Merge pull request #18 from bailantaotao/support-aws-iam-authenticato…

…r-for-elastickube

Support aws iam authenticator for elastickube

aws/elastikube/master.tf

@@ -62,4 +62,6 @@ module "master" {
   kubelet_flag_extra_flags = "${var.kubelet_flag_extra_flags}"
 
   extra_tags = "${var.extra_tags}"
+
+  auth_webhook_path = "${var.auth_webhook_path}"
 }

aws/elastikube/variables.tf

@@ -168,3 +168,9 @@ variable "extra_tags" {
   type        = "map"
   default     = {}
 }
+
+variable "auth_webhook_path" {
+  type        = "string"
+  default     = ""
+  description = "(Optional) A path for using customize machine to authenticate to a Kubernetes cluster."
+}

aws/kube-master/ign-control-plane.tf

@@ -30,6 +30,7 @@ module "ignition_kube_control_plane" {
   apiserver_config = {
     anonymous_auth    = false
     advertise_address = "0.0.0.0"
+    auth_webhook_path = "${var.auth_webhook_path}"
   }
 
   cloud_provider = {

aws/kube-master/variables.tf

@@ -169,3 +169,9 @@ variable "extra_tags" {
   default     = {}
   description = "Extra AWS tags to be applied to created resources."
 }
+
+variable "auth_webhook_path" {
+  type        = "string"
+  default     = ""
+  description = "(Optional) A path for using customized machine to authenticate to a Kubernetes cluster."
+}

examples/aws-iam-authenticator/ign-aws-iam-authenticator.tf

@@ -0,0 +1,6 @@
+module "ignition_aws_iam_authenticator" {
+  source = "../../ignitions/aws-iam-authenticator"
+
+  webhook_kubeconfig_ca   = "${module.kubernetes.certificate_authority}"
+  webhook_kubeconfig_path = "${var.auth_webhook_path}"
+}

examples/aws-iam-authenticator/main.tf

@@ -0,0 +1,146 @@
+locals {
+  project      = "elastikube"
+  phase        = "auth"
+  cluster_name = "${local.phase}-${local.project}"
+
+  kubernetes_version = "v1.10.5"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SSH
+# ---------------------------------------------------------------------------------------------------------------------
+
+provider "aws" {
+  version = "1.23.0"
+  region  = "${var.aws_region}"
+}
+
+resource "aws_key_pair" "ssh_key" {
+  public_key = "${file(pathexpand("~/.ssh/id_rsa.pub"))}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Network
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "network" {
+  source           = "../../aws/network"
+  aws_region       = "${var.aws_region}"
+  bastion_key_name = "${aws_key_pair.ssh_key.key_name}"
+  project          = "${local.project}"
+  phase            = "${local.phase}"
+  extra_tags       = "${var.extra_tags}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ElastiKube
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "kubernetes" {
+  source = "../../aws/elastikube"
+
+  name         = "${local.cluster_name}"
+  aws_region   = "${var.aws_region}"
+  version      = "${local.kubernetes_version}"
+  service_cidr = "${var.service_cidr}"
+  cluster_cidr = "${var.cluster_cidr}"
+
+  etcd_config = {
+    instance_count   = "3"
+    ec2_type         = "t2.medium"
+    root_volume_iops = "0"
+    root_volume_size = "256"
+    root_volume_type = "gp2"
+  }
+
+  master_config = {
+    instance_count   = "2"
+    ec2_type         = "t2.medium"
+    root_volume_iops = "0"
+    root_volume_size = "256"
+    root_volume_type = "gp2"
+  }
+
+  extra_ignition_file_ids         = "${module.ignition_aws_iam_authenticator.files}"
+  extra_ignition_systemd_unit_ids = "${module.ignition_aws_iam_authenticator.systemd_units}"
+
+  hostzone        = "${local.project}.cluster"
+  subnet_ids      = ["${module.network.private_subnet_ids}"]
+  ssh_key         = "${aws_key_pair.ssh_key.key_name}"
+  reboot_strategy = "off"
+
+  auth_webhook_path = "${var.auth_webhook_path}"
+
+  extra_tags = "${merge(map(
+      "Phase", "${local.phase}",
+      "Project", "${local.project}",
+    ), var.extra_tags)}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Worker Node (On Demand Instance)
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "worker_general" {
+  source = "../../aws/kube-worker-general"
+
+  name              = "${local.cluster_name}"
+  aws_region        = "${var.aws_region}"
+  version           = "${local.kubernetes_version}"
+  kube_service_cidr = "${var.service_cidr}"
+
+  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
+  subnet_ids         = ["${module.network.private_subnet_ids}"]
+
+  worker_config = {
+    name             = "general"
+    instance_count   = "2"
+    ec2_type         = "t2.medium"
+    root_volume_iops = "0"
+    root_volume_size = "64"
+    root_volume_type = "gp2"
+  }
+
+  s3_bucket = "${module.kubernetes.s3_bucket}"
+  ssh_key   = "${aws_key_pair.ssh_key.key_name}"
+
+  extra_tags = "${merge(map(
+      "Phase", "${local.phase}",
+      "Project", "${local.project}",
+    ), var.extra_tags)}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Worker Node (On Spot Instance)
+# ---------------------------------------------------------------------------------------------------------------------
+
+module "worker_spot" {
+  source = "../../aws/kube-worker-spot"
+
+  name              = "${local.cluster_name}"
+  aws_region        = "${var.aws_region}"
+  version           = "${local.kubernetes_version}"
+  kube_service_cidr = "${var.service_cidr}"
+
+  security_group_ids = ["${module.kubernetes.worker_sg_ids}"]
+  subnet_ids         = ["${module.network.private_subnet_ids}"]
+
+  worker_config = {
+    name               = "spot"
+    min_instance_count = "2"
+    max_instance_count = "2"
+    ec2_type           = "m4.large"
+    price              = "0.04"
+    root_volume_iops   = "0"
+    root_volume_size   = "64"
+    root_volume_type   = "gp2"
+  }
+
+  s3_bucket = "${module.kubernetes.s3_bucket}"
+  ssh_key   = "${aws_key_pair.ssh_key.key_name}"
+
+  extra_tags = "${merge(map(
+      "Phase", "${local.phase}",
+      "Project", "${local.project}",
+    ), var.extra_tags)}"
+}

examples/aws-iam-authenticator/variables.tf

@@ -0,0 +1,29 @@
+variable "aws_region" {
+  type        = "string"
+  default     = "ap-southeast-1"
+  description = "(Optional) The AWS region"
+}
+
+variable "service_cidr" {
+  type        = "string"
+  default     = "172.16.0.0/13"
+  description = "(Optional) The Kubernetes service CIDR."
+}
+
+variable "cluster_cidr" {
+  type        = "string"
+  default     = "172.24.0.0/13"
+  description = "(Optional) The Kubernetes cluster CIDR."
+}
+
+variable "extra_tags" {
+  type        = "map"
+  default     = {}
+  description = "Extra AWS tags to be applied to created resources."
+}
+
+variable "auth_webhook_path" {
+  type        = "string"
+  default     = "/etc/kubernetes/aws-iam-authenticator"
+  description = "(Optional) A path for using customize machine to authenticate to a Kubernetes cluster."
+}

ignitions/aws-iam-authenticator/manifests.tf

@@ -0,0 +1,4 @@
+locals {
+  filesystem = "root"
+  mode       = 0644
+}

ignitions/aws-iam-authenticator/outputs.tf

@@ -0,0 +1,15 @@
+output "systemd_units" {
+  value = [
+    "${data.ignition_systemd_unit.provision.id}",
+  ]
+}
+
+output "files" {
+  value = [
+    "${data.ignition_file.kubeconfig.id}",
+  ]
+}
+
+output "kubeconfig_path" {
+  value = "${var.webhook_kubeconfig_path}"
+}

ignitions/aws-iam-authenticator/provision.tf

@@ -0,0 +1,23 @@
+data "template_file" "provision" {
+  template = "${file("${path.module}/resources/services/provision.service")}"
+
+  vars {
+    api_server_secret_path = "${local.api_server_secret_path}"
+    api_server_secret_key_path = "${local.api_server_secret_path}/apiserver.key"
+    api_server_secret_crt_path = "${local.api_server_secret_path}/apiserver.crt"
+
+    state_path = "${var.state_path}"
+    state_key_path = "${var.state_path}/key.pem"
+    state_crt_path = "${var.state_path}/cert.pem"
+  }
+}
+
+data "ignition_systemd_unit" "provision" {
+  name    = "vault-provision.service"
+  enabled = true
+  content = "${data.template_file.provision.rendered}"
+}
+
+locals {
+  api_server_secret_path = "/etc/kubernetes/secrets"
+}

ignitions/aws-iam-authenticator/resources/kubernetes/webhook/kubeconfig

@@ -0,0 +1,17 @@
+# clusters refers to the remote service.
+clusters:
+  - name: aws-iam-authenticator
+    cluster:
+      certificate-authority-data: ${webhook_ca}
+      server: https://127.0.0.1:${webhook_server_port}/authenticate
+# users refers to the API Server's webhook configuration
+# (we don't need to authenticate the API server).
+users:
+  - name: apiserver
+# kubeconfig files require a context. Provide one for the API Server.
+current-context: webhook
+contexts:
+- name: webhook
+  context:
+    cluster: aws-iam-authenticator
+    user: apiserver

ignitions/aws-iam-authenticator/resources/services/provision.service

@@ -0,0 +1,20 @@
+[Unit]
+Description         = Systemd unit for provision iam-aws-authentication
+Before              = kubelet
+After               = network.target
+
+[Service]
+Type            = oneshot
+RemainAfterExit = true
+
+User  = root
+Group = root
+
+ExecStartPre = /usr/bin/mkdir -p ${state_path}
+
+ExecStart = /usr/bin/cp ${api_server_secret_key_path} ${state_key_path}
+ExecStart = /usr/bin/cp ${api_server_secret_crt_path} ${state_crt_path}
+
+[Install]
+WantedBy   = multi-user.target
+RequiredBy = kubelet

ignitions/aws-iam-authenticator/variables.tf

@@ -0,0 +1,22 @@
+variable "state_path" {
+  type        = "string"
+  default     = "/var/aws-iam-authenticator"
+  description = "Persisted TLS certificate and keys."
+}
+
+variable "server_port" {
+  default     = 21362
+  description = "Localhost port where the server will serve the /authenticate endpoint"
+}
+
+variable "webhook_kubeconfig_path" {
+  type        = "string"
+  default     = "/etc/kubernetes/aws-iam-authenticator"
+  description = "A path for using iam aws authenticator to authenticate to a Kubernetes cluster."
+}
+
+variable "webhook_kubeconfig_ca" {
+  type        = "string"
+  default     = ""
+  description = "A certificate for verifying the remote service."
+}

ignitions/aws-iam-authenticator/webhook-kubeconfig.tf

@@ -0,0 +1,19 @@
+data "template_file" "kubeconfig" {
+  template = "${file("${path.module}/resources/kubernetes/webhook/kubeconfig")}"
+
+  vars {
+    webhook_ca = "${var.webhook_kubeconfig_ca}"
+    webhook_server_port = "${var.server_port}"
+  }
+}
+
+data "ignition_file" "kubeconfig" {
+  filesystem = "${local.filesystem}"
+  mode       = "${local.mode}"
+
+  path = "${pathexpand(var.webhook_kubeconfig_path)}/kubeconfig"
+
+  content {
+    content = "${data.template_file.kubeconfig.rendered}"
+  }
+}

ignitions/kube-control-plane/kube-apiserver-yaml.tf

@@ -14,6 +14,11 @@ data "template_file" "kube_apiserver_yaml" {
     advertise_address = "${var.apiserver_config["advertise_address"]}"
     service_cidr      = "${var.cluster_config["service_cidr"]}"
 
+    auth_webhook_flag       = "${var.apiserver_config["auth_webhook_path"] != "" ? "- --authentication-token-webhook-config-file=${var.apiserver_config["auth_webhook_path"]}/kubeconfig" : "# no authentication token webhook provider"}"
+    auth_mount_volume_block = "${var.apiserver_config["auth_webhook_path"] != "" ? "${join("\n      ", list("${local.auth_volume_mount_name}", "${local.auth_volume_mount_path}", "${local.auth_volume_read_only}"))}" : "# no authentication token webhook provider"}"
+    auth_volume_block       = "${var.apiserver_config["auth_webhook_path"] != "" ? "${join("\n    ", list("${local.auth_volume_name}", "${local.auth_volume_host_path}", "${local.auth_volume_path}"))}" : "# no authentication token webhook provider"}"
+
+
     cloud_provider             = "${var.cloud_provider["name"]}"
     cloud_provider_config_flag = "${var.cloud_provider["config"] != "" ? "- --cloud-config=/etc/kubernetes/cloud/config" : "# no cloud provider config given"}"
   }
@@ -29,3 +34,13 @@ data "ignition_file" "kube_apiserver_yaml" {
     content = "${data.template_file.kube_apiserver_yaml.rendered}"
   }
 }
+
+locals {
+  auth_volume_mount_name = "- name: auth-webhook-path"
+  auth_volume_mount_path = "mountPath: ${var.apiserver_config["auth_webhook_path"]}"
+  auth_volume_read_only  = "readOnly: true"
+
+  auth_volume_name      = "${local.auth_volume_mount_name}"
+  auth_volume_host_path = "hostPath:"
+  auth_volume_path      = "  path: ${var.apiserver_config["auth_webhook_path"]}"
+}

ignitions/kube-control-plane/resources/kubernetes/manifests/kube-apiserver.yaml

@@ -41,6 +41,7 @@ spec:
     - --audit-log-maxage=30
     - --audit-log-maxbackup=3
     - --audit-log-maxsize=100
+    ${auth_webhook_flag}
     volumeMounts:
     - mountPath: /etc/ssl/certs
       name: ssl-certs-host
@@ -54,6 +55,7 @@ spec:
     - mountPath: /var/log/kubernetes
       name: var-log-kubernetes
       readOnly: false
+    ${auth_mount_volume_block}
     ports:
     - containerPort: 443
       hostPort: 443
@@ -75,3 +77,4 @@ spec:
   - name: var-log-kubernetes
     hostPath:
       path: /var/log/kubernetes
+  ${auth_volume_block}