Spike: Dex OIDC Upgrade/Configuration Change in Existing Cluster (Brownfield)

[lb4368]

Problem description The Dex identity service running within an existing cluster may require upgrade or configuration change. We need to understand the implications of these updates on the running site.

Proposed change

• Provide a plan for applying a Dex upgrade or configuration change
• Identify impacts to cluster availability and performance during a Dex upgrade
• Identify impacts to existing cluster during a Dex configuration change (e.g. password update for LDAP back-end)

[sshiba]

Please, assign this to me. Thanks.

[sshiba]

@lb4368, Is the expectation that Dex upgrade is done through airshipctl phase run command or directly using helm upgrade command?

[lb4368]

@sshiba This would be an upgrade via airshipctl phase run. I think we would like to update the Dex manifests re-apply a phase, that delivers. If that works, we would like to then understand the implications of the upgrade or configuration change on the running cluster.

[sshiba]

[WIP] documenting finding in hackmd.io (https://hackmd.io/4K0ds3S1S0O8uV0eTaydwA)

[sshiba]

@lb4368, the hackmd.io document (https://hackmd.io/4K0ds3S1S0O8uV0eTaydwA) has been updated with the tests and recommendation for upgrading dex-aio and it is ready for review.

[lb4368]

@sshiba I looked through this and it looks good. Can we do a quick review on a design call?

[sshiba]

@lb4368 , yes, of course.

[lb4368]

Hackmd results reviewed during 9/29/21 design call. Closing this.