Merge "Dex function - API server under multitenant type" into v2

2021-03-17 00:03:53 +00:00
parent 5b05aa77ab 132799b5ad
commit 4c85120dd0
9 changed files with 168 additions and 0 deletions
--- a/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/README.md
+++ b/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/README.md
@@ -0,0 +1,10 @@
+# DEX-APIServer kustomizations
+
+The "dex-apiserver" folder provides the manifests and patches to configure the API server with
+"oidc" flags.
+
+In order to ensure synchronization with the "dex-aio" service, you MUST ensure that values
+assigned to the API server "oidc" flags are the same used for the "dex-aio" service.
+
+TODO: a shared catalogue shall provide the values shared between "dex-aio" service and
+the cluster's API server "oidc" flags.
--- a/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/apiserver-certs-secret.yaml
+++ b/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/apiserver-certs-secret.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex-apiserver-secret
+data:
+  tls.crt: "<must be same as dex tls certificate-b64>"
--- a/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/oidc-apiserver-flags.json
+++ b/manifests/type/multi-tenant/ephemeral/controlplane/dex-apiserver/oidc-apiserver-flags.json
@@ -0,0 +1,41 @@
+[
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/clusterConfiguration/apiServer",
+    "value": {
+      "extraArgs":
+      {
+        "oidc-ca-file": "/etc/kubernetes/certs/dex-cert",
+        "oidc-client-id": "function-kubernetes",
+        "oidc-groups-claim": "groups",
+        "oidc-issuer-url": "https://dex.function.local:30556/dex",
+        "oidc-username-claim": "email",
+        "oidc-username-prefix": "oidc:"
+      },
+      "extraVolumes":
+      [
+        {
+          "hostPath": "/etc/kubernetes/certs/dex-cert",
+          "mountPath": "/etc/kubernetes/certs/dex-cert",
+          "name": "dex-cert",
+          "readOnly": true
+        }
+      ]
+    }
+  },
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/files/-",
+    "value": {
+      "contentFrom": {
+        "secret": {
+          "key": "tls.crt",
+          "name": "dex-apiserver-secret"
+        }
+      },
+      "owner": "root:root",
+      "path": "/etc/kubernetes/certs/dex-cert",
+      "permissions": "0644"
+    }
+  }
+]
--- a/manifests/type/multi-tenant/ephemeral/controlplane/kustomization.yaml
+++ b/manifests/type/multi-tenant/ephemeral/controlplane/kustomization.yaml
@@ -2,3 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - ../../../airship-core/ephemeral/controlplane
+  - dex-apiserver/apiserver-certs-secret.yaml
+
+patchesJson6902:
+- target:
+    group: controlplane.cluster.x-k8s.io
+    version: v1alpha3
+    kind: KubeadmControlPlane
+    name: cluster-controlplane
+  path: dex-apiserver/oidc-apiserver-flags.json