diff --git a/config.yaml b/config.yaml
index 92ce16bce1300b45d05b9d1216a226466101c5ee..e1e624cb9fb3904858b52300c03530892b278a5e 100644
--- a/config.yaml
+++ b/config.yaml
@@ -185,3 +185,13 @@
     "default": !!bool "true"
     "description": |
       If true the metrics server for Kubernetes will be deployed onto the cluster.
+  "k8s_keystone_auth_image":
+    "type": "string"
+    "default":  ""
+    "description": |
+      Address Docker image for the k8s-keystone-auth component.
+  "keystone_url":
+    "type": "string"
+    "default":  ""
+    "description": |
+      Url of the Keystone endpoint. 
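Review bot: The two new option names use underscores (`k8s_keystone_auth_image`, `keystone_url`) while the existing options this charm reads, such as `authorization-mode` in reactive/kubernetes_master.py, use hyphens; keeping one convention avoids operators guessing the key form. The `k8s_keystone_auth_image` description also reads oddly — `Address of the Docker image for the k8s-keystone-auth component.` — and the `keystone_url` description carries trailing whitespace. Since both default to the empty string but are rendered straight into the webhook deployment when `Webhook` authorization is enabled, the descriptions should state that they are required in that mode, e.g. `Required when authorization-mode includes Webhook.`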
diff --git a/reactive/kubernetes_master.py b/reactive/kubernetes_master.py
index af005d0f5124e9331f4a3a5d6b5524b689d3a1c7..70590c2bdcd5180511b80b51736ecf132a6a2e52 100644
--- a/reactive/kubernetes_master.py
+++ b/reactive/kubernetes_master.py
@@ -290,6 +290,11 @@ def configure_cni(cni):
 # Webhook configuration file
 webhook_config_path = '/root/cdk/webhook.kubeconfig'
 
+k8s_keystone_auth_path = '/root/cdk/k8s-keystone-auth-deployment.yaml'
+
+k8s_keystone_syncconfig_file_path = '/root/cdk/syncconfig.yaml'
+
+
 @when('leadership.is_leader')
 @when_not('authentication.setup')
 def setup_leader_authentication():
@@ -334,10 +339,15 @@ def setup_leader_authentication():
     auth_mode = hookenv.config('authorization-mode')
     if 'Webhook' in re.split('[,\s]+', auth_mode):
         # Render the webhook configuration from the webhook.kubeconfig template
-        webhook_context = {} # template parameters
+        webhook_context = {'k8s_keystone_auth_image': hookenv.config('k8s_keystone_auth_image'),
+                           'keystone_url': hookenv.config('keystone_url')} # template parameters
         render('webhook.kubeconfig', webhook_config_path, webhook_context)
+        render('syncconfig.yaml', k8s_keystone_syncconfig_file_path, webhook_context)
+        render('k8s_auth_deployment.yaml', k8s_auth_deployment_path, webhook_context)
     else:
         remove_if_exists(webhook_config_path)
+        remove_if_exists(k8s_keystone_syncconfig_file_path)
+        remove_if_exists(k8s_auth_deployment_path)
                     
     remove_state('kubernetes-master.components.started')
     set_state('authentication.setup')
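Review bot: `k8s_auth_deployment_path` on the new render and remove_if_exists lines is never defined — the earlier hunk in this file names the constant `k8s_keystone_auth_path` — so the Webhook branch raises NameError as soon as it runs, and the else branch does the same on cleanup. The template name is also inconsistent with the file added in this commit: `render('k8s_auth_deployment.yaml', ...)` should be `render('k8s-keystone-auth-deployment.yaml', k8s_keystone_auth_path, webhook_context)` and the cleanup `remove_if_exists(k8s_keystone_auth_path)`. The two new config values are read with a different key style than `authorization-mode` on the line above; if the option names are ever hyphenated to match, these calls must follow. With both options defaulting to `""`, the deployment manifest is rendered with an empty image and Keystone URL; guarding the render on both being set, or logging a blocked status, would surface the misconfiguration instead of an unusable manifest. setup_leader_authentication starts outside this hunk.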
diff --git a/templates/k8s-keystone-auth-deployment.yaml b/templates/k8s-keystone-auth-deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..492eb1930d970701be27a7d5041c3373a08320ca
--- /dev/null
+++ b/templates/k8s-keystone-auth-deployment.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-keystone-auth
+  namespace: kube-system
+  labels:
+    app: k8s-keystone-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k8s-keystone-auth
+  template:
+    metadata:
+      labels:
+        app: k8s-keystone-auth
+    spec:
+      nodeSelector:
+        dedicated: k8s-master
+      hostNetwork: true
+      serviceAccount: admin-user
+      serviceAccountName: admin-user
+      containers:
+        - name: k8s-keystone-auth
+          image: {{ k8s_keystone_auth_image }}
+          imagePullPolicy: Always
+          args:
+            - ./bin/k8s-keystone-auth
+            - --tls-cert-file
+            - /root/cdk/apiserver.crt
+            - --tls-private-key-file
+            - /root/cdk/apiserver.key
+            - --keystone-url
+            - {{ keystone_url }}
+#           - --policy-configmap-name
+            - k8s-auth-policy
+            - --sync-config-file
+            - /root/cdk/syncconfig.yaml
+          volumeMounts:
+          - mountPath: /root/cdk
+            name: k8s-certs
+            readOnly: true
+          - mountPath: /etc/ssl/certs
+            name: ca-certs
+            readOnly: true
+          ports:
+            - containerPort: 8443
+      volumes:
+      - name: k8s-certs
+        hostPath:
+          path: /root/cdk
+          type: DirectoryOrCreate
+      - name: ca-certs
+        hostPath:
+          path: /etc/ssl/certs
+          type: DirectoryOrCreate
+
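Review bot: Commenting out `--policy-configmap-name` leaves `- k8s-auth-policy` as a stray positional argument to the binary, which is very likely either rejected or silently ignored; either drop that line too or restore the flag. The pod also runs with `serviceAccount: admin-user`, `hostNetwork: true`, and a mount of the whole `/root/cdk` directory, which per the args holds `apiserver.key` — the API server's own TLS private key is thereby exposed to the webhook container, and any compromise of the image (pulled unpinned with `imagePullPolicy: Always`) inherits admin rights on the cluster. A dedicated service account with only the RBAC the sync needs, a separate certificate for the webhook, and a volume limited to those files would keep this at least privilege. Finally, `{{ keystone_url }}` is rendered unquoted, so an empty config value yields a null list item; quoting it (`- "{{ keystone_url }}"`) makes the rendered manifest well-formed in that case.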
diff --git a/templates/syncconfig.yaml b/templates/syncconfig.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4a5c93bc000b63ddd650e59e2a0a5bdd220f2530
--- /dev/null
+++ b/templates/syncconfig.yaml
@@ -0,0 +1,8 @@
+# In format %n and %i repesent keystone project name and id respectively
+namespace_format: "namespace-%n"
+
+# List of Keystone project ids to omit from syncing
+projects_black_list: ["id1", "id2"]
+
+# List of data types to synchronize
+"data_types_to_sync": ["projects", "role_assignments"]
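Review bot: `projects_black_list: ["id1", "id2"]` ships placeholder project IDs into the live sync configuration on every deployment, so either two real Keystone projects are silently skipped or, more likely, the list is meaningless; it should be `projects_black_list: []` or driven by a charm option like the other rendered templates. The comment on the first line has a typo (`repesent` → `represent`), and `"data_types_to_sync"` is quoted while the other keys are bare. Note that this file is rendered through the same template engine as the deployment, yet contains no template variables, so it cannot currently be customised per deployment.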