    subject:
+      CommonName: kube-apiserver
+    type: client
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/etcd-client.key
+type: file
+---
+contents:
+  task:
+    Name: kubelet-api
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubelet-api
+    type: client
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/kubelet-api.crt
+type: file
+---
+contents:
+  task:
+    Name: kubelet-api
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubelet-api
+    type: client
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/kubelet-api.key
+type: file
+---
+contents:
+  task:
+    Name: master
+    alternateNames:
+    - kubernetes
+    - kubernetes.default
+    - kubernetes.default.svc
+    - kubernetes.default.svc.cluster.local
+    - api.minimal.example.com
+    - api.internal.minimal.example.com
+    - 100.64.0.1
+    - 127.0.0.1
+    includeRootCertificate: true
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubernetes-master
+    type: server
+mode: "0644"
+path: /srv/kubernetes/kube-apiserver/server.crt
+type: file
+---
+contents:
+  task:
+    Name: master
+    alternateNames:
+    - kubernetes
+    - kubernetes.default
+    - kubernetes.default.svc
+    - kubernetes.default.svc.cluster.local
+    - api.minimal.example.com
+    - api.internal.minimal.example.com
+    - 100.64.0.1
+    - 127.0.0.1
+    includeRootCertificate: true
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubernetes-master
+    type: server
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/server.key
+type: file
+---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIBPQIBAAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKmXVSysPKgE80QSU4tZ6m4
+  9pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQJBAKt/gmpHqP3qA3u8RA5R
+  2W6L360Z2Mnza1FmkI/9StCCkJGjuE5yDhxU4JcVnFyX/nMxm2ockEEQDqRSu7Oo
+  xTECIQD2QsUsgFL4FnXWzTclySJ6ajE4Cte3gSDOIvyMNMireQIhAOEnsV8UaSI+
+  ZyL7NMLzMPLCgtsrPnlamr8gdrEHf9ITAiEAxCCLbpTI/4LL2QZZrINTLVGT34Fr
+  Kl/yI5pjrrp/M2kCIQDfOktQyRuzJ8t5kzWsUxCkntS+FxHJn1rtQ3Jp8dV4oQIh
+  AOyiVWDyLZJvg7Y24Ycmp86BZjM9Wk/BfWpBXKnl9iDY
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/service-account.key
+type: file
+---
+contents: |
+  -----BEGIN RSA PUBLIC KEY-----
+  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKm
+  XVSysPKgE80QSU4tZ6m49pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQ==
+  -----END RSA PUBLIC KEY-----
+  -----BEGIN RSA PUBLIC KEY-----
+  MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKOE64nZbH+GM91AIrqf7HEk4hvzqsZF
+  Ftxc+8xir1XC3mI/RhCCrs6AdVRZNZ26A6uHArhi33c2kHQkCjyLA7sCAwEAAQ==
+  -----END RSA PUBLIC KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-apiserver/service-account.pub
+type: file
+---
+contents: ""
+ifNotExists: true
+mode: "0400"
+path: /var/log/kube-apiserver.log
+type: file
+---
+Name: apiserver-aggregator
+keypairID: ""
+signer: apiserver-aggregator-ca
+subject:
+  CommonName: aggregator
+type: client
+---
+Name: etcd-client
+keypairID: ""
+signer: etcd-clients-ca
+subject:
+  CommonName: kube-apiserver
+type: client
+---
+Name: kubelet-api
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kubelet-api
+type: client
+---
+Name: master
+alternateNames:
+- kubernetes
+- kubernetes.default
+- kubernetes.default.svc
+- kubernetes.default.svc.cluster.local
+- api.minimal.example.com
+- api.internal.minimal.example.com
+- 100.64.0.1
+- 127.0.0.1
+includeRootCertificate: true
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kubernetes-master
+type: server

nodeup/pkg/model/tests/golden/oidc/tasks-kube-controller-manager.yaml

@@ -0,0 +1,332 @@
+contents: |
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    creationTimestamp: null
+    labels:
+      k8s-app: kube-controller-manager
+    name: kube-controller-manager
+    namespace: kube-system
+  spec:
+    containers:
+    - args:
+      - --log-file=/var/log/kube-controller-manager.log
+      - --also-stdout
+      - /usr/local/bin/kube-controller-manager
+      - --allocate-node-cidrs=true
+      - --attach-detach-reconcile-sync-period=1m0s
+      - --authentication-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --cloud-config=/etc/kubernetes/in-tree-cloud.config
+      - --cloud-provider=aws
+      - --cluster-cidr=100.96.0.0/11
+      - --cluster-name=minimal.example.com
+      - --cluster-signing-cert-file=/srv/kubernetes/kube-controller-manager/ca.crt
+      - --cluster-signing-key-file=/srv/kubernetes/kube-controller-manager/ca.key
+      - --configure-cloud-routes=true
+      - --enable-leader-migration=true
+      - --feature-gates=CSIMigrationAWS=true,InTreePluginAWSUnregister=true
+      - --flex-volume-plugin-dir=/usr/libexec/kubernetes/kubelet-plugins/volume/exec/
+      - --kubeconfig=/var/lib/kube-controller-manager/kubeconfig
+      - --leader-elect=true
+      - --root-ca-file=/srv/kubernetes/ca.crt
+      - --service-account-private-key-file=/srv/kubernetes/kube-controller-manager/service-account.key
+      - --tls-cert-file=/srv/kubernetes/kube-controller-manager/server.crt
+      - --tls-private-key-file=/srv/kubernetes/kube-controller-manager/server.key
+      - --use-service-account-credentials=true
+      - --v=2
+      command:
+      - /go-runner
+      image: registry.k8s.io/kube-controller-manager:v1.23.0
+      livenessProbe:
+        httpGet:
+          host: 127.0.0.1
+          path: /healthz
+          port: 10257
+          scheme: HTTPS
+        initialDelaySeconds: 15
+        timeoutSeconds: 15
+      name: kube-controller-manager
+      resources:
+        requests:
+          cpu: 100m
+      volumeMounts:
+      - mountPath: /var/log/kube-controller-manager.log
+        name: logfile
+      - mountPath: /etc/ssl
+        name: etcssl
+        readOnly: true
+      - mountPath: /etc/pki/tls
+        name: etcpkitls
+        readOnly: true
+      - mountPath: /etc/pki/ca-trust
+        name: etcpkica-trust
+        readOnly: true
+      - mountPath: /usr/share/ssl
+        name: usrsharessl
+        readOnly: true
+      - mountPath: /usr/ssl
+        name: usrssl
+        readOnly: true
+      - mountPath: /usr/lib/ssl
+        name: usrlibssl
+        readOnly: true
+      - mountPath: /usr/local/openssl
+        name: usrlocalopenssl
+        readOnly: true
+      - mountPath: /var/ssl
+        name: varssl
+        readOnly: true
+      - mountPath: /etc/openssl
+        name: etcopenssl
+        readOnly: true
+      - mountPath: /etc/kubernetes/in-tree-cloud.config
+        name: cloudconfig
+        readOnly: true
+      - mountPath: /srv/kubernetes/ca.crt
+        name: cabundle
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-controller-manager
+        name: srvkcm
+        readOnly: true
+      - mountPath: /var/lib/kube-controller-manager
+        name: varlibkcm
+        readOnly: true
+      - mountPath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
+        name: volplugins
+    hostNetwork: true
+    priorityClassName: system-cluster-critical
+    tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    volumes:
+    - hostPath:
+        path: /var/log/kube-controller-manager.log
+      name: logfile
+    - hostPath:
+        path: /etc/ssl
+      name: etcssl
+    - hostPath:
+        path: /etc/pki/tls
+      name: etcpkitls
+    - hostPath:
+        path: /etc/pki/ca-trust
+      name: etcpkica-trust
+    - hostPath:
+        path: /usr/share/ssl
+      name: usrsharessl
+    - hostPath:
+        path: /usr/ssl
+      name: usrssl
+    - hostPath:
+        path: /usr/lib/ssl
+      name: usrlibssl
+    - hostPath:
+        path: /usr/local/openssl
+      name: usrlocalopenssl
+    - hostPath:
+        path: /var/ssl
+      name: varssl
+    - hostPath:
+        path: /etc/openssl
+      name: etcopenssl
+    - hostPath:
+        path: /etc/kubernetes/in-tree-cloud.config
+      name: cloudconfig
+    - hostPath:
+        path: /srv/kubernetes/ca.crt
+      name: cabundle
+    - hostPath:
+        path: /srv/kubernetes/kube-controller-manager
+      name: srvkcm
+    - hostPath:
+        path: /var/lib/kube-controller-manager
+      name: varlibkcm
+    - hostPath:
+        path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
+      name: volplugins
+  status: {}
+path: /etc/kubernetes/manifests/kube-controller-manager.manifest
+type: file
+---
+mode: "0755"
+path: /srv/kubernetes/kube-controller-manager
+type: directory
+---
+contents: |
+  -----BEGIN CERTIFICATE-----
+  MIIC2DCCAcCgAwIBAgIRALJXAkVj964tq67wMSI8oJQwDQYJKoZIhvcNAQELBQAw
+  FTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0xNzEyMjcyMzUyNDBaFw0yNzEyMjcy
+  MzUyNDBaMBUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUA
+  A4IBDwAwggEKAoIBAQDgnCkSmtnmfxEgS3qNPaUCH5QOBGDH/inHbWCODLBCK9gd
+  XEcBl7FVv8T2kFr1DYb0HVDtMI7tixRVFDLgkwNlW34xwWdZXB7GeoFgU1xWOQSY
+  OACC8JgYTQ/139HBEvgq4sej67p+/s/SNcw34Kk7HIuFhlk1rRk5kMexKIlJBKP1
+  YYUYetsJ/QpUOkqJ5HW4GoetE76YtHnORfYvnybviSMrh2wGGaN6r/s4ChOaIbZC
+  An8/YiPKGIDaZGpj6GXnmXARRX/TIdgSQkLwt0aTDBnPZ4XvtpI8aaL8DYJIqAzA
+  NPH2b4/uNylat5jDo0b0G54agMi97+2AUrC9UUXpAgMBAAGjIzAhMA4GA1UdDwEB
+  /wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBVGR2r
+  hzXzRMU5wriPQAJScszNORvoBpXfZoZ09FIupudFxBVU3d4hV9StKnQgPSGA5XQO
+  HE97+BxJDuA/rB5oBUsMBjc7y1cde/T6hmi3rLoEYBSnSudCOXJE4G9/0f8byAJe
+  rN8+No1r2VgZvZh6p74TEkXv/l3HBPWM7IdUV0HO9JDhSgOVF1fyQKJxRuLJR8jt
+  O6mPH2UX0vMwVa4jvwtkddqk2OAdYQvH9rbDjjbzaiW0KnmdueRo92KHAN7BsDZy
+  VpXHpqo1Kzg7D3fpaXCf5si7lqqrdJVXH4JC72zxsPehqgi8eIuqOBkiDWmRxAxh
+  8yGeRx9AbknHh4Ia
+  -----END CERTIFICATE-----
+mode: "0600"
+path: /srv/kubernetes/kube-controller-manager/ca.crt
+type: file
+---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEA4JwpEprZ5n8RIEt6jT2lAh+UDgRgx/4px21gjgywQivYHVxH
+  AZexVb/E9pBa9Q2G9B1Q7TCO7YsUVRQy4JMDZVt+McFnWVwexnqBYFNcVjkEmDgA
+  gvCYGE0P9d/RwRL4KuLHo+u6fv7P0jXMN+CpOxyLhYZZNa0ZOZDHsSiJSQSj9WGF
+  GHrbCf0KVDpKieR1uBqHrRO+mLR5zkX2L58m74kjK4dsBhmjeq/7OAoTmiG2QgJ/
+  P2IjyhiA2mRqY+hl55lwEUV/0yHYEkJC8LdGkwwZz2eF77aSPGmi/A2CSKgMwDTx
+  9m+P7jcpWreYw6NG9BueGoDIve/tgFKwvVFF6QIDAQABAoIBAA0ktjaTfyrAxsTI
+  Bezb7Zr5NBW55dvuII299cd6MJo+rI/TRYhvUv48kY8IFXp/hyUjzgeDLunxmIf9
+  /Zgsoic9Ol44/g45mMduhcGYPzAAeCdcJ5OB9rR9VfDCXyjYLlN8H8iU0734tTqM
+  0V13tQ9zdSqkGPZOIcq/kR/pylbOZaQMe97BTlsAnOMSMKDgnftY4122Lq3GYy+t
+  vpr+bKVaQZwvkLoSU3rECCaKaghgwCyX7jft9aEkhdJv+KlwbsGY6WErvxOaLWHd
+  cuMQjGapY1Fa/4UD00mvrA260NyKfzrp6+P46RrVMwEYRJMIQ8YBAk6N6Hh7dc0G
+  8Z6i1m0CgYEA9HeCJR0TSwbIQ1bDXUrzpftHuidG5BnSBtax/ND9qIPhR/FBW5nj
+  22nwLc48KkyirlfIULd0ae4qVXJn7wfYcuX/cJMLDmSVtlM5Dzmi/91xRiFgIzx1
+  AsbBzaFjISP2HpSgL+e9FtSXaaqeZVrflitVhYKUpI/AKV31qGHf04sCgYEA6zTV
+  99Sb49Wdlns5IgsfnXl6ToRttB18lfEKcVfjAM4frnkk06JpFAZeR+9GGKUXZHqs
+  z2qcplw4d/moCC6p3rYPBMLXsrGNEUFZqBlgz72QA6BBq3X0Cg1Bc2ZbK5VIzwkg
+  ST2SSux6ccROfgULmN5ZiLOtdUKNEZpFF3i3qtsCgYADT/s7dYFlatobz3kmMnXK
+  sfTu2MllHdRys0YGHu7Q8biDuQkhrJwhxPW0KS83g4JQym+0aEfzh36bWcl+u6R7
+  KhKj+9oSf9pndgk345gJz35RbPJYh+EuAHNvzdgCAvK6x1jETWeKf6btj5pF1U1i
+  Q4QNIw/QiwIXjWZeubTGsQKBgQCbduLu2rLnlyyAaJZM8DlHZyH2gAXbBZpxqU8T
+  t9mtkJDUS/KRiEoYGFV9CqS0aXrayVMsDfXY6B/S/UuZjO5u7LtklDzqOf1aKG3Q
+  dGXPKibknqqJYH+bnUNjuYYNerETV57lijMGHuSYCf8vwLn3oxBfERRX61M/DU8Z
+  worz/QKBgQDCTJI2+jdXg26XuYUmM4XXfnocfzAXhXBULt1nENcogNf1fcptAVtu
+  BAiz4/HipQKqoWVUYmxfgbbLRKKLK0s0lOWKbYdVjhEm/m2ZU8wtXTagNwkIGoyq
+  Y/C1Lox4f1ROJnCjc/hfcOjcxX5M8A8peecHWlVtUPKTJgxQ7oMKcw==
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-controller-manager/ca.key
+type: file
+---
+contents:
+  task:
+    Name: kube-controller-manager-server
+    alternateNames:
+    - kube-controller-manager.kube-system.svc.cluster.local
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kube-controller-manager
+    type: server
+mode: "0644"
+path: /srv/kubernetes/kube-controller-manager/server.crt
+type: file
+---
+contents:
+  task:
+    Name: kube-controller-manager-server
+    alternateNames:
+    - kube-controller-manager.kube-system.svc.cluster.local
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kube-controller-manager
+    type: server
+mode: "0600"
+path: /srv/kubernetes/kube-controller-manager/server.key
+type: file
+---
+contents: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MIIBPQIBAAJBANiW3hfHTcKnxCig+uWhpVbOfH1pANKmXVSysPKgE80QSU4tZ6m4
+  9pAEeIMsvwvDMaLsb2v6JvXe0qvCmueU+/sCAwEAAQJBAKt/gmpHqP3qA3u8RA5R
+  2W6L360Z2Mnza1FmkI/9StCCkJGjuE5yDhxU4JcVnFyX/nMxm2ockEEQDqRSu7Oo
+  xTECIQD2QsUsgFL4FnXWzTclySJ6ajE4Cte3gSDOIvyMNMireQIhAOEnsV8UaSI+
+  ZyL7NMLzMPLCgtsrPnlamr8gdrEHf9ITAiEAxCCLbpTI/4LL2QZZrINTLVGT34Fr
+  Kl/yI5pjrrp/M2kCIQDfOktQyRuzJ8t5kzWsUxCkntS+FxHJn1rtQ3Jp8dV4oQIh
+  AOyiVWDyLZJvg7Y24Ycmp86BZjM9Wk/BfWpBXKnl9iDY
+  -----END RSA PRIVATE KEY-----
+mode: "0600"
+path: /srv/kubernetes/kube-controller-manager/service-account.key
+type: file
+---
+contents:
+  task:
+    CA:
+      task:
+        Name: kube-controller-manager
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-controller-manager
+        type: client
+    Cert:
+      task:
+        Name: kube-controller-manager
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-controller-manager
+        type: client
+    Key:
+      task:
+        Name: kube-controller-manager
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-controller-manager
+        type: client
+    Name: kube-controller-manager
+    ServerURL: https://127.0.0.1
+mode: "0400"
+path: /var/lib/kube-controller-manager/kubeconfig
+type: file
+---
+contents: ""
+ifNotExists: true
+mode: "0400"
+path: /var/log/kube-controller-manager.log
+type: file
+---
+Name: kube-controller-manager
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: system:kube-controller-manager
+type: client
+---
+Name: kube-controller-manager-server
+alternateNames:
+- kube-controller-manager.kube-system.svc.cluster.local
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kube-controller-manager
+type: server
+---
+CA:
+  task:
+    Name: kube-controller-manager
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-controller-manager
+    type: client
+Cert:
+  task:
+    Name: kube-controller-manager
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-controller-manager
+    type: client
+Key:
+  task:
+    Name: kube-controller-manager
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-controller-manager
+    type: client
+Name: kube-controller-manager
+ServerURL: https://127.0.0.1

nodeup/pkg/model/tests/golden/oidc/tasks-kube-proxy.yaml

@@ -0,0 +1,145 @@
+contents: |
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    creationTimestamp: null
+    labels:
+      k8s-app: kube-proxy
+      kubernetes.io/managed-by: nodeup
+      tier: node
+    name: kube-proxy
+    namespace: kube-system
+  spec:
+    containers:
+    - args:
+      - --log-file=/var/log/kube-proxy.log
+      - --also-stdout
+      - /usr/local/bin/kube-proxy
+      - --cluster-cidr=100.96.0.0/11
+      - --conntrack-max-per-core=131072
+      - --kubeconfig=/var/lib/kube-proxy/kubeconfig
+      - --master=https://127.0.0.1
+      - --oom-score-adj=-998
+      - --v=2
+      command:
+      - /go-runner
+      image: registry.k8s.io/kube-proxy:v1.23.0
+      name: kube-proxy
+      resources:
+        requests:
+          cpu: 100m
+      securityContext:
+        privileged: true
+      volumeMounts:
+      - mountPath: /var/log/kube-proxy.log
+        name: logfile
+      - mountPath: /var/lib/kube-proxy/kubeconfig
+        name: kubeconfig
+        readOnly: true
+      - mountPath: /lib/modules
+        name: modules
+        readOnly: true
+      - mountPath: /etc/ssl/certs
+        name: ssl-certs-hosts
+        readOnly: true
+      - mountPath: /run/xtables.lock
+        name: iptableslock
+    hostNetwork: true
+    priorityClassName: system-node-critical
+    tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    volumes:
+    - hostPath:
+        path: /var/log/kube-proxy.log
+      name: logfile
+    - hostPath:
+        path: /var/lib/kube-proxy/kubeconfig
+      name: kubeconfig
+    - hostPath:
+        path: /lib/modules
+      name: modules
+    - hostPath:
+        path: /usr/share/ca-certificates
+      name: ssl-certs-hosts
+    - hostPath:
+        path: /run/xtables.lock
+        type: FileOrCreate
+      name: iptableslock
+  status: {}
+path: /etc/kubernetes/manifests/kube-proxy.manifest
+type: file
+---
+beforeServices:
+- kubelet.service
+contents:
+  task:
+    CA:
+      task:
+        Name: kube-proxy
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-proxy
+        type: client
+    Cert:
+      task:
+        Name: kube-proxy
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-proxy
+        type: client
+    Key:
+      task:
+        Name: kube-proxy
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-proxy
+        type: client
+    Name: kube-proxy
+    ServerURL: https://127.0.0.1
+mode: "0400"
+path: /var/lib/kube-proxy/kubeconfig
+type: file
+---
+contents: ""
+ifNotExists: true
+mode: "0400"
+path: /var/log/kube-proxy.log
+type: file
+---
+Name: kube-proxy
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: system:kube-proxy
+type: client
+---
+CA:
+  task:
+    Name: kube-proxy
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-proxy
+    type: client
+Cert:
+  task:
+    Name: kube-proxy
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-proxy
+    type: client
+Key:
+  task:
+    Name: kube-proxy
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-proxy
+    type: client
+Name: kube-proxy
+ServerURL: https://127.0.0.1

nodeup/pkg/model/tests/golden/oidc/tasks-kube-scheduler.yaml

@@ -0,0 +1,187 @@
+contents: |
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    creationTimestamp: null
+    labels:
+      k8s-app: kube-scheduler
+    name: kube-scheduler
+    namespace: kube-system
+  spec:
+    containers:
+    - args:
+      - --log-file=/var/log/kube-scheduler.log
+      - --also-stdout
+      - /usr/local/bin/kube-scheduler
+      - --authentication-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+      - --authorization-kubeconfig=/var/lib/kube-scheduler/kubeconfig
+      - --config=/var/lib/kube-scheduler/config.yaml
+      - --feature-gates=CSIMigrationAWS=true,InTreePluginAWSUnregister=true
+      - --leader-elect=true
+      - --tls-cert-file=/srv/kubernetes/kube-scheduler/server.crt
+      - --tls-private-key-file=/srv/kubernetes/kube-scheduler/server.key
+      - --v=2
+      command:
+      - /go-runner
+      image: registry.k8s.io/kube-scheduler:v1.23.0
+      livenessProbe:
+        httpGet:
+          host: 127.0.0.1
+          path: /healthz
+          port: 10259
+          scheme: HTTPS
+        initialDelaySeconds: 15
+        timeoutSeconds: 15
+      name: kube-scheduler
+      resources:
+        requests:
+          cpu: 100m
+      volumeMounts:
+      - mountPath: /var/lib/kube-scheduler
+        name: varlibkubescheduler
+        readOnly: true
+      - mountPath: /srv/kubernetes/kube-scheduler
+        name: srvscheduler
+        readOnly: true
+      - mountPath: /var/log/kube-scheduler.log
+        name: logfile
+    hostNetwork: true
+    priorityClassName: system-cluster-critical
+    tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    volumes:
+    - hostPath:
+        path: /var/lib/kube-scheduler
+      name: varlibkubescheduler
+    - hostPath:
+        path: /srv/kubernetes/kube-scheduler
+      name: srvscheduler
+    - hostPath:
+        path: /var/log/kube-scheduler.log
+      name: logfile
+  status: {}
+path: /etc/kubernetes/manifests/kube-scheduler.manifest
+type: file
+---
+mode: "0755"
+path: /srv/kubernetes/kube-scheduler
+type: directory
+---
+contents:
+  task:
+    Name: kube-scheduler-server
+    alternateNames:
+    - kube-scheduler.kube-system.svc.cluster.local
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kube-scheduler
+    type: server
+mode: "0644"
+path: /srv/kubernetes/kube-scheduler/server.crt
+type: file
+---
+contents:
+  task:
+    Name: kube-scheduler-server
+    alternateNames:
+    - kube-scheduler.kube-system.svc.cluster.local
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kube-scheduler
+    type: server
+mode: "0600"
+path: /srv/kubernetes/kube-scheduler/server.key
+type: file
+---
+contents: |
+  apiVersion: kubescheduler.config.k8s.io/v1beta2
+  clientConnection:
+    kubeconfig: /var/lib/kube-scheduler/kubeconfig
+  kind: KubeSchedulerConfiguration
+mode: "0400"
+path: /var/lib/kube-scheduler/config.yaml
+type: file
+---
+contents:
+  task:
+    CA:
+      task:
+        Name: kube-scheduler
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-scheduler
+        type: client
+    Cert:
+      task:
+        Name: kube-scheduler
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-scheduler
+        type: client
+    Key:
+      task:
+        Name: kube-scheduler
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: system:kube-scheduler
+        type: client
+    Name: kube-scheduler
+    ServerURL: https://127.0.0.1
+mode: "0400"
+path: /var/lib/kube-scheduler/kubeconfig
+type: file
+---
+contents: ""
+ifNotExists: true
+mode: "0400"
+path: /var/log/kube-scheduler.log
+type: file
+---
+Name: kube-scheduler
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: system:kube-scheduler
+type: client
+---
+Name: kube-scheduler-server
+alternateNames:
+- kube-scheduler.kube-system.svc.cluster.local
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kube-scheduler
+type: server
+---
+CA:
+  task:
+    Name: kube-scheduler
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-scheduler
+    type: client
+Cert:
+  task:
+    Name: kube-scheduler
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-scheduler
+    type: client
+Key:
+  task:
+    Name: kube-scheduler
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: system:kube-scheduler
+    type: client
+Name: kube-scheduler
+ServerURL: https://127.0.0.1

nodeup/pkg/model/tests/golden/oidc/tasks-kubectl.yaml

@@ -0,0 +1,87 @@
+contents:
+  Asset:
+    AssetPath: /path/to/kubectl/asset
+    Key: kubectl
+mode: "0755"
+path: /opt/kops/bin/kubectl
+type: file
+---
+contents:
+  task:
+    CA:
+      task:
+        Name: kubecfg
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: kubecfg
+          Organization:
+          - system:masters
+        type: client
+    Cert:
+      task:
+        Name: kubecfg
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: kubecfg
+          Organization:
+          - system:masters
+        type: client
+    Key:
+      task:
+        Name: kubecfg
+        keypairID: "3"
+        signer: kubernetes-ca
+        subject:
+          CommonName: kubecfg
+          Organization:
+          - system:masters
+        type: client
+    Name: kubecfg
+    ServerURL: https://127.0.0.1
+mode: "0400"
+path: /var/lib/kubectl/kubeconfig
+type: file
+---
+Name: kubecfg
+keypairID: "3"
+signer: kubernetes-ca
+subject:
+  CommonName: kubecfg
+  Organization:
+  - system:masters
+type: client
+---
+CA:
+  task:
+    Name: kubecfg
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubecfg
+      Organization:
+      - system:masters
+    type: client
+Cert:
+  task:
+    Name: kubecfg
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubecfg
+      Organization:
+      - system:masters
+    type: client
+Key:
+  task:
+    Name: kubecfg
+    keypairID: "3"
+    signer: kubernetes-ca
+    subject:
+      CommonName: kubecfg
+      Organization:
+      - system:masters
+    type: client
+Name: kubecfg
+ServerURL: https://127.0.0.1

nodeup/pkg/model/tests/golden/oidc/tasks-secret.yaml

@@ -0,0 +1,32 @@
+contents: |
+  -----BEGIN CERTIFICATE-----
+  MIIC2DCCAcCgAwIBAgIRALJXAkVj964tq67wMSI8oJQwDQYJKoZIhvcNAQELBQAw
+  FTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0xNzEyMjcyMzUyNDBaFw0yNzEyMjcy
+  MzUyNDBaMBUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUA
+  A4IBDwAwggEKAoIBAQDgnCkSmtnmfxEgS3qNPaUCH5QOBGDH/inHbWCODLBCK9gd
+  XEcBl7FVv8T2kFr1DYb0HVDtMI7tixRVFDLgkwNlW34xwWdZXB7GeoFgU1xWOQSY
+  OACC8JgYTQ/139HBEvgq4sej67p+/s/SNcw34Kk7HIuFhlk1rRk5kMexKIlJBKP1
+  YYUYetsJ/QpUOkqJ5HW4GoetE76YtHnORfYvnybviSMrh2wGGaN6r/s4ChOaIbZC
+  An8/YiPKGIDaZGpj6GXnmXARRX/TIdgSQkLwt0aTDBnPZ4XvtpI8aaL8DYJIqAzA
+  NPH2b4/uNylat5jDo0b0G54agMi97+2AUrC9UUXpAgMBAAGjIzAhMA4GA1UdDwEB
+  /wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBVGR2r
+  hzXzRMU5wriPQAJScszNORvoBpXfZoZ09FIupudFxBVU3d4hV9StKnQgPSGA5XQO
+  HE97+BxJDuA/rB5oBUsMBjc7y1cde/T6hmi3rLoEYBSnSudCOXJE4G9/0f8byAJe
+  rN8+No1r2VgZvZh6p74TEkXv/l3HBPWM7IdUV0HO9JDhSgOVF1fyQKJxRuLJR8jt
+  O6mPH2UX0vMwVa4jvwtkddqk2OAdYQvH9rbDjjbzaiW0KnmdueRo92KHAN7BsDZy
+  VpXHpqo1Kzg7D3fpaXCf5si7lqqrdJVXH4JC72zxsPehqgi8eIuqOBkiDWmRxAxh
+  8yGeRx9AbknHh4Ia
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIBZzCCARGgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9zZXJ2
+  aWNlLWFjY291bnQwHhcNMjEwNTAyMjAzMjE3WhcNMzEwNTAyMjAzMjE3WjAaMRgw
+  FgYDVQQDEw9zZXJ2aWNlLWFjY291bnQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA
+  o4Tridlsf4Yz3UAiup/scSTiG/OqxkUW3Fz7zGKvVcLeYj9GEIKuzoB1VFk1nboD
+  q4cCuGLfdzaQdCQKPIsDuwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+  AQH/BAUwAwEB/zAdBgNVHQ4EFgQUhPbxEmUbwVOCa+fZgxreFhf67UEwDQYJKoZI
+  hvcNAQELBQADQQALMsyK2Q7C/bk27eCvXyZKUfrLvor10hEjwGhv14zsKWDeTj/J
+  A1LPYp7U9VtFfgFOkVbkLE9Rstc0ltNrPqxA
+  -----END CERTIFICATE-----
+mode: "0600"
+path: /srv/kubernetes/ca.crt
+type: file

pkg/apis/kops/cluster.go

@@ -382,10 +382,11 @@ type ExecContainerAction struct {
 type AuthenticationSpec struct {
 	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
 	AWS    *AWSAuthenticationSpec    `json:"aws,omitempty"`
+	OIDC   *OIDCAuthenticationSpec   `json:"oidc,omitempty"`
 }
 
 func (s *AuthenticationSpec) IsEmpty() bool {
-	return s.Kopeio == nil && s.AWS == nil
+	return s.Kopeio == nil && s.AWS == nil && s.OIDC == nil
 }
 
 type KopeioAuthenticationSpec struct{}
@@ -418,6 +419,32 @@ type AWSAuthenticationIdentityMappingSpec struct {
 	Groups []string `json:"groups,omitempty"`
 }
 
+type OIDCAuthenticationSpec struct {
+	// UsernameClaim is the OpenID claim to use as the username.
+	// Note that claims other than the default ('sub') are not guaranteed to be
+	// unique and immutable.
+	UsernameClaim *string `json:"usernameClaim,omitempty"`
+	// UsernamePrefix is the prefix prepended to username claims to prevent
+	// clashes with existing names (such as 'system:' users).
+	UsernamePrefix *string `json:"usernamePrefix,omitempty"`
+	// GroupsClaims are the names of the custom OpenID Connect claims for
+	// specifying user groups (optional).
+	GroupsClaims []string `json:"groupsClaims,omitempty"`
+	// GroupsPrefix is the prefix prepended to group claims to prevent
+	// clashes with existing names (such as 'system:' groups).
+	GroupsPrefix *string `json:"groupsPrefix,omitempty"`
+	// IssuerURL is the URL of the OpenID issuer. Only the HTTPS scheme will
+	// be accepted.
+	// If set, will be used to verify the OIDC JSON Web Token (JWT).
+	IssuerURL *string `json:"issuerURL,omitempty"`
+	// ClientID is the client ID for the OpenID Connect client. Must be set
+	// if issuerURL is set.
+	ClientID *string `json:"clientID,omitempty"`
+	// RequiredClaims are key/value pairs that describe required claims in the ID Token.
+	// If set, the claims are verified to be present in the ID Token with corresponding values.
+	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
+}
+
 type AuthorizationSpec struct {
 	AlwaysAllow *AlwaysAllowAuthorizationSpec `json:"alwaysAllow,omitempty"`
 	RBAC        *RBACAuthorizationSpec        `json:"rbac,omitempty"`

pkg/apis/kops/componentconfig.go

@@ -366,28 +366,28 @@ type KubeAPIServerConfig struct {
 	// OIDCUsernameClaim is the OpenID claim to use as the user name.
 	// Note that claims other than the default ('sub') is not guaranteed to be
 	// unique and immutable.
-	OIDCUsernameClaim *string `json:"oidcUsernameClaim,omitempty" flag:"oidc-username-claim"`
+	OIDCUsernameClaim *string `json:"-" flag:"oidc-username-claim"`
 	// OIDCUsernamePrefix is the prefix prepended to username claims to prevent
 	// clashes with existing names (such as 'system:' users).
-	OIDCUsernamePrefix *string `json:"oidcUsernamePrefix,omitempty" flag:"oidc-username-prefix"`
+	OIDCUsernamePrefix *string `json:"-" flag:"oidc-username-prefix"`
 	// OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for
 	// specifying user groups.
 	// The claim value is expected to be a string or array of strings.
-	OIDCGroupsClaim *string `json:"oidcGroupsClaim,omitempty" flag:"oidc-groups-claim"`
+	OIDCGroupsClaim *string `json:"-" flag:"oidc-groups-claim"`
 	// OIDCGroupsPrefix is the prefix prepended to group claims to prevent
 	// clashes with existing names (such as 'system:' groups)
-	OIDCGroupsPrefix *string `json:"oidcGroupsPrefix,omitempty" flag:"oidc-groups-prefix"`
+	OIDCGroupsPrefix *string `json:"-" flag:"oidc-groups-prefix"`
 	// OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will
 	// be accepted.
 	// If set, it will be used to verify the OIDC JSON Web Token (JWT).
-	OIDCIssuerURL *string `json:"oidcIssuerURL,omitempty" flag:"oidc-issuer-url"`
+	OIDCIssuerURL *string `json:"-" flag:"oidc-issuer-url"`
 	// OIDCClientID is the client ID for the OpenID Connect client, must be set
 	// if oidc-issuer-url is set.
-	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
+	OIDCClientID *string `json:"-" flag:"oidc-client-id"`
 	// A key=value pair that describes a required claim in the ID Token.
 	// If set, the claim is verified to be present in the ID Token with a matching value.
 	// Repeat this flag to specify multiple claims.
-	OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
+	OIDCRequiredClaim []string `json:"-" flag:"oidc-required-claim,repeat"`
 	// OIDCCAFile if set, the OpenID server's certificate will be verified by one
 	// of the authorities in the oidc-ca-file
 	OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`

pkg/apis/kops/v1alpha2/cluster.go

@@ -389,8 +389,9 @@ type ExecContainerAction struct {
 }
 
 type AuthenticationSpec struct {
-	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
-	AWS    *AWSAuthenticationSpec    `json:"aws,omitempty"`
+	Kopeio *KopeioAuthenticationSpec    `json:"kopeio,omitempty"`
+	AWS    *AWSAuthenticationSpec       `json:"aws,omitempty"`
+	OIDC   *kops.OIDCAuthenticationSpec `json:"-"`
 }
 
 func (s *AuthenticationSpec) IsEmpty() bool {

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -366,27 +366,34 @@ type KubeAPIServerConfig struct {
 	// OIDCUsernameClaim is the OpenID claim to use as the user name.
 	// Note that claims other than the default ('sub') is not guaranteed to be
 	// unique and immutable.
+	// +k8s:conversion-gen=false
 	OIDCUsernameClaim *string `json:"oidcUsernameClaim,omitempty" flag:"oidc-username-claim"`
 	// OIDCUsernamePrefix is the prefix prepended to username claims to prevent
 	// clashes with existing names (such as 'system:' users).
+	// +k8s:conversion-gen=false
 	OIDCUsernamePrefix *string `json:"oidcUsernamePrefix,omitempty" flag:"oidc-username-prefix"`
 	// OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for
 	// specifying user groups.
 	// The claim value is expected to be a string or array of strings.
+	// +k8s:conversion-gen=false
 	OIDCGroupsClaim *string `json:"oidcGroupsClaim,omitempty" flag:"oidc-groups-claim"`
 	// OIDCGroupsPrefix is the prefix prepended to group claims to prevent
 	// clashes with existing names (such as 'system:' groups)
+	// +k8s:conversion-gen=false
 	OIDCGroupsPrefix *string `json:"oidcGroupsPrefix,omitempty" flag:"oidc-groups-prefix"`
 	// OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will
 	// be accepted.
 	// If set, it will be used to verify the OIDC JSON Web Token (JWT).
+	// +k8s:conversion-gen=false
 	OIDCIssuerURL *string `json:"oidcIssuerURL,omitempty" flag:"oidc-issuer-url"`
 	// OIDCClientID is the client ID for the OpenID Connect client, must be set
 	// if oidc-issuer-url is set.
+	// +k8s:conversion-gen=false
 	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
 	// A key=value pair that describes a required claim in the ID Token.
 	// If set, the claim is verified to be present in the ID Token with a matching value.
 	// Repeat this flag to specify multiple claims.
+	// +k8s:conversion-gen=false
 	OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
 	// OIDCCAFile if set, the OpenID server's certificate will be verified by one
 	// of the authorities in the oidc-ca-file

pkg/apis/kops/v1alpha2/conversion.go

@@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha2
 
 import (
+	"sort"
+	"strings"
+
 	"k8s.io/apimachinery/pkg/conversion"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kops/pkg/apis/kops"
@@ -94,6 +97,40 @@ func Convert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *kops
 		}
 		out.ExternalPolicies = policies
 	}
+	if in.KubeAPIServer != nil {
+		kube := in.KubeAPIServer
+		if kube.OIDCClientID != nil ||
+			kube.OIDCGroupsClaim != nil ||
+			kube.OIDCGroupsPrefix != nil ||
+			kube.OIDCIssuerURL != nil ||
+			kube.OIDCRequiredClaim != nil ||
+			kube.OIDCUsernameClaim != nil ||
+			kube.OIDCUsernamePrefix != nil {
+			if out.Authentication == nil {
+				out.Authentication = &kops.AuthenticationSpec{}
+			}
+			if out.Authentication.OIDC == nil {
+				out.Authentication.OIDC = &kops.OIDCAuthenticationSpec{}
+			}
+
+			oidc := out.Authentication.OIDC
+			oidc.ClientID = kube.OIDCClientID
+			if kube.OIDCGroupsClaim != nil {
+				oidc.GroupsClaims = strings.Split(*kube.OIDCGroupsClaim, ",")
+			}
+			oidc.GroupsPrefix = kube.OIDCGroupsPrefix
+			oidc.IssuerURL = kube.OIDCIssuerURL
+			if kube.OIDCRequiredClaim != nil {
+				oidc.RequiredClaims = make(map[string]string, len(kube.OIDCRequiredClaim))
+				for _, claim := range kube.OIDCRequiredClaim {
+					split := strings.SplitN(claim, "=", 2)
+					oidc.RequiredClaims[split[0]] = split[1]
+				}
+			}
+			oidc.UsernameClaim = kube.OIDCUsernameClaim
+			oidc.UsernamePrefix = kube.OIDCUsernamePrefix
+		}
+	}
 	if in.LegacyNetworking != nil {
 		if err := autoConvert_v1alpha2_NetworkingSpec_To_kops_NetworkingSpec(in.LegacyNetworking, &out.Networking, s); err != nil {
 			return err
@@ -324,6 +361,29 @@ func Convert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec, out
 			out.AdditionalPolicies[k] = v
 		}
 	}
+	if in.Authentication != nil && in.Authentication.OIDC != nil {
+		if out.KubeAPIServer == nil {
+			out.KubeAPIServer = &KubeAPIServerConfig{}
+		}
+		oidc := in.Authentication.OIDC
+		kube := out.KubeAPIServer
+		kube.OIDCClientID = oidc.ClientID
+		if oidc.GroupsClaims != nil {
+			join := strings.Join(oidc.GroupsClaims, ",")
+			kube.OIDCGroupsClaim = &join
+		}
+		kube.OIDCGroupsPrefix = oidc.GroupsPrefix
+		kube.OIDCIssuerURL = oidc.IssuerURL
+		if oidc.RequiredClaims != nil {
+			kube.OIDCRequiredClaim = make([]string, 0, len(oidc.RequiredClaims))
+			for claim, value := range oidc.RequiredClaims {
+				kube.OIDCRequiredClaim = append(kube.OIDCRequiredClaim, claim+"="+value)
+			}
+			sort.Strings(kube.OIDCRequiredClaim)
+		}
+		kube.OIDCUsernameClaim = oidc.UsernameClaim
+		kube.OIDCUsernamePrefix = oidc.UsernamePrefix
+	}
 	if in.ExternalPolicies != nil {
 		out.ExternalPolicies = make(map[string][]string, len(in.ExternalPolicies))
 		for k, v := range in.ExternalPolicies {

pkg/apis/kops/v1alpha2/zz_generated.conversion.go

@@ -1568,6 +1568,7 @@ func autoConvert_v1alpha2_AuthenticationSpec_To_kops_AuthenticationSpec(in *Auth
 	} else {
 		out.AWS = nil
 	}
+	out.OIDC = in.OIDC
 	return nil
 }
 
@@ -1595,6 +1596,7 @@ func autoConvert_kops_AuthenticationSpec_To_v1alpha2_AuthenticationSpec(in *kops
 	} else {
 		out.AWS = nil
 	}
+	out.OIDC = in.OIDC
 	return nil
 }
 
@@ -4766,13 +4768,13 @@ func autoConvert_v1alpha2_KubeAPIServerConfig_To_kops_KubeAPIServerConfig(in *Ku
 	out.AnonymousAuth = in.AnonymousAuth
 	out.KubeletPreferredAddressTypes = in.KubeletPreferredAddressTypes
 	out.StorageBackend = in.StorageBackend
-	out.OIDCUsernameClaim = in.OIDCUsernameClaim
-	out.OIDCUsernamePrefix = in.OIDCUsernamePrefix
-	out.OIDCGroupsClaim = in.OIDCGroupsClaim
-	out.OIDCGroupsPrefix = in.OIDCGroupsPrefix
-	out.OIDCIssuerURL = in.OIDCIssuerURL
-	out.OIDCClientID = in.OIDCClientID
-	out.OIDCRequiredClaim = in.OIDCRequiredClaim
+	// INFO: in.OIDCUsernameClaim opted out of conversion generation
+	// INFO: in.OIDCUsernamePrefix opted out of conversion generation
+	// INFO: in.OIDCGroupsClaim opted out of conversion generation
+	// INFO: in.OIDCGroupsPrefix opted out of conversion generation
+	// INFO: in.OIDCIssuerURL opted out of conversion generation
+	// INFO: in.OIDCClientID opted out of conversion generation
+	// INFO: in.OIDCRequiredClaim opted out of conversion generation
 	out.OIDCCAFile = in.OIDCCAFile
 	out.ProxyClientCertFile = in.ProxyClientCertFile
 	out.ProxyClientKeyFile = in.ProxyClientKeyFile

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -289,6 +289,11 @@ func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) {
 		*out = new(AWSAuthenticationSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.OIDC != nil {
+		in, out := &in.OIDC, &out.OIDC
+		*out = new(kops.OIDCAuthenticationSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 

pkg/apis/kops/v1alpha3/cluster.go

@@ -352,10 +352,11 @@ type ExecContainerAction struct {
 type AuthenticationSpec struct {
 	Kopeio *KopeioAuthenticationSpec `json:"kopeio,omitempty"`
 	AWS    *AWSAuthenticationSpec    `json:"aws,omitempty"`
+	OIDC   *OIDCAuthenticationSpec   `json:"oidc,omitempty"`
 }
 
 func (s *AuthenticationSpec) IsEmpty() bool {
-	return s.Kopeio == nil && s.AWS == nil
+	return s.Kopeio == nil && s.AWS == nil && s.OIDC == nil
 }
 
 type KopeioAuthenticationSpec struct{}
@@ -388,6 +389,32 @@ type AWSAuthenticationIdentityMappingSpec struct {
 	Groups []string `json:"groups,omitempty"`
 }
 
+type OIDCAuthenticationSpec struct {
+	// UsernameClaim is the OpenID claim to use as the username.
+	// Note that claims other than the default ('sub') are not guaranteed to be
+	// unique and immutable.
+	UsernameClaim *string `json:"usernameClaim,omitempty"`
+	// UsernamePrefix is the prefix prepended to username claims to prevent
+	// clashes with existing names (such as 'system:' users).
+	UsernamePrefix *string `json:"usernamePrefix,omitempty"`
+	// GroupsClaims are the names of the custom OpenID Connect claims for
+	// specifying user groups (optional).
+	GroupsClaims []string `json:"groupsClaims,omitempty"`
+	// GroupsPrefix is the prefix prepended to group claims to prevent
+	// clashes with existing names (such as 'system:' groups).
+	GroupsPrefix *string `json:"groupsPrefix,omitempty"`
+	// IssuerURL is the URL of the OpenID issuer. Only the HTTPS scheme will
+	// be accepted.
+	// If set, will be used to verify the OIDC JSON Web Token (JWT).
+	IssuerURL *string `json:"issuerURL,omitempty"`
+	// ClientID is the client ID for the OpenID Connect client. Must be set
+	// if issuerURL is set.
+	ClientID *string `json:"clientID,omitempty"`
+	// RequiredClaims are key/value pairs that describe required claims in the ID Token.
+	// If set, the claims are verified to be present in the ID Token with corresponding values.
+	RequiredClaims map[string]string `json:"requiredClaims,omitempty"`
+}
+
 type AuthorizationSpec struct {
 	AlwaysAllow *AlwaysAllowAuthorizationSpec `json:"alwaysAllow,omitempty"`
 	RBAC        *RBACAuthorizationSpec        `json:"rbac,omitempty"`

pkg/apis/kops/v1alpha3/componentconfig.go

@@ -364,28 +364,28 @@ type KubeAPIServerConfig struct {
 	// OIDCUsernameClaim is the OpenID claim to use as the user name.
 	// Note that claims other than the default ('sub') is not guaranteed to be
 	// unique and immutable.
-	OIDCUsernameClaim *string `json:"oidcUsernameClaim,omitempty" flag:"oidc-username-claim"`
+	OIDCUsernameClaim *string `json:"-" flag:"oidc-username-claim"`
 	// OIDCUsernamePrefix is the prefix prepended to username claims to prevent
 	// clashes with existing names (such as 'system:' users).
-	OIDCUsernamePrefix *string `json:"oidcUsernamePrefix,omitempty" flag:"oidc-username-prefix"`
+	OIDCUsernamePrefix *string `json:"-" flag:"oidc-username-prefix"`
 	// OIDCGroupsClaim if provided, the name of a custom OpenID Connect claim for
 	// specifying user groups.
 	// The claim value is expected to be a string or array of strings.
-	OIDCGroupsClaim *string `json:"oidcGroupsClaim,omitempty" flag:"oidc-groups-claim"`
+	OIDCGroupsClaim *string `json:"-" flag:"oidc-groups-claim"`
 	// OIDCGroupsPrefix is the prefix prepended to group claims to prevent
 	// clashes with existing names (such as 'system:' groups)
-	OIDCGroupsPrefix *string `json:"oidcGroupsPrefix,omitempty" flag:"oidc-groups-prefix"`
+	OIDCGroupsPrefix *string `json:"-" flag:"oidc-groups-prefix"`
 	// OIDCIssuerURL is the URL of the OpenID issuer, only HTTPS scheme will
 	// be accepted.
 	// If set, it will be used to verify the OIDC JSON Web Token (JWT).
-	OIDCIssuerURL *string `json:"oidcIssuerURL,omitempty" flag:"oidc-issuer-url"`
+	OIDCIssuerURL *string `json:"-" flag:"oidc-issuer-url"`
 	// OIDCClientID is the client ID for the OpenID Connect client, must be set
 	// if oidc-issuer-url is set.
-	OIDCClientID *string `json:"oidcClientID,omitempty" flag:"oidc-client-id"`
+	OIDCClientID *string `json:"-" flag:"oidc-client-id"`
 	// A key=value pair that describes a required claim in the ID Token.
 	// If set, the claim is verified to be present in the ID Token with a matching value.
 	// Repeat this flag to specify multiple claims.
-	OIDCRequiredClaim []string `json:"oidcRequiredClaim,omitempty" flag:"oidc-required-claim,repeat"`
+	OIDCRequiredClaim []string `json:"-" flag:"oidc-required-claim,repeat"`
 	// OIDCCAFile if set, the OpenID server's certificate will be verified by one
 	// of the authorities in the oidc-ca-file
 	OIDCCAFile *string `json:"oidcCAFile,omitempty" flag:"oidc-ca-file"`

pkg/apis/kops/v1alpha3/zz_generated.conversion.go

@@ -964,6 +964,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*OIDCAuthenticationSpec)(nil), (*kops.OIDCAuthenticationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec(a.(*OIDCAuthenticationSpec), b.(*kops.OIDCAuthenticationSpec), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*kops.OIDCAuthenticationSpec)(nil), (*OIDCAuthenticationSpec)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec(a.(*kops.OIDCAuthenticationSpec), b.(*OIDCAuthenticationSpec), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*OpenstackBlockStorageConfig)(nil), (*kops.OpenstackBlockStorageConfig)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1alpha3_OpenstackBlockStorageConfig_To_kops_OpenstackBlockStorageConfig(a.(*OpenstackBlockStorageConfig), b.(*kops.OpenstackBlockStorageConfig), scope)
 	}); err != nil {
@@ -1706,6 +1716,15 @@ func autoConvert_v1alpha3_AuthenticationSpec_To_kops_AuthenticationSpec(in *Auth
 	} else {
 		out.AWS = nil
 	}
+	if in.OIDC != nil {
+		in, out := &in.OIDC, &out.OIDC
+		*out = new(kops.OIDCAuthenticationSpec)
+		if err := Convert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.OIDC = nil
+	}
 	return nil
 }
 
@@ -1733,6 +1752,15 @@ func autoConvert_kops_AuthenticationSpec_To_v1alpha3_AuthenticationSpec(in *kops
 	} else {
 		out.AWS = nil
 	}
+	if in.OIDC != nil {
+		in, out := &in.OIDC, &out.OIDC
+		*out = new(OIDCAuthenticationSpec)
+		if err := Convert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec(*in, *out, s); err != nil {
+			return err
+		}
+	} else {
+		out.OIDC = nil
+	}
 	return nil
 }
 
@@ -6597,6 +6625,38 @@ func Convert_kops_NvidiaGPUConfig_To_v1alpha3_NvidiaGPUConfig(in *kops.NvidiaGPU
 	return autoConvert_kops_NvidiaGPUConfig_To_v1alpha3_NvidiaGPUConfig(in, out, s)
 }
 
+func autoConvert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec(in *OIDCAuthenticationSpec, out *kops.OIDCAuthenticationSpec, s conversion.Scope) error {
+	out.UsernameClaim = in.UsernameClaim
+	out.UsernamePrefix = in.UsernamePrefix
+	out.GroupsClaims = in.GroupsClaims
+	out.GroupsPrefix = in.GroupsPrefix
+	out.IssuerURL = in.IssuerURL
+	out.ClientID = in.ClientID
+	out.RequiredClaims = in.RequiredClaims
+	return nil
+}
+
+// Convert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec is an autogenerated conversion function.
+func Convert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec(in *OIDCAuthenticationSpec, out *kops.OIDCAuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_v1alpha3_OIDCAuthenticationSpec_To_kops_OIDCAuthenticationSpec(in, out, s)
+}
+
+func autoConvert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec(in *kops.OIDCAuthenticationSpec, out *OIDCAuthenticationSpec, s conversion.Scope) error {
+	out.UsernameClaim = in.UsernameClaim
+	out.UsernamePrefix = in.UsernamePrefix
+	out.GroupsClaims = in.GroupsClaims
+	out.GroupsPrefix = in.GroupsPrefix
+	out.IssuerURL = in.IssuerURL
+	out.ClientID = in.ClientID
+	out.RequiredClaims = in.RequiredClaims
+	return nil
+}
+
+// Convert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec is an autogenerated conversion function.
+func Convert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec(in *kops.OIDCAuthenticationSpec, out *OIDCAuthenticationSpec, s conversion.Scope) error {
+	return autoConvert_kops_OIDCAuthenticationSpec_To_v1alpha3_OIDCAuthenticationSpec(in, out, s)
+}
+
 func autoConvert_v1alpha3_OpenstackBlockStorageConfig_To_kops_OpenstackBlockStorageConfig(in *OpenstackBlockStorageConfig, out *kops.OpenstackBlockStorageConfig, s conversion.Scope) error {
 	out.Version = in.Version
 	out.IgnoreAZ = in.IgnoreAZ

pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go

@@ -355,6 +355,11 @@ func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) {
 		*out = new(AWSAuthenticationSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.OIDC != nil {
+		in, out := &in.OIDC, &out.OIDC
+		*out = new(OIDCAuthenticationSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -4530,6 +4535,59 @@ func (in *NvidiaGPUConfig) DeepCopy() *NvidiaGPUConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthenticationSpec) DeepCopyInto(out *OIDCAuthenticationSpec) {
+	*out = *in
+	if in.UsernameClaim != nil {
+		in, out := &in.UsernameClaim, &out.UsernameClaim
+		*out = new(string)
+		**out = **in
+	}
+	if in.UsernamePrefix != nil {
+		in, out := &in.UsernamePrefix, &out.UsernamePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupsClaims != nil {
+		in, out := &in.GroupsClaims, &out.GroupsClaims
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.GroupsPrefix != nil {
+		in, out := &in.GroupsPrefix, &out.GroupsPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.IssuerURL != nil {
+		in, out := &in.IssuerURL, &out.IssuerURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequiredClaims != nil {
+		in, out := &in.RequiredClaims, &out.RequiredClaims
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationSpec.
+func (in *OIDCAuthenticationSpec) DeepCopy() *OIDCAuthenticationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthenticationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OpenstackBlockStorageConfig) DeepCopyInto(out *OpenstackBlockStorageConfig) {
 	*out = *in

pkg/apis/kops/zz_generated.deepcopy.go

@@ -354,6 +354,11 @@ func (in *AuthenticationSpec) DeepCopyInto(out *AuthenticationSpec) {
 		*out = new(AWSAuthenticationSpec)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.OIDC != nil {
+		in, out := &in.OIDC, &out.OIDC
+		*out = new(OIDCAuthenticationSpec)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -4805,6 +4810,59 @@ func (in *NvidiaGPUConfig) DeepCopy() *NvidiaGPUConfig {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OIDCAuthenticationSpec) DeepCopyInto(out *OIDCAuthenticationSpec) {
+	*out = *in
+	if in.UsernameClaim != nil {
+		in, out := &in.UsernameClaim, &out.UsernameClaim
+		*out = new(string)
+		**out = **in
+	}
+	if in.UsernamePrefix != nil {
+		in, out := &in.UsernamePrefix, &out.UsernamePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupsClaims != nil {
+		in, out := &in.GroupsClaims, &out.GroupsClaims
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.GroupsPrefix != nil {
+		in, out := &in.GroupsPrefix, &out.GroupsPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.IssuerURL != nil {
+		in, out := &in.IssuerURL, &out.IssuerURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequiredClaims != nil {
+		in, out := &in.RequiredClaims, &out.RequiredClaims
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthenticationSpec.
+func (in *OIDCAuthenticationSpec) DeepCopy() *OIDCAuthenticationSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(OIDCAuthenticationSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OpenstackBlockStorageConfig) DeepCopyInto(out *OpenstackBlockStorageConfig) {
 	*out = *in

pkg/apis/nodeup/config.go

@@ -157,6 +157,8 @@ type StaticManifest struct {
 type APIServerConfig struct {
 	// KubeAPIServer is a copy of the KubeAPIServerConfig from the cluster spec.
 	KubeAPIServer *kops.KubeAPIServerConfig
+	// Authentication is a copy of the AuthenticationSpec from the cluster spec.
+	Authentication *kops.AuthenticationSpec `json:",omitempty"`
 	// EncryptionConfigSecretHash is a hash of the encryptionconfig secret.
 	// It is empty if EncryptionConfig is not enabled.
 	// TODO: give secrets IDs and look them up like we do keypairs.
@@ -249,6 +251,13 @@ func NewConfig(cluster *kops.Cluster, instanceGroup *kops.InstanceGroup) (*Confi
 		config.APIServerConfig = &APIServerConfig{
 			KubeAPIServer: cluster.Spec.KubeAPIServer,
 		}
+		if cluster.Spec.Authentication != nil {
+			config.APIServerConfig.Authentication = cluster.Spec.Authentication
+			if cluster.Spec.Authentication.AWS != nil {
+				// The values go into the manifest and aren't needed by nodeup.
+				config.APIServerConfig.Authentication.AWS = &kops.AWSAuthenticationSpec{}
+			}
+		}
 	}
 
 	return &config, &bootConfig

tests/integration/conversion/azure/v1alpha2.yaml

@@ -9,6 +9,7 @@ spec:
   - proxy.api.minimal.example.com
   api:
     dns: {}
+  authentication: {}
   authorization:
     alwaysAllow: {}
   channel: stable
@@ -36,6 +37,16 @@ spec:
     name: events
   iam:
     legacy: false
+  kubeAPIServer:
+    oidcClientID: oidc-client
+    oidcGroupsClaim: groupclaim1,groupclaim2
+    oidcGroupsPrefix: 'oidcgroup:'
+    oidcIssuerURL: https://oidc-issuer.nonexistent
+    oidcRequiredClaim:
+    - claim1=value1
+    - claim2=value2
+    oidcUsernameClaim: user
+    oidcUsernamePrefix: 'oidc:'
   kubernetesApiAccess:
   - 0.0.0.0/0
   kubernetesVersion: v1.21.0

tests/integration/conversion/azure/v1alpha3.yaml

@@ -11,6 +11,19 @@ spec:
     - proxy.api.minimal.example.com
     dns: {}
     publicName: api.minimal.example.com
+  authentication:
+    oidc:
+      clientID: oidc-client
+      groupsClaims:
+      - groupclaim1
+      - groupclaim2
+      groupsPrefix: 'oidcgroup:'
+      issuerURL: https://oidc-issuer.nonexistent
+      requiredClaims:
+        claim1: value1
+        claim2: value2
+      usernameClaim: user
+      usernamePrefix: 'oidc:'
   authorization:
     alwaysAllow: {}
   channel: stable
@@ -37,6 +50,7 @@ spec:
     memoryRequest: 100Mi
     name: events
   iam: {}
+  kubeAPIServer: {}
   kubernetesVersion: v1.21.0
   networking:
     kubeRouter: {}