Dex integration with LDAP Instance - Charts

This patchset adds the LDAP connector in the dex chart value where it
can be customized to connect to the lab's ITTESTSERVICES LDAP instance.

The certificates needed by Dex are generated by Cert-Manager in the Ephemeral cluster (Secret named
dex-apiserver-secret), and this Secret is then moved to the Target cluster through the command
"airshipctl phase run clusterctl-move".

This Secret (i.e., tls.crt) is used by API server for the OIDC plugin configuration, which MUST
be done on the KubeadmControlPlane resource in the Ephemeral cluster.

This patchset implements the Approach 1 described in https://hackmd.io/bdPFHBBSQy-IrpPe1U9itg.

Change-Id: I58419cad6b8d770285ceb84a3a3a0e8b3380ef15
Shiba, Sidney (sx3394) 2021-04-08 19:17:58 -05:00 committed by Shiba, Sidney
parent d37bae3277
commit 510ead0632
2 changed files with 67 additions and 3 deletions


@ -105,7 +105,8 @@ spec:
- serve
- /etc/dex/dex.yaml
env:
- name: LDAP_BINDPW
# - name: LDAP_BINDPW
- name: {{ .Values.params.ldap.config.bind_pw_env }}
valueFrom:
secretKeyRef:
name: {{ template "helpers.labels.fullname" . }}
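Review bot: The commented-out `# - name: LDAP_BINDPW` left directly above the new templated `- name: {{ .Values.params.ldap.config.bind_pw_env }}` entry is dead configuration and should be dropped rather than kept as history; the values default `bind_pw_env: LDAP_BINDPW` already records the previous fixed name. The `key` of the `secretKeyRef`, and the rest of the container spec, lie outside the hunk, so whether the referenced Secret actually carries the bind password under that key cannot be checked here. The same `bind_pw_env` value also drives `bindPW: "${{ ... }}"` in the dex config, which keeps the env var name and its reference in step as long as both keep reading that one key.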


@ -5,7 +5,7 @@
images:
applications:
dex:
tag: v2.20.0
tag: v2.28.1
name: dexidp/dex
repo: quay.io
nginx:
@ -47,7 +47,28 @@ params:
client_id: my-cluster
client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
ldap:
bind_password: super-secure
bind_password: "super-secure"
name: ITTESTSERVICES
config:
host: ldap.test.com
port: 636
bind_dn: uid@ldap.services.test.com
bind_pw_env: LDAP_BINDPW
username_prompt: SSO Username
user_search:
base_dn: dc=ldap,dc=services,dc=test,dc=com
filter: "(objectClass=person)"
username: cn
idAttr: cn
emailAttr: name
nameAttr: name
group_search:
base_dn: ou=groups,dc=ldap,dc=services,dc=test,dc=com
filter: "(objectClass=group)"
userMatchers:
userAttr: name
groupAttr: member
nameAttr: name
over_rides:
deployment:
@ -84,6 +105,48 @@ config:
- token
- id_token
skipApprovalScreen: true
connectors:
- type: ldap
name: "{{ .Values.params.ldap.name }}"
id: ldap
config:
# LDAPS without certificate validation:
host: "{{ .Values.params.ldap.config.host }}:{{ .Values.params.ldap.config.port }}"
insecureNoSSL: false
insecureSkipVerify: true
bindDN: "{{ .Values.params.ldap.config.bind_dn }}"
bindPW: "${{ .Values.params.ldap.config.bind_pw_env }}"
# usernamePrompt: Email Address
usernamePrompt: "{{ .Values.params.ldap.config.username_prompt }}"
userSearch:
# The directory directly above the user entry.
baseDN: "{{ .Values.params.ldap.config.user_search.base_dn }}"
filter: "{{ .Values.params.ldap.config.user_search.filter }}"
# Expect user to enter "attuid" when logging in.
username: "{{ .Values.params.ldap.config.user_search.username }}"
idAttr: "{{ .Values.params.ldap.config.user_search.idAttr }}"
# When an email address is not available, use another value unique to the user, like name.
emailAttr: "{{ .Values.params.ldap.config.user_search.emailAttr }}"
nameAttr: "{{ .Values.params.ldap.config.user_search.nameAttr }}"
groupSearch:
# The directory directly above the group entry.
# baseDN: cn=groups,cn=compat,dc=example,dc=org
baseDN: "{{ .Values.params.ldap.config.group_search.base_dn }}"
filter: "{{ .Values.params.ldap.config.group_search.filter }}"
# The group search needs to match the "cn" attribute on
# the user with the "member" attribute on the group.
userMatchers:
- userAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.userAttr }}"
groupAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.groupAttr }}"
# Unique name of the group.
nameAttr: "{{ .Values.params.ldap.config.group_search.nameAttr }}"
staticClients:
- id: "{{ .Values.params.oidc.client_id }}"
name: "{{ .Values.params.site.name }}"
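Review bot: The new ldap connector hard-codes `insecureSkipVerify: true` (under the `# LDAPS without certificate validation:` comment), so Dex never authenticates the LDAPS server and the bind credentials plus every user password it forwards at login are sent to whatever endpoint answers at the configured host and port. Every other connector field in this hunk is read from values, but this one is not; it should be parameterized with verification as the default, e.g. `insecureSkipVerify: {{ .Values.params.ldap.config.insecure_skip_verify }}` (unquoted, since the connector expects a boolean) and `rootCAData: "{{ .Values.params.ldap.config.root_ca_data }}"` for the directory's CA, with matching `insecure_skip_verify: false` and `root_ca_data: ""` entries added beside `port: 636` in the second hunk (value names are a proposal). The second hunk also commits `bind_password: "super-secure"` as the chart default next to a real-looking `bind_dn`; an obviously dummy placeholder there would make an unoverridden deployment fail loudly instead of binding with a published password.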