salt: add dex deployment configuration

Automatically generate dex deployment, service account,
cluster role and cluster role bindings

The above is generated from the charts using:

```
$ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ >
salt/metalk8s/addons/dex/deployed/chart.sls
```
Note: The generated dex `charts.sls` can not render the `Secret` template properly.
The render injects `\\..` which makes the sls invalid and cannot be applied by K8s.
To resolve this, after chart generation we delete the secret section and make use of `dex-conf.sls`

Closes: #2007

charts/dex.yaml

@@ -0,0 +1,98 @@
+image: '{%- endraw -%}{{ build_image_name(\"dex\", False) }}{%- raw -%}'
+
+nodeSelector:
+  node-role.kubernetes.io/infra: ''
+
+tolerations:
+  - key: "node-role.kubernetes.io/bootstrap"
+    operator: "Exists"
+    effect: "NoSchedule"
+  - key: "node-role.kubernetes.io/infra"
+    operator: "Exists"
+    effect: "NoSchedule"
+
+replicas: 2
+
+# grpc support
+grpc: false
+
+# https termination by dex itself
+https: true
+
+service:
+  clusterIP: '{% endraw %}{{ salt.metalk8s_network.get_oidc_service_ip() }}{% raw %}'
+
+ingress:
+  enabled: true
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
+    nginx.ingress.kubernetes.io/proxy-ssl-secret: "dex-ca-cert"
+    kubernetes.io/ingress.class: "nginx-control-plane"
+  path: /oidc
+  hosts:
+    - null
+  tls:
+   - secretName: dex-tls-ingress
+
+# extraVolumes:
+#   - name: theme
+#     configMap:
+#        name: dex-branding
+
+# extraVolumeMounts:
+#   - name: theme
+#     mountPath: /web/themes/custom/
+
+certs:
+  web:
+    create: false
+  grpc:
+    create: false
+
+config:
+  issuer: '{% endraw %}https://{{ grains.metalk8s.control_plane_ip }}:8443/oidc{% raw %}'
+  web:
+    tlsCert: /etc/dex/tls/https/server/tls.crt
+    tlsKey: /etc/dex/tls/https/server/tls.key
+  frontend:
+    theme: "coreos" #metalk8s-ui
+    # dir: /web/themes/custom/
+
+  connectors: {}
+
+  oauth2:
+    alwaysShowLoginScreen: true
+    skipApprovalScreen: true
+    responseTypes: ["code", "token", "id_token"]
+
+  expiry:
+    signingKeys: "6h"
+    idTokens: "24h"
+
+  staticClients:
+  - id: oidc-auth-client
+    redirectURIs:
+    - 'urn:ietf:wg:oauth:2.0:oob'
+    name: 'oidc-auth-client'
+    secret: "lkfa9jaf3kfakqyeoikfjakf93k2l"
+    trustedPeers:
+    - metalk8s-ui
+    - grafana-ui
+  - id: metalk8s-ui
+    redirectURIs:
+    - '{%- endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/oauth2/callback{%- raw -%}'
+    name: 'MetalK8s UI'
+    secret: "ybrMJpVMQxsiZw26MhJzCjA2ut"
+  - id: grafana-ui
+    name: 'Grafana UI'
+    redirectURIs:
+    - '{%- endraw -%}https://{{ grains.metalk8s.control_plane_ip }}:8443/grafana/login/generic_oauth{%- raw -%}'
+    secret: "4lqK98NcsWG5qBRHJUqYM1"
+
+  staticPasswords:
+    - email: "[email protected]"
+      # bcrypt hash of the string "password"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

salt/metalk8s/addons/dex/deployed/chart.sls

@@ -0,0 +1,177 @@
+#!jinja | kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes
+{%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
+
+{% raw %}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+rules:
+- apiGroups:
+  - dex.coreos.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dex
+subjects:
+- kind: ServiceAccount
+  name: dex
+  namespace: metalk8s-auth
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: dex
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: dex
+      app.kubernetes.io/instance: dex
+      app.kubernetes.io/name: dex
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/config: a894c0b2665829c0a0fa94e535679d10e82ea0338ccce0d3c5fe62d965bbe790
+      labels:
+        app.kubernetes.io/component: dex
+        app.kubernetes.io/instance: dex
+        app.kubernetes.io/name: dex
+    spec:
+      containers:
+      - command:
+        - /usr/local/bin/dex
+        - serve
+        - /etc/dex/cfg/config.yaml
+        env: []
+        image: '{%- endraw -%}{{ build_image_name("dex", False) }}{%- raw -%}:v2.19.0'
+        imagePullPolicy: IfNotPresent
+        name: main
+        ports:
+        - containerPort: 5556
+          name: https
+          protocol: TCP
+        resources: null
+        volumeMounts:
+        - mountPath: /etc/dex/cfg
+          name: config
+        - mountPath: /etc/dex/tls/https/server
+          name: https-tls
+      nodeSelector:
+        node-role.kubernetes.io/infra: ''
+      serviceAccountName: dex
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/bootstrap
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/infra
+        operator: Exists
+      volumes:
+      - name: config
+        secret:
+          defaultMode: 420
+          items:
+          - key: config.yaml
+            path: config.yaml
+          secretName: dex
+      - name: https-tls
+        secret:
+          defaultMode: 420
+          secretName: dex-web-server-tls
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    kubernetes.io/ingress.class: nginx-control-plane
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/use-regex: 'true'
+  labels:
+    app.kubernetes.io/instance: dex
+    app.kubernetes.io/managed-by: salt
+    app.kubernetes.io/name: dex
+    app.kubernetes.io/part-of: metalk8s
+    app.kubernetes.io/version: 2.19.0
+    helm.sh/chart: dex-2.4.0
+    heritage: metalk8s
+  name: dex
+  namespace: metalk8s-auth
+spec:
+  rules:
+  - host: null
+    http:
+      paths:
+      - backend:
+          serviceName: dex
+          servicePort: 32000
+        path: /oidc(/|$)(.*)
+  tls:
+  - hosts: null
+    secretName: dex-tls-ingress
+
+{% endraw %}