Deploy Dex in MetalK8s from the Helm charts #2007

Ebaneck · 2019-11-05T14:57:45Z

Component:

'salt', 'kubernetes', 'containers'

Why this is needed:

To integrate a flexible identity and access management(IAM) in Metalk8s based on the authentication user requirements, we need to deploy an OIDC provider.

Dex is our choice of OIDC and needs to be deployed in a MetalK8s cluster.

What should be done:

Using the official Dex charts, deploy 2 replicas of the latest release of Dex(v2.19) in a Metalk8s cluster.

Implementation proposal (strongly recommended):

Test plan:

Have a Dex pod running in Metalk8s under the metalk8s-auth namespace

Epic iteration: #1988

The text was updated successfully, but these errors were encountered:

NicolasT · 2019-11-05T15:00:13Z

Please make sure to follow the exact mechanism used to install the other chart-based addons we embed.

NicolasT · 2019-11-05T15:38:04Z

Why would we want/need to run this in kube-system?

Ebaneck · 2019-11-05T15:54:45Z

Why would we want/need to run this in kube-system?

@NicolasT since the Dex storage backend we will most likely be using is the Kubernetes backend, i can't think of any reason to not leave it in the kube-system namespace.

Generally what is considered best practice for such??

gdemonet · 2019-11-06T10:11:26Z

Why would we want/need to run this in kube-system?

@NicolasT since the Dex storage backend we will most likely be using is the Kubernetes backend, i can't think of any reason to not leave it in the kube-system namespace.

Dex is using K8s API for interfacing with its storage, so it can run as any other workload (e.g. all Operators use K8s API as well). Having a dedicated namespace, as we do for the nginx-ingress-controllers (which use K8s API too), is recommended: go for metalk8s-dex.

Generally what is considered best practice for such??

kube-system is meant to group applications critical for the cluster functioning, such as etcd or kube-apiserver. One could argue salt-master shouldn't be part of it (it is today), but that's not the scope of this discussion. Dex isn't strictly necessary for the cluster to function (it's only necessary for end-users to authenticate against the API through OIDC, which they could circumvent using certificate-based auth if the need arises).

NicolasT · 2019-11-06T10:24:24Z

go for metalk8s-dex

metalk8s-auth or something along those lines. If ever we change IdP, we can keep things in the same namespace and such.

Generated using ``` $ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls ``` Closes: #2007

Add k8s secrets used for dex deployment Add sls files required for dex certificate generation Generate dex deployment chart using: ``` $ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls ``` Note: The generated dex `charts.sls` can not render the `Secret` template properly because of how we render the charts. The render injects `\\..` which makes the sls invalid and cannot be applied by K8s. To resolve this, after chart generation we delete the secret section and make use of `dex-conf.sls` Closes: #2007

Automatically generate dex deployment, service account, cluster role and cluster role bindings The above is generated from the charts using: ``` $ ./charts/render.py dex metalk8s-auth charts/dex.yaml charts/dex/ > salt/metalk8s/addons/dex/deployed/chart.sls ``` Note: The generated dex `charts.sls` can not render the `Secret` template properly. The render injects `\\..` which makes the sls invalid and cannot be applied by K8s. To resolve this, after chart generation we delete the secret section and make use of `dex-conf.sls` Closes: #2007