salt,dex: Allow to disable Dex deployment

To disable Dex deployment at installation, you must add the following to the boostrap config: ``` addons: dex: enabled: false ```
scality · Feb 8, 2022 · 5f55bcf · 5f55bcf
1 parent 6d6137c
commit 5f55bcf
Show file tree

Hide file tree

Showing 11 changed files with 50 additions and 15 deletions.
diff --git a/charts/render.py b/charts/render.py
@@ -472,7 +472,7 @@ def _doc_matches(doc, conditions):
     config = []
     for name, configmap, path, service_namespace in args.service_configs or []:
         import_csc_yaml.append(
-            "{{% set {0}_defaults = "
+            "{{%- set {0}_defaults = "
             "salt.slsutil.renderer('salt://{1}', saltenv=saltenv) %}}".format(
                 name,
                 path,

diff --git a/salt/_modules/metalk8s_service_configuration.py b/salt/_modules/metalk8s_service_configuration.py
@@ -59,9 +59,7 @@ def get_service_conf(
         ) from exc
 
     if manifest is None:
-        raise CommandExecutionError(
-            "Expected ConfigMap object but got {}".format(manifest)
-        )
+        return default_csc
 
     try:
         conf_section = manifest.get("data", {}).get("config.yaml", {})

diff --git a/salt/_pillar/metalk8s.py b/salt/_pillar/metalk8s.py
@@ -190,6 +190,14 @@ def _load_kubernetes(config_data):
     return kubernetes_data
 
 
+def _load_addons(config_data):
+    addons_data = config_data.get("addons", {})
+
+    addons_data.setdefault("dex", {}).setdefault("enabled", True)
+
+    return addons_data
+
+
 def ext_pillar(minion_id, pillar, bootstrap_config):  # pylint: disable=unused-argument
     config = _load_config(bootstrap_config)
     if config.get("_errors"):
@@ -215,6 +223,7 @@ def ext_pillar(minion_id, pillar, bootstrap_config):  # pylint: disable=unused-a
             "metalk8s": metal_data,
             "proxies": config.get("proxies", {}),
             "kubernetes": _load_kubernetes(config),
+            "addons": _load_addons(config),
         }
 
         if not isinstance(metal_data["archives"], list):

diff --git a/salt/metalk8s/addons/ui/config/metalk8s-shell-ui-config.yaml.j2 b/salt/metalk8s/addons/ui/config/metalk8s-shell-ui-config.yaml.j2
@@ -1,7 +1,9 @@
 #!jinja|yaml
 
-{%- set dex_defaults = salt.slsutil.renderer('salt://metalk8s/addons/dex/config/dex.yaml.j2', saltenv=saltenv) %}
-{%- set dex = salt.metalk8s_service_configuration.get_service_conf('metalk8s-auth', 'metalk8s-dex-config', dex_defaults) %}
+{%- if pillar.addons.dex.enabled %}
+  {%- set dex_defaults = salt.slsutil.renderer('salt://metalk8s/addons/dex/config/dex.yaml.j2', saltenv=saltenv) %}
+  {%- set dex = salt.metalk8s_service_configuration.get_service_conf('metalk8s-auth', 'metalk8s-dex-config', dex_defaults) %}
+{%- endif %}
 {%- set metalk8s_ui_defaults = salt.slsutil.renderer(
         'salt://metalk8s/addons/ui/config/metalk8s-ui-config.yaml.j2', saltenv=saltenv
     )
@@ -12,21 +14,22 @@
     )
 %}
 
-
 # Defaults for shell UI configuration
 apiVersion: addons.metalk8s.scality.com/v1alpha2
 kind: ShellUIConfig
 spec:
+{%- if pillar.addons.dex.enabled %}
   oidc:
     providerUrl: "/oidc"
     redirectUrl: "{{ salt.metalk8s_network.get_control_plane_ingress_endpoint() }}/{{ metalk8s_ui_config.spec.basePath.lstrip('/') }}"
     clientId: "metalk8s-ui"
     responseType: "id_token"
     scopes: "openid profile email groups offline_access audience:server:client_id:oidc-auth-client"
   userGroupsMapping:
-{%- for user in dex.spec.config.staticPasswords | map(attribute='email') %}
+  {%- for user in dex.spec.config.staticPasswords | map(attribute='email') %}
     "{{ user }}": [metalk8s:admin]
-{%- endfor %}
+  {%- endfor %}
+{%- endif %}
   discoveryUrl: "/shell/deployed-ui-apps.json"
   logo:
     light: /brand/assets/logo-light.svg

diff --git a/salt/metalk8s/deployed.sls b/salt/metalk8s/deployed.sls
@@ -12,7 +12,9 @@ include:
   - metalk8s.addons.volumes.deployed
   - metalk8s.addons.solutions.deployed
   - metalk8s.addons.ui.deployed
+{%- if pillar.addons.dex.enabled %}
   - metalk8s.addons.dex.deployed
+{%- endif %}
   - metalk8s.addons.prometheus-adapter.deployed
   - metalk8s.addons.logging.deployed
   - metalk8s.addons.alert-tree.deployed
diff --git a/salt/metalk8s/kubernetes/apiserver/installed.sls b/salt/metalk8s/kubernetes/apiserver/installed.sls
@@ -96,13 +96,15 @@ Create kube-apiserver Pod manifest:
           - --bind-address={{ host }}
           - --encryption-provider-config={{ encryption_k8s_path }}
           - --cors-allowed-origins=.*
+{%- if pillar.addons.dex.enabled %}
           - --oidc-issuer-url={{ salt.metalk8s_network.get_control_plane_ingress_endpoint() }}/oidc
           - --oidc-client-id=oidc-auth-client
           - --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
           - --oidc-username-claim=email
           - '"--oidc-username-prefix=oidc:"'
           - --oidc-groups-claim=groups
           - '"--oidc-groups-prefix=oidc:"'
+{%- endif %}
           - --v={{ 2 if metalk8s.debug else 0 }}
           {% if feature_gates %}
           - --feature-gates={{ feature_gates | join(",") }}

diff --git a/salt/metalk8s/orchestrate/update-control-plane-ingress-ip.sls b/salt/metalk8s/orchestrate/update-control-plane-ingress-ip.sls
@@ -32,7 +32,9 @@ Reconfigure Control Plane components:
   salt.runner:
   - name: state.orchestrate
   - mods:
+{%- if pillar.addons.dex.enabled %}
     - metalk8s.addons.dex.deployed
+{%- endif %}
     - metalk8s.addons.prometheus-operator.deployed
     - metalk8s.addons.ui.deployed
   - saltenv: {{ saltenv }}

diff --git a/salt/metalk8s/roles/ca/init.sls b/salt/metalk8s/roles/ca/init.sls
@@ -2,5 +2,7 @@ include:
   - metalk8s.kubernetes.ca
   - metalk8s.kubernetes.sa
   - metalk8s.addons.nginx-ingress.ca
+{%- if pillar.addons.dex.enabled %}
   - metalk8s.addons.dex.ca
+{%- endif %}
   - metalk8s.backup.certs.ca
diff --git a/salt/metalk8s/service-configuration/deployed/init.sls b/salt/metalk8s/service-configuration/deployed/init.sls
@@ -7,6 +7,8 @@
 # default configurations to startup
 include:
   - metalk8s.addons.prometheus-operator.deployed.service-configuration
+{%- if pillar.addons.dex.enabled %}
   - metalk8s.addons.dex.deployed.service-configuration
+{%- endif %}
   - metalk8s.addons.logging.loki.deployed.service-configuration
   - metalk8s.addons.ui.deployed.ui-configuration
diff --git a/salt/tests/unit/formulas/data/base_pillar.yaml b/salt/tests/unit/formulas/data/base_pillar.yaml
@@ -184,3 +184,6 @@ kubernetes:
       podAntiAffinity:
         soft:
           - topologyKey: kubernetes.io/hostname
+addons:
+  dex:
+    enabled: True
diff --git a/salt/tests/unit/modules/files/test_metalk8s_service_configuration.yaml b/salt/tests/unit/modules/files/test_metalk8s_service_configuration.yaml
@@ -64,6 +64,24 @@ get_service_config:
           containers:
             - name: my_new_container
 
+  #. Success: retrieved ConfigMap manifest is empty
+  - configmap_name: 'my_configmap'
+    configmap_obj: null
+    default_csc:
+      apiVersion: my_apiVersion1
+      kind: my_kind1
+      spec:
+        deployment:
+          replicas: my_replicas
+          containers: my_containers
+    result:
+      apiVersion: my_apiVersion1
+      kind: my_kind1
+      spec:
+        deployment:
+          replicas: my_replicas
+          containers: my_containers
+
   #. Error: missing configmap_name
   - configmap_name: null
     result: "Expected a ConfigMap name but got None"
@@ -81,12 +99,6 @@ get_service_config:
     result: "Failed to read ConfigMap object my_configmap"
     raises: True
 
-  #. Error: retrieved ConfigMap manifest is empty
-  - configmap_name: 'my_configmap'
-    configmap_obj: null
-    result: "Expected ConfigMap object but got None"
-    raises: True
-
   #. Error: yaml error raised when reading config.yaml
   - configmap_name: 'my_configmap'
     configmap_obj: