Gangway configuration reference for Lokomotive
Introduction
Gangway is a web application that obtains OIDC tokens from an identity provider (Dex, in Lokomotive) and generates the kubeconfig files that Kubernetes users need to authenticate against the cluster.
Prerequisites
- A Lokomotive cluster accessible via `kubectl`.
- Dex installed with a static client for gangway.
Configuration
Gangway component configuration example:
```hcl
# gangway.lokocfg
variable "gangway_session_key" {
  type = "string"
}

# The redirect URL is also read from lokocfg.vars, so it needs a declaration too.
# var.dex_static_client_clusterauth_id and var.dex_static_client_clusterauth_secret
# are the variables declared for the Dex static client (see Prerequisites).
variable "gangway_redirect_url" {
  type = "string"
}

component "gangway" {
  # The name of the cluster. This is used to name the kubectl configuration context.
  cluster_name = "example"
  # Used as the `hosts` domain in the ingress resource for gangway that is
  # automatically created
  ingress_host = "gangway.example.lokomotive-k8s.org"
  session_key = var.gangway_session_key
  # Where kube-apiserver is reachable
  api_server_url = "https://example.lokomotive-k8s.org:6443"
  # Where the 'auth' endpoint is
  authorize_url = "https://dex.example.lokomotive-k8s.org/auth"
  # Where the 'token' endpoint is
  token_url = "https://dex.example.lokomotive-k8s.org/token"
  # The static client id and secret
  client_id = var.dex_static_client_clusterauth_id
  client_secret = var.dex_static_client_clusterauth_secret
  # gangway's redirect URL, i.e. where the OIDC endpoint should callback to
  redirect_url = var.gangway_redirect_url
}
```
The secrets can be defined in another file (`lokocfg.vars`) as follows:

```hcl
gangway_redirect_url = "https://gangway.example.lokomotive-k8s.org/callback"
# A random secret key (create one with `openssl rand -base64 32`)
gangway_session_key = "5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0="
dex_static_client_clusterauth_secret = "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="
dex_static_client_clusterauth_id = "clusterauth"
```
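The checks below are an added example, not part of the Lokomotive documentation: a POSIX sh script that inspects a `lokocfg.vars` for this component before `lokoctl component apply gangway`. It assumes the variable names from this page and that the key and client secret were produced with `openssl rand -base64 32` (44 base64 characters); the two literal secrets it rejects are the sample values printed above, which must not be reused.

```shell
#!/bin/sh
# Added example: sanity-check a lokocfg.vars for the gangway component.
# Variable names are those from the Lokomotive docs; the two sample secrets
# below are the ones printed in the docs and are rejected on sight.

# Read the double-quoted value of NAME from an HCL-style vars file.
var_value() {  # usage: var_value FILE NAME
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# `openssl rand -base64 32` yields 44 base64 characters ending in '='.
is_32_byte_base64() {
  [ "${#1}" -eq 44 ] || return 1
  case "$1" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  case "$1" in *=) return 0 ;; *) return 1 ;; esac
}

# redirect_url must be https, on the ingress host, and end in /callback;
# otherwise Dex sends the authorization code somewhere gangway is not serving.
check_redirect_url() {  # usage: check_redirect_url URL INGRESS_HOST
  case "$1" in https://*/callback) ;; *) return 1 ;; esac
  host="${1#https://}"; host="${host%%/*}"; host="${host%%:*}"
  [ "$host" = "$2" ]
}

# Returns 0 if FILE passes every check; each failure is reported on stderr.
check_vars_file() {  # usage: check_vars_file FILE INGRESS_HOST
  rc=0
  key=$(var_value "$1" gangway_session_key)
  secret=$(var_value "$1" dex_static_client_clusterauth_secret)
  redirect=$(var_value "$1" gangway_redirect_url)
  [ -n "$(var_value "$1" dex_static_client_clusterauth_id)" ] || { echo "client id missing" >&2; rc=1; }
  is_32_byte_base64 "$key" || { echo "gangway_session_key is not a 32-byte base64 key" >&2; rc=1; }
  is_32_byte_base64 "$secret" || { echo "client secret is not a 32-byte base64 key" >&2; rc=1; }
  for sample in "5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0=" "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="; do
    if [ "$key" = "$sample" ] || [ "$secret" = "$sample" ]; then
      echo "secret copied from the documentation example" >&2; rc=1
    fi
  done
  check_redirect_url "$redirect" "$2" || { echo "bad gangway_redirect_url: $redirect" >&2; rc=1; }
  return $rc
}
```

Run it as `check_vars_file lokocfg.vars gangway.example.lokomotive-k8s.org` from the directory holding the vars file; a non-zero exit means at least one value should be fixed before applying.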
Attribute reference
Table of all the arguments accepted by the component.
| Argument | Description | Default | Type | Required |
|---|---|---|---|---|
| cluster_name | The name of the cluster. | - | string | true |
| ingress_host | Used as the `hosts` domain in the ingress resource for gangway that is automatically created. | - | string | true |
| certmanager_cluster_issuer | ClusterIssuer to be used by cert-manager while issuing TLS certificates. Supported values: `letsencrypt-production`, `letsencrypt-staging`. | letsencrypt-production | string | false |
| session_key | Gangway session key. | - | string | true |
| api_server_url | URL of the Kubernetes API server. | - | string | true |
| authorize_url | Auth endpoint of Dex. | - | string | true |
| token_url | Token endpoint of Dex. | - | string | true |
| client_id | Static client ID. | - | string | true |
| client_secret | Static client secret. | - | string | true |
| redirect_url | Gangway's redirect URL, i.e. the OIDC callback endpoint. | - | string | true |
Applying
To apply the Gangway component:

```shell
lokoctl component apply gangway
```
Deleting
To destroy the component:

```shell
lokoctl component delete gangway --delete-namespace
```