Salt: Setup the Dex-to-Kubernetes API server integration

This commit adds the following:

Add configuration parameters to the APIserver manifest which is required
by Dex

Define a way to find the Ingress external IP required by Dex config flags

If a minion wants to reference the control-plane Ingress by its external
IP(in our case the Dex service), it needs to know the control-plane IP of
the bootstrap minion (as it is the one used by Salt master when creating the Service).

For posterity, we define a helper that should work even during
the initial boostrap.

Closes: #2010

buildchain/buildchain/salt_tree.py

@@ -292,6 +292,8 @@ def _get_parts(self) -> Iterator[str]:
     Path('salt/metalk8s/addons/nginx-ingress-control-plane/deployed/chart.sls'),
     Path('salt/metalk8s/addons/nginx-ingress-control-plane/deployed/',
          'tls-secret.sls'),
+    Path('salt/metalk8s/addons/nginx-ingress-control-plane/',
+         'control-plane-ip.sls'),
 
     Path('salt/metalk8s/container-engine/containerd/configured.sls'),
     Path('salt/metalk8s/container-engine/containerd/files/50-metalk8s.conf'),

salt/metalk8s/addons/nginx-ingress-control-plane/control-plane-ip.sls

@@ -0,0 +1,29 @@
+{# This whole block is used to "know" the Ingress external IP used by Dex.
+  It will be removed once we can have a known LoadBalancer IP for Ingress. #}
+{% if '_errors' in pillar.metalk8s.nodes %}
+  {# Assume this is the bootstrap Node and we haven't an apiserver yet #}
+  {%- set bootstrap_id = grains.id %}
+{%- elif pillar.metalk8s.nodes | length <= 1 %}
+  {# Only one node (or even, zero) can/should only happen during bootstrap #}
+  {%- set bootstrap_id = grains.id %}
+{%- else %}
+  {%- set bootstrap_nodes = salt.metalk8s.minions_by_role('bootstrap') %}
+  {%- if bootstrap_nodes %}
+    {%- set bootstrap_id = bootstrap_nodes | first %}
+  {%- else %}
+    {{ raise('Missing bootstrap node') }}
+  {%- endif %}
+{%- endif %}
+
+{%- if bootstrap_id is none %}
+  {{ raise('Missing bootstrap Node in pillar, cannot proceed.') }}
+{%- elif bootstrap_id == grains.id %}
+  {%- set bootstrap_control_plane_ip = grains.metalk8s.control_plane_ip %}
+{%- else %}
+  {%- set bootstrap_control_plane_ip = salt['mine.get'](bootstrap_id,
+   'control_plane_ip')[bootstrap_id]
+  %}
+{%- endif %}
+
+{%- set ingress_control_plane = bootstrap_control_plane_ip ~ ':8443' %}
+{# (end of Ingress URL retrieval) #}

salt/metalk8s/kubernetes/apiserver/installed.sls

@@ -1,12 +1,16 @@
 {%- from "metalk8s/repo/macro.sls" import build_image_name with context %}
 {%- from "metalk8s/map.jinja" import networks with context %}
+{%- from "metalk8s/addons/nginx-ingress-control-plane/control-plane-ip.sls"
+    import ingress_control_plane with context
+%}
 
 {%- set htpasswd_path = "/etc/kubernetes/htpasswd" %}
 {%- set encryption_k8s_path = "/etc/kubernetes/encryption.conf" %}
 
 include:
   - metalk8s.kubernetes.ca.advertised
   - metalk8s.kubernetes.sa.advertised
+  - metalk8s.addons.nginx-ingress.ca.advertised
   - .certs
 
 {%- if pillar.metalk8s.api_server.keepalived.enabled %}
@@ -95,6 +99,7 @@ Create kube-apiserver Pod manifest:
         - /etc/kubernetes/pki/front-proxy-client.crt
         - /etc/kubernetes/pki/front-proxy-client.key
         - /etc/kubernetes/pki/sa.pub
+        - /etc/metalk8s/pki/nginx-ingress/ca.crt
         - {{ htpasswd_path }}
 {%- if pillar.metalk8s.api_server.keepalived.enabled %}
         - /etc/keepalived/check-apiserver.sh
@@ -137,6 +142,11 @@ Create kube-apiserver Pod manifest:
           - --service-cluster-ip-range={{ networks.service }}
           - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
           - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+          - --oidc-issuer-url=https://{{ ingress_control_plane }}/oidc
+          - --oidc-client-id=oidc-auth-client
+          - --oidc-ca-file=/etc/metalk8s/pki/nginx-ingress/ca.crt
+          - --oidc-username-claim=email
+          - --oidc-groups-claim=groups
         requested_cpu: 250m
         volumes:
           - path: {{ encryption_k8s_path }}
@@ -148,6 +158,8 @@ Create kube-apiserver Pod manifest:
           {%- endif %}
           - path: /etc/kubernetes/pki
             name: k8s-certs
+          - path: /etc/metalk8s/pki
+            name: metalk8s-certs
           - path: /etc/ssl/certs
             name: ca-certs
           - path: {{ htpasswd_path }}
@@ -215,6 +227,7 @@ Create kube-apiserver Pod manifest:
       - file: Ensure front-proxy CA cert is present
       - file: Ensure SA pub key is present
       - file: Set up default basic auth htpasswd
+      - file: Ensure Ingress CA cert is present
 {%- if pillar.metalk8s.api_server.keepalived.enabled %}
       - file: Create keepalived check script
       - file: Create keepalived configuration file generator