Configuring a Koris cluster to use Dex

noris-network · Mar 4, 2019 · e36e826 · e36e826
1 parent f78b30f
commit e36e826
Show file tree

Hide file tree

Showing 23 changed files with 1,842 additions and 158 deletions.
diff --git a/.gitignore b/.gitignore
@@ -107,3 +107,6 @@ ENV/
 # mypy
 .mypy_cache/
 .idea
+
+# VSCode project settings
+.vscode/
diff --git a/.pylintrc b/.pylintrc
@@ -1,4 +1,5 @@
 [pre-commit-hook]
+params=--rcfile=.pylintrc
 limit=10.0
 
 [MASTER]
@@ -14,7 +15,7 @@ ignore=CVS
 
 # Add files or directories matching the regex patterns to the blacklist. The
 # regex matches against base names, not paths.
-ignore-patterns=
+ignore-patterns=test_
 
 # Python code to execute, usually for sys.path manipulation such as
 # pygtk.require().

diff --git a/Makefile b/Makefile
@@ -1,7 +1,6 @@
 SHELL := /bin/bash
 .PHONY: clean clean-test clean-pyc clean-build docs help integration-patch-wait \
-	clean-lb-after-integration-test \
-	clean-lb
+	clean-lb-after-integration-test clean-lb
 
 .DEFAULT_GOAL := help
 
@@ -357,7 +356,6 @@ install-git-hooks:
 build-exec: ## build a single file executable of koris
 	pyinstaller koris.spec
 
-
 build-exec-in-docker:
 	docker run --rm -v $(PWD):/usr/src/ $(ORG)/koris-builder:$(TAG)
 # vim: tabstop=4 shiftwidth=4
diff --git a/addons/dex/00-dex.yaml b/addons/dex/00-dex.yaml
@@ -0,0 +1,144 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: dex
+  name: dex
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: dex
+    spec:
+      serviceAccountName: dex # This is created below
+      containers:
+      - image: quay.io/dexidp/dex:v2.10.0
+        name: dex
+        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+
+        ports:
+        - name: https
+          containerPort: 5556
+
+        volumeMounts:
+        - name: config
+          mountPath: /etc/dex/cfg
+        - name: tls
+          mountPath: /etc/dex/tls
+
+        # Your app-id and app-secret need to be provided as env variables
+        # env:
+        # - name: GITLAB_CLIENT_ID
+        #   valueFrom:
+        #     secretKeyRef:
+        #       name: gitlab-client
+        #       key: client-id
+        # - name: GITLAB_CLIENT_SECRET
+        #   valueFrom:
+        #     secretKeyRef:
+        #       name: gitlab-client
+        #       key: client-secret
+
+      volumes:
+      - name: config
+        configMap:
+          name: dex
+          items:
+          - key: config.yaml
+            path: config.yaml
+      - name: tls
+        secret:
+          secretName: dex.tls
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: dex
+data:
+  config.yaml: |
+    issuer: https://127.0.0.1:32000
+    storage:
+      type: kubernetes
+      config:
+        inCluster: true
+    web:
+      https: 0.0.0.0:5556
+      tlsCert: /etc/dex/tls/tls.crt
+      tlsKey: /etc/dex/tls/tls.key
+    # Add your connectors
+    # connectors:
+    #   - type: gitlab
+    #     id: gitlab
+    #     name: Gitlab
+    #     config:
+    #       baseURL: https://gitlab.com
+    #       clientID: $GITLAB_CLIENT_ID
+    #       clientSecret: $GITLAB_CLIENT_SECRET
+    #       redirectURI: https://127.0.0.1:32000/callback
+    oauth2:
+      skipApprovalScreen: true
+    
+    # If desired, add your static clients
+    # staticClients:
+    # - id: example-app
+    #   redirectURIs:
+    #   - 'http://127.0.0.1:5555/callback'
+    #   name: 'Example App'
+    #   secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+    enablePasswordDB: true
+    # If desired, add static passwords
+    # staticPasswords:
+    # - email: "[email protected]"
+    #   # bcrypt hash of the string "password"
+    #   hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+    #   username: "admin"
+    #   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+spec:
+  type: NodePort
+  ports:
+  - name: dex
+    port: 5556
+    protocol: TCP
+    targetPort: 5556
+    nodePort: 32000
+  selector:
+    app: dex
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: dex
+  name: dex
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: dex
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: dex
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dex
+subjects:
+- kind: ServiceAccount
+  name: dex           # Service account assigned to the dex pod, created above
+  namespace: default  # The namespace dex is running in
diff --git a/addons/dex/01-example-app.yml b/addons/dex/01-example-app.yml
@@ -0,0 +1,48 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name:  dex-example-app
+  labels:
+    app: dex-example-app
+spec:
+  selector:
+    app:  dex-example-app
+  type:  NodePort
+  ports:
+  # Change your ports accordingly
+  - name: callback
+    port:  5555
+    nodePort: 32555
+    targetPort:  http
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: dex-example-app
+  name: dex-example-app
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: dex-example-app
+    spec:
+      containers:
+      - name: dex-example-app
+        image: obitech/dex-example-app
+        # Configure your issuer and redirect accordingly
+        args: ["--issuer", "https://127.0.0.1:32000",
+          "--issuer-root-ca", "/etc/dex/tls/dex-ca.pem",
+          "--listen", "http://0.0.0.0:5555",
+          "--redirect-uri", "http://127.0.0.1:5555/callback"]
+        ports:
+        - name: http
+          containerPort: 5555
+        volumeMounts:
+        - name: root-ca
+          mountPath: /etc/dex/tls
+      volumes:
+      - name: root-ca
+        secret:
+          secretName: dex.root-ca
diff --git a/addons/dex/02-clusterrolebinding.yml b/addons/dex/02-clusterrolebinding.yml
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: your-user-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: User
+  name: your-user-here
diff --git a/configs/example-config.yml b/configs/example-config.yml
@@ -5,19 +5,17 @@
 # https://www.noris.cloud/services/compute/openstack-nova/?lang=en#details
 master_flavor: 'ECS.GP1.2-8'
 node_flavor: 'ECS.C1.4-8'
-# If your project has multiple networks you MUST specify the subnetwork
-# don't change this unless you know what you are doing.
-# per default koris will create a network for your cluster and route
-# this network to ext02 network in openstack if this is undesired change this
-#private_net:
-# name: 'korispipeline-office-net'
-# subnet:
-#  name: 'sub-korispipeline-office-net'
-#  cidr: '10.36.18.0/27'
-#  This is optional - if no router name is given a new one will be created
-#  router:
-#   name: 'router-name'
-#   network: 'ext02'
+
+# Specify the name of the network and subnet with CIDR range. If it doesn't
+# exist, koris will create it for you.
+private_net: 
+  name: 'k8s-nude'
+  subnet: 
+    name: 'NORIS-NUDE-OS-K8S-DEV-SUBNET'
+    cidr: '10.32.192.0/24'
+    #  This is optional - if no router name is given a new one will be created
+    router:
+      name: 'NORIS-K8S-NUDE-OS-MGMT-ROUTER'
 cluster-name: 'change-me'
 availibility-zones:
  - de-nbg6-1b
@@ -69,3 +67,29 @@ pod_subnet: "10.233.0.0/16"
 # Certificate expiry
 certificates:
   expriry: 8760h
+
+# Specify addons that should be deployed with koris
+# addons:
+#   # Dex is an OAuth2 / OpenID Connect application used to
+#   # authenticate a user against a Kubernetes cluster.
+#   # To use Dex, a Floating IP or DNS name is required, which will be
+#   # used as the Issuer for the Dex CA.
+#   # When the below block is set, the LoadBalancer will be configured properly,
+#   # a CA infrastrastructure is created and the apiserver will be launched with the
+#   # necessary flags. To deploy the rest, please consult the documentation.
+#   # For more information about Dex see: https://github.com/dexidp/dex
+#   dex:
+#     username_claim: email     # optional
+#     groups_claim: groups      # optional
+#     # LB-Listener and K8s-Service ports for Dex
+#     ports:
+#       listener: 32000
+#       service: 32000
+#     # Configuration parameters for an OAuth2 application that is deployed into
+#     # the cluster
+#     client:
+#       id: example-app
+#       # LB-Listener and K8s-Service ports for the OAuth2 application
+#       ports:
+#         listener: 5555
+#         service: 32555