Automated GCP Credentials Addon Prototype (#8682)

* metadata addon works

* Add code for metadata server image and makefile rules

* remove log message

* update to work with v1.13.11

* update readme

* fix metadata addon stuff for newer codebase

* buncha changes

* just so many changes

* ch-ch-ch-ch-changes

* addon works

* update readme

* boilerplate

* revert unrelated change

* move server code to another repo

* switch addon name to gcp-auth

* metadata -> gcp-auth

* missed one

* automate finding of credentials

* remove unnecessary comment

* address comments

* Update README.md

* Update README.md

* use mustload everywhere

* swap selector condition

* upgrade kube-webhook-certgen to 1.3

* move paths to constants

* add notice to user on addon enable

* adding addon documentation

* move addons documentation inside handbook

* remove old addons docs location

Co-authored-by: Priya Wadhwa <[email protected]>

deploy/addons/gcp-auth/gcp-auth-ns.yaml

@@ -0,0 +1,20 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gcp-auth
+  labels:
+    kubernetes.io/minikube-addons: gcp-auth

deploy/addons/gcp-auth/gcp-auth-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gcp-auth
+  namespace: gcp-auth
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+      protocol: TCP
+  selector:
+    app: gcp-auth

deploy/addons/gcp-auth/gcp-auth-webhook.yaml

@@ -0,0 +1,150 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: minikube-gcp-auth-certs
+  namespace: gcp-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: minikube-gcp-auth-certs
+rules:
+  - apiGroups:
+      - ''
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+      - create
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: minikube-gcp-auth-certs
+  namespace: metadata
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: minikube-gcp-auth-certs
+subjects:
+  - kind: ServiceAccount
+    name: minikube-gcp-auth-certs
+    namespace: gcp-auth
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gcp-auth-certs-create
+  namespace: gcp-auth
+spec:
+  template:
+    metadata:
+      name: gcp-auth-certs-create
+    spec:
+      serviceAccountName: minikube-gcp-auth-certs
+      containers:
+        - name: create
+          image: jettech/kube-webhook-certgen:v1.3.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - create
+            - --host=gcp-auth,gcp-auth.gcp-auth,gcp-auth.gcp-auth.svc
+            - --namespace=gcp-auth
+            - --secret-name=gcp-auth-certs
+      restartPolicy: OnFailure
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gcp-auth
+  namespace: gcp-auth
+spec:
+  selector:
+    matchLabels:
+      app: gcp-auth
+  template:
+    metadata:
+      labels:
+        app: gcp-auth
+        kubernetes.io/minikube-addons: gcp-auth
+    spec:
+      containers:
+        - name: gcp-auth
+          image: gcr.io/k8s-minikube/gcp-auth-webhook:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 8443
+          volumeMounts:
+          - name: webhook-certs
+            mountPath: /etc/webhook/certs
+            readOnly: true
+          - name: gcp-project
+            mountPath: /var/lib/minikube/google_cloud_project
+            readOnly: true
+      volumes:
+      - name: webhook-certs
+        secret:
+          secretName: gcp-auth-certs
+      - name: gcp-project
+        hostPath:
+          path: /var/lib/minikube/google_cloud_project
+          type: File
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: gcp-auth-certs-patch
+  namespace: gcp-auth
+spec:
+  template:
+    metadata:
+      name: gcp-auth-certs-patch
+    spec:
+      serviceAccountName: minikube-gcp-auth-certs
+      containers:
+        - name: patch
+          image: jettech/kube-webhook-certgen:v1.3.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - patch
+            - --secret-name=gcp-auth-certs
+            - --namespace=gcp-auth
+            - --patch-validating=false
+            - --webhook-name=gcp-auth-webhook-cfg
+      restartPolicy: OnFailure
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gcp-auth-webhook-cfg
+  labels:
+    app: gcp-auth
+webhooks:
+- name: gcp-auth-mutate.k8s.io
+  objectSelector:
+    matchExpressions:
+      - key: gcp-auth-skip-secret
+        operator: DoesNotExist
+  sideEffects: None
+  admissionReviewVersions: ["v1","v1beta1"]
+  clientConfig:
+    service:
+      name: gcp-auth
+      namespace: gcp-auth
+      path: "/mutate"
+  rules:
+  - operations: ["CREATE", "UPDATE"]
+    apiGroups: ["*"]
+    apiVersions: ["*"]
+    resources: ["pods"]
+    scope: "*"

go.mod

@@ -72,6 +72,7 @@ require (
 	github.com/zchee/go-vmnet v0.0.0-20161021174912-97ebf9174097
 	golang.org/x/build v0.0.0-20190927031335-2835ba2e683f
 	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
 	golang.org/x/sys v0.0.0-20200523222454-059865788121
 	golang.org/x/text v0.3.2