Gangway configuration reference for Lokomotive

    Introduction

    Gangway is a web application that allows obtaining OIDC tokens from identity providers and automatically generating kubeconfigs to be used by Kubernetes users.

    Prerequisites

    • A Lokomotive cluster accessible via kubectl.

    • Dex installed with a static client for gangway.

    Configuration

    Gangway component configuration example:

    # gangway.lokocfg

variable "gangway_session_key" {
  type = "string"
}

component "gangway" {
  # The name of the cluster. This is used to name the kubectl configuration context.
  cluster_name = "example"

  # Used as the `hosts` domain in the ingress resource for gangway that is
  # automatically created
  ingress_host = "gangway.example.lokomotive-k8s.org"

  session_key = var.gangway_session_key

  # Where kube-apiserver is reachable
  api_server_url = "https://example.lokomotive-k8s.org:6443"

  # Where the 'auth' endpoint is
  authorize_url = "https://dex.example.lokomotive-k8s.org/auth"

  # Where the 'token' endpoint is
  token_url = "https://dex.example.lokomotive-k8s.org/token"

  # The static client id and secret
  client_id     = var.dex_static_client_clusterauth_id
  client_secret = var.dex_static_client_clusterauth_secret

  # gangway's redirect URL, i.e. where the OIDC endpoint should callback to
  redirect_url = var.gangway_redirect_url
}

    The secrets can be defined in another file (lokocfg.vars) like following:

    gangway_redirect_url         = "https://gangway.example.lokomotive-k8s.org/callback"

# A random secret key (create one with `openssl rand -base64 32`)
gangway_session_key              = "5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0="
dex_static_client_clusterauth_secret = "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="
dex_static_client_clusterauth_id     = "clusterauth"

    Attribute reference

    Table of all the arguments accepted by the component.

    Argument Description Default Type Required
    cluster_name The name of the cluster. - string true
    ingress_host Used as the hosts domain in the ingress resource for gangway that is automatically created. - string true
    certmanager_cluster_issuer ClusterIssuer to be used by cert-manager while issuing TLS certificates. Supported values: letsencrypt-production, letsencrypt-staging. letsencrypt-production string false
    sesion_key Gangway session key. - string true
    api_server_url URL of Kubernetes API server. - string true
    authorize_url Auth endpoint of Dex. - string true
    token_url Token endpoint of Dex. - string true
    client_id Static client ID. - string true
    client_secret Static client secret. - string true
    redirect_url Gangway’s redirect URL, i.e. OIDC callback endpoint. - string true

    Applying

    To apply the Gangway component:

    lokoctl component apply gangway

    Deleting

    To destroy the component:

    lokoctl component delete gangway --delete-namespace
    github Edit this page github File documentation issue