Greetings,
I am looking to enable basic auth on the kind cluster which gets created when I do
$ kind create cluster
I found the doc here: https://kind.sigs.k8s.io/docs/user/configuration/, but I couldn't find options on how to enable basic auth for the apiserver. This is in reference to passing the following flag to the apiserver: --basic-auth-file=SOMEFILE, which I found mentioned here: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#static-password-file
Was wondering if this is possible as of now.
I'm not sure if kubeadm allows this at this point.
You can patch kubeadm config with patches like https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster (needs better docs, PR in the works...)
but I would not recommend this anyhow, you won't find clusters supporting this generally.
The KUBECONFIG produced by kind has standard kubernetes authorization; I would highly recommend using a client that can consume this format properly.
cc @neolit123
I am looking to enable basic auth on the kind cluster which gets created when I
basic auth was deprecated in core k8s in 1.16:
https://github.com/kubernetes/kubernetes/blob/60e72753f3283c52ca3fcadf57a7d8c1edb56833/CHANGELOG/CHANGELOG-1.16.md
given it's a GA feature it will get removed in 1.19 or 1.20.
for older versions of k8s / kind you can read these docs:
https://v1-16.docs.kubernetes.io/docs/reference/access-authn-authz/authentication/#static-password-file
and --basic-auth-file can be passed to kubeadm using ClusterConfiguration -> apiServer -> extraArgs:
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/
https://kind.sigs.k8s.io/docs/user/quick-start/#enable-feature-gates-in-your-cluster
but yes, using this feature is not recommended.
Thanks Lubomir :-)
Thanks for the help folks, I got this working by passing the following, just putting it out here in case someone else also wants to try this out.
$ cat config.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
kubeadmConfigPatches:
- |
  kind: ClusterConfiguration
  metadata:
    name: config
  apiServer:
    extraArgs:
      "basic-auth-file": "/etc/kubernetes/api-server-basic-auth-files/users.csv"
    extraVolumes:
    - name: api-server-basic-auth-files
      hostPath: "/etc/kubernetes/api-server-basic-auth-files"
      mountPath: "/etc/kubernetes/api-server-basic-auth-files"
      readOnly: true
nodes:
- role: control-plane
  image: kindest/node:v1.14.10@sha256:81ae5a3237c779efc4dda43cc81c696f88a194abcc4f8fa34f86cf674aa14977
  extraMounts:
  - containerPath: /etc/kubernetes/api-server-basic-auth-files
    hostPath: /tmp/api-server-basic-auth-files
    readOnly: true
the basic auth file present in the api-server pod
$ kubectl exec -it kube-apiserver-kind-control-plane -n kube-system /bin/sh
# cd /etc/kubernetes/api-server-basic-auth-files
# cat users.csv
somepassword,johndoe,johndoe123,developers
#
Being passed as an argument to the apiserver binary when it starts
$ k describe pods kube-apiserver-kind-control-plane -n kube-system
Name:                 kube-apiserver-kind-control-plane
Namespace:            kube-system
Priority:             2000000000
Priority Class Name:  system-cluster-critical
Node:                 kind-control-plane/172.17.0.4
Start Time:           Fri, 24 Apr 2020 22:45:24 +0530
Labels:               component=kube-apiserver
                      tier=control-plane
Annotations:          kubernetes.io/config.hash: d062ea78249b6b8fc690545baa6ba62d
                      kubernetes.io/config.mirror: d062ea78249b6b8fc690545baa6ba62d
                      kubernetes.io/config.seen: 2020-04-24T17:15:18.9986624Z
                      kubernetes.io/config.source: file
Status:               Running
IP:                   172.17.0.4
IPs:                  <none>
Containers:
  kube-apiserver:
    Container ID:  containerd://7c5842a213a419cde18bf4a07b6a49c98e34e8ec5001baabb07501e85f57158a
    Image:         k8s.gcr.io/kube-apiserver:v1.14.10
    Image ID:      sha256:753b038620e6ffd32c32313cfe4b42d78b52f27f40ee9a0134bc47cf60a04556
    Port:          <none>
    Host Port:     <none>
    Command:
      kube-apiserver
      --advertise-address=172.17.0.4
      --allow-privileged=true
      --authorization-mode=Node,RBAC
      --basic-auth-file=/etc/kubernetes/api-server-basic-auth-files/users.csv
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --enable-admission-plugins=NodeRestriction
      ....
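
An added example, not part of the original thread and not kind or Kubernetes code: a Python check that spots --basic-auth-file in a kube-apiserver argument list like the one above and lists the accounts in the password file without echoing passwords. The function names and the alice row are constructed for illustration; the row layout password,user,uid,"groups" is the one described in the static password file documentation linked earlier in the thread.

```python
import csv
import io

# Flag discussed in this thread: makes kube-apiserver accept HTTP basic auth
# checked against a plaintext CSV file.
STATIC_PASSWORD_FLAG = "--basic-auth-file"
# Group bound to cluster-admin by default in Kubernetes.
PRIVILEGED_GROUPS = {"system:masters"}


def basic_auth_path(apiserver_args):
    """Return the file passed via --basic-auth-file, or None if the flag is absent."""
    for arg in apiserver_args:
        flag, sep, value = arg.strip().partition("=")
        if flag == STATIC_PASSWORD_FLAG and sep:
            return value
    return None


def parse_users(csv_text):
    """Parse rows of password,user,uid[,"group1,group2"]; the password is dropped."""
    users = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3:
            continue  # blank or malformed line: needs password, user and uid
        groups = [g.strip() for g in row[3].split(",") if g.strip()] if len(row) > 3 else []
        users.append({"user": row[1], "uid": row[2], "groups": groups})
    return users


def audit(apiserver_args, csv_text):
    """Return findings for one kube-apiserver command line and its password file."""
    path = basic_auth_path(apiserver_args)
    if path is None:
        return []
    users = parse_users(csv_text)
    findings = [f"static password auth enabled via {path} ({len(users)} account(s))"]
    for u in users:
        hit = PRIVILEGED_GROUPS.intersection(u["groups"])
        if hit:
            findings.append(f"{u['user']} is in privileged group {sorted(hit)[0]}")
    return findings


# Arguments as shown in the describe output above; the second CSV row is constructed.
SAMPLE_ARGS = ["kube-apiserver", "--authorization-mode=Node,RBAC",
               "--basic-auth-file=/etc/kubernetes/api-server-basic-auth-files/users.csv"]
SAMPLE_CSV = 'somepassword,johndoe,johndoe123,developers\nconstructedpw,alice,alice1,"ops,system:masters"\n'

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARGS, SAMPLE_CSV):
        print(finding)
```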