From 0f647b97b8ea57972d2393da9dea826b310149ad Mon Sep 17 00:00:00 2001 
From: Claude Ebaneck Date: Wed, 20 Nov 2019 06:55:40 +0100 Subject: [PATCH] Salt: Add and Render `DEX` deployment configuration This commit adds the following: Adds method to obtain OIDC service IP and binds this static IP as the ClusterIP address for DEX service Adds `metalk8-auth` namespace which holds OIDC/authentication cluster resources(PODS) Automatically generate dex deployment, service account, cluster role and cluster role bindings The DEX chart.sls is generated from the charts using: ``` $ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls Add states to deploy DEX and related server certificates Closes: #2007 Closes: #2011 --- buildchain/buildchain/salt_tree.py | 10 + charts/dex.yaml | 94 +++++++ pillar/metalk8s/roles/ca.sls | 11 + salt/_modules/metalk8s_network.py | 11 + salt/metalk8s/addons/dex/ca/advertised.sls | 25 ++ salt/metalk8s/addons/dex/ca/init.sls | 11 + salt/metalk8s/addons/dex/ca/installed.sls | 42 +++ salt/metalk8s/addons/dex/certs/init.sls | 2 + salt/metalk8s/addons/dex/certs/server.sls | 47 ++++ salt/metalk8s/addons/dex/deployed/chart.sls | 264 ++++++++++++++++++ salt/metalk8s/addons/dex/deployed/init.sls | 14 + .../addons/dex/deployed/namespace.sls | 10 + .../addons/dex/deployed/tls-secret.sls | 17 ++ salt/metalk8s/defaults.yaml | 9 + salt/metalk8s/deployed.sls | 1 + salt/metalk8s/map.jinja | 4 + salt/metalk8s/roles/ca/init.sls | 1 + salt/metalk8s/salt/master/certs/init.sls | 1 + 18 files changed, 574 insertions(+) create mode 100644 charts/dex.yaml create mode 100644 salt/metalk8s/addons/dex/ca/advertised.sls create mode 100644 salt/metalk8s/addons/dex/ca/init.sls create mode 100644 salt/metalk8s/addons/dex/ca/installed.sls create mode 100644 salt/metalk8s/addons/dex/certs/init.sls create mode 100644 salt/metalk8s/addons/dex/certs/server.sls create mode 100644 salt/metalk8s/addons/dex/deployed/chart.sls create mode 100644 salt/metalk8s/addons/dex/deployed/init.sls create mode 
100644 salt/metalk8s/addons/dex/deployed/namespace.sls create mode 100644 salt/metalk8s/addons/dex/deployed/tls-secret.sls diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py index fce9d147d6..9038739797 100644 --- a/buildchain/buildchain/salt_tree.py +++ b/buildchain/buildchain/salt_tree.py @@ -216,6 +216,16 @@ def _get_parts(self) -> Iterator[str]: renderer=targets.Renderer.JSON, ), + Path('salt/metalk8s/addons/dex/ca/init.sls'), + Path('salt/metalk8s/addons/dex/ca/installed.sls'), + Path('salt/metalk8s/addons/dex/ca/advertised.sls'), + Path('salt/metalk8s/addons/dex/certs/init.sls'), + Path('salt/metalk8s/addons/dex/certs/server.sls'), + Path('salt/metalk8s/addons/dex/deployed/chart.sls'), + Path('salt/metalk8s/addons/dex/deployed/init.sls'), + Path('salt/metalk8s/addons/dex/deployed/namespace.sls'), + Path('salt/metalk8s/addons/dex/deployed/tls-secret.sls'), + Path('salt/metalk8s/addons/prometheus-operator/deployed/chart.sls'), Path('salt/metalk8s/addons/prometheus-operator/deployed/cleanup.sls'), Path('salt/metalk8s/addons/prometheus-operator/deployed/dashboards.sls'), diff --git a/charts/dex.yaml b/charts/dex.yaml new file mode 100644 index 0000000000..2376a171ae --- /dev/null +++ b/charts/dex.yaml 
@@ -0,0 +1,94 @@ +image: '{% endraw %}{{ build_image_name(\"dex\", False) }}{% raw %}' + +nodeSelector: + node-role.kubernetes.io/infra: '' + +tolerations: + - key: "node-role.kubernetes.io/bootstrap" + operator: "Exists" + effect: "NoSchedule" + - key: "node-role.kubernetes.io/infra" + operator: "Exists" + effect: "NoSchedule" + +replicas: 2 + +# grpc support +grpc: false + +# https termination by dex itself +https: true + +service: + clusterIP: '{% endraw %}{{ salt.metalk8s_network.get_oidc_service_ip() }}{% raw %}' + +ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + kubernetes.io/ingress.class: "nginx-control-plane" + path: /oidc + hosts: + - null + +# extraVolumes: +# - name: theme +# configMap: +# name: dex-branding + +# extraVolumeMounts: +# - name: theme +# mountPath: /web/themes/custom/ + +certs: + web: + create: false + grpc: + create: false + +config: + issuer: '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc{% raw %}' + web: + tlsCert: /etc/dex/tls/https/server/tls.crt + tlsKey: /etc/dex/tls/https/server/tls.key + frontend: + theme: "coreos" #metalk8s-ui + # dir: /web/themes/custom/ + + connectors: {} + + oauth2: + alwaysShowLoginScreen: true + skipApprovalScreen: true + responseTypes: ["code", "token", "id_token"] + + expiry: + signingKeys: "6h" + idTokens: "24h" + + staticClients: + - id: oidc-auth-client + redirectURIs: + - 'urn:ietf:wg:oauth:2.0:oob' + name: 'oidc-auth-client' + secret: "lkfa9jaf3kfakqyeoikfjakf93k2l" + trustedPeers: + - metalk8s-ui + - grafana-ui + - id: metalk8s-ui + redirectURIs: + - '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback{% raw %}' + name: 'MetalK8s UI' + secret: "ybrMJpVMQxsiZw26MhJzCjA2ut" + - id: grafana-ui + name: 'Grafana UI' + redirectURIs: + - '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth{% raw %}' + secret: "4lqK98NcsWG5qBRHJUqYM1" + + staticPasswords: + - email: 
"admin@metalk8s.invalid" + # bcrypt hash of the string "password" + hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" + username: "admin" + userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" \ No newline at end of file diff --git a/pillar/metalk8s/roles/ca.sls b/pillar/metalk8s/roles/ca.sls index 77b65dcd78..2ebf2bd0cc 100644 --- a/pillar/metalk8s/roles/ca.sls +++ b/pillar/metalk8s/roles/ca.sls @@ -15,6 +15,10 @@ mine_functions: mine_function: hashutil.base64_encodefile fname: /etc/kubernetes/pki/sa.pub + dex_ca_b64: + mine_function: hashutil.base64_encodefile + fname: /etc/metalk8s/pki/dex/ca.crt + ingress_ca_b64: mine_function: hashutil.base64_encodefile fname: /etc/metalk8s/pki/nginx-ingress/ca.crt @@ -62,3 +66,10 @@ x509_signing_policies: - keyUsage: critical digitalSignature, keyEncipherment - extendedKeyUsage: serverAuth - days_valid: 365 + dex_server_policy: + - minions: '*' + - signing_private_key: /etc/metalk8s/pki/dex/ca.key + - signing_cert: /etc/metalk8s/pki/dex/ca.crt + - keyUsage: critical digitalSignature, keyEncipherment + - extendedKeyUsage: serverAuth + - days_valid: 365 diff --git a/salt/_modules/metalk8s_network.py b/salt/_modules/metalk8s_network.py index 3bf664fa00..d8dc89e835 100644 --- a/salt/_modules/metalk8s_network.py +++ b/salt/_modules/metalk8s_network.py @@ -7,6 +7,7 @@ from salt.exceptions import CommandExecutionError K8S_CLUSTER_ADDRESS_NUMBER = 0 +OIDC_ADDRESS_NUMBER = 6 COREDNS_ADDRESS_NUMBER = 9 @@ -68,3 +69,13 @@ def get_cluster_dns_ip(): range. ''' return _pick_nth_service_ip(COREDNS_ADDRESS_NUMBER) + + +def get_oidc_service_ip(): + ''' + Return the OIDC service cluster IP. + + This IP is arbitrarily selected as the seventh IP from the usable hosts + range. + ''' + return _pick_nth_service_ip(OIDC_ADDRESS_NUMBER) diff --git a/salt/metalk8s/addons/dex/ca/advertised.sls b/salt/metalk8s/addons/dex/ca/advertised.sls new file mode 100644 index 0000000000..28a3d6c5fc --- /dev/null 
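Review bot: The `staticClients` secrets and the `staticPasswords` entry (whose own comment says it is the bcrypt hash of the string "password") are committed as literals, so every cluster built from this tree shares the same OAuth2 client secrets and the same admin login. The rendered `chart.sls` hunk carries these values unchanged into the `dex` Secret that the running service reads, and the rendered config additionally has `enablePasswordDB: true` and `logger.level: debug`, neither of which this values file overrides. The client secrets should come from pillar or be generated per installation rather than from chart values, and the static admin account should be opt-in. If the fixed values are meant as development defaults, a comment above `staticClients:` saying so, e.g. `# Development defaults: client secrets and the admin entry must be replaced per installation`, would at least make that explicit.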
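Review bot: `dex_server_policy` sets `minions: '*'`, so any minion can have the Dex CA sign a server certificate for whatever SAN it requests; if the other signing policies in this file are scoped more narrowly, this one should match, and otherwise a comment explaining why the Dex server certificate must be requestable from every minion would help the next reader. The policy also hard-codes `days_valid: 365` while the `defaults.yaml` hunk adds `dex.ca.signing_policy.days_valid: 365` that nothing in this patch reads; either render the pillar value from the map or drop the unused default so the two cannot drift.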
+++ b/salt/metalk8s/addons/dex/ca/advertised.sls @@ -0,0 +1,25 @@ +{%- set dex_ca_b64_server = salt['mine.get']( + pillar.metalk8s.ca.minion, 'dex_ca_b64' +) %} + +{%- if dex_ca_b64_server %} + +{%- set dex_cert_b64 = dex_ca_b64_server[pillar.metalk8s.ca.minion] %} +{%- set dex_ca_cert = salt['hashutil.base64_b64decode'](dex_cert_b64) %} + +Ensure Dex CA cert is present: + file.managed: + - name: /etc/metalk8s/pki/dex/ca.crt + - user: root + - group : root + - mode: 644 + - makedirs: True + - dir_mode: 755 + - contents: {{ dex_ca_cert.splitlines() }} + +{%- else %} + +Unable to get Dex CA cert, no kubernetes_dex_ca_b64 in mine: + test.fail_without_changes: [] + +{%- endif %} diff --git a/salt/metalk8s/addons/dex/ca/init.sls b/salt/metalk8s/addons/dex/ca/init.sls new file mode 100644 index 0000000000..69330956e0 --- /dev/null +++ b/salt/metalk8s/addons/dex/ca/init.sls @@ -0,0 +1,11 @@ +# +# State to manage Dex Certificate Authority +# +# Available states +# ================ +# +# * installed -> install and advertise as Dex CA +# * advertised -> deploy the Dex CA certificate +# +include: + - .installed diff --git a/salt/metalk8s/addons/dex/ca/installed.sls b/salt/metalk8s/addons/dex/ca/installed.sls new file mode 100644 index 0000000000..a8d3718a5c --- /dev/null +++ b/salt/metalk8s/addons/dex/ca/installed.sls 
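Review bot: The failure state id `Unable to get Dex CA cert, no kubernetes_dex_ca_b64 in mine` names a mine key that does not exist; the key queried by the `mine.get` call at the top of the file is `dex_ca_b64`, so the message will mislead whoever debugs a missing CA. Change it to `Unable to get Dex CA cert, no dex_ca_b64 in mine:`. Separately, `- group : root` has a stray space before the colon; Salt accepts it, but the sibling entries in this state are written `- group: root`.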
@@ -0,0 +1,42 @@ +{%- from "metalk8s/map.jinja" import dex with context %} + +include: + - metalk8s.internal.m2crypto + +Create dex CA private key: + x509.private_key_managed: + - name: /etc/metalk8s/pki/dex/ca.key + - bits: 4096 + - verbose: False + - user: root + - group: root + - mode: 600 + - makedirs: True + - dir_mode: 755 + - require: + - metalk8s_package_manager: Install m2crypto + +Generate dex CA certificate: + x509.certificate_managed: + - name: /etc/metalk8s/pki/dex/ca.crt + - signing_private_key: /etc/metalk8s/pki/dex/ca.key + - CN: dex-ca + - keyUsage: "critical digitalSignature, keyEncipherment, keyCertSign" + - basicConstraints: "critical CA:true" + - days_valid: {{ dex.ca.cert.days_valid }} + - user: root + - group: root + - mode: 644 + - makedirs: True + - dir_mode: 755 + - require: + - x509: Create dex CA private key + +Advertise dex CA certificate in the mine: + module.wait: + - mine.send: + - func: dex_ca_b64 + - mine_function: hashutil.base64_encodefile + - /etc/metalk8s/pki/dex/ca.crt + - watch: + - x509: Generate dex CA certificate diff --git a/salt/metalk8s/addons/dex/certs/init.sls b/salt/metalk8s/addons/dex/certs/init.sls new file mode 100644 index 0000000000..19a61bff6f --- /dev/null +++ b/salt/metalk8s/addons/dex/certs/init.sls @@ -0,0 +1,2 @@ +include: + - .server diff --git a/salt/metalk8s/addons/dex/certs/server.sls b/salt/metalk8s/addons/dex/certs/server.sls new file mode 100644 index 0000000000..ba27511c48 --- /dev/null +++ b/salt/metalk8s/addons/dex/certs/server.sls 
@@ -0,0 +1,47 @@ +{%- from "metalk8s/map.jinja" import dex with context %} + +{%- set oidc_service_ip = salt.metalk8s_network.get_oidc_service_ip() %} + +include: + - metalk8s.internal.m2crypto + +Create Dex server private key: + x509.private_key_managed: + - name: /etc/metalk8s/pki/dex/server.key + - bits: 4096 + - verbose: False + - user: root + - group: root + - mode: 600 + - makedirs: True + - dir_mode: 755 + - require: + - metalk8s_package_manager: Install m2crypto + +{%- set certSANs = [ + grains.fqdn, + 'localhost', + '127.0.0.1', + 'dex', + 'dex.metalk8s-auth', + 'dex.metalk8s-auth.svc', + 'dex.metalk8s-auth.svc.cluster.local', + oidc_service_ip, + grains.metalk8s.control_plane_ip, +] %} + +Generate Dex server certificate: + x509.certificate_managed: + - name: /etc/metalk8s/pki/dex/server.crt + - public_key: /etc/metalk8s/pki/dex/server.key + - ca_server: {{ pillar.metalk8s.ca.minion }} + - signing_policy: {{ dex.cert.server_signing_policy }} + - CN: dex-server + - subjectAltName: "{{ salt['metalk8s.format_san'](certSANs | unique) }}" + - user: root + - group: root + - mode: 644 + - makedirs: True + - dir_mode: 755 + - require: + - x509: Create Dex server private key diff --git a/salt/metalk8s/addons/dex/deployed/chart.sls b/salt/metalk8s/addons/dex/deployed/chart.sls new file mode 100644 index 0000000000..93daa34654 --- /dev/null +++ b/salt/metalk8s/addons/dex/deployed/chart.sls 
@@ -0,0 +1,264 @@ +#!jinja | metalk8s_kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes +{%- from "metalk8s/repo/macro.sls" import build_image_name with context %} + +{% raw %} + +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +stringData: + config.yaml: |- + issuer: {% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc{% raw %} + storage: + config: + inCluster: true + type: kubernetes + logger: + level: debug + web: + https: 0.0.0.0:5556 + tlsCert: /etc/dex/tls/https/server/tls.crt + tlsKey: /etc/dex/tls/https/server/tls.key + oauth2: + alwaysShowLoginScreen: true + responseTypes: + - code + - token + - id_token + skipApprovalScreen: true + staticClients: + - id: oidc-auth-client + name: oidc-auth-client + redirectURIs: + - urn:ietf:wg:oauth:2.0:oob + secret: lkfa9jaf3kfakqyeoikfjakf93k2l + trustedPeers: + - metalk8s-ui + - grafana-ui + - id: metalk8s-ui + name: MetalK8s UI + redirectURIs: + - '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback{% + raw %}' + secret: ybrMJpVMQxsiZw26MhJzCjA2ut + - id: grafana-ui + name: Grafana UI + redirectURIs: + - '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth{% + raw %}' + secret: 4lqK98NcsWG5qBRHJUqYM1 + enablePasswordDB: true + staticPasswords: + - email: admin@metalk8s.invalid + hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W + userID: 08a8684b-db88-4b73-90a9-3cd1661f5466 + username: admin + expiry: + idTokens: 24h + signingKeys: 6h + frontend: + theme: coreos +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + 
app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +rules: +- apiGroups: + - dex.coreos.com + resources: + - '*' + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dex +subjects: +- kind: ServiceAccount + name: dex + namespace: metalk8s-auth +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +spec: + clusterIP: '{% endraw %}{{ salt.metalk8s_network.get_oidc_service_ip() }}{% raw + %}' + ports: + - name: https + port: 32000 + targetPort: https + selector: + app.kubernetes.io/instance: dex + app.kubernetes.io/name: dex + sessionAffinity: None + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: dex + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + 
app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +spec: + replicas: 2 + selector: + matchLabels: + app.kubernetes.io/component: dex + app.kubernetes.io/instance: dex + app.kubernetes.io/name: dex + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + checksum/config: 4fbe3973776c030cad8db8e2535206ba87b870089216d34b6a049f87d00697f5 + labels: + app.kubernetes.io/component: dex + app.kubernetes.io/instance: dex + app.kubernetes.io/name: dex + spec: + containers: + - command: + - /usr/local/bin/dex + - serve + - /etc/dex/cfg/config.yaml + env: [] + image: '{% endraw %}{{ build_image_name("dex", False) }}{% raw %}:v2.19.0' + imagePullPolicy: IfNotPresent + name: main + ports: + - containerPort: 5556 + name: https + protocol: TCP + resources: null + volumeMounts: + - mountPath: /etc/dex/cfg + name: config + - mountPath: /etc/dex/tls/https/server + name: https-tls + nodeSelector: + node-role.kubernetes.io/infra: '' + serviceAccountName: dex + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/bootstrap + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/infra + operator: Exists + volumes: + - name: config + secret: + defaultMode: 420 + items: + - key: config.yaml + path: config.yaml + secretName: dex + - name: https-tls + secret: + defaultMode: 420 + secretName: dex-web-server-tls +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: + kubernetes.io/ingress.class: nginx-control-plane + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + labels: + app.kubernetes.io/instance: dex + app.kubernetes.io/managed-by: salt + app.kubernetes.io/name: dex + app.kubernetes.io/part-of: metalk8s + app.kubernetes.io/version: 2.19.0 + helm.sh/chart: dex-2.4.0 + heritage: metalk8s + name: dex + namespace: metalk8s-auth +spec: + rules: + - host: null 
+ http: + paths: + - backend: + serviceName: dex + servicePort: 32000 + path: /oidc + +{% endraw %} diff --git a/salt/metalk8s/addons/dex/deployed/init.sls b/salt/metalk8s/addons/dex/deployed/init.sls new file mode 100644 index 0000000000..dd0ab723c8 --- /dev/null +++ b/salt/metalk8s/addons/dex/deployed/init.sls @@ -0,0 +1,14 @@ +# +# States to deploy Dex +# +# Available states +# ================ +# +# * namespace -> creates a namespace metalk8s-auth +# * tls-secret -> store Dex server cert and key in a Secret +# * chart -> charts used to deploy Dex + +include: +- .namespace +- .tls-secret +- .chart diff --git a/salt/metalk8s/addons/dex/deployed/namespace.sls b/salt/metalk8s/addons/dex/deployed/namespace.sls new file mode 100644 index 0000000000..af144a246f --- /dev/null +++ b/salt/metalk8s/addons/dex/deployed/namespace.sls @@ -0,0 +1,10 @@ +#!jinja | metalk8s_kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes + +apiVersion: v1 +kind: Namespace +metadata: + name: metalk8s-auth + labels: + app.kubernetes.io/managed-by: salt + app.kubernetes.io/part-of: metalk8s + heritage: metalk8s diff --git a/salt/metalk8s/addons/dex/deployed/tls-secret.sls b/salt/metalk8s/addons/dex/deployed/tls-secret.sls new file mode 100644 index 0000000000..7212c79a36 --- /dev/null +++ b/salt/metalk8s/addons/dex/deployed/tls-secret.sls @@ -0,0 +1,17 @@ +#!jinja | metalk8s_kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes + +apiVersion: v1 +kind: Secret +metadata: + name: dex-web-server-tls + namespace: metalk8s-auth +type: Opaque +data: + tls.crt: "{{ + salt['hashutil.base64_encodefile']('/etc/metalk8s/pki/dex/server.crt') + | replace('\n', '') + }}" + tls.key: "{{ + salt['hashutil.base64_encodefile']('/etc/metalk8s/pki/dex/server.key') + | replace('\n', '') + }}" diff --git a/salt/metalk8s/defaults.yaml b/salt/metalk8s/defaults.yaml index 36e9d67c97..19e678857f 100644 --- a/salt/metalk8s/defaults.yaml 
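Review bot: The `dex-web-server-tls` Secret is declared `type: Opaque` although it uses the `tls.crt`/`tls.key` layout; declaring it `type: kubernetes.io/tls` lets the API server reject a Secret that lacks either key, which is the failure mode if the certificate state on the master has not produced both files yet. Nothing else needs to change, since the Deployment in `chart.sls` mounts the Secret by name only.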
+++ b/salt/metalk8s/defaults.yaml @@ -80,6 +80,15 @@ front_proxy: cert: client_signing_policy: front_proxy_client_policy +dex: + ca: + cert: + days_valid: 3650 + signing_policy: + days_valid: 365 + cert: + server_signing_policy: dex_server_policy + nginx-ingress: ca: cert: diff --git a/salt/metalk8s/deployed.sls b/salt/metalk8s/deployed.sls index a06d4086f1..085092627c 100644 --- a/salt/metalk8s/deployed.sls +++ b/salt/metalk8s/deployed.sls @@ -10,3 +10,4 @@ include: - metalk8s.addons.volumes.deployed - metalk8s.addons.solutions.deployed - metalk8s.addons.ui.deployed + - metalk8s.addons.dex.deployed diff --git a/salt/metalk8s/map.jinja b/salt/metalk8s/map.jinja index 134a8b4a99..5c7de3b039 100644 --- a/salt/metalk8s/map.jinja +++ b/salt/metalk8s/map.jinja @@ -214,6 +214,10 @@ 'default': {} }, merge=defaults.get('kubeadm_kubeconfig')) %} +{% set dex = salt['grains.filter_by']({ + 'default': {} +}, merge=defaults.get('dex')) %} + {% set nginx_ingress = salt['grains.filter_by']({ 'default': {} }, merge=defaults.get('nginx-ingress')) %} diff --git a/salt/metalk8s/roles/ca/init.sls b/salt/metalk8s/roles/ca/init.sls index 14ded67ec3..2d77a7bfa2 100644 --- a/salt/metalk8s/roles/ca/init.sls +++ b/salt/metalk8s/roles/ca/init.sls @@ -2,3 +2,4 @@ include: - metalk8s.kubernetes.ca - metalk8s.kubernetes.sa - metalk8s.addons.nginx-ingress.ca + - metalk8s.addons.dex.ca diff --git a/salt/metalk8s/salt/master/certs/init.sls b/salt/metalk8s/salt/master/certs/init.sls index b389417bfe..297a037d34 100644 --- a/salt/metalk8s/salt/master/certs/init.sls +++ b/salt/metalk8s/salt/master/certs/init.sls @@ -11,5 +11,6 @@ include: # Some server certs are required to be published in K8s API by Salt master - metalk8s.addons.nginx-ingress-control-plane.certs - metalk8s.addons.nginx-ingress.certs + - metalk8s.addons.dex.certs - .etcd-client - .salt-api