airshipit / treasuremap

Reference Airship manifests, CICD, and reference architecture.
http://openstack.org
Apache License 2.0

Move the dex.baremetal.local /etc/hosts patch to the virtual test sites #149

Open mattmceuen opened 3 years ago

mattmceuen commented 3 years ago

The oidc-apiserver-flags.json patch, which configures the apiserver to delegate auth to Dex, currently lives in the airship-core controlplane definition as of this writing, and is moving to the k8scontrol-ha function as part of this patch.

The API server needs to be configured with a "public" URL for Dex, so that it can be reachable as part of the OIDC authentication process. In the real world, this will be a public DNS-resolvable name. For our gates, however, we currently rely on adding dex.function.local and dex.baremetal.local to the /etc/hosts file, mocking a DNS name.

Today that patching is done at the type level -- this isn't ideal, since it will result in those host entries being added to real deployments as well. This issue is to move those particular patches to the virtual test site definitions.

This is a simple change and it would be good to get into the 2.1 release.

TODO: see if we could instead use a Dex URL of e.g. https://10.23.25.102:32556/dex, in which case we would never need to touch the hosts file.

drewwalters96 commented 3 years ago

It looks like this may be a start on this: https://review.opendev.org/c/airship/treasuremap/+/792067

drewwalters96 commented 3 years ago

I took a slightly different approach than the patch above that seems to be what we need for now: https://review.opendev.org/c/airship/treasuremap/+/792828

As mentioned in the original issue, this should probably be a URL in the future.

mattmceuen commented 3 years ago

This will be a temporary fix. Long term we want to use a CoreDNS pod running on the base VM, which can replace this one.