ReSearchITEng / kubeadm-playbook

Fully fledged (HA) Kubernetes Cluster using official kubeadm, ansible and helm. Tested on RHEL/CentOS/Ubuntu with support of http_proxy, dashboard installed, ingress controller, heapster - using official helm charts
https://researchiteng.github.io/kubeadm-playbook/
The Unlicense

logging, externaldns,oauth2 #75

Open ReSearchITEng opened 5 years ago

ReSearchITEng commented 5 years ago

See https://kubeprod.io/ for the CLI -> to evaluate: https://github.com/vmware-tanzu/pinniped/blob/main/doc/architecture.md

ReSearchITEng commented 5 years ago

oauth2 -> keycloak -> OpenLDAP https://daenney.github.io/2018/10/27/beyondcorp-at-home https://en.wikipedia.org/wiki/List_of_OAuth_providers

coolamiy commented 3 years ago

Please assign this issue to me.

ReSearchITEng commented 3 years ago

Thanks @coolamiy for looking into it.

coolamiy commented 3 years ago

For oauth:

  1. We can use keycloak with FreeIPA or an LDAP server as the backend. This will also allow adding additional authentication and authorization mechanisms to the cluster.
  2. dex with gangway (heptio)
  3. webhook authentication and authorization mechanisms ..

I am done with the keycloak setup with LDAP, GitHub, Twitter and Google authentication mechanisms. Currently working with dex with the custom auth endpoint, which can also be used in the webhook auth/authz mechanism.
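As an added example of the webhook authentication option listed above (not code from this issue or from the playbook): a minimal authentication.k8s.io/v1 TokenReview handler that verifies a bearer token and maps its claims to a Kubernetes username and groups. For offline demonstration it assumes a constructed HS256 shared-secret token and a placeholder issuer URL; a real Keycloak or Dex deployment issues RS256 tokens that must be verified against the issuer's JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not from the playbook): a shared secret and a placeholder
# issuer. Real Keycloak/Dex tokens are RS256 and verified against the issuer's JWKS.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://keycloak.example.invalid/realms/k8s"
EXPECTED_AUDIENCE = "kubernetes"
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims):
    """Build a compact HS256 JWT; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"
def verify_token(token, now=None):
    """Return the claims if signature, issuer, audience and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # reject alg=none and algorithm confusion
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        aud = claims.get("aud")
        aud = [aud] if isinstance(aud, str) else (aud or [])
        if claims.get("iss") != EXPECTED_ISSUER or EXPECTED_AUDIENCE not in aud:
            return None
        if claims["exp"] <= now:  # KeyError/TypeError on a missing or malformed exp
            return None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None
    return claims
def handle_token_review(review, now=None):
    """Answer an authentication.k8s.io/v1 TokenReview as a webhook authenticator must."""
    claims = verify_token(review.get("spec", {}).get("token", ""), now)
    status = {"authenticated": False}
    if claims is not None:
        user = claims.get("preferred_username") or claims.get("sub", "")
        status = {"authenticated": True,
                  "user": {"username": user, "groups": claims.get("groups", [])}}
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "status": status}
```

The kube-apiserver posts the TokenReview to the webhook URL configured via --authentication-token-webhook-config-file and reads the `status` back; anything that is not `authenticated: true` is treated as an anonymous request.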

ReSearchITEng commented 3 years ago

While not mandatory to use operators for now, it would be nice to have:
  1.a. keycloak: the operator seems to be nice: https://github.com/keycloak/keycloak-operator (I did not try it, but it looks like a cleaner setup)
  1.b. pg db for keycloak/ldap? -> there is a pg operator as well: https://postgres-operator.readthedocs.io/en/latest/
In general, it looks cleaner and more flexible with operators.

It would also be nice to see if we can have a demo FreeIPA/LDAP deployment, at least for tests.

coolamiy commented 3 years ago

Whether using the operator or helm, both will apply keycloak with pg-sql as the backend, which holds common settings if using federated LDAP login. If using an operator for pg, then we can use the cockroach db operator with cockroach db, which is another pg implementation.

I will set up a cluster with LDAP and FreeIPA so we can set up a meeting next week to go through the same.

ReSearchITEng commented 3 years ago

> If using an operator for pg, then we can use the cockroach db operator with cockroach db, which is another pg implementation.

Yes, cockroachdb or yugadb. From what I read, yuga promises 100% PG compatibility, while cockroachdb apparently has small diffs (https://www.cockroachlabs.com/docs/stable/postgresql-compatibility.html).