Add required apiserver serviceaccount flags

In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file

This change ensures that the flags are set, and that the required keys
are in the right places.

Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408

charts/apiserver-webhook/templates/deployment.yaml

@@ -171,6 +171,7 @@ spec:
             - --etcd-keyfile={{ tuple "etcd" "client" $envAll.Values.conf.paths.pki "key" $envAll | include "local.cert_bundle_path" }}
             - --allow-privileged=true
             - --service-account-key-file={{ $envAll.Values.conf.paths.sapubkey }}
+            - --service-account-signing-key-file={{ $envAll.Values.conf.paths.saprivkey }}
             - --authentication-token-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
             - --authorization-webhook-config-file={{ $envAll.Values.conf.paths.conf }}
             {{- range $key, $val := .Values.conf.apiserver }}
@@ -200,6 +201,10 @@ spec:
               mountPath: {{ $envAll.Values.conf.paths.sapubkey }}
               subPath: service-account.pub
               readOnly: true
+            - name: secrets-etc
+              mountPath: {{ $envAll.Values.conf.paths.saprivkey }}
+              subPath: service-account.key
+              readOnly: true
             - name: configmap-etc
               mountPath: {{ $envAll.Values.conf.paths.conf }}
               subPath: webhook.kubeconfig
@@ -273,6 +278,10 @@ spec:
           configMap:
             name: {{ .Release.Name }}-etc
             defaultMode: 0444
+        - name: secrets-etc
+          secret:
+            secretName: {{ .Release.Name }}-keys
+            defaultMode: 0444
         - name: configmap-bin
           configMap:
             name: {{ .Release.Name }}-bin

charts/apiserver-webhook/templates/secret-keys.yaml

@@ -0,0 +1,27 @@
+{{/*
+Copyright 2021 AT&T Intellectual Property.  All other rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_keys }}
+{{- $envAll := . }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-keys
+type: Opaque
+data:
+  service-account.key: {{ .Values.secrets.service_account.private_key | b64enc }}
+{{- end }}

charts/apiserver-webhook/values.yaml

@@ -103,6 +103,7 @@ certificates:
 secrets:
   service_account:
     public_key: placeholder
+    private_key: placeholder
   identity:
     admin: apiserver-webhook-keystone-creds-admin
     webhook: apiserver-webhook-keystone-creds-webhook
@@ -302,6 +303,7 @@ conf:
     conf: '/etc/webhook_apiserver/webhook.kubeconfig'
     policy: '/etc/webhook_apiserver/conf/policy.json'
     sapubkey: '/etc/webhook_apiserver/pki/service-accounts.pub'
+    saprivkey: '/etc/webhook_apiserver/pki/service-accounts.key'
     encryption_provider: '/etc/webhook_apiserver/encryption_provider.json'
   # Every key below 'apiserver' yields a dynamic configuration file
   # and can mutate the apiserver command-line args.
@@ -354,6 +356,9 @@ conf:
 #         rules:
 #           - level: Metadata
 #
+    service_account_issuer:
+      command_options:
+      - --service-account-issuer=https://kubernetes.default.svc.cluster.local
   policy:
     - resource:
         verbs:
@@ -427,5 +432,6 @@ manifests:
   pod_test: false
   secret_keystone: true
   secret_tls: true
+  secret_keys: true
   service: true
   network_policy: false

charts/apiserver/templates/secret-apiserver.yaml

@@ -26,4 +26,5 @@ data:
   apiserver-key.pem: {{ .Values.secrets.tls.key | b64enc }}
   etcd-client-key.pem: {{ .Values.secrets.etcd.tls.key | b64enc }}
   kubelet-client-key.pem: {{ .Values.secrets.kubelet.tls.key | default .Values.secrets.tls.key | b64enc }}
+  service-account.key: {{ .Values.secrets.service_account.private_key | b64enc }}
 {{- end }}

charts/apiserver/values.yaml

@@ -36,6 +36,7 @@ const:
     - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
     - --secure-port=$(APISERVER_PORT)
     - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+    - --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
     - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
     - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
 
@@ -52,6 +53,7 @@ const:
     /etc/kubernetes/apiserver/pki/kubelet-client-key.pem: /keys/kubelet-client-key.pem
     /etc/kubernetes/apiserver/pki/kubelet-client.pem: /certs/kubelet-client.pem
     /etc/kubernetes/apiserver/pki/service-account.pub: /certs/service-account.pub
+    /etc/kubernetes/apiserver/pki/service-account.key: /keys/service-account.key
     /etc/kubernetes/manifests/kubernetes-apiserver.yaml: /tmp/etc/kubernetes-apiserver.yaml
 
 images:
@@ -163,6 +165,9 @@ conf:
                   - name: key1
                     secret: Xw2UcbjILTJM6QiFZ0WPSbUvjtoT8OJC/Nl8qqYWjGk=
             - identity: {}
+  service_account_issuer:
+    command_options:
+    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
 
 apiserver:
   arguments:
@@ -214,6 +219,7 @@ secrets:
     key: placeholder
   service_account:
     public_key: placeholder
+    private_key: placeholder
   etcd:
     tls:
       ca: placeholder

examples/basic/armada-resources.yaml

@@ -697,6 +697,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
     - src:
         schema: promenade/EncryptionPolicy/v1

examples/complete/armada-resources.yaml

@@ -714,6 +714,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
 data:
   chart_name: apiserver

examples/containerd/armada-resources.yaml

@@ -594,6 +594,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
     -
       src:

examples/gate/armada-resources.yaml

@@ -600,6 +600,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
     -
       src:

promenade/templates/include/genesis-apiserver.yaml

@@ -10,7 +10,9 @@
         - --kubelet-client-certificate=/etc/kubernetes/apiserver/pki/kubelet-client.pem
         - --kubelet-client-key=/etc/kubernetes/apiserver/pki/kubelet-client-key.pem
         - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+        - --service-account-issuer=https://kubernetes.default.svc.cluster.local
         - --service-account-key-file=/etc/kubernetes/apiserver/pki/service-account.pub
+        - --service-account-signing-key-file=/etc/kubernetes/apiserver/pki/service-account.key
         - --tls-cert-file=/etc/kubernetes/apiserver/pki/apiserver.pem
         - --tls-private-key-file=/etc/kubernetes/apiserver/pki/apiserver-key.pem
         {%- for argument in config.get_path('Genesis:apiserver.arguments', []) %}

promenade/templates/roles/genesis/etc/genesis/apiserver/pki/service-account.key

@@ -0,0 +1 @@
+{{ config.get(schema='deckhand/PrivateKey/v1', name='service-account') }}

tests/unit/builder_data/simple/armada-resources.yaml

@@ -607,6 +607,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
 data:
   chart_name: apiserver

tools/gate/config-templates/bootstrap-armada-config.yaml

@@ -627,6 +627,13 @@ metadata:
         path: .
       dest:
         path: .values.secrets.service_account.public_key
+    -
+      src:
+        schema: deckhand/PrivateKey/v1
+        name: service-account
+        path: .
+      dest:
+        path: .values.secrets.service_account.private_key
 
 data:
   chart_name: apiserver