Gangway configuration reference for Lokomotive

Introduction

Gangway is a web application that allows obtaining OIDC tokens from identity providers and automatically generating kubeconfigs to be used by Kubernetes users.

Prerequisites

  • A Lokomotive cluster accessible via kubectl.

  • Dex installed with a static client for gangway.

Configuration

Gangway component configuration example:

# gangway.lokocfg

variable "gangway_session_key" {
  type = "string"
}

component "gangway" {
  # The name of the cluster. This is used to name the kubectl configuration context.
  cluster_name = "example"

  # Used as the `hosts` domain in the ingress resource for gangway that is
  # automatically created
  ingress_host = "gangway.example.lokomotive-k8s.org"

  session_key = var.gangway_session_key

  # Where kube-apiserver is reachable
  api_server_url = "https://example.lokomotive-k8s.org:6443"

  # Where the 'auth' endpoint is
  authorize_url = "https://dex.example.lokomotive-k8s.org/auth"

  # Where the 'token' endpoint is
  token_url = "https://dex.example.lokomotive-k8s.org/token"

  # The static client id and secret
  client_id     = var.dex_static_client_clusterauth_id
  client_secret = var.dex_static_client_clusterauth_secret

  # gangway's redirect URL, i.e. where the OIDC endpoint should callback to
  redirect_url = var.gangway_redirect_url
}

The secrets can be defined in another file (lokocfg.vars) like following:

gangway_redirect_url         = "https://gangway.example.lokomotive-k8s.org/callback"

# A random secret key (create one with `openssl rand -base64 32`)
gangway_session_key              = "5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0="
dex_static_client_clusterauth_secret = "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="
dex_static_client_clusterauth_id     = "clusterauth"

Attribute reference

Table of all the arguments accepted by the component.

Argument Description Default Type Required
cluster_name The name of the cluster. - string true
ingress_host Used as the hosts domain in the ingress resource for gangway that is automatically created. - string true
certmanager_cluster_issuer ClusterIssuer to be used by cert-manager while issuing TLS certificates. Supported values: letsencrypt-production, letsencrypt-staging. letsencrypt-production string false
sesion_key Gangway session key. - string true
api_server_url URL of Kubernetes API server. - string true
authorize_url Auth endpoint of Dex. - string true
token_url Token endpoint of Dex. - string true
client_id Static client ID. - string true
client_secret Static client secret. - string true
redirect_url Gangway’s redirect URL, i.e. OIDC callback endpoint. - string true

Applying

To apply the Gangway component:

lokoctl component apply gangway

Deleting

To destroy the component:

lokoctl component delete gangway --delete-namespace