Dex/API server and Catalogue Support for Subcluster

This patchset includes the Catalogue and respective
Replacement transformers for the Dex/API server and
kustomization of values through patches.

It also includes:
 - Support for dex LDAP authentication
 - Moved Dex from provide-infra to controlplane

Note:
1. This patchset also fixes the current issue with wordpress where it
was not in sync with lma for catalogue (catalogues)
2. This patchset also doesn't call function k8scontrol-oidc replacements
rather subcluster-dex.yaml is created in
manifests/type/sub-cluster/controlplane/replacements/subcluster-dex.yaml
due to current localized yamls available at same path. This is a known
issue for which another patchset has to be created.

Relates-To: #136

Co-authored-by: sa069q <296.saurabh@gmail.com>

Change-Id: I6d14f6cc976d3f8a174e2d083425a970f59dcd92

manifests/function/dex-aio/replacements/update-dex.yaml

@@ -1,7 +1,7 @@
 apiVersion: airshipit.org/v1alpha1
 kind: ReplacementTransformer
 metadata:
-  name: k8scontrol-cluster-dex-replacements
+  name: k8scontrol-dex-replacements
   annotations:
     config.kubernetes.io/function: |-
       container:

manifests/site/reference-multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   # This pulls in general site catalog information which is valid across clusters
   # It also pulls in undercloud-specific values, which will be replaced below
   - ../../../target/catalogues/
+  - ../../../../../type/multi-tenant/sub-clusters/lma/catalogues/
 
 patchesStrategicMerge:
   - patches/versions-treasuremap.yaml
@@ -12,3 +13,4 @@ transformers:
   # This replaces lma-specific network data from the lma stanza
   # of the subcluster-networking catalogue into the standard networking catalogue
   - ../../../../../type/multi-tenant/sub-clusters/lma/catalogue-replacements
+

manifests/site/virtual-network-cloud/sub-clusters/lma/catalogues/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   # This pulls in general site catalog information which is valid across clusters
   # It also pulls in undercloud-specific values, which will be replaced below
   - ../../../target/catalogues/
+  - ../../../../../type/multi-tenant/sub-clusters/lma/catalogues/
 
 patchesStrategicMerge:
   - patches/versions-treasuremap.yaml
@@ -12,3 +13,4 @@ transformers:
   # This replaces lma-specific network data from the lma stanza
   # of the subcluster-networking catalogue into the standard networking catalogue
   - ../../../../../type/multi-tenant/sub-clusters/lma/catalogue-replacements
+

manifests/site/virtual-network-cloud/sub-clusters/wordpress/catalogues/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   # This pulls in general site catalog information which is valid across clusters
   # It also pulls in undercloud-specific values, which will be replaced below
   - ../../../target/catalogues/
+  - ../../../../../type/multi-tenant/sub-clusters/wordpress/catalogues/
 
 patchesStrategicMerge:
   - patches/versions-treasuremap.yaml
@@ -12,3 +13,4 @@ transformers:
   # This replaces wordpress-specific network data from the wordpress stanza
   # of the subcluster-networking catalogue into the standard networking catalogue
   - ../../../../../type/multi-tenant/sub-clusters/wordpress/catalogue-replacements
+

manifests/site/virtual-network-cloud/sub-clusters/wordpress/controlplane/kustomization.yaml

@@ -1,6 +1,6 @@
 resources:
   - ../../../../../type/multi-tenant/sub-clusters/wordpress/controlplane
-  - ../../../target/catalogues
+  - ../catalogues
 
 transformers:
   - ../../../../../type/multi-tenant/sub-clusters/wordpress/controlplane/replacements

manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml

@@ -27,7 +27,7 @@ spec:
 
     exposed_services:
       - name: auth
-        nodePort: 30556
+        nodePort: 30566
       - name: jumpHost
         nodePort: 30001
       - name: loadBalancerControlPlane
@@ -59,11 +59,11 @@ spec:
       controlPlaneEndpoint:
         host: "10.23.25.102"
         port: 6443
-      apiserverCertSANs: [10.23.25.201, 10.23.24.201]
+      apiserverCertSANs: "[10.23.25.201, 10.23.24.201]"
 
     exposed_services:
       - name: auth
-        nodePort: 30556
+        nodePort: 30576
       - name: jumpHost
         nodePort: 30001
       - name: loadBalancerControlPlane

manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - subcluster-networking.yaml
+  - subcluster-networking.yaml
+  - subcluster-dex.yaml

manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/subcluster-dex.yaml

@@ -0,0 +1,29 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: dex-subcluster-networking
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: subcluster-networking
+    fieldref: "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}"
+  target:
+    objref:
+      kind: VariableCatalogue
+      name: utility-subcluster-lma
+    fieldrefs: [".spec.dex.oidc_issuer%PORT%"]
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: utility-subcluster-lma
+    fieldref: "{.spec.dex.oidc_issuer}"
+  target:
+    objref:
+      kind: VariableCatalogue
+      name: utility-treasuremap
+    fieldrefs: ["{.spec.dex.oidc_issuer}"]

manifests/type/multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - oidc-utility-subcluster.yaml

manifests/type/multi-tenant/sub-clusters/lma/catalogues/oidc-utility-subcluster.yaml

@@ -0,0 +1,7 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: utility-subcluster-lma
+spec:
+  dex:
+    oidc_issuer: https://dex.utility.local:PORT/dex

manifests/type/multi-tenant/sub-clusters/lma/controlplane/dex-aio-helm-patch.yaml

@@ -2,13 +2,11 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: dex-aio
-  namespace: default
 spec:
   values:
     params:
       ldap:
-        bind_password: "your LDAP bind password"
-        name: "LDAP TEST SERVICES"
+        name: "LDAP TEST IT SERVICES"
         config:
           host: "your LDAP FQDN"
           bind_dn: "your LDAP bind username"

manifests/type/multi-tenant/sub-clusters/lma/controlplane/kustomization.yaml

@@ -7,3 +7,14 @@ patchesStrategicMerge:
   - patches/metal3machinetemplate.yaml
   - patches/controlplane.yaml
   - patches/cluster.yaml
+  - dex-aio-helm-patch.yaml
+  - subcluster-issuer-patch.yaml
+
+patches:
+  - target:
+      group: controlplane.cluster.x-k8s.io
+      version: v1alpha3
+      kind: KubeadmControlPlane
+    path: oidc-apiserver-ca-cert.json
+
+namespace: lma-infra

manifests/type/multi-tenant/sub-clusters/lma/controlplane/oidc-apiserver-ca-cert.json

@@ -0,0 +1,14 @@
+[
+  {
+    "op": "replace",
+    "path": "/spec/kubeadmConfigSpec/files/1/contentFrom",
+    "value": {
+        "secret": {
+          "key": "tls.crt",
+          "name": "target-cluster-ca-lma"
+        }
+      },
+      "owner": "root:root",
+      "permissions": "0644"
+  }
+]

manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/dex-update.yaml

@@ -0,0 +1,19 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: subcluster-dex-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: Issuer
+      name: workload-cluster-ca-issuer-lma
+    fieldref: "{.metadata.name}"
+  target:
+    objref:
+      kind: HelmRelease
+      name: dex-aio-lma
+    fieldrefs: ["{.spec.values.params.endpoints.tls.issuer.name}"]

manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/kustomization.yaml

@@ -1,6 +1,8 @@
 resources:
   - ../../../../../sub-cluster/controlplane/replacements
   - networking.yaml
+  - dex-update.yaml
+
 patchesJson6902:
   - target:
       group: airshipit.org
@@ -8,3 +10,9 @@ patchesJson6902:
       kind: ReplacementTransformer
       name: k8scontrol-cluster-replacements
     path: patches/cluster.json
+  - target:
+      group: airshipit.org
+      version: v1alpha1
+      kind: ReplacementTransformer
+      name: k8scontrol-dex-replacements
+    path: patches/subcluster-dex.json

manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/patches/subcluster-dex.json

@@ -0,0 +1,92 @@
+[
+    {
+      "op": "replace",
+      "path": "/replacements/0/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/1/source/fieldref",
+      "value": "{.dex.ldap.subcluster-lma.bind_password}"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/1/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/2/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/3/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/source/objref/name",
+      "value": "subcluster-networking"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/source/fieldref",
+      "value": "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/5/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/6/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/7/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/8/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/9/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/10/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/11/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/12/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/13/target/objref/name",
+      "value": "dex-aio-lma"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/14/target/objref/name",
+      "value": "dex-aio-lma"
+    }
+]

manifests/type/multi-tenant/sub-clusters/lma/controlplane/subcluster-issuer-patch.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: workload-cluster-ca-issuer
+spec:
+  ca:
+    secretName: target-cluster-ca-lma

manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/kustomization.yaml

@@ -1,4 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - subcluster-networking.yaml
+  - subcluster-networking.yaml
+  - subcluster-dex.yaml

manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/subcluster-dex.yaml

@@ -0,0 +1,30 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: dex-subcluster-networking
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: subcluster-networking
+    fieldref: "{.spec.wordpress.exposed_services[?(.name == 'auth')].nodePort}"
+  target:
+    objref:
+      kind: VariableCatalogue
+      name: utility-subcluster-wordpress
+    fieldrefs: [".spec.dex.oidc_issuer%PORT%"]
+# Dex OIDC Issuer URL
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: utility-subcluster-wordpress
+    fieldref: "{.spec.dex.oidc_issuer}"
+  target:
+    objref:
+      kind: VariableCatalogue
+      name: utility-treasuremap
+    fieldrefs: ["{.spec.dex.oidc_issuer}"]

manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - oidc-utility-subcluster.yaml

manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/oidc-utility-subcluster.yaml

@@ -0,0 +1,7 @@
+apiVersion: airshipit.org/v1alpha1
+kind: VariableCatalogue
+metadata:
+  name: utility-subcluster-wordpress
+spec:
+  dex:
+    oidc_issuer: https://dex.utility.local:PORT/dex

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/dex-aio-helm-patch.yaml

@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: dex-aio
+spec:
+  values:
+    params:
+      ldap:
+        name: "LDAP TEST IT SERVICES"
+        config:
+          host: "your LDAP FQDN"
+          bind_dn: "your LDAP bind username"
+          username_prompt: SSO Username
+          user_search:
+            base_dn: dc=testservices,dc=test,dc=com
+          group_search:
+            base_dn: ou=groups,dc=testservices,dc=test,dc=com

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/kustomization.yaml

@@ -4,4 +4,15 @@ resources:
 nameSuffix: -wordpress
 
 patchesStrategicMerge:
-  - patches/metal3machinetemplate.yaml
+- patches/metal3machinetemplate.yaml
+- dex-aio-helm-patch.yaml
+- subcluster-issuer-patch.yaml
+
+patches:
+  - target:
+      group: controlplane.cluster.x-k8s.io
+      version: v1alpha3
+      kind: KubeadmControlPlane
+    path: oidc-apiserver-ca-cert.json
+
+namespace: wordpress-infra

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/oidc-apiserver-ca-cert.json

@@ -0,0 +1,14 @@
+[
+  {
+    "op": "replace",
+    "path": "/spec/kubeadmConfigSpec/files/1/contentFrom",
+    "value": {
+        "secret": {
+          "key": "tls.crt",
+          "name": "target-cluster-ca-wordpress"
+        }
+      },
+      "owner": "root:root",
+      "permissions": "0644"
+  }
+]

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/dex-update.yaml

@@ -0,0 +1,19 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: subcluster-dex-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+- source:
+    objref:
+      kind: Issuer
+      name: workload-cluster-ca-issuer-wordpress
+    fieldref: "{.metadata.name}"
+  target:
+    objref:
+      kind: HelmRelease
+      name: dex-aio-wordpress
+    fieldrefs: ["{.spec.values.params.endpoints.tls.issuer.name}"]

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/kustomization.yaml

@@ -1,6 +1,8 @@
 resources:
   - ../../../../../sub-cluster/controlplane/replacements
   - networking.yaml
+  - dex-update.yaml
+
 patchesJson6902:
   - target:
       group: airshipit.org
@@ -8,3 +10,9 @@ patchesJson6902:
       kind: ReplacementTransformer
       name: k8scontrol-cluster-replacements
     path: patches/cluster.json
+  - target:
+      group: airshipit.org
+      version: v1alpha1
+      kind: ReplacementTransformer
+      name: k8scontrol-dex-replacements
+    path: patches/subcluster-dex.json

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/patches/subcluster-dex.json

@@ -0,0 +1,92 @@
+[
+    {
+      "op": "replace",
+      "path": "/replacements/0/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/1/source/fieldref",
+      "value": "{.dex.ldap.subcluster-wordpress.bind_password}"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/1/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/2/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/3/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/source/objref/name",
+      "value": "subcluster-networking"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/source/fieldref",
+      "value": "{.spec.wordpress.exposed_services[?(.name == 'auth')].nodePort}"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/4/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/5/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/6/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/7/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/8/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/9/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/10/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/11/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/12/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/13/target/objref/name",
+      "value": "dex-aio-wordpress"
+    },
+    {
+      "op": "replace",
+      "path": "/replacements/14/target/objref/name",
+      "value": "dex-aio-wordpress"
+    }
+]

manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/subcluster-issuer-patch.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: workload-cluster-ca-issuer
+spec:
+  ca:
+    secretName: target-cluster-ca-wordpress

manifests/type/sub-cluster/controlplane/kustomization.yaml

@@ -1,9 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../../../../airshipctl/manifests/function/k8scontrol
-  # Switch to this once we want to add Dex back in
-  #- ../../../function/k8scontrol-oidc
+  - ../../../function/k8scontrol-oidc
+  - ../../../function/dex-aio
 
 patchesJson6902:
 - target:

manifests/type/sub-cluster/controlplane/replacements/kustomization.yaml

@@ -2,8 +2,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ../../../../function/dex-aio/replacements
   - versions.yaml
   - k8s-control-env-vars.yaml
   - generated-secrets.yaml
   - networking.yaml
   - cluster.yaml
+  - subcluster-dex.yaml

manifests/type/sub-cluster/controlplane/replacements/subcluster-dex.yaml

@@ -0,0 +1,39 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-subcluster-dex-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: localhost/replacement-transformer
+replacements:
+# Dex OIDC Issuer URL
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: utility-treasuremap
+    fieldref: "{.spec.dex.oidc_issuer}"
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs: ["{.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs.oidc-issuer-url}"]
+# Dex client id
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: utility-treasuremap
+    fieldref: "{.spec.dex.client-id}"
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs: ["{.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs.oidc-client-id}"]
+# Dex hostname
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: utility-treasuremap
+    fieldref: "{.spec.dex.hostname}"
+  target:
+    objref:
+      kind: KubeadmControlPlane
+    fieldrefs: [".spec.kubeadmConfigSpec.clusterConfiguration.apiServer.certSANs[0]"]

manifests/type/sub-cluster/provide-infra/kustomization.yaml

@@ -1,9 +1,2 @@
 # NOTE: This directory should not be inherited; it should be redefined within the
 # type that defines the actual sub-cluster.
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - .../../../function/dex-aio
-
-patchesStrategicMerge:
-- patches/dex-aio-helm-patch.yaml