Enhance Sub-Cluster Dex Deployment to Pull Configuration from Catalogues

[lb4368]

Proposed change Building on #134, enhance the Dex deployment for sub-clusters such that configuration is set/overridden in sub-cluster-specific configuration in site catalogues and that sensitive information (CA certs/keys, passwords) are properly encrypted when saved.

Configuration includes:

• The NodePort on the target cluster where the sub-cluster auth service will be exposed for HTTPS access
• The LDAP back-end info used for authentication (URL, credentials, search attributes, etc.)
• Sub-cluster information needed to enable authentication (CA cert/key, API server port, VIP address(es), FQDN(s), etc.).
• Replica count for Dex pods

[sanjib-35]

please assign it me

[sanjib-35]

Patchset for Dex Nodeport replacement in Sub-Cluster: https://review.opendev.org/c/airship/treasuremap/+/790974

[jezogwza]

Discussed in Flightplan the issue with replacing into the manifests/type/airship-core/ephemeral/controlplane/dex-apiserver/oidc-apiserver-flags.json might require using a kustomize feature (openApi) , that would possible imply we need to upgrade the libraries of kustmize that airshipctl uses.

[lb4368]

@sanjib-35 I removed "Replica counts for the Dex pods" as a configuration item in the catalogue. Rather than including replica counts as a catalogue item, if the default replica count need to be overridden, it can be done at the sub-cluster level via a kustomize patch.

[sanjib-35]

Above PS: /790974 changes have been merged to https://review.opendev.org/c/airship/treasuremap/+/790420

[sanjib-35]

Tried to make target-cluster ready to test our PSs. Got stuck with script “35_deploy_worker_node.sh", not able to provision node03.

Error:

Waiting 3600 seconds for bmh to be in ready state.

Get bmh status NAME STATUS PROVISIONING STATUS CONSUMER BMC HARDWARE PROFILE ONLINE ERROR node01 cluster-controlplane-5scm5 redfish+http://10.23.25.1:8000/redfish/v1/Systems/air-target-1 true node03 OK ready redfish+http://10.23.25.1:8000/redfish/v1/Systems/air-worker-1 unknown false Waiting 3600 seconds for node to be provisioned. Error from server (NotFound): nodes "node03" not found .Error from server (NotFound): nodes "node03" not found .Error from server (NotFound): nodes "node03" not found .Error from server (NotFound): nodes "node03" not found .Error from server (NotFound): nodes "node03" not found . . node is not ready before TIMEOUT.

[sanjib-35]

successfully deployed target cluster in Local VM. Adding Dex specific catalogue changes for subcluster, depends on this PS: https://review.opendev.org/c/airship/treasuremap/+/791835. This patchset is still WIP, once this patchset is ready for review, I can base my patchset on top of it to start work quicker

[sshiba]

PS https://review.opendev.org/c/airship/treasuremap/+/791835 will include Dex/LDAP patch (patchesStrategicMerge) in treasuremap/manifests/type/subcluster/provide-infra, which will be invoked by lmaand wordpressunder <path to>/type/multi-tenant/subclusters

[sanjib-35]

CA feature implemented in https://review.opendev.org/c/airship/treasuremap/+/793592/. Currently in discussion and testing phase, i will update accordingly.

[sanjib-35]

Dex and catalogue changes in progress in https://review.opendev.org/c/airship/treasuremap/+/795527

[sanjib-35]

Both the PSs are ready for review: https://review.opendev.org/c/airship/treasuremap/+/793592/ https://review.opendev.org/c/airship/treasuremap/+/795527

[sanjib-35]

we can get core review with (WF -1) for all PSs as we are waiting for sub-cluster deployment need to be ready with issues#130.

[sanjib-35]

Still We are waiting for reviews on above mentioned PSs.

[sanjib-35]

PS : https://review.opendev.org/c/airship/treasuremap/+/793592/ is merged and waiting for final core reviews on other PS: https://review.opendev.org/c/airship/treasuremap/+/795527/

[eak13]

All patchsets have merged, closing this issue.