salt: Configure the API server to use the OpenID Connect

This commit adds the OpenID connect authentication plugin to metalk8s
by integrating with the API server.

This entails deploying an API server with specific flags.

salt/metalk8s/kubernetes/apiserver/installed.sls

@@ -95,6 +95,7 @@ Create kube-apiserver Pod manifest:
         - /etc/kubernetes/pki/front-proxy-client.crt
         - /etc/kubernetes/pki/front-proxy-client.key
         - /etc/kubernetes/pki/sa.pub
+        - /etc/kubernetes/pki/dex-ca.crt
         - {{ htpasswd_path }}
 {%- if pillar.metalk8s.api_server.keepalived.enabled %}
         - /etc/keepalived/check-apiserver.sh
@@ -137,6 +138,11 @@ Create kube-apiserver Pod manifest:
           - --service-cluster-ip-range={{ networks.service }}
           - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
           - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
+          - --oidc-issuer-url=https://{{ grains.metalk8s.control_plane_ip }}:32000
+          - --oidc-client-id=dex
+          - --oidc-ca-file=/etc/kubernetes/pki/dex-ca.crt
+          - --oidc-username-claim=email
+          - --oidc-groups-claim=groups
         requested_cpu: 250m
         volumes:
           - path: {{ encryption_k8s_path }}
@@ -215,6 +221,7 @@ Create kube-apiserver Pod manifest:
       - file: Ensure front-proxy CA cert is present
       - file: Ensure SA pub key is present
       - file: Set up default basic auth htpasswd
+      - file: Ensure dex CA cert is present
 {%- if pillar.metalk8s.api_server.keepalived.enabled %}
       - file: Create keepalived check script
       - file: Create keepalived configuration file generator