salt: add dex deployment configuration

Add k8s secrets used for dex deployment
Add sls files required for dex certificate generation
Generate dex deployment chart using:

```
$ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls
```
Note: The generated dex `charts.sls` can not render the `Secret` template properly because of how we render the charts.
The render injects `\\..` which makes the sls invalid and cannot be applied by K8s.

To resolve this, after chart generation we delete the secret section and make use of `dex-conf.sls`

Closes: #2007

buildchain/buildchain/salt_tree.py

@@ -217,8 +217,10 @@ def _get_parts(self) -> Iterator[str]:
     ),
 
     Path('salt/metalk8s/addons/dex/deployed/init.sls'),
-    Path('salt/metalk8s/addons/dex/deployed/chart.sls'),
     Path('salt/metalk8s/addons/dex/deployed/namespace.sls'),
+    Path('salt/metalk8s/addons/dex/deployed/dex-conf.sls'),
+    Path('salt/metalk8s/addons/dex/deployed/chart.sls'),
+    Path('salt/metalk8s/addons/dex/deployed/dex-tls-secret.sls'),
 
     Path('salt/metalk8s/addons/prometheus-operator/deployed/chart.sls'),
     Path('salt/metalk8s/addons/prometheus-operator/deployed/cleanup.sls'),
@@ -324,6 +326,10 @@ def _get_parts(self) -> Iterator[str]:
     Path('salt/metalk8s/kubernetes/ca/kubernetes/exported.sls'),
     Path('salt/metalk8s/kubernetes/ca/kubernetes/init.sls'),
     Path('salt/metalk8s/kubernetes/ca/kubernetes/installed.sls'),
+    Path('salt/metalk8s/kubernetes/ca/dex/init.sls'),
+    Path('salt/metalk8s/kubernetes/ca/dex/advertised.sls'),
+    Path('salt/metalk8s/kubernetes/ca/dex/dex-rootca.sls'),
+    Path('salt/metalk8s/kubernetes/ca/dex/dex-server.sls'),
 
     Path('salt/metalk8s/kubernetes/cni/calico/configured.sls'),
     Path('salt/metalk8s/kubernetes/cni/calico/deployed.sls'),

charts/dex.yaml

@@ -0,0 +1,73 @@
+image: '{%- endraw -%}{{ build_image_name(\"dex\", False) }}{%- raw -%}'
+
+nodeSelector:
+  node-role.kubernetes.io/infra: ''
+
+tolerations:
+  - key: "node-role.kubernetes.io/bootstrap"
+    operator: "Exists"
+    effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/infra"
+    operator: "Exists"
+    effect: "NoSchedule"
+
+replicas: 2
+
+# grpc support
+grpc: false
+
+# https termination by dex itself
+https: true
+
+ingress:
+  enabled: true
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: '/$2'
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    kubernetes.io/ingress.class: "nginx-control-plane"
+  path: /oidc(/|$)(.*)
+  hosts:
+    - null
+  tls:
+   - secretName: dex-tls-ingress
+
+certs:
+  web:
+    create: false
+  grpc:
+    create: false
+
+config:
+  issuer: '{%- endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc{%- raw -%}'
+  web:
+    tlsCert: /etc/dex/tls/https/server/tls.crt
+    tlsKey: /etc/dex/tls/https/server/tls.key
+  connectors: {}
+
+  oauth2:
+    alwaysShowLoginScreen: false
+    skipApprovalScreen: true
+
+  expiry:
+    signingKeys: "6h"
+    idTokens: "24h"
+
+  staticClients:
+  - id: metalk8s-ui
+    redirectURIs:
+    - '{%- endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback{%- raw -%}'
+    name: 'MetalK8s UI'
+    secret: ybrMJpVMQxsiZw26MhJzCjA2ut
+  - id: grafana-ui
+    name: 'Grafana UI'
+    redirectURIs:
+    - '{%- endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth{%- raw -%}'
+    secret: 4lqK98NcsWG5qBRHJUqYM1
+
+  staticPasswords:
+    - email: "[email protected]"
+      # bcrypt hash of the string "password"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

pillar/metalk8s/roles/ca.sls

@@ -15,6 +15,14 @@ mine_functions:
     mine_function: hashutil.base64_encodefile
     fname: /etc/kubernetes/pki/sa.pub
 
+  kubernetes_dex_ca_b64:
+    mine_function: hashutil.base64_encodefile
+    fname: /etc/kubernetes/pki/dex-ca.crt
+
+  kubernetes_dex_ca_key_b64:
+    mine_function: hashutil.base64_encodefile
+    fname: /etc/kubernetes/pki/dex-ca.key
+
 x509_signing_policies:
   kube_apiserver_client_policy:
     - minions: '*'
@@ -51,3 +59,10 @@ x509_signing_policies:
     - keyUsage: critical digitalSignature, keyEncipherment
     - extendedKeyUsage: clientAuth
     - days_valid: 365
+  dex_server_policy:
+    - minions: '*'
+    - signing_private_key: /etc/kubernetes/pki/dex-ca.key
+    - signing_cert: /etc/kubernetes/pki/dex-ca.crt
+    - keyUsage: critical digitalSignature, keyEncipherment
+    - extendedKeyUsage: serverAuth, clientAuth
+    - days_valid: 365

salt/metalk8s/addons/dex/deployed/chart.sls

@@ -0,0 +1,201 @@
+#!jinja | kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+
+{% raw %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+rules:
+- apiGroups:
+  - dex.coreos.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dex
+subjects:
+- kind: ServiceAccount
+  name: dex
+  namespace: metalk8s-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+spec:
+  ports:
+  - name: https
+    port: 32000
+    targetPort: https
+  selector:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/name: dex
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: dex
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: dex
+      app.kubernetes.io/instance: dex
+      app.kubernetes.io/name: dex
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/config: 1db7d252453ee48ad75b3be69be7a486d877f5c8c616fe43f981c69caf2336e5
+      labels:
+        app.kubernetes.io/component: dex
+        app.kubernetes.io/instance: dex
+        app.kubernetes.io/name: dex
+    spec:
+      containers:
+      - command:
+        - /usr/local/bin/dex
+        - serve
+        - /etc/dex/cfg/config.yaml
+        env: []
+        image: '{%- endraw -%}{{ build_image_name("dex", False) }}{%- raw -%}:v2.19.0'
+        imagePullPolicy: IfNotPresent
+        name: main
+        ports:
+        - containerPort: 5556
+          name: https
+          protocol: TCP
+        resources: null
+        volumeMounts:
+        - mountPath: /etc/dex/cfg
+          name: config
+        - mountPath: /etc/dex/tls/https/server
+          name: https-tls
+      nodeSelector:
+        node-role.kubernetes.io/infra: ''
+      serviceAccountName: dex
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/bootstrap
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/infra
+        operator: Exists
+      volumes:
+      - name: config
+        secret:
+          defaultMode: 420
+          items:
+          - key: config.yaml
+            path: config.yaml
+          secretName: dex
+      - name: https-tls
+        secret:
+          defaultMode: 420
+          secretName: dex-web-server-tls
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx-control-plane
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: 'true'
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+spec:
+  rules:
+  - host: null
+    http:
+      paths:
+      - backend:
+          serviceName: dex
+          servicePort: 32000
+        path: /oidc(/|$)(.*)
+  tls:
+  - hosts: null
+    secretName: dex-tls-ingress
+
+{% endraw %}

salt/metalk8s/addons/dex/deployed/dex-conf.sls

@@ -0,0 +1,52 @@
+#!jinja | kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: "2.19.0"
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+stringData:
+  config.yaml: |-
+      issuer: 'https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc'
+      storage:
+        config:
+          inCluster: true
+        type: kubernetes
+      logger:
+        level: debug
+      web:
+        https: 0.0.0.0:5556
+        tlsCert: /etc/dex/tls/https/server/tls.crt
+        tlsKey: /etc/dex/tls/https/server/tls.key
+      oauth2:
+        alwaysShowLoginScreen: false
+        skipApprovalScreen: true
+      expiry:
+        signingKeys: "6h"
+        idTokens: "24h"
+      staticClients:
+      - id: metalk8s-ui
+        redirectURIs:
+        - 'https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback'
+        name: 'MetalK8s UI'
+        secret: ybrMJpVMQxsiZw26MhJzCjA2ut
+      - id: grafana-ui
+        name: 'Grafana UI'
+        redirectURIs:
+        - 'https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth'
+        secret: 4lqK98NcsWG5qBRHJUqYM1
+      enablePasswordDB: true
+      staticPasswords:
+      - email: [email protected]
+        hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W
+        userID: 08a8684b-db88-4b73-90a9-3cd1661f5466
+        username: admin