airshipit / treasuremap

Reference Airship manifests, CICD, and reference architecture.
http://openstack.org
Apache License 2.0

Enhance Dex Deployment to Pull Configuration from Catalogues for Target Cluster #135

Closed lb4368 closed 3 years ago

lb4368 commented 3 years ago

Problem description

Currently, the configuration for Dex (#19) in a target cluster has values hard-coded in function/type manifests.

Proposed change

Enhance Dex deployment such that configuration for Dex is set/overridden in site-specific catalogues and that sensitive information (CA certs/keys, passwords) is properly encrypted when saved.

Configuration includes:

sshiba commented 3 years ago

You can assign this issue to me.

jezogwza commented 3 years ago

Similar comment as #136

sshiba commented 3 years ago

This feature can only be partially implemented. The replacement transformer can be applied to the dex-aio HelmRelease resource but cannot be applied to the API server OIDC configuration, as the "kustomization" is done through a JSON-format patch.

The kustomize supported by the airshipctl command does not support the ability to add new elements to a list when using patchesStrategicMerge. Instead, it replaces the existing elements, which are needed, with the new elements specified in the YAML patch.

There is a new kustomize feature (in kustomize v4.1.2), OpenAPI Schema, that supports this capability. The example provided works exactly as described but unfortunately, when I applied it to the KubeadmControlPlane CR, it didn't work. This issue has already been reported in the URLs listed below:
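An added illustration of the kustomize behaviour described in the comment above; it is not treasuremap code and not part of the comment. It shows a trimmed KubeadmControlPlane CR, an overlay that uses patchesStrategicMerge to add an OIDC CA volume (and silently drops the volume that was already there), and an equivalent patchesJson6902 overlay that appends instead. The CR name, host paths, issuer URL and client ID are assumed values for the example; the field layout follows the Cluster API KubeadmControlPlane CRD.

```yaml
# --- base/kubeadmcontrolplane.yaml (constructed example, trimmed to the relevant fields)
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: KubeadmControlPlane
metadata:
  name: target-cluster-control-plane      # assumed name
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:                        # a map: keys from patches are merged in
          audit-log-path: /var/log/kubernetes/audit.log
        extraVolumes:                     # a list: this is where the two patch styles differ
        - name: audit-log
          hostPath: /var/log/kubernetes
          mountPath: /var/log/kubernetes
          pathType: DirectoryOrCreate

# --- overlay-smp/kustomization.yaml
# Strategic merge on a CR: kustomize has no merge key for extraVolumes on a
# custom type, so the patched list REPLACES the base list. Result:
# extraVolumes contains only oidc-ca; the audit-log volume is lost.
resources:
- ../base
patchesStrategicMerge:
- oidc.yaml

# --- overlay-smp/oidc.yaml
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: KubeadmControlPlane
metadata:
  name: target-cluster-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          oidc-issuer-url: https://dex.example.com/dex   # assumed issuer
          oidc-client-id: kubernetes                     # assumed client ID
          oidc-ca-file: /etc/kubernetes/pki/dex-ca.crt
        extraVolumes:
        - name: oidc-ca
          hostPath: /etc/kubernetes/pki/dex-ca.crt
          mountPath: /etc/kubernetes/pki/dex-ca.crt
          readOnly: true                 # the CA only needs to be read by the API server
          pathType: File

# --- overlay-json/kustomization.yaml
# JSON 6902 patch: "op: add" with a trailing "-" appends to the list, so the
# audit-log volume is kept and oidc-ca is added next to it. Map entries are
# added with one "add" op per key.
resources:
- ../base
patchesJson6902:
- target:
    group: controlplane.cluster.x-k8s.io
    version: v1alpha3
    kind: KubeadmControlPlane
    name: target-cluster-control-plane
  path: oidc.json.yaml

# --- overlay-json/oidc.json.yaml
- op: add
  path: /spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url
  value: https://dex.example.com/dex
- op: add
  path: /spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id
  value: kubernetes
- op: add
  path: /spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-ca-file
  value: /etc/kubernetes/pki/dex-ca.crt
- op: add
  path: /spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraVolumes/-
  value:
    name: oidc-ca
    hostPath: /etc/kubernetes/pki/dex-ca.crt
    mountPath: /etc/kubernetes/pki/dex-ca.crt
    readOnly: true
    pathType: File
```

Running `kustomize build overlay-smp` and `kustomize build overlay-json` against the same base and diffing the `extraVolumes` lists makes the difference visible before anything reaches a cluster; a CI check that greps the rendered output for every volume the base declares will catch the silent replacement. The JSON form has the downside the thread notes: its values are literals in the patch rather than references into a catalogue, so the issuer URL and CA path still have to be kept in sync by hand (or by a separate transformer) per site.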

lb4368 commented 3 years ago

@sshiba I removed "Replica counts for the Dex pods" as a configuration item in the catalogue. Rather than including replica counts as a catalogue item, if the default replica count needs to be overridden, it can be done at the site level via a kustomize patch.

sshiba commented 3 years ago

Feature being implemented in https://review.opendev.org/c/airship/treasuremap/+/791835. Currently in the testing & validation stage.

sshiba commented 3 years ago

Addressed comments in PS but still need to decide where to put strategic merge for dex/LDAP connector.

sshiba commented 3 years ago

PS https://review.opendev.org/c/airship/treasuremap/+/791835 includes Dex/LDAP patch (patchesStrategicMerge) in treasuremap/manifests/type/subcluster/provide-infra, which will be invoked by lma and wordpress under /type/multi-tenant/subclusters

sshiba commented 3 years ago

https://review.opendev.org/c/airship/treasuremap/+/791835 is ready for review. Just waiting for zuul to pass first.

sshiba commented 3 years ago

https://review.opendev.org/c/airship/treasuremap/+/791835 is ready for review

sshiba commented 3 years ago

PS https://review.opendev.org/c/airship/treasuremap/+/791835 has been merged completing this issue.