Salt: Add and Render
DEX
deployment configuration
This commit adds the following: Adds method to obtain OIDC service IP and binds this static IP as the ClusterIP address for DEX service. Adds `metalk8s-auth` namespace which holds OIDC/authentication cluster resources (pods). Automatically generate dex deployment, service account, cluster role and cluster role bindings. The DEX chart.sls is generated from the charts using: ``` $ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls ``` Add states to deploy DEX and related server certificates. Closes: #2007 Closes: #2011
Showing
18 changed files
with
574 additions
and
0 deletions.
@@ -0,0 +1,94 @@ | ||
image: '{% endraw %}{{ build_image_name(\"dex\", False) }}{% raw %}' | ||
|
||
nodeSelector: | ||
node-role.kubernetes.io/infra: '' | ||
|
||
tolerations: | ||
- key: "node-role.kubernetes.io/bootstrap" | ||
operator: "Exists" | ||
effect: "NoSchedule" | ||
- key: "node-role.kubernetes.io/infra" | ||
operator: "Exists" | ||
effect: "NoSchedule" | ||
|
||
replicas: 2 | ||
|
||
# grpc support | ||
grpc: false | ||
|
||
# https termination by dex itself | ||
https: true | ||
|
||
service: | ||
clusterIP: '{% endraw %}{{ salt.metalk8s_network.get_oidc_service_ip() }}{% raw %}' | ||
|
||
ingress: | ||
enabled: true | ||
annotations: | ||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" | ||
kubernetes.io/ingress.class: "nginx-control-plane" | ||
path: /oidc | ||
hosts: | ||
- null | ||
|
||
# extraVolumes: | ||
# - name: theme | ||
# configMap: | ||
# name: dex-branding | ||
|
||
# extraVolumeMounts: | ||
# - name: theme | ||
# mountPath: /web/themes/custom/ | ||
|
||
certs: | ||
web: | ||
create: false | ||
grpc: | ||
create: false | ||
|
||
config: | ||
issuer: '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc{% raw %}' | ||
web: | ||
tlsCert: /etc/dex/tls/https/server/tls.crt | ||
tlsKey: /etc/dex/tls/https/server/tls.key | ||
frontend: | ||
theme: "coreos" #metalk8s-ui | ||
# dir: /web/themes/custom/ | ||
|
||
connectors: {} | ||
|
||
oauth2: | ||
alwaysShowLoginScreen: true | ||
skipApprovalScreen: true | ||
responseTypes: ["code", "token", "id_token"] | ||
|
||
expiry: | ||
signingKeys: "6h" | ||
idTokens: "24h" | ||
|
||
staticClients: | ||
- id: oidc-auth-client | ||
redirectURIs: | ||
- 'urn:ietf:wg:oauth:2.0:oob' | ||
name: 'oidc-auth-client' | ||
secret: "lkfa9jaf3kfakqyeoikfjakf93k2l" | ||
trustedPeers: | ||
- metalk8s-ui | ||
- grafana-ui | ||
- id: metalk8s-ui | ||
redirectURIs: | ||
- '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback{% raw %}' | ||
name: 'MetalK8s UI' | ||
secret: "ybrMJpVMQxsiZw26MhJzCjA2ut" | ||
- id: grafana-ui | ||
name: 'Grafana UI' | ||
redirectURIs: | ||
- '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth{% raw %}' | ||
secret: "4lqK98NcsWG5qBRHJUqYM1" | ||
|
||
staticPasswords: | ||
- email: "[email protected]" | ||
# bcrypt hash of the string "password" | ||
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" | ||
username: "admin" | ||
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" |
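Review bot: The `secret` values of the three `staticClients` entries (`oidc-auth-client`, `metalk8s-ui`, `grafana-ui`) and the `staticPasswords` admin entry, whose `hash` is by its own comment the bcrypt of the string "password", are literal values in this values file, so every cluster rendered from it shares the same client secrets and the same default admin credential. The file already templates `issuer` and the redirect URIs from grains, so the secrets could be pulled from pillar the same way (constructed example: `secret: '{% endraw %}{{ pillar.<dex-client-secret-key> }}{% raw %}'`) and the static admin entry either dropped or made to fail rendering while the default hash is still in place. `expiry.idTokens: "24h"` is also a long lifetime for a bearer token accepted by the UI and Grafana; if that is intentional, a one-line comment stating why (and that the default admin is bootstrap-only) would help the next reader.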
@@ -0,0 +1,25 @@ | ||
{%- set dex_ca_b64_server = salt['mine.get']( | ||
pillar.metalk8s.ca.minion, 'dex_ca_b64' | ||
) %} | ||
|
||
{%- if dex_ca_b64_server %} | ||
|
||
{%- set dex_cert_b64 = dex_ca_b64_server[pillar.metalk8s.ca.minion] %} | ||
{%- set dex_ca_cert = salt['hashutil.base64_b64decode'](dex_cert_b64) %} | ||
|
||
Ensure Dex CA cert is present: | ||
file.managed: | ||
- name: /etc/metalk8s/pki/dex/ca.crt | ||
- user: root | ||
- group : root | ||
- mode: 644 | ||
- makedirs: True | ||
- dir_mode: 755 | ||
- contents: {{ dex_ca_cert.splitlines() }} | ||
|
||
{%- else %} | ||
|
||
Unable to get Dex CA cert, no kubernetes_dex_ca_b64 in mine: | ||
test.fail_without_changes: [] | ||
|
||
{%- endif %} |
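Review bot: The failure state ID `Unable to get Dex CA cert, no kubernetes_dex_ca_b64 in mine` names a mine function this file never queries; the `mine.get` call at the top asks for `dex_ca_b64`, so the message sends an operator looking for the wrong key. Change it to `Unable to get Dex CA cert, no dex_ca_b64 in mine:`. The intermediate `dex_cert_b64` also holds the CA certificate rather than a server certificate; naming it `dex_ca_b64` would match the mine function and the file it is written to.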
@@ -0,0 +1,11 @@ | ||
# | ||
# State to manage Dex Certificate Authority | ||
# | ||
# Available states | ||
# ================ | ||
# | ||
# * installed -> install and advertise as Dex CA | ||
# * advertised -> deploy the Dex CA certificate | ||
# | ||
include: | ||
- .installed |
@@ -0,0 +1,42 @@ | ||
{%- from "metalk8s/map.jinja" import dex with context %} | ||
include: | ||
- metalk8s.internal.m2crypto | ||
Create dex CA private key: | ||
x509.private_key_managed: | ||
- name: /etc/metalk8s/pki/dex/ca.key | ||
- bits: 4096 | ||
- verbose: False | ||
- user: root | ||
- group: root | ||
- mode: 600 | ||
- makedirs: True | ||
- dir_mode: 755 | ||
- require: | ||
- metalk8s_package_manager: Install m2crypto | ||
Generate dex CA certificate: | ||
x509.certificate_managed: | ||
- name: /etc/metalk8s/pki/dex/ca.crt | ||
- signing_private_key: /etc/metalk8s/pki/dex/ca.key | ||
- CN: dex-ca | ||
- keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign" | ||
- basicConstraints: "critical CA:true" | ||
- days_valid: {{ dex.ca.cert.days_valid }} | ||
- user: root | ||
- group: root | ||
- mode: 644 | ||
- makedirs: True | ||
- dir_mode: 755 | ||
- require: | ||
- x509: Create dex CA private key | ||
Advertise dex CA certificate in the mine: | ||
module.wait: | ||
- mine.send: | ||
- func: dex_ca_b64 | ||
- mine_function: hashutil.base64_encodefile | ||
- /etc/metalk8s/pki/dex/ca.crt | ||
- watch: | ||
- x509: Generate dex CA certificate |
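Review bot: `Advertise dex CA certificate in the mine` is a `module.wait` on `Generate dex CA certificate`, so it only publishes `dex_ca_b64` on a run where the certificate state reports changes; if `/etc/metalk8s/pki/dex/ca.crt` already exists unchanged (re-running the state after a mine cache loss, or a bootstrap restored with its PKI directory), nothing re-sends the value and the consumer state's `test.fail_without_changes` branch fires. Unless another state refreshes the mine (not visible in this commit), switching to `module.run:` with `- require:` in place of `- watch:` re-publishes the current file on every run at no real cost. Separately, `keyUsage` on the CA includes `keyEncipherment`, which a signing-only CA does not need; `"critical digitalSignature, keyCertSign"` (plus `cRLSign` if CRLs are ever issued) is the narrower assertion.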
@@ -0,0 +1,2 @@ | ||
include: | ||
- .server |
@@ -0,0 +1,47 @@ | ||
{%- from "metalk8s/map.jinja" import dex with context %} | ||
{%- set oidc_service_ip = salt.metalk8s_network.get_oidc_service_ip() %} | ||
include: | ||
- metalk8s.internal.m2crypto | ||
Create Dex server private key: | ||
x509.private_key_managed: | ||
- name: /etc/metalk8s/pki/dex/server.key | ||
- bits: 4096 | ||
- verbose: False | ||
- user: root | ||
- group: root | ||
- mode: 600 | ||
- makedirs: True | ||
- dir_mode: 755 | ||
- require: | ||
- metalk8s_package_manager: Install m2crypto | ||
{%- set certSANs = [ | ||
grains.fqdn, | ||
'localhost', | ||
'127.0.0.1', | ||
'dex', | ||
'dex.metalk8s-auth', | ||
'dex.metalk8s-auth.svc', | ||
'dex.metalk8s-auth.svc.cluster.local', | ||
oidc_service_ip, | ||
grains.metalk8s.control_plane_ip, | ||
] %} | ||
Generate Dex server certificate: | ||
x509.certificate_managed: | ||
- name: /etc/metalk8s/pki/dex/server.crt | ||
- public_key: /etc/metalk8s/pki/dex/server.key | ||
- ca_server: {{ pillar.metalk8s.ca.minion }} | ||
- signing_policy: {{ dex.cert.server_signing_policy }} | ||
- CN: dex-server | ||
- subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}" | ||
- user: root | ||
- group: root | ||
- mode: 644 | ||
- makedirs: True | ||
- dir_mode: 755 | ||
- require: | ||
- x509: Create Dex server private key |
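Review bot: Nothing in this state says how `/etc/metalk8s/pki/dex/server.key` (root, mode 600) and `server.crt` reach the Dex pod, which the values file configures to read `/etc/dex/tls/https/server/tls.key` and `tls.crt`; that hand-off presumably lives in one of the files not shown here, and a header comment naming the consuming state would save the next reader the search. The `certSANs` list also includes `localhost` and `127.0.0.1`, which the ingress-to-ClusterIP path in the values file does not use, so unless host-local access to Dex is intended those two entries could be dropped to keep the certificate's claims minimal. The `| unique` filter already covers the case where `grains.fqdn` or `oidc_service_ip` duplicates `control_plane_ip`, which is worth a brief comment on the `certSANs` block.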