Shiba, Sidney (sx3394) 7e89d65a8c Treasuremap - Dex/API server w/ Catalogue Support
This patchset introduces the VariableCatalogue and respective
Replacement transformers for the Dex/API server. It also implements the
kustomization of LDAP values through patches.

The VariableCatalogue for Dex/API server is located under
manifests/function/treasuremap-base-catalogues/utility-catalogue.yaml.

The replacement transformers for Dex HelmRelease and API server are
located at:
- Dex HelmRelease: manifests/function/dex-aio/replacements
- API Server: manifests/function/k8scontrol-ha/replacements

The API server replacement transformer is invoked when executing the
command "airshipctl phase run controlplane-ephemeral".

The dex-aio service replacement transformer is invoked when executing
the command "airshipctl phase run workload-target". During this phase
the LDAP values are also "kustomized" through patchesStrategicMerge.
A similar patch was added for the subclusters/provide-infra.
Also updated the dex-aio nodeSelector to deploy the pod on the worker node.

This patchset also supports LDAP Group authentication.

It also updated
treasuremap/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml
with the encrypted LDAP Binding password.

Relates-To: #135, #137, #128
Change-Id: Ie7eef44a8f0e9d02860a94a4140841d8662f8c85
2021-06-15 21:39:16 +00:00

DEX-AIO function

The DEX-AIO function implements the Dex authentication service. It contains the HelmRelease manifest for dex-aio, which carries the LDAP connector customization as well as the certificates to be used.

The certificate (Secret) used by dex-aio is generated by cert-manager and signed by the CA that is generated in the Ephemeral cluster and copied to the Target cluster during the "airshipctl phase run clusterctl-move" operation.

Before you can deploy this HelmRelease, you will need to update the following:

      ldap:
        bind_password: "your LDAP bind password"
        config:
          host: "your LDAP FQDN"
          bind_dn: "your LDAP bind username"

Also, in the same HelmRelease you will need to update the search criteria for users and groups to match your LDAP schema. The attributes to update are the following, under spec.values.ldap:

      user_search:
        base_dn: dc=testservices,dc=test,dc=com
        filter: "(objectClass=person)"
        username: cn
        idAttr: cn
        emailAttr: name
        nameAttr: name
      group_search:
        base_dn: ou=groups,dc=testservices,dc=test,dc=com
        filter: "(objectClass=group)"
        userMatchers:
          userAttr: name
          groupAttr: member
        nameAttr: name
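The two snippets above are the fields a site has to fill in, and the commit message describes them being "kustomized" through patchesStrategicMerge during the workload-target phase. The following added example (written for this page, not code from the Treasuremap project) models that step in plain Python: it merges a site overlay into the shipped ldap values the way a strategic-merge patch fills in nested mappings, then checks that no README placeholder survived and that the group_search block needed for LDAP group authentication is complete. It assumes user_search and group_search sit under ldap.config next to host and bind_dn (as in Dex's own LDAP connector config), treats userMatchers as a mapping exactly as the README shows it, and the hostname, DNs and password marker in the overlay are constructed samples.

```python
"""Merge a site overlay into the dex-aio ldap values and validate the result.

Added example, not part of the Treasuremap repo. BASE_LDAP_VALUES reproduces
the README's spec.values.ldap fields; SITE_PATCH is a constructed sample.
"""
from __future__ import annotations

import copy

# The ldap block as shipped; the "your LDAP ..." strings are the README's
# placeholders that must be replaced before deployment. Placement of
# user_search/group_search under config is an assumption (Dex-style layout).
BASE_LDAP_VALUES: dict = {
    "bind_password": "your LDAP bind password",
    "config": {
        "host": "your LDAP FQDN",
        "bind_dn": "your LDAP bind username",
        "user_search": {
            "base_dn": "dc=testservices,dc=test,dc=com",
            "filter": "(objectClass=person)",
            "username": "cn",
            "idAttr": "cn",
            "emailAttr": "name",
            "nameAttr": "name",
        },
        "group_search": {
            "base_dn": "ou=groups,dc=testservices,dc=test,dc=com",
            "filter": "(objectClass=group)",
            "userMatchers": {"userAttr": "name", "groupAttr": "member"},
            "nameAttr": "name",
        },
    },
}

# Constructed site overlay: the payload a patchesStrategicMerge entry would
# carry. The bind password is only a marker here; the real value lives in the
# encrypted secrets file and is substituted by the replacement transformer.
SITE_PATCH: dict = {
    "bind_password": "<<from-encrypted-secrets>>",
    "config": {
        "host": "ldap.example.internal:636",
        "bind_dn": "cn=dex-bind,ou=service,dc=example,dc=internal",
        "user_search": {"base_dn": "ou=people,dc=example,dc=internal"},
        "group_search": {"base_dn": "ou=groups,dc=example,dc=internal"},
    },
}

PLACEHOLDER_PREFIX = "your LDAP"


def strategic_merge(base: dict, patch: dict) -> dict:
    """Return a copy of `base` with `patch` merged in: mappings are merged key
    by key, any other patch value replaces the base value. This is the
    mapping half of strategic-merge semantics, which is all these values need."""
    merged = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = strategic_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def find_unfilled(values: dict, path: str = "ldap") -> list[str]:
    """Dotted paths of fields still holding README placeholder text, so an
    overlay that forgot a field is caught before the HelmRelease deploys."""
    problems: list[str] = []
    for key, value in values.items():
        here = f"{path}.{key}"
        if isinstance(value, dict):
            problems.extend(find_unfilled(value, here))
        elif isinstance(value, str) and value.startswith(PLACEHOLDER_PREFIX):
            problems.append(here)
    return problems


def check_group_auth(values: dict) -> list[str]:
    """Group authentication needs a complete group_search with userMatchers;
    list what is missing so group claims do not silently come back empty."""
    problems: list[str] = []
    gs = values.get("config", {}).get("group_search", {})
    for field in ("base_dn", "filter", "nameAttr"):
        if not gs.get(field):
            problems.append(f"ldap.config.group_search.{field}")
    matchers = gs.get("userMatchers") or {}
    for field in ("userAttr", "groupAttr"):
        if not matchers.get(field):
            problems.append(f"ldap.config.group_search.userMatchers.{field}")
    return problems


def render_site_values() -> dict:
    """The ldap values after the site overlay has been applied."""
    return strategic_merge(BASE_LDAP_VALUES, SITE_PATCH)


if __name__ == "__main__":
    rendered = render_site_values()
    print("unfilled placeholders:", find_unfilled(rendered))
    print("group auth problems:", check_group_auth(rendered))
```

Running it against the unpatched base reports the three placeholder fields; after the overlay is merged both checks come back empty while the filters and attribute names from the base survive untouched, which is the behaviour to expect from the real kustomize patch.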