Merge "Dex function - API server under multitenant type" into v2
4c85120dd0
10
manifests/function/dex-aio/README.md
Normal file
@ -0,0 +1,10 @@
|
||||
# DEX-AIO function
|
||||
|
||||
The DEX-AIO function implements the Dex Authentication service.
|
||||
It contains the HelmRelease manifest for dex-aio, the dex-aio secrets
|
||||
for the key and certificates, and the cluster issuer for dex-aio.
|
||||
|
||||
TODO: The values are "hard-coded" for this version that can be made more
|
||||
flexible later with Kustomization transformers. A shared catalogue
|
||||
between "dex-aio" function and "type/multi-tenant/ephemeral/controlplane/dex-apiserver"
|
||||
shall be provided to ensure synchronization between them.
|
8
manifests/function/dex-aio/dex-certs-issuer.yaml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: dex-ca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: dex-ca-key-pair
|
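Review bot: `apiVersion: cert-manager.io/v1alpha3` pins a pre-GA API; ClusterIssuer is served as `cert-manager.io/v1`, and later cert-manager releases stop serving the alpha versions, so this resource will stop applying after an upgrade. Changing the line to `apiVersion: cert-manager.io/v1` is sufficient, the spec is unchanged. It is also worth stating the blast radius in a comment, since a ClusterIssuer lets any namespace request certificates from this CA and the API server patch in the same commit appears to trust the same certificate as its OIDC CA: `# Cluster-scoped: every namespace may obtain certs signed by the Dex CA; use a namespaced Issuer in 'dex' if only Dex needs them`.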
9
manifests/function/dex-aio/dex-certs-secrets.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: dex-ca-key-pair
|
||||
namespace: cert-manager
|
||||
data:
|
||||
tls.crt: "<include here dex tls certificate-b64>"
|
||||
tls.key: "<include here dex tls certificate key-b64>"
|
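Review bot: The Dex CA private key is carried as a plain `kind: Secret` under `data:` and is listed in the function's `kustomization.yaml`, so whatever replaces the `tls.key` placeholder is committed to git in base64, which is encoding rather than protection. Keep the real material out of the repository and generate or inject the secret at deploy time (a secret generator or an encrypted-secret mechanism, whichever the project already uses), leaving this file as the documented shape only. Note also that the placeholder strings are not valid base64, so `kubectl apply` rejects the manifest until they are replaced; acceptable for a template, but it should be said. Suggested header comment: `# Template only: tls.crt/tls.key must be the base64 Dex CA cert and key. Never commit real values.`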
67
manifests/function/dex-aio/dex-helmrelease.yaml
Normal file
@ -0,0 +1,67 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: dex
|
||||
---
|
||||
# Dex Helm Charts from Helm Repository (Helm Collator)
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: dex-helm-repo
|
||||
namespace: collator
|
||||
spec:
|
||||
interval: 5m
|
||||
url: http://helm-chart-collator.collator.svc:8080
|
||||
---
|
||||
# Dex Helm Charts from Git Repository
|
||||
# apiVersion: source.toolkit.fluxcd.io/v1beta1
|
||||
# kind: GitRepository
|
||||
# metadata:
|
||||
# name: dex-git-repo
|
||||
# namespace: collator
|
||||
# spec:
|
||||
# interval: 5m
|
||||
# url: https://github.com/airshipit/charts.git
|
||||
# ref:
|
||||
# branch: master
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: dex-aio
|
||||
namespace: dex
|
||||
spec:
|
||||
releaseName: dex-aio
|
||||
targetNamespace: dex
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: dex-aio
|
||||
# Referencing Dex Helm charts from Helm Collator repo
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: dex-helm-repo
|
||||
namespace: collator
|
||||
# Referencing Dex Helm charts from Git repo
|
||||
# sourceRef:
|
||||
# kind: GitRepository
|
||||
# name: dex-git-repo
|
||||
# namespace: collator
|
||||
values:
|
||||
params:
|
||||
site:
|
||||
name: Dex-Function
|
||||
endpoints:
|
||||
hostname: dex.fuction.local
|
||||
port:
|
||||
https: 30556
|
||||
http: 30554
|
||||
k8s: 8443
|
||||
nodePort:
|
||||
https: 30556
|
||||
http: 30554
|
||||
oidc:
|
||||
client_id: function-kubernetes
|
||||
client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
|
||||
service:
|
||||
type: NodePort
|
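Review bot: `hostname: dex.fuction.local` is misspelt, while the API server patch in this commit (dex-apiserver/oidc-apiserver-flags.json) sets `oidc-issuer-url` to `https://dex.function.local:30556/dex`; the API server checks the token's issuer against that URL exactly, and if Dex derives its issuer from this hostname (which the chart values suggest) every token will be rejected, so the README's "MUST be the same" requirement is broken in the first version. The fix is `hostname: dex.function.local`. Separately, `client_secret` is a literal OIDC client secret committed in plaintext in a HelmRelease; the value has to be treated as exposed and rotated, and the chart should receive it from a Kubernetes Secret through `spec.valuesFrom` (kind `Secret`, `targetPath: params.oidc.client_secret`) rather than inline `values`. The HelmRepository URL is plain `http://`, which is tolerable for an in-cluster service but deserves a one-line comment saying so.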
7
manifests/function/dex-aio/kustomization.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- dex-certs-secrets.yaml
|
||||
- dex-certs-issuer.yaml
|
||||
- dex-helmrelease.yaml
|
@ -0,0 +1,10 @@
|
||||
# DEX-APIServer kustomizations
|
||||
|
||||
The "dex-apiserver" folder provides the manifests and patches to configure the API server with
|
||||
"oidc" flags.
|
||||
|
||||
In order to ensure synchronization with the "dex-aio" service, you MUST ensure that values
|
||||
assigned to the API server "oidc" flags are the same used for the "dex-aio" service.
|
||||
|
||||
TODO: a shared catalogue shall provide the values shared between "dex-aio" service and
|
||||
the cluster's API server "oidc" flags.
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: dex-apiserver-secret
|
||||
data:
|
||||
tls.crt: "<must be same as dex tls certificate-b64>"
|
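Review bot: `dex-apiserver-secret` has no `namespace` in its metadata, while the KubeadmControlPlane patch in this commit reads it through `files[].contentFrom.secret`; as far as I can tell Cluster API resolves that reference in the namespace of the bootstrap config, i.e. the control-plane object's namespace, so unless the enclosing kustomization sets one the secret lands in the caller's current namespace and the file is never materialised. Either add `namespace:` matching the KubeadmControlPlane or document that the type-level kustomization is expected to set it. The certificate is also a second copy of the value in `dex-aio/dex-certs-secrets.yaml` that must be kept identical by hand; a comment stating that dependency would help: `# Must be byte-identical to tls.crt in function/dex-aio/dex-certs-secrets.yaml; the API server trusts this as the OIDC CA`.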
@ -0,0 +1,41 @@
|
||||
[
|
||||
{
|
||||
"op": "add",
|
||||
"path": "/spec/kubeadmConfigSpec/clusterConfiguration/apiServer",
|
||||
"value": {
|
||||
"extraArgs":
|
||||
{
|
||||
"oidc-ca-file": "/etc/kubernetes/certs/dex-cert",
|
||||
"oidc-client-id": "function-kubernetes",
|
||||
"oidc-groups-claim": "groups",
|
||||
"oidc-issuer-url": "https://dex.function.local:30556/dex",
|
||||
"oidc-username-claim": "email",
|
||||
"oidc-username-prefix": "oidc:"
|
||||
},
|
||||
"extraVolumes":
|
||||
[
|
||||
{
|
||||
"hostPath": "/etc/kubernetes/certs/dex-cert",
|
||||
"mountPath": "/etc/kubernetes/certs/dex-cert",
|
||||
"name": "dex-cert",
|
||||
"readOnly": true
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"op": "add",
|
||||
"path": "/spec/kubeadmConfigSpec/files/-",
|
||||
"value": {
|
||||
"contentFrom": {
|
||||
"secret": {
|
||||
"key": "tls.crt",
|
||||
"name": "dex-apiserver-secret"
|
||||
}
|
||||
},
|
||||
"owner": "root:root",
|
||||
"path": "/etc/kubernetes/certs/dex-cert",
|
||||
"permissions": "0644"
|
||||
}
|
||||
}
|
||||
]
|
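Review bot: The `extraArgs` block enables group mapping with `oidc-groups-claim: groups` but sets no `oidc-groups-prefix`, while usernames do get `oidc-username-prefix: oidc:`; without a prefix any group name carried in a Dex ID token is used verbatim, so a group that happens to match a built-in Kubernetes group name inherits that group's RBAC. Add `"oidc-groups-prefix": "oidc:"` next to the username prefix and adjust the RoleBindings that consume these groups accordingly. Second, `op: add` on `/spec/kubeadmConfigSpec/clusterConfiguration/apiServer` replaces the whole `apiServer` object if the base controlplane already defines one (a JSON Patch add on an existing member is a replace), silently dropping any existing `extraArgs` or `certSANs`; the base is not visible here, so please confirm, or target the individual `.../apiServer/extraArgs/...` keys instead. The `hostPath` mount being `readOnly: true` is right for a trust anchor and worth keeping.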
@ -2,3 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ../../../airship-core/ephemeral/controlplane
|
||||
- dex-apiserver/apiserver-certs-secret.yaml
|
||||
|
||||
patchesJson6902:
|
||||
- target:
|
||||
group: controlplane.cluster.x-k8s.io
|
||||
version: v1alpha3
|
||||
kind: KubeadmControlPlane
|
||||
name: cluster-controlplane
|
||||
path: dex-apiserver/oidc-apiserver-flags.json
|
||||
|