integrate dex operator credential creation/deletion in MC bootstrap process #2532

Closed
Tracked by #2473
anvddriesch opened this issue Jun 5, 2023 · 3 comments

anvddriesch commented Jun 5, 2023

We can use opsctl create dexconfig to create, update, clean and delete dex operator configuration.
The actual logic is in the setup module in dex-operator repo and can be imported by a different tool if needed, so opsctl isn't important here. (plus it's deprecated)

For CAPI we are still running these commands manually so that credentials are available as secrets during bootstrap.
It should be possible to use the same logic (or update it a little to make it work) in mc bootstrap so that dex credentials management is automated during the bootstrap process and the manual step is not needed.

@anvddriesch anvddriesch added the needs/refinement Needs refinement in order to be actionable label Sep 11, 2023
@anvddriesch
Author

  • mc might not be recreated that often so we need to be able to only run this part
  • we want to have a spike and look into what we would need for this to work

@anvddriesch anvddriesch self-assigned this Sep 19, 2023
@architectbot architectbot added the team/bigmac Team BigMac label Sep 19, 2023
@anvddriesch
Author

what happens currently if nothing exists yet

  • pulling default secrets
  • manually creating configuration via opsctl
  • replacing secret values
  • it is then used in installation secrets

what we could do:

  • ensure default contains a dedicated default credential
  • directly calling opsctl inside mc bootstrap to create new credentials from default ones
  • use created values in installation secrets

what happens currently if file exists

  • installation secrets is simply reused

what we could do:

  • call opsctl inside mc bootstrap to update credentials
  • replace values in installation secrets

things to consider:

  • rotation of default credentials
  • some steps need manual intervention: GitHub in general needs a person going through the flow and Azure first time creation needs admin approval. Is that okay?
  • just Azure could be run without opening any windows; for creation, consent would then need to be given at some point. Update would just work
  • calling opsctl is not a long term solution. It would be very easy to just use the module if mcb was golang but like this it's tricky.

@anvddriesch
Author

  • for now adding opsctl create dexconfig to setup-config.sh can be most simple but we still need to think about rotation
  • we should have a designated note for the credential that is used
  • let's look into alternative ways of how dex operator can request new credentials itself, too

@gawertm gawertm removed the needs/refinement Needs refinement in order to be actionable label Oct 24, 2023
@gawertm gawertm closed this as completed Nov 15, 2023
@teemow teemow added this to Roadmap Nov 20, 2023
@teemow teemow moved this to Done ✅ in Roadmap Nov 20, 2023