Enhance Dex Deployment to Pull Configuration from Catalogues for Target Cluster #135
Comments
You can assign this issue to me.
Similar comment as #136
This feature can only be partially implemented. The replacement transformer can be applied to the dex-aio HelmRelease resource but cannot be applied to the API server OIDC configuration as the "kustomization" is done through JSON format patch. The There is a new kustomize feature (in kustomize v4.1.2), OpenAPI Schema that supports this capability. The example provided works exactly as described but unfortunately, when I applied to the
@sshiba I removed "Replica counts for the Dex pods" as a configuration item in the catalogue. Rather than including replica counts as a catalogue item, if the default replica count needs to be overridden, it can be done at the site level via a kustomize patch.
Feature being implemented in https://review.opendev.org/c/airship/treasuremap/+/791835.
Addressed comments in PS but still need to decide where to put strategic merge for dex/LDAP connector.
PS https://review.opendev.org/c/airship/treasuremap/+/791835 includes Dex/LDAP patch (patchesStrategicMerge) in treasuremap/manifests/type/subcluster/provide-infra, which will be invoked by lma and wordpress under /type/multi-tenant/subclusters
https://review.opendev.org/c/airship/treasuremap/+/791835 is ready for review. Just waiting for zuul to pass first.
https://review.opendev.org/c/airship/treasuremap/+/791835 is ready for review
As the HelmRepository resource used by dex-aio was renamed and moved to airshipctl/manifest/function/helm-chart-repository, airship-core (workload) and multi-tenant (workload) types were updated accordingly.

Relates-To: #135
Change-Id: Ia4bd9af2d388b921c18e62e770a2a6d0744cbee8
This patchset introduces the VariableCatalogue and respective Replacement transformers for the Dex/API server. It also implements the kustomization of LDAP values through patches.

The VariableCatalogue for Dex/API server is located under manifests/function/treasuremap-base-catalogues/utility-catalogue.yaml.

The replacement transformers for Dex HelmRelease and API server are located at:
- Dex HelmRelease: manifests/function/dex-aio/replacements
- API Server: manifests/function/k8scontrol-ha/replacements

The API server replacement transformer is invoked when executing the command "airshipctl phase run controlplane-ephemeral". The dex-aio service replacement transformer is invoked when executing the command "airshipctl phase run workload-target". During this phase the LDAP values are also "kustomized" through patchesStrategicMerge. A similar patch was added for the subclusters/provide-infra.

Also updated dex-aio nodeSelector to deploy pod on the worker node.

This patchset also supports the LDAP Group authentication. It also updated treasuremap/manifests/site/test-site/target/encrypted/results/imported/secrets.yaml with the encrypted LDAP Binding password.

Relates-To: #135, #137, #128
Change-Id: Ie7eef44a8f0e9d02860a94a4140841d8662f8c85
PS https://review.opendev.org/c/airship/treasuremap/+/791835 has been merged completing this issue.
Problem description
Currently, the configuration for Dex (#19) in a target cluster has values hard-coded in function/type manifests.
Proposed change
Enhance Dex deployment such that configuration for Dex is set/overridden in site-specific catalogues and that sensitive information (CA certs/keys, passwords) is properly encrypted when saved.
Configuration includes: