From 3e07cc0038ecc25deb36f81bf215e39b5fda465f Mon Sep 17 00:00:00 2001
From: Jack Francis
Date: Thu, 5 Apr 2018 14:18:08 -0700
Subject: [PATCH] k8s apiserver --oidc properties are user-overridable (#2603)

* enable more oidc user overrides

* updated docs
---
 docs/clusterdefinition.md | 8 ++++----
 pkg/acsengine/defaults-apiserver.go | 4 ++--
 pkg/acsengine/defaults-apiserver_test.go | 20 ++++++++++++++++----
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md
index f0b3663b7f..b94966faf7 100644
--- a/docs/clusterdefinition.md
+++ b/docs/clusterdefinition.md
@@ -312,6 +312,10 @@ Below is a list of apiserver options that acs-engine will configure by default:
 |"--audit-log-maxbackup"|"10"|
 |"--audit-log-maxsize"|"100"|
 |"--feature-gates"|No default (can be a comma-separated list)|
+|"--oidc-username-claim"|"oid" (*if has AADProfile*)|
+|"--oidc-groups-claim"|"groups" (*if has AADProfile*)|
+|"--oidc-client-id"|*calculated value that represents OID client ID* (*if has AADProfile*)|
+|"--oidc-issuer-url"|*calculated value that represents OID issuer URL* (*if has AADProfile*)|
 Below is a list of apiserver options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces apiserver configuration, or because a static configuration is required to build a functional cluster:
@@ -352,10 +356,6 @@ Below is a list of apiserver options that are *not* currently user-configurable,
 |"--requestheader-username-headers"|"X-Remote-User" (*if enableAggregatedAPIs is true*)|
 |"--cloud-provider"|"azure" (*unless useCloudControllerManager is true*)|
 |"--cloud-config"|"/etc/kubernetes/azure.json" (*unless useCloudControllerManager is true*)|
-|"--oidc-username-claim"|"oid" (*if has AADProfile*)|
-|"--oidc-groups-claim"|"groups" (*if has AADProfile*)|
-|"--oidc-client-id"|*calculated value that represents OID client ID* (*if has AADProfile*)|
-|"--oidc-issuer-url"|*calculated value that represents OID issuer URL* (*if has AADProfile*)|
 #### schedulerConfig
diff --git a/pkg/acsengine/defaults-apiserver.go b/pkg/acsengine/defaults-apiserver.go
index 51ecac3581..9b9022d468 100644
--- a/pkg/acsengine/defaults-apiserver.go
+++ b/pkg/acsengine/defaults-apiserver.go
@@ -78,12 +78,12 @@ func setAPIServerConfig(cs *api.ContainerService) {
 if cs.Properties.HasAadProfile() {
 defaultAPIServerConfig["--oidc-username-claim"] = "oid"
 defaultAPIServerConfig["--oidc-groups-claim"] = "groups"
- staticLinuxAPIServerConfig["--oidc-client-id"] = "spn:" + cs.Properties.AADProfile.ServerAppID
+ defaultAPIServerConfig["--oidc-client-id"] = "spn:" + cs.Properties.AADProfile.ServerAppID
 issuerHost := "sts.windows.net"
 if GetCloudTargetEnv(cs.Location) == "AzureChinaCloud" {
 issuerHost = "sts.chinacloudapi.cn"
 }
- staticLinuxAPIServerConfig["--oidc-issuer-url"] = "https://" + issuerHost + "/" + cs.Properties.AADProfile.TenantID + "/"
+ defaultAPIServerConfig["--oidc-issuer-url"] = "https://" + issuerHost + "/" + cs.Properties.AADProfile.TenantID + "/"
 }
 // Audit Policy configuration
diff --git a/pkg/acsengine/defaults-apiserver_test.go b/pkg/acsengine/defaults-apiserver_test.go
index 8b39c510ae..fc5f1acffb 100644
--- a/pkg/acsengine/defaults-apiserver_test.go
+++ b/pkg/acsengine/defaults-apiserver_test.go
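Review bot: Moving `--oidc-client-id` and `--oidc-issuer-url` from staticLinuxAPIServerConfig into defaultAPIServerConfig means a user-supplied APIServerConfig entry now replaces the trust anchor the API server uses to validate bearer tokens, and nothing in this hunk constrains that override; kube-apiserver itself only accepts an https issuer, so a bad value surfaces as an apiserver that fails to start rather than as a cluster-definition error. If the validation layer does not already check it (not visible here), an https-scheme check on a user-supplied `--oidc-issuer-url` before template generation would fail early and with a clear message. Overriding just one of the pair also leaves the calculated partner in place, e.g. a custom issuer paired with the `spn:`+ServerAppID audience, which deserves a comment at the top of the AAD branch: `// Defaults, not statics: a user APIServerConfig entry replaces these and thereby changes which issuer/audience the apiserver trusts.` setAPIServerConfig begins before and continues after this hunk.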
@@ -146,19 +146,31 @@ func TestAPIServerConfigHasAadProfile(t *testing.T) {
 }
 usernameClaimOverride := "custom-username-claim"
 groupsClaimOverride := "custom-groups-claim"
+ clientIDOverride := "custom-client-id"
+ issuerURLOverride := "custom-issuer-url"
 cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig = map[string]string{
 "--oidc-username-claim": usernameClaimOverride,
 "--oidc-groups-claim": groupsClaimOverride,
+ "--oidc-client-id": clientIDOverride,
+ "--oidc-issuer-url": issuerURLOverride,
 }
 setAPIServerConfig(cs)
 a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
 if a["--oidc-username-claim"] != usernameClaimOverride {
- t.Fatalf("got unexpected '--oidc-username-claim' API server config value for HasAadProfile=true: %s",
- a["--oidc-username-claim"])
+ t.Fatalf("got unexpected '--oidc-username-claim' API server config value when user override provided: %s, expected: %s",
+ a["--oidc-username-claim"], usernameClaimOverride)
 }
 if a["--oidc-groups-claim"] != groupsClaimOverride {
- t.Fatalf("got unexpected '--oidc-groups-claim' API server config value for HasAadProfile=true: %s",
- a["--oidc-groups-claim"])
+ t.Fatalf("got unexpected '--oidc-groups-claim' API server config value when user override provided: %s, expected: %s",
+ a["--oidc-groups-claim"], groupsClaimOverride)
+ }
+ if a["--oidc-client-id"] != clientIDOverride {
+ t.Fatalf("got unexpected '--oidc-client-id' API server config value when user override provided: %s, expected: %s",
+ a["--oidc-client-id"], clientIDOverride)
+ }
+ if a["--oidc-issuer-url"] != issuerURLOverride {
+ t.Fatalf("got unexpected '--oidc-issuer-url' API server config value when user override provided: %s, expected: %s",
+ a["--oidc-issuer-url"], issuerURLOverride)
 }
 // Test China Cloud settings
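Review bot: The override values are arbitrary strings (`"custom-issuer-url"` is not even an https URL), so the new assertions only prove that a user entry is passed through untouched, not that the resulting apiserver config is one kube-apiserver would accept; a value of the real shape, `issuerURLOverride := "https://login.example.com/tenant/"`, keeps the test honest about what the setting is. The hunk also never exercises a partial override, so the interaction between a custom `--oidc-issuer-url` and the calculated `spn:`+ServerAppID client id is left unpinned; a case that sets only the issuer and asserts the client id is still derived from AADProfile would cover it, assuming the fixture's ServerAppID is populated earlier in the function. TestAPIServerConfigHasAadProfile starts and ends outside this hunk.
```go
	// … unchanged: full-override assertions above …
	// Partial override: a custom issuer must not disturb the calculated client id.
	cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig = map[string]string{
		"--oidc-issuer-url": issuerURLOverride,
	}
	setAPIServerConfig(cs)
	a = cs.Properties.OrchestratorProfile.KubernetesConfig.APIServerConfig
	if a["--oidc-client-id"] != "spn:"+cs.Properties.AADProfile.ServerAppID {
		t.Fatalf("got unexpected '--oidc-client-id' API server config value when only issuer overridden: %s", a["--oidc-client-id"])
	}
	// … unchanged: China Cloud settings …
```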