diff --git a/manifests/function/dex-aio/replacements/update-dex.yaml b/manifests/function/dex-aio/replacements/update-dex.yaml index d1d941dd6..efe8001e4 100644 --- a/manifests/function/dex-aio/replacements/update-dex.yaml +++ b/manifests/function/dex-aio/replacements/update-dex.yaml @@ -1,7 +1,7 @@ apiVersion: airshipit.org/v1alpha1 kind: ReplacementTransformer metadata: - name: k8scontrol-cluster-dex-replacements + name: k8scontrol-dex-replacements annotations: config.kubernetes.io/function: |- container: diff --git a/manifests/site/reference-multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml b/manifests/site/reference-multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml index b8357db07..8a4daace5 100644 --- a/manifests/site/reference-multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml +++ b/manifests/site/reference-multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml @@ -4,6 +4,7 @@ resources: # This pulls in general site catalog information which is valid across clusters # It also pulls in undercloud-specific values, which will be replaced below - ../../../target/catalogues/ + - ../../../../../type/multi-tenant/sub-clusters/lma/catalogues/ patchesStrategicMerge: - patches/versions-treasuremap.yaml @@ -12,3 +13,4 @@ transformers: # This replaces lma-specific network data from the lma stanza # of the subcluster-networking catalogue into the standard networking catalogue - ../../../../../type/multi-tenant/sub-clusters/lma/catalogue-replacements + diff --git a/manifests/site/virtual-network-cloud/sub-clusters/lma/catalogues/kustomization.yaml b/manifests/site/virtual-network-cloud/sub-clusters/lma/catalogues/kustomization.yaml index b8357db07..8a4daace5 100644 --- a/manifests/site/virtual-network-cloud/sub-clusters/lma/catalogues/kustomization.yaml +++ b/manifests/site/virtual-network-cloud/sub-clusters/lma/catalogues/kustomization.yaml 
@@ -4,6 +4,7 @@ resources: # This pulls in general site catalog information which is valid across clusters # It also pulls in undercloud-specific values, which will be replaced below - ../../../target/catalogues/ + - ../../../../../type/multi-tenant/sub-clusters/lma/catalogues/ patchesStrategicMerge: - patches/versions-treasuremap.yaml @@ -12,3 +13,4 @@ transformers: # This replaces lma-specific network data from the lma stanza # of the subcluster-networking catalogue into the standard networking catalogue - ../../../../../type/multi-tenant/sub-clusters/lma/catalogue-replacements + diff --git a/manifests/site/virtual-network-cloud/sub-clusters/wordpress/catalogues/kustomization.yaml b/manifests/site/virtual-network-cloud/sub-clusters/wordpress/catalogues/kustomization.yaml index 3ffedcd1b..b693ef284 100644 --- a/manifests/site/virtual-network-cloud/sub-clusters/wordpress/catalogues/kustomization.yaml +++ b/manifests/site/virtual-network-cloud/sub-clusters/wordpress/catalogues/kustomization.yaml @@ -4,6 +4,7 @@ resources: # This pulls in general site catalog information which is valid across clusters # It also pulls in undercloud-specific values, which will be replaced below - ../../../target/catalogues/ + - ../../../../../type/multi-tenant/sub-clusters/wordpress/catalogues/ patchesStrategicMerge: - patches/versions-treasuremap.yaml @@ -12,3 +13,4 @@ transformers: # This replaces wordpress-specific network data from the wordpress stanza # of the subcluster-networking catalogue into the standard networking catalogue - ../../../../../type/multi-tenant/sub-clusters/wordpress/catalogue-replacements + diff --git a/manifests/site/virtual-network-cloud/sub-clusters/wordpress/controlplane/kustomization.yaml b/manifests/site/virtual-network-cloud/sub-clusters/wordpress/controlplane/kustomization.yaml index be1241e1e..45c758688 100644 --- a/manifests/site/virtual-network-cloud/sub-clusters/wordpress/controlplane/kustomization.yaml 
+++ b/manifests/site/virtual-network-cloud/sub-clusters/wordpress/controlplane/kustomization.yaml @@ -1,6 +1,6 @@ resources: - ../../../../../type/multi-tenant/sub-clusters/wordpress/controlplane - - ../../../target/catalogues + - ../catalogues transformers: - ../../../../../type/multi-tenant/sub-clusters/wordpress/controlplane/replacements diff --git a/manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml b/manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml index 4731797ef..41db3d16c 100644 --- a/manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml +++ b/manifests/type/multi-tenant/shared/catalogues/subcluster-networking.yaml @@ -27,7 +27,7 @@ spec: exposed_services: - name: auth - nodePort: 30556 + nodePort: 30566 - name: jumpHost nodePort: 30001 - name: loadBalancerControlPlane @@ -59,11 +59,11 @@ spec: controlPlaneEndpoint: host: "10.23.25.102" port: 6443 - apiserverCertSANs: [10.23.25.201, 10.23.24.201] + apiserverCertSANs: "[10.23.25.201, 10.23.24.201]" exposed_services: - name: auth - nodePort: 30556 + nodePort: 30576 - name: jumpHost nodePort: 30001 - name: loadBalancerControlPlane diff --git a/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/kustomization.yaml index da07f073f..f47994974 100644 --- a/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - subcluster-networking.yaml \ No newline at end of file + - subcluster-networking.yaml + - subcluster-dex.yaml \ No newline at end of file 
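Review bot: In the second stanza `apiserverCertSANs` is now the single string `"[10.23.25.201, 10.23.24.201]"` rather than a two-element sequence, while the hunk at line 27 only touches the nodePort and so presumably leaves the first stanza's SANs in list form, so the two sub-cluster stanzas no longer share a shape. If a replacement copies this value into the apiserver's `certSANs`, the cert gets one bogus SAN literal instead of two IP SANs and clients reaching the apiserver on those addresses fail verification; if the quoting works around a flow-sequence problem in the replacement transformer, a block sequence (`- 10.23.25.201` / `- 10.23.24.201`) avoids both issues. The nodePort split (30556 → 30566 and 30576) looks deliberate since both stanzas previously claimed the same port on the shared host network; a short comment such as `# auth nodePorts must be unique across sub-clusters sharing the target-cluster hosts` would stop the next sub-cluster from reusing one.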
diff --git a/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/subcluster-dex.yaml b/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/subcluster-dex.yaml new file mode 100644 index 000000000..7a94c03ef --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/catalogue-replacements/subcluster-dex.yaml @@ -0,0 +1,29 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: dex-subcluster-networking + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: VariableCatalogue + name: subcluster-networking + fieldref: "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}" + target: + objref: + kind: VariableCatalogue + name: utility-subcluster-lma + fieldrefs: [".spec.dex.oidc_issuer%PORT%"] +- source: + objref: + kind: VariableCatalogue + name: utility-subcluster-lma + fieldref: "{.spec.dex.oidc_issuer}" + target: + objref: + kind: VariableCatalogue + name: utility-treasuremap + fieldrefs: ["{.spec.dex.oidc_issuer}"] diff --git a/manifests/type/multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml new file mode 100644 index 000000000..8ac2b86a3 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/catalogues/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - oidc-utility-subcluster.yaml diff --git a/manifests/type/multi-tenant/sub-clusters/lma/catalogues/oidc-utility-subcluster.yaml b/manifests/type/multi-tenant/sub-clusters/lma/catalogues/oidc-utility-subcluster.yaml new file mode 100644 index 000000000..f02e328e2 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/catalogues/oidc-utility-subcluster.yaml 
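Review bot: The issuer that ends up in the apiserver's `oidc-issuer-url` is the hard-coded `https://dex.utility.local:PORT/dex` from oidc-utility-subcluster.yaml with only `PORT` substituted, while the hostname written into the apiserver cert SANs (sub-cluster/controlplane/replacements/subcluster-dex.yaml) comes from `utility-treasuremap` `.spec.dex.hostname`; nothing ties the two together. kube-apiserver fetches `<issuer>/.well-known/openid-configuration` over TLS and requires the advertised `issuer` to match the flag exactly, so a host changed in one place but not the other fails closed (an outage rather than a bypass, but hard to diagnose). Either source the host from the same catalogue field, or add `# host must equal utility-treasuremap .spec.dex.hostname and Dex's configured issuer` above `oidc_issuer`. The target fieldref `".spec.dex.oidc_issuer%PORT%"` is an unbraced path with a `%PORT%` marker while every other fieldref is a braced JSONPath; if the transformer accepts both, a one-line comment saying so would help the next reader.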
@@ -0,0 +1,7 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + name: utility-subcluster-lma +spec: + dex: + oidc_issuer: https://dex.utility.local:PORT/dex diff --git a/manifests/type/sub-cluster/provide-infra/patches/dex-aio-helm-patch.yaml b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/dex-aio-helm-patch.yaml similarity index 80% rename from manifests/type/sub-cluster/provide-infra/patches/dex-aio-helm-patch.yaml rename to manifests/type/multi-tenant/sub-clusters/lma/controlplane/dex-aio-helm-patch.yaml index aed72350e..4ddd875e1 100644 --- a/manifests/type/sub-cluster/provide-infra/patches/dex-aio-helm-patch.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/dex-aio-helm-patch.yaml @@ -2,13 +2,11 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: dex-aio - namespace: default spec: values: params: ldap: - bind_password: "your LDAP bind password" - name: "LDAP TEST SERVICES" + name: "LDAP TEST IT SERVICES" config: host: "your LDAP FQDN" bind_dn: "your LDAP bind username" diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/kustomization.yaml index e72fba935..cea574dd4 100644 --- a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/kustomization.yaml @@ -7,3 +7,14 @@ patchesStrategicMerge: - patches/metal3machinetemplate.yaml - patches/controlplane.yaml - patches/cluster.yaml + - dex-aio-helm-patch.yaml + - subcluster-issuer-patch.yaml + +patches: + - target: + group: controlplane.cluster.x-k8s.io + version: v1alpha3 + kind: KubeadmControlPlane + path: oidc-apiserver-ca-cert.json + +namespace: lma-infra 
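Review bot: The LDAP settings left in dex-aio-helm-patch.yaml are still placeholders (`host: "your LDAP FQDN"`, `bind_dn: "your LDAP bind username"`, `dc=testservices,dc=test,dc=com`) in a type-level manifest that both sub-clusters inherit byte-for-byte (the wordpress copy has the same blob id), so a site that forgets to override them ships a Dex that cannot bind — a login outage rather than a bypass, but the file should say so: `# Placeholder LDAP settings: override host/bind_dn/base DNs per site; bind_password is injected from generated secrets`. Dropping `bind_password` from the patch is consistent with the `{.dex.ldap.subcluster-lma.bind_password}` replacement, and the bind account should be a read-only one scoped to the search bases. Nothing in the hunk shows the LDAP transport settings (`insecureNoSSL`, `insecureSkipVerify`, `rootCA`), so whether the bind password crosses the network in cleartext depends on the chart's defaults; worth pinning explicitly. The HelmRelease values continue past the hunk.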
diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/oidc-apiserver-ca-cert.json b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/oidc-apiserver-ca-cert.json new file mode 100644 index 000000000..4df1074ac --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/oidc-apiserver-ca-cert.json @@ -0,0 +1,14 @@ +[ + { + "op": "replace", + "path": "/spec/kubeadmConfigSpec/files/1/contentFrom", + "value": { + "secret": { + "key": "tls.crt", + "name": "target-cluster-ca-lma" + } + }, + "owner": "root:root", + "permissions": "0644" + } +] diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/dex-update.yaml b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/dex-update.yaml new file mode 100644 index 000000000..98b6a771b --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/dex-update.yaml @@ -0,0 +1,19 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: subcluster-dex-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: Issuer + name: workload-cluster-ca-issuer-lma + fieldref: "{.metadata.name}" + target: + objref: + kind: HelmRelease + name: dex-aio-lma + fieldrefs: ["{.spec.values.params.endpoints.tls.issuer.name}"] diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/kustomization.yaml index 6a0fe2bb9..7b5cb9688 100644 --- a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/kustomization.yaml 
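Review bot: `owner` and `permissions` in this JSON 6902 operation are not RFC 6902 members (`op`, `path`, `value`, `from`), so the patch engine ignores them and the file entry keeps whatever mode it already has; if 0644/root is meant to be enforced for the OIDC CA file they need their own operations, `{"op": "replace", "path": "/spec/kubeadmConfigSpec/files/1/permissions", "value": "0644"}` and likewise for `/owner`, otherwise drop the two keys. Addressing the entry positionally (`/files/1`) also silently targets the wrong file if the k8scontrol-oidc function ever reorders its `files` list, so the kustomization that references this patch would benefit from a comment naming the path `files/1` is expected to be. The CA handed to the apiserver is the `tls.crt` of `target-cluster-ca-lma`, which is only correct while that is the CA signing Dex's serving certificate through `workload-cluster-ca-issuer-lma` (dex-update.yaml in this same change).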
@@ -1,6 +1,8 @@ resources: - ../../../../../sub-cluster/controlplane/replacements - networking.yaml + - dex-update.yaml + patchesJson6902: - target: group: airshipit.org @@ -8,3 +10,9 @@ patchesJson6902: kind: ReplacementTransformer name: k8scontrol-cluster-replacements path: patches/cluster.json + - target: + group: airshipit.org + version: v1alpha1 + kind: ReplacementTransformer + name: k8scontrol-dex-replacements + path: patches/subcluster-dex.json diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/patches/subcluster-dex.json b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/patches/subcluster-dex.json new file mode 100644 index 000000000..474d9ec9c --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/replacements/patches/subcluster-dex.json 
@@ -0,0 +1,92 @@ +[ + { + "op": "replace", + "path": "/replacements/0/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/1/source/fieldref", + "value": "{.dex.ldap.subcluster-lma.bind_password}" + }, + { + "op": "replace", + "path": "/replacements/1/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/2/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/3/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/4/source/objref/name", + "value": "subcluster-networking" + }, + { + "op": "replace", + "path": "/replacements/4/source/fieldref", + "value": "{.spec.lma.exposed_services[?(.name == 'auth')].nodePort}" + }, + { + "op": "replace", + "path": "/replacements/4/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/5/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/6/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/7/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/8/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/9/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/10/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/11/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/12/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/13/target/objref/name", + "value": "dex-aio-lma" + }, + { + "op": "replace", + "path": "/replacements/14/target/objref/name", + "value": "dex-aio-lma" + } +] 
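Review bot: The eighteen operations retarget the dex-aio replacement list purely by index (`/replacements/0` … `/replacements/14`), so any insertion or reordering in function/dex-aio/replacements/update-dex.yaml silently shifts which replacement gets which target — and replacement 1 is the LDAP bind password, so a shift there could route a secret into an unintended HelmRelease field. JSON cannot carry a comment, so record the coupling next to the patch reference in replacements/kustomization.yaml, e.g. `# indices in patches/subcluster-dex.json mirror the order of replacements in function/dex-aio/replacements/update-dex.yaml`. The bind-password fieldref `{.dex.ldap.subcluster-lma.bind_password}` has no `.spec` prefix unlike the other catalogue paths; presumably that matches the generated-secrets document layout, but it should be checked, since what happens when a source path resolves to nothing depends on the transformer.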
diff --git a/manifests/type/multi-tenant/sub-clusters/lma/controlplane/subcluster-issuer-patch.yaml b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/subcluster-issuer-patch.yaml new file mode 100644 index 000000000..84e912782 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/lma/controlplane/subcluster-issuer-patch.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Issuer +metadata: + name: workload-cluster-ca-issuer +spec: + ca: + secretName: target-cluster-ca-lma diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/kustomization.yaml index da07f073f..f47994974 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - subcluster-networking.yaml \ No newline at end of file + - subcluster-networking.yaml + - subcluster-dex.yaml \ No newline at end of file diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/subcluster-dex.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/subcluster-dex.yaml new file mode 100644 index 000000000..b7351c729 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogue-replacements/subcluster-dex.yaml 
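Review bot: Backing a cert-manager CA `Issuer` with `target-cluster-ca-lma` lets cert-manager sign arbitrary certificates with that CA's private key; if that secret is the CAPI-managed cluster CA (the one the lma apiserver uses for `--client-ca-file`), anyone allowed to create `Certificate`/`CertificateRequest` objects in `lma-infra` can obtain a client certificate carrying e.g. `O=system:masters` that the apiserver accepts, turning namespace-scoped cert-manager access into cluster-admin on the sub-cluster. Consider a dedicated CA for Dex's serving certificate and pointing oidc-apiserver-ca-cert.json at that CA's secret instead, or at minimum document the trust decision: `# NOTE: this Issuer signs with the sub-cluster CA; restrict Certificate creation in this namespace accordingly`. `cert-manager.io/v1alpha2` is also a deprecated API version, so check what the installed cert-manager release still serves.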
@@ -0,0 +1,30 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: dex-subcluster-networking + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: VariableCatalogue + name: subcluster-networking + fieldref: "{.spec.wordpress.exposed_services[?(.name == 'auth')].nodePort}" + target: + objref: + kind: VariableCatalogue + name: utility-subcluster-wordpress + fieldrefs: [".spec.dex.oidc_issuer%PORT%"] +# Dex OIDC Issuer URL +- source: + objref: + kind: VariableCatalogue + name: utility-subcluster-wordpress + fieldref: "{.spec.dex.oidc_issuer}" + target: + objref: + kind: VariableCatalogue + name: utility-treasuremap + fieldrefs: ["{.spec.dex.oidc_issuer}"] diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/kustomization.yaml new file mode 100644 index 000000000..8ac2b86a3 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - oidc-utility-subcluster.yaml diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/oidc-utility-subcluster.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/oidc-utility-subcluster.yaml new file mode 100644 index 000000000..45b1c804f --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/catalogues/oidc-utility-subcluster.yaml @@ -0,0 +1,7 @@ +apiVersion: airshipit.org/v1alpha1 +kind: VariableCatalogue +metadata: + name: utility-subcluster-wordpress +spec: + dex: + oidc_issuer: https://dex.utility.local:PORT/dex 
diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/dex-aio-helm-patch.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/dex-aio-helm-patch.yaml new file mode 100644 index 000000000..4ddd875e1 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/dex-aio-helm-patch.yaml @@ -0,0 +1,17 @@ +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: dex-aio +spec: + values: + params: + ldap: + name: "LDAP TEST IT SERVICES" + config: + host: "your LDAP FQDN" + bind_dn: "your LDAP bind username" + username_prompt: SSO Username + user_search: + base_dn: dc=testservices,dc=test,dc=com + group_search: + base_dn: ou=groups,dc=testservices,dc=test,dc=com diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/kustomization.yaml index bb698592d..74d362ab8 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/kustomization.yaml @@ -4,4 +4,15 @@ resources: nameSuffix: -wordpress patchesStrategicMerge: - - patches/metal3machinetemplate.yaml +- patches/metal3machinetemplate.yaml +- dex-aio-helm-patch.yaml +- subcluster-issuer-patch.yaml + +patches: + - target: + group: controlplane.cluster.x-k8s.io + version: v1alpha3 + kind: KubeadmControlPlane + path: oidc-apiserver-ca-cert.json + +namespace: wordpress-infra diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/oidc-apiserver-ca-cert.json b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/oidc-apiserver-ca-cert.json new file mode 100644 index 000000000..bbd7e6591 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/oidc-apiserver-ca-cert.json 
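Review bot: The `patchesStrategicMerge` entries were switched from the indented `  - patches/...` form to flush `- ...` while the new `patches:` list below stays indented and the lma counterpart (controlplane/kustomization.yaml in this same change) keeps the indented form; both are valid YAML, but mixing styles in one file trips yamllint's `indentation` check and makes the two sub-cluster kustomizations harder to diff. Restoring the two-space indent on the three `patchesStrategicMerge` items keeps the file consistent. The wordpress dex-aio-helm-patch.yaml above carries the same placeholder LDAP host/bind DN as the lma copy and should get the same "override at site level" comment.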
@@ -0,0 +1,14 @@ +[ + { + "op": "replace", + "path": "/spec/kubeadmConfigSpec/files/1/contentFrom", + "value": { + "secret": { + "key": "tls.crt", + "name": "target-cluster-ca-wordpress" + } + }, + "owner": "root:root", + "permissions": "0644" + } +] diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/dex-update.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/dex-update.yaml new file mode 100644 index 000000000..2ef3b96a2 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/dex-update.yaml @@ -0,0 +1,19 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: subcluster-dex-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +- source: + objref: + kind: Issuer + name: workload-cluster-ca-issuer-wordpress + fieldref: "{.metadata.name}" + target: + objref: + kind: HelmRelease + name: dex-aio-wordpress + fieldrefs: ["{.spec.values.params.endpoints.tls.issuer.name}"] diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/kustomization.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/kustomization.yaml index 6a0fe2bb9..7b5cb9688 100644 --- a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/kustomization.yaml +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/kustomization.yaml @@ -1,6 +1,8 @@ resources: - ../../../../../sub-cluster/controlplane/replacements - networking.yaml + - dex-update.yaml + patchesJson6902: - target: group: airshipit.org 
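Review bot: As in the lma copy, `owner` and `permissions` here are not JSON-Patch operation members and are dropped by the patch engine; either add separate `replace` ops for `/spec/kubeadmConfigSpec/files/1/permissions` and `/owner`, or remove the two keys if `files/1` already sets them. Since the two files differ only in the secret name, a single shared patch with the secret name injected by a replacement would avoid fixing this twice and would keep the positional `/files/1` dependency in one place.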
@@ -8,3 +10,9 @@ patchesJson6902: kind: ReplacementTransformer name: k8scontrol-cluster-replacements path: patches/cluster.json + - target: + group: airshipit.org + version: v1alpha1 + kind: ReplacementTransformer + name: k8scontrol-dex-replacements + path: patches/subcluster-dex.json diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/patches/subcluster-dex.json b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/patches/subcluster-dex.json new file mode 100644 index 000000000..9d9026a33 --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/replacements/patches/subcluster-dex.json 
@@ -0,0 +1,92 @@ +[ + { + "op": "replace", + "path": "/replacements/0/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/1/source/fieldref", + "value": "{.dex.ldap.subcluster-wordpress.bind_password}" + }, + { + "op": "replace", + "path": "/replacements/1/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/2/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/3/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/4/source/objref/name", + "value": "subcluster-networking" + }, + { + "op": "replace", + "path": "/replacements/4/source/fieldref", + "value": "{.spec.wordpress.exposed_services[?(.name == 'auth')].nodePort}" + }, + { + "op": "replace", + "path": "/replacements/4/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/5/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/6/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/7/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/8/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/9/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/10/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/11/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/12/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/13/target/objref/name", + "value": "dex-aio-wordpress" + }, + { + "op": "replace", + "path": "/replacements/14/target/objref/name", + "value": 
"dex-aio-wordpress" + } +] diff --git a/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/subcluster-issuer-patch.yaml b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/subcluster-issuer-patch.yaml new file mode 100644 index 000000000..5b0ac089c --- /dev/null +++ b/manifests/type/multi-tenant/sub-clusters/wordpress/controlplane/subcluster-issuer-patch.yaml @@ -0,0 +1,7 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Issuer +metadata: + name: workload-cluster-ca-issuer +spec: + ca: + secretName: target-cluster-ca-wordpress diff --git a/manifests/type/sub-cluster/controlplane/kustomization.yaml b/manifests/type/sub-cluster/controlplane/kustomization.yaml index a7d2b00d1..d40649563 100644 --- a/manifests/type/sub-cluster/controlplane/kustomization.yaml +++ b/manifests/type/sub-cluster/controlplane/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../../../../airshipctl/manifests/function/k8scontrol - # Switch to this once we want to add Dex back in - #- ../../../function/k8scontrol-oidc + - ../../../function/k8scontrol-oidc + - ../../../function/dex-aio patchesJson6902: - target: diff --git a/manifests/type/sub-cluster/controlplane/replacements/kustomization.yaml b/manifests/type/sub-cluster/controlplane/replacements/kustomization.yaml index 66a00c805..d36f6fae0 100644 --- a/manifests/type/sub-cluster/controlplane/replacements/kustomization.yaml +++ b/manifests/type/sub-cluster/controlplane/replacements/kustomization.yaml @@ -2,8 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ../../../../function/dex-aio/replacements - versions.yaml - k8s-control-env-vars.yaml - generated-secrets.yaml - networking.yaml - cluster.yaml + - subcluster-dex.yaml 
diff --git a/manifests/type/sub-cluster/controlplane/replacements/subcluster-dex.yaml b/manifests/type/sub-cluster/controlplane/replacements/subcluster-dex.yaml new file mode 100644 index 000000000..3fd2d757c --- /dev/null +++ b/manifests/type/sub-cluster/controlplane/replacements/subcluster-dex.yaml @@ -0,0 +1,39 @@ +apiVersion: airshipit.org/v1alpha1 +kind: ReplacementTransformer +metadata: + name: k8scontrol-subcluster-dex-replacements + annotations: + config.kubernetes.io/function: |- + container: + image: localhost/replacement-transformer +replacements: +# Dex OIDC Issuer URL +- source: + objref: + kind: VariableCatalogue + name: utility-treasuremap + fieldref: "{.spec.dex.oidc_issuer}" + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["{.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs.oidc-issuer-url}"] +# Dex client id +- source: + objref: + kind: VariableCatalogue + name: utility-treasuremap + fieldref: "{.spec.dex.client-id}" + target: + objref: + kind: KubeadmControlPlane + fieldrefs: ["{.spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs.oidc-client-id}"] +# Dex hostname +- source: + objref: + kind: VariableCatalogue + name: utility-treasuremap + fieldref: "{.spec.dex.hostname}" + target: + objref: + kind: KubeadmControlPlane + fieldrefs: [".spec.kubeadmConfigSpec.clusterConfiguration.apiServer.certSANs[0]"] diff --git a/manifests/type/sub-cluster/provide-infra/kustomization.yaml b/manifests/type/sub-cluster/provide-infra/kustomization.yaml index 3f162a48a..3e5107dc0 100644 --- a/manifests/type/sub-cluster/provide-infra/kustomization.yaml +++ b/manifests/type/sub-cluster/provide-infra/kustomization.yaml @@ -1,9 +1,2 @@ # NOTE: This directory should not be inherited; it should be redefined within the # type that defines the actual sub-cluster. -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - .../../../function/dex-aio - -patchesStrategicMerge: -- patches/dex-aio-helm-patch.yaml
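Review bot: The third replacement overwrites `certSANs[0]` with the Dex hostname rather than appending, so whatever SAN the base KubeadmControlPlane had at index 0 (possibly the control-plane endpoint) is discarded; if the apiserver is meant to be reachable under the Dex hostname, say so and reserve the slot: `# certSANs[0] is reserved for the Dex hostname; the base must not rely on it`. The replacements set `oidc-issuer-url` and `oidc-client-id` but nothing here sets `oidc-username-claim`, `oidc-groups-claim` or `oidc-username-prefix`; presumably the k8scontrol-oidc function does, but if it uses `email` as the username claim, confirm a prefix is set so OIDC identities cannot collide with `system:` users or names from other authenticators. The deletion of the provide-infra kustomization leaves that directory with only a comment, which is fine, but the comment should now point to type/multi-tenant/sub-clusters/<name>/controlplane as the place the Dex wiring lives.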