Merge pull request #42 from jetstack/disable-dex-on-none-masters

jetstack-bot · web-flow · commit eb27ef4142e1 · 2019-04-18T15:38:05.000+01:00
Don't deploy dex on non-masters
diff --git a/demo/Makefile b/demo/Makefile
@@ -4,8 +4,12 @@ CLOUD  ?= google
 
 KUBECONFIG := $(CURDIR)/.kubeconfig-$(CLOUD)
 
-ifeq ($(CLOUD),google)
 GOOGLE_PROJECT := $(shell gcloud config get-value core/project)
+
+ifeq ($(CLOUD),google)
+EXT_VARS ?= "master=true,cloud=$(CLOUD)"
+else
+EXT_VARS ?= "master=false,cloud=$(CLOUD)"
 endif
 
 UNAME_S := $(shell uname -s)
@@ -32,38 +36,37 @@ help:  ## Display this help
 .PHONY: terraform_apply
 terraform_apply: ## Applies terraform infrastructure
 	echo '' > infrastructure/$(CLOUD)/terraform.tfvars
-ifeq ($(CLOUD),google)
 	echo 'google_project = "$(GOOGLE_PROJECT)"' > infrastructure/$(CLOUD)/terraform.tfvars
-endif
 	cd infrastructure/$(CLOUD) && terraform init && terraform apply
-	cd infrastructure/$(CLOUD) && terraform output config > ../../manifests/config.json
+	cd infrastructure/$(CLOUD) && terraform output config > ../../manifests/$(CLOUD)-config.json
 	$(shell cd infrastructure/$(CLOUD) && terraform output kubeconfig_command)
 
 .PHONY: terraform_destroy
 terraform_destroy: ## Destroy terraform infrastructure
 	cd infrastructure/$(CLOUD) && terraform init && terraform destroy
 
-manifests/config.json:
+manifests/$(CLOUD)-config.json:
 	$(MAKE) terraform_apply
 
 .PHONY: manifests_apply
-manifests_apply: depend manifests/config.json ## Use kubecfg to apply manifests into cluster
+manifests_apply: depend manifests/$(CLOUD)-config.json ## Use kubecfg to apply manifests into cluster
+	rm -f manifests/config.json && ln -s $(CLOUD)-config.json manifests/config.json
 	# apply all CRDs
-	$(BINDIR)/kubecfg show config.jsonnet --format json | sed 's#^---$$##' | jq 'select(.kind == "CustomResourceDefinition")' | kubectl apply -f -
+	$(BINDIR)/kubecfg -V ${EXT_VARS} show config.jsonnet --format json | sed 's#^---$$##' | jq 'select(.kind == "CustomResourceDefinition")' | kubectl apply -f -
 	# apply everything
-	$(BINDIR)/kubecfg show config.jsonnet | kubectl apply -f -
+	$(BINDIR)/kubecfg -V ${EXT_VARS} show config.jsonnet | kubectl apply -f -
 
 .PHONY: manifests_validate
-manifests_validate: depend manifests/config.json ## Use kubecfg to validate manifests
-	$(BINDIR)/kubecfg validate config.jsonnet
+manifests_validate: depend manifests/$(CLOUD)-config.json ## Use kubecfg to validate manifests
+	$(BINDIR)/kubecfg -V ${EXT_VARS} validate config.jsonnet
 
 .PHONY: manifests_validate
 jsonnet_fmt: depend ## validate formatting of jsonnet files
 	$(BINDIR)/jsonnet fmt --test $(shell find manifests/components/. manifests/main.jsonnet -name "*.jsonnet")
 
 .PHONY: manifests_destroy
-manifests_destroy: depend manifests/config.json ## Use kubecfg to delete manifests
-	$(BINDIR)/kubecfg show config.jsonnet | kubectl delete -f - --ignore-not-found
+manifests_destroy: depend manifests/$(CLOUD)-config.json ## Use kubecfg to delete manifests
+	$(BINDIR)/kubecfg -V ${EXT_VARS} show config.jsonnet | kubectl delete -f - --ignore-not-found
 
 .PHONY: manifests_backup_certificates
 manifests_backup_certificates:
diff --git a/demo/config.dist.jsonnet b/demo/config.dist.jsonnet
@@ -1,5 +1,6 @@
 (import './manifests/main.jsonnet') {
   base_domain: 'kubernetes.example.net',
+  // dex_domain: 'dex.kubernetes.example.net',  // to be used on non dex hosting clusters
   cert_manager+: {
     letsencrypt_contact_email:: 'certificates@example.net',
   },
@@ -18,4 +19,12 @@
       }),
     ],
   },
+
+  // Here we can register more dex clients
+  //extraClient: $.dex.Client('123') + $.dex.metadata {
+  //  secret: '4567',
+  //  redirectURIs: [
+  //    'https://gangway.other.kubernetes.example.net/callback',
+  //  ],
+  //},
 }
diff --git a/demo/infrastructure/amazon/dns.tf b/demo/infrastructure/amazon/dns.tf
@@ -1,5 +1,9 @@
-module "dns" {
-  source = "../modules/amazon-dns"
-  suffix = "${random_id.suffix.hex}"
-  region = "${var.region}"
+data "external" "cert_manager" {
+  program = ["jq", ".cert_manager", "../../manifests/google-config.json"]
+  query   = { }
+}
+
+data "external" "externaldns" {
+  program = ["jq", ".externaldns", "../../manifests/google-config.json"]
+  query   = { }
 }
diff --git a/demo/infrastructure/amazon/outputs.tf b/demo/infrastructure/amazon/outputs.tf
@@ -1,7 +1,7 @@
 locals {
   config = {
-    cert_manager = "${module.dns.config}"
-    externaldns  = "${module.dns.config}"
+    cert_manager = "${data.external.cert_manager.result}"
+    externaldns  = "${data.external.externaldns.result}"
     gangway      = "${module.gangway.config}"
   }
 }
diff --git a/demo/infrastructure/amazon/providers.tf b/demo/infrastructure/amazon/providers.tf
@@ -1,4 +1,4 @@
-variable "region" {
+variable "aws_region" {
   default = "eu-west-1"
 }
 
@@ -7,7 +7,7 @@ variable "cluster_version" {
 }
 
 provider "aws" {
-  region = "${var.region}"
+  region = "${var.aws_region}"
 }
 
 module "cluster" {
diff --git a/demo/infrastructure/modules/amazon-dns/dns.tf b/demo/infrastructure/modules/amazon-dns/dns.tf
diff --git a/demo/manifests/.gitignore b/demo/manifests/.gitignore
@@ -1 +1,2 @@
 /config.json
+/*-config.json
diff --git a/demo/manifests/components/contour.jsonnet b/demo/manifests/components/contour.jsonnet
@@ -10,6 +10,15 @@ local ENVOY_IMAGE = 'docker.io/envoyproxy/envoy-alpine:v1.9.0';
 local apiGroup = 'contour.heptio.com';
 local apiVersion = 'v1beta1';
 
+local ServiceAnnotations(cloud) =
+  if cloud == 'amazon' then
+    {
+      'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'tcp',
+      'service.beta.kubernetes.io/aws-load-balancer-type': 'nlb',
+    }
+  else
+    {};
+
 {
   p:: '',
   app:: 'contour',
@@ -128,9 +137,7 @@ local apiVersion = 'v1beta1';
 
   svc: kube._Object('v1', 'Service', $.name) + $.metadata {
     metadata+: {
-      annotations+: {
-        'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'tcp',
-      },
+      annotations+: ServiceAnnotations(std.extVar('cloud')),
     },
     spec+: {
       type: 'LoadBalancer',
diff --git a/demo/manifests/components/dex.jsonnet b/demo/manifests/components/dex.jsonnet
@@ -74,7 +74,7 @@ local dexNameHash(s) = std.asciiLower(std.strReplace(base32.base32(fakeHashFNV(s
 
   domain:: $.name + '.' + $.base_domain,
 
-  namespace:: 'foo',
+  namespace:: 'dex',
 
   labels:: {
     metadata+: {
diff --git a/demo/manifests/main.jsonnet b/demo/manifests/main.jsonnet
@@ -43,6 +43,12 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
   },
 };
 
+local only_master(obj) =
+  if std.extVar('master') == 'true' then
+    obj
+  else
+    {};
+
 {
   config:: config,
 
@@ -56,6 +62,8 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
 
   ns: kube.Namespace($.namespace),
 
+  dex_domain:: $.dex.domain,
+
   cert_manager: cert_manager {
     google_secret: kube.Secret($.cert_manager.p + 'clouddns-google-credentials') + $.cert_manager.metadata {
       data_+: {
@@ -154,14 +162,14 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
           // this add a final dot to the domain name and joins the list
           'external-dns.alpha.kubernetes.io/hostname': std.join(',', std.map(
             (function(o) o + '.'),
-            [$.dex.domain, $.gangway.domain, $.kube_oidc_proxy.domain],
+            [$.dex_domain, $.gangway.domain, $.kube_oidc_proxy.domain],
           )),
         },
       },
     },
   },
 
-  dex: dex {
+  dex: only_master(dex {
     local this = self,
     base_domain:: $.base_domain,
     p:: $.p,
@@ -184,7 +192,7 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
       [this.domain]
     ),
     ingressRoute: IngressRouteTLSPassthrough($.namespace, this.name, this.domain, this.name, 5556),
-  },
+  }),
 
   gangway: gangway {
     local this = self,
@@ -248,20 +256,20 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
     sessionSecurityKey: $.config.gangway.session_security_key,
 
     config+: {
-      authorizeURL: 'https://' + $.dex.domain + '/auth',
-      tokenURL: 'https://' + $.dex.domain + '/token',
+      authorizeURL: 'https://' + $.dex_domain + '/auth',
+      tokenURL: 'https://' + $.dex_domain + '/token',
       apiServerURL: 'https://' + $.kube_oidc_proxy.domain,
       clientID: $.config.gangway.client_id,
       clientSecret: $.config.gangway.client_secret,
       clusterCAPath: this.config_path + '/cluster-ca.crt',
     },
 
-    dexClient: dex.Client(this.config.clientID) + $.dex.metadata {
+    dexClient: only_master(dex.Client(this.config.clientID) + $.dex.metadata {
       secret: this.config.clientSecret,
       redirectURIs: [
         this.config.redirectURL,
       ],
-    },
+    }),
   },
 
   kube_oidc_proxy: kube_oidc_proxy {
@@ -276,7 +284,7 @@ local IngressRouteTLSPassthrough(namespace, name, domain, serviceName, servicePo
 
     config+: {
       oidc+: {
-        issuerURL: 'https://' + $.dex.domain,
+        issuerURL: 'https://' + $.dex_domain,
         clientID: $.config.gangway.client_id,
       },
     },

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`locals {`
`2`	`2`	`config = {`
`3`		`- cert_manager = "${module.dns.config}"`
`4`		`- externaldns = "${module.dns.config}"`
	`3`	`+ cert_manager = "${data.external.cert_manager.result}"`
	`4`	`+ externaldns = "${data.external.externaldns.result}"`
`5`	`5`	`gangway = "${module.gangway.config}"`
`6`	`6`	`}`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-variable "region" {`
	`1`	`+variable "aws_region" {`
`2`	`2`	`default = "eu-west-1"`
`3`	`3`	`}`
`4`	`4`
`@@ -7,7 +7,7 @@ variable "cluster_version" {`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`provider "aws" {`
`10`		`- region = "${var.region}"`
	`10`	`+ region = "${var.aws_region}"`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`module "cluster" {`