Add metal-apiserver as preview in the mini-lab (#231)

majst01 · web-flow · commit d46c896faaa5 · 2025-03-25T15:33:29.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,4 @@ sonic-vs.img
 files/certs/*.pem
 files/certs/**/*.pem
 files/certs/**/*.crt
+.vscode
diff --git a/deploy_control_plane.yaml b/deploy_control_plane.yaml
@@ -24,6 +24,10 @@
     - name: metal-roles/control-plane/roles/auditing-meili
       when: metal_auditing_meili_enabled
       tags: auditing
+    - name: metal-roles/control-plane/roles/valkey
+      tags: valkey
+    - name: auth-dex
+      tags: auth
     - name: metal-roles/control-plane/roles/metal
       tags: metal
 
diff --git a/inventories/group_vars/all/images.yaml b/inventories/group_vars/all/images.yaml
@@ -12,6 +12,8 @@ setup_yaml:
 # metal_hammer_image_url: https://images.metal-stack.io/metal-hammer/pull-requests/<pr-number-and-title>/metal-hammer-initrd.img.lz4
 # metal_api_image_name:
 # metal_api_image_tag:
+# metal_apiserver_image_name:
+# metal_apiserver_image_tag:
 # metal_metalctl_image_name:
 # metal_metalctl_image_tag:
 # metal_masterdata_api_image_name:
diff --git a/inventories/group_vars/control-plane/dex.yaml b/inventories/group_vars/control-plane/dex.yaml
@@ -0,0 +1,25 @@
+---
+auth_dex_ingress_dns: "auth.{{ metal_control_plane_ingress_dns }}"
+auth_dex_issuer_url: http://auth.{{ metal_control_plane_ingress_dns }}:8080/dex
+
+auth_dex_static_clients:
+- id: metal-stack
+  public: true
+  name: "metal-stack"
+  secret: secret
+  redirectURIs:
+  - 'http://v2.api.172.17.0.1.nip.io:8080/auth/oidc/callback'
+
+auth_dex_static_passwords:
+- email: admin@metal-stack.io
+  hash: "{{ 'change-me' | string | password_hash('bcrypt', salt='jKfnxzOP3oJPeZYXMOc00Y') }}"
+  username: "admin"
+  userID: "00000000-0000-0000-0000-000000000001"
+- email: editor@metal-stack.io
+  hash: "{{ 'change-me' | string | password_hash('bcrypt', salt='jKfnxzOP3oJPeZYXMOc00Y') }}"
+  username: "editor"
+  userID: "00000000-0000-0000-0000-000000000002"
+- email: viewer@metal-stack.io
+  hash: "{{ 'change-me' | string | password_hash('bcrypt', salt='jKfnxzOP3oJPeZYXMOc00Y') }}"
+  username: "viewer"
+  userID: "00000000-0000-0000-0000-000000000003"
diff --git a/inventories/group_vars/control-plane/metal.yml b/inventories/group_vars/control-plane/metal.yml
@@ -11,6 +11,17 @@ metal_api_admin_key: metal-admin
 
 metal_api_nsq_tcp_address: nsqd:4150
 
+metal_apiserver_enabled: true
+metal_apiserver_url: http://v2.api.{{ metal_control_plane_ingress_dns }}:8080
+
+metal_apiserver_oidc_discovery_url: http://auth.{{ metal_control_plane_ingress_dns }}:8080/dex/.well-known/openid-configuration
+metal_apiserver_oidc_end_session_url: ""
+metal_apiserver_oidc_client_id: metal-stack
+metal_apiserver_oidc_client_secret: secret
+
+metal_apiserver_redis_password: change-me-soon
+metal_apiserver_admin_subjects: "CiQwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDESBWxvY2Fs@oidc"
+
 metal_api_images:
 - id: firewall-ubuntu-3.0
   name: Firewall 3 Ubuntu
diff --git a/inventories/group_vars/control-plane/valkey.yaml b/inventories/group_vars/control-plane/valkey.yaml
@@ -0,0 +1,2 @@
+---
+valkey_replicas: 1
diff --git a/roles/auth-dex/README.md b/roles/auth-dex/README.md
@@ -0,0 +1,3 @@
+# auth-dex
+
+Deploys [Dex](https://dexidp.io/).
diff --git a/roles/auth-dex/defaults/main/main.yaml b/roles/auth-dex/defaults/main/main.yaml
@@ -0,0 +1,21 @@
+---
+auth_dex_namespace: "metal-control-plane"
+
+auth_dex_image_name: ghcr.io/dexidp/dex
+auth_dex_image_tag: latest
+
+auth_dex_ingress_dns: https://{{ auth_dex_issuer_url }}/dex
+auth_dex_issuer_url: "{{ auth_dex_ingress_dns }}"
+
+auth_dex_static_clients: []
+# - id: metal-stack
+#   public: true
+#   name: "metal-stack"
+#   secret: secret
+
+auth_dex_static_passwords: []
+# - email: "admin@metal-stack.io"
+#   # password in bcrypt
+#   hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+#   username: "admin"
+#   userID: "00000000-0000-0000-0000-000000000001"
diff --git a/roles/auth-dex/tasks/main.yaml b/roles/auth-dex/tasks/main.yaml
@@ -0,0 +1,6 @@
+---
+- name: Deploy dex
+  k8s:
+    definition: "{{ lookup('template', 'dex.yaml') }}"
+    namespace: "{{ auth_dex_namespace }}"
+    apply: true
diff --git a/roles/auth-dex/templates/dex-config.yaml b/roles/auth-dex/templates/dex-config.yaml
@@ -0,0 +1,18 @@
+issuer: {{ auth_dex_issuer_url }}
+
+storage:
+  type: sqlite3
+  config:
+    file: /data/sqlite.db
+
+web:
+  http: 0.0.0.0:5556
+telemetry:
+  http: 0.0.0.0:5558
+grpc:
+  addr: 0.0.0.0:5557
+
+staticClients: {{ auth_dex_static_clients | to_json }}
+staticPasswords: {{ auth_dex_static_passwords | to_json }}
+
+enablePasswordDB: true
diff --git a/roles/auth-dex/templates/dex.yaml b/roles/auth-dex/templates/dex.yaml
@@ -0,0 +1,113 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: dex
+  namespace: {{ auth_dex_namespace }}
+  labels:
+    app.kubernetes.io/name: dex
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dex
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: dex
+      annotations:
+        checksum/certs: "{{ lookup('template', 'dex-config.yaml') | string | hash('sha1') }}"
+    spec:
+      containers:
+        - name: dex
+          image: ghcr.io/dexidp/dex
+          args:
+            - dex
+            - serve
+            - /dex-config/config.yaml
+          volumeMounts:
+            - name: configuration
+              readonly: true
+              mountPath: /dex-config
+            - name: data
+              mountPath: /data
+          ports:
+            - name: web
+              containerPort: 5556
+            - name: grpc
+              containerPort: 5557
+            - name: telemetry
+              containerPort: 5558
+
+      volumes:
+        - name: configuration
+          secret:
+            secretName: dex-config
+            items:
+              - key: config.yaml
+                path: config.yaml
+
+  volumeClaimTemplates:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex-config
+  namespace: {{ auth_dex_namespace }}
+  labels:
+    app.kubernetes.io/part-of: dex
+stringData:
+  config.yaml: |
+    {{ lookup('template', 'dex-config.yaml') | indent(width=4, first=false) }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+  namespace: {{ auth_dex_namespace }}
+  labels:
+    app.kubernetes.io/name: dex
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: dex
+  ports:
+    - name: web
+      port: 5556
+      targetPort: 5556
+    - name: grpc
+      port: 5557
+      targetPort: 5557
+    - name: telemetry
+      port: 5558
+      targetPort: 5558
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dex
+  namespace: {{ auth_dex_namespace }}
+  labels:
+    app.kubernetes.io/name: dex
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: {{ auth_dex_ingress_dns }}
+      http:
+        paths:
+          - backend:
+              service:
+                name: dex
+                port:
+                  name: web
+            path: /
+            pathType: Prefix

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# auth-dex`
	`2`	`+`
	`3`	`+Deploys [Dex](https://dexidp.io/).`