From 72b12470613e55bf1eeca9bb20af414cc6847615 Mon Sep 17 00:00:00 2001 From: Christoph Mewes Date: Wed, 8 Jan 2025 14:39:52 +0100 Subject: [PATCH 1/2] rename readme On-behalf-of: @SAP christoph.mewes@sap.com --- charts/kcp/{readme.md => README.md} | 1 + 1 file changed, 1 insertion(+) rename charts/kcp/{readme.md => README.md} (98%) diff --git a/charts/kcp/readme.md b/charts/kcp/README.md similarity index 98% rename from charts/kcp/readme.md rename to charts/kcp/README.md index 746d431..de08d3c 100644 --- a/charts/kcp/readme.md +++ b/charts/kcp/README.md @@ -29,6 +29,7 @@ Currently configurable options: * OIDC * Github user access to project * External hostname +* Authorization Webhook ### Monitoring From f3391046164ff2bad1e3c5e0b33f11c153a2394b Mon Sep 17 00:00:00 2001 From: Christoph Mewes Date: Wed, 8 Jan 2025 16:56:09 +0100 Subject: [PATCH 2/2] add options to the kcp chart to enable webhook authorization On-behalf-of: @SAP christoph.mewes@sap.com --- charts/kcp/templates/server-deployment.yaml | 12 ++++++++++++ charts/kcp/values.yaml | 7 +++++++ 2 files changed, 19 insertions(+) diff --git a/charts/kcp/templates/server-deployment.yaml b/charts/kcp/templates/server-deployment.yaml index b48d46e..4ee0250 100644 --- a/charts/kcp/templates/server-deployment.yaml +++ b/charts/kcp/templates/server-deployment.yaml @@ -171,6 +171,9 @@ spec: - --profiler-address=0.0.0.0:{{- .Values.kcp.profiling.port -}} {{- end }} - --batteries-included={{- include "kcp.batteries" . }} + {{- if .Values.kcp.authorization.webhook.secretName }} + - --authorization-webhook-config-file=/etc/kcp/authorization/webhook/kubeconfig + {{- end }} {{- range .Values.kcp.extraFlags }} - {{ . }} {{- end }} 
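Review bot: The container path `/etc/kcp/authorization/webhook/kubeconfig` is written out as a literal in the new `--authorization-webhook-config-file` argument and again, as the directory part, in the volumeMounts hunk later in this patch; if either is edited on its own the file silently goes missing and kcp will only report it at startup. Bind the directory once near the top of the template (outside this hunk), e.g. `{{- $webhookDir := "/etc/kcp/authorization/webhook" }}`, and render the flag as `- --authorization-webhook-config-file={{ $webhookDir }}/kubeconfig` so the mount and the flag cannot drift apart. The args list this hunk sits in starts and ends outside the hunk, so the placement of the variable is inferred from the template structure, not visible here.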
@@ -254,6 +257,10 @@ spec: - name: audit-policy mountPath: {{ .Values.audit.policy.dir }} {{- end }} + {{- if .Values.kcp.authorization.webhook.secretName }} + - name: kcp-webhook-authorization + mountPath: /etc/kcp/authorization/webhook + {{- end }} - name: logical-cluster-admin-kubeconfig mountPath: /etc/kcp/logical-cluster-admin/kubeconfig - name: logical-cluster-admin-kubeconfig-cert @@ -312,6 +319,11 @@ spec: persistentVolumeClaim: claimName: {{ include "kcp.fullname" . }}-audit-logs {{- end }} + {{- with .Values.kcp.authorization.webhook.secretName }} + - name: kcp-webhook-authorization + secret: + secretName: {{ . }} + {{- end }} - name: logical-cluster-admin-kubeconfig secret: secretName: {{ include "kcp.fullname" . }}-internal-admin-kubeconfig diff --git a/charts/kcp/values.yaml b/charts/kcp/values.yaml index 21c7089..7ece91c 100644 --- a/charts/kcp/values.yaml +++ b/charts/kcp/values.yaml @@ -76,6 +76,13 @@ kcp: user-1-token,user-1,1111-1111-1111-1111,"team-1" admin-token,admin,5555-5555-5555-5555,"system:kcp:admin" system-token,system,6666-6666-6666-6666,"system:masters" + authorization: + webhook: + # When configured, this Secret must contain a single key, "kubeconfig", containing + # a kubeconfig-style YAML file that configures kcp's authorization webhook. + # See https://docs.kcp.io/kcp/main/concepts/authorization/authorizers/#webhook-authorizer + # for more information. + secretName: "" hostAliases: enabled: false homeWorkspaces:
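Review bot: The new `kcp-webhook-authorization` volume projects every key of the named Secret into the container, although the values.yaml comment in this same patch states the Secret must contain exactly one key, `kubeconfig`; nothing in the template enforces that, so a Secret that is reused for another purpose would expose its other keys under the mount directory, and a Secret lacking the key only fails later when kcp cannot open the file. Pin the projection by adding `items:` / `- key: kubeconfig` / `path: kubeconfig` beneath `secretName`, which makes the contract explicit and has the kubelet refuse to start the pod when the key is absent rather than leaving kcp to fail on a missing file. As a point of style, this hunk guards the block with `{{- with }}` while the two sibling hunks in the same template use `{{- if }}` on the same value; picking one form for all three reads more consistently.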
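Review bot: The comment on `secretName` documents the key layout but not the operational contract an operator needs: that the chart does not create this Secret, that it has to exist in the release namespace before the server pod can start, and that the kubeconfig it holds presumably carries credentials and the CA used to reach the webhook, which decides authorization for every request kcp serves. I would extend the comment with `# This chart does not create the Secret; it must already exist in the release namespace.` and `# The kubeconfig is mounted at /etc/kcp/authorization/webhook/kubeconfig and typically holds credentials for the webhook server, so restrict read access to this Secret accordingly.` The enclosing `kcp:` mapping begins outside the hunk.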