Treasuremap - Dex, API server & LDAP integration

This patchset integrates the ControlPlane's API server, Dex and LDAP IdP.

The "oidc-apiserver-flags.json" JSON patch file is tailored to the
baremetal operator. It also uses a FQDN for "dex-aio" service that is
not resolvable by the DNS.

This patchset depends on https://review.opendev.org/c/airship/charts/+/785540
which is used to deploy Dex using the function dex-aio. See
treasuremap/manifest/function/dex-aio for implementation details.

Change-Id: I263a5370e6416a7ef7e2813ff362622f49ca4a3c

manifests/type/airship-core/ephemeral/controlplane/dex-apiserver/README.md

@@ -1,10 +1,67 @@
 # DEX-APIServer kustomizations
 
 The "dex-apiserver" folder provides the manifests and patches to configure the API server with
-"oidc" flags.
+"oidc" flags and CA certificate (Secret). Refer to the JSON patch file *oidc-apiserver-flags.json*.
+This patch file adds OIDC flags configuration to the API server in the KubeadmControlPlane CR,
+which is used to create the Target cluster's ControlPlane node and deploy the API server during
+the execution of ***airshipctl phase run controlplane-ephemeral*** command.
 
-In order to ensure synchronization with the "dex-aio" service, you MUST ensure that values
-assigned to the API server "oidc" flags are the same used for the "dex-aio" service.
+>IMPORTANT: The JSON patch is tailored for baremetal provider. If deploying target cluster on a
+>different provider (e.g., Azure, GCP, Openstack), you will need to update this patch, accordingly.
 
-TODO: a shared catalogue shall provide the values shared between "dex-aio" service and
-the cluster's API server "oidc" flags.
+In order to ensure synchronization with the "dex-aio" service, the CA certificate (Secret)
+in the Ephemeral cluster SHALL be copied to the Target cluster. This is achieved by adding the label
+**clusterctl.cluster.x-k8s.io/move: "true"** to the CA Secret. This label idenfies this Secret as
+candidate to the CAPI move command executed by ***airshipctl phase run clusterctl-move*** command.
+
+Once this CA Secret has been moved to the Target cluster, it will be used during **dex-aio** deployment
+to sign Certificates to be used by Dex.
+
+>NOTES on **oidc-apiserver-flags.json**:
+* The (Dex) FQDN for the attribute **oidc-issuer-url** will have to be added to the list under **certSANs**
+* The patches for **"/spec/kubeadmConfigSpec/preKubeadmCommands/-"** are needed if your (Dex) FQDN cannot be resolved by the DNS used by the controlplane node.
+* The **oidc-issuer-url** FQDN and port number MUST match **dex-aio** HelmRelease values for **values.params.endpoints.hostname** and **values.params.endpoints.port.https**. Example below:
+
+Snippet of **oidc-apiserver-flags.json**
+```json
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/clusterConfiguration/apiServer",
+    "value": {
+      "extraArgs":
+      {
+        "oidc-issuer-url": "https://dex.function.local:32556/dex",
+      },
+```
+
+Snippet of **treasuremap/manifests/function/dex-aio/dex-helmrelease.yaml**
+```yaml
+  values:
+    params:
+      endpoints:
+        hostname: dex.function.local
+        port:
+          https: 32556
+```
+
+Also, in case your **dex-aio** FQDN (e.g., **dex.function.local**) cannot be resolved by the DNS configured
+in the control plane node, your JSON patch will also have to include this FQDN to the nodes **/etc/hosts**
+so that the API server can reach **dex-aio** microservice.
+
+Snippet of **oidc-apiserver-flags.json**
+```json
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/preKubeadmCommands/-",
+    "value": "echo '10.23.25.102 dex.function.local' | tee -a /etc/hosts"
+  }
+```
+
+>NOTES on **dex-ca-cert-secret.yaml**:
+* This Secret contains a Certificate Authority (CA) certificate manually generated.
+* The CA certificate was not signed by a known authority
+
+>TODO(s):
+* CA certificate shall be auto generated
+* The CA certificate shall be signed by a known authority
+* The generated CA certificate shall be secured, e.g., encrypted using SOPS

manifests/type/airship-core/ephemeral/controlplane/dex-apiserver/apiserver-certs-secret.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dex-apiserver-secret
-data:
-  tls.crt: dGVtcG9yYWx5IGR1bW15IHRscy5jcnQgZGF0YSBmb3IgdGVzdCBwdXJwb3NlCg==

manifests/type/airship-core/ephemeral/controlplane/dex-apiserver/dex-ca-cert-secret.yaml

@@ -0,0 +1,12 @@
+# Certificate Authority to be used to generate certificates for Dex
+# By cert-manager in the Target-cluster. Also this CA will be used by API server
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex-apiserver-secret
+  labels:
+    clusterctl.cluster.x-k8s.io/move: "true"
+type: kubernetes.io/tls
+data:
+  tls.crt: "target-cluster-ca certificate will be copied by replacement transformer"
+  tls.key: "target-cluster-ca certificate key will be copied by replacement transformer"

manifests/type/airship-core/ephemeral/controlplane/dex-apiserver/oidc-apiserver-flags.json

@@ -7,10 +7,9 @@
       {
         "oidc-ca-file": "/etc/kubernetes/certs/dex-cert",
         "oidc-client-id": "function-kubernetes",
-        "oidc-groups-claim": "groups",
-        "oidc-issuer-url": "https://dex.function.local:30556/dex",
-        "oidc-username-claim": "email",
-        "oidc-username-prefix": "oidc:"
+        "oidc-groups-claim": "group",
+        "oidc-issuer-url": "https://dex.function.local:32556/dex",
+        "oidc-username-claim": "email"
       },
       "extraVolumes":
       [
@@ -20,6 +19,11 @@
           "name": "dex-cert",
           "readOnly": true
         }
+      ],
+      "certSANs":
+      [
+        "dex.function.local",
+        "dex.baremetal.local"
       ]
     }
   },
@@ -37,5 +41,15 @@
       "path": "/etc/kubernetes/certs/dex-cert",
       "permissions": "0644"
     }
+  },
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/preKubeadmCommands/-",
+    "value": "echo '10.23.25.102 dex.baremetal.local' | tee -a /etc/hosts"
+  },
+  {
+    "op": "add",
+    "path": "/spec/kubeadmConfigSpec/preKubeadmCommands/-",
+    "value": "echo '10.23.25.102 dex.function.local' | tee -a /etc/hosts"
   }
 ]

manifests/type/airship-core/ephemeral/controlplane/kustomization.yaml

@@ -2,12 +2,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../../../function/k8scontrol-ha
-#   - dex-apiserver/apiserver-certs-secret.yaml
+  - dex-apiserver/dex-ca-cert-secret.yaml
 
-# patchesJson6902:
-# - target:
-#     group: controlplane.cluster.x-k8s.io
-#     version: v1alpha3
-#     kind: KubeadmControlPlane
-#     name: cluster-controlplane
-#   path: dex-apiserver/oidc-apiserver-flags.json
+patchesJson6902:
+  - target:
+      group: controlplane.cluster.x-k8s.io
+      version: v1alpha3
+      kind: KubeadmControlPlane
+      name: "cluster-controlplane"
+    path: dex-apiserver/oidc-apiserver-flags.json

manifests/type/airship-core/ephemeral/controlplane/replacements/kustomization.yaml

@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - ../../../../../function/k8scontrol-ha/replacements
   - ../../../../../../../airshipctl/manifests/function/k8scontrol/replacements
+  - update-dex.yaml

manifests/type/airship-core/ephemeral/controlplane/replacements/update-dex.yaml

@@ -0,0 +1,19 @@
+apiVersion: airshipit.org/v1alpha1
+kind: ReplacementTransformer
+metadata:
+  name: k8scontrol-cluster-dex-replacements
+  annotations:
+    config.kubernetes.io/function: |-
+      container:
+        image: quay.io/airshipit/replacement-transformer:v2.0.2
+replacements:
+- source:
+    objref:
+      kind: VariableCatalogue
+      name: generated-secrets
+    fieldref: "{.targetClusterCa}"
+  target:
+    objref:
+      kind: Secret
+      name: dex-apiserver-secret
+    fieldrefs: ["{.data}"]