Gangway configuration reference for Lokomotive


    Gangway is a web application that allows obtaining OIDC tokens from identity providers and automatically generating kubeconfigs to be used by Kubernetes users.


    • A Lokomotive cluster accessible via kubectl.

    • Dex installed with a static client for gangway.


    Gangway component configuration example:

    # gangway.lokocfg
    variable "gangway_session_key" {
      type = "string"
    }

    # The other variables referenced below, declared the same way.
    variable "gangway_redirect_url" {
      type = "string"
    }

    variable "dex_static_client_clusterauth_id" {
      type = "string"
    }

    variable "dex_static_client_clusterauth_secret" {
      type = "string"
    }

    component "gangway" {
      # The name of the cluster. This is used to name the kubectl configuration context.
      cluster_name = "example"
      # Used as the `hosts` domain in the ingress resource for gangway that is
      # automatically created
      ingress_host = ""
      # Key used by gangway to protect its session data
      session_key = var.gangway_session_key
      # Where kube-apiserver is reachable
      api_server_url = ""
      # Where the 'auth' endpoint is
      authorize_url = ""
      # Where the 'token' endpoint is
      token_url = ""
      # The static client id and secret
      client_id     = var.dex_static_client_clusterauth_id
      client_secret = var.dex_static_client_clusterauth_secret
      # gangway's redirect URL, i.e. where the OIDC endpoint should callback to
      redirect_url = var.gangway_redirect_url
    }

    The secrets can be defined in a separate file (lokocfg.vars), as follows:

    gangway_redirect_url                 = ""
    # A random secret key (create one with `openssl rand -base64 32`).
    # The two secret values below are examples; generate your own.
    gangway_session_key                  = "5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0="
    dex_static_client_clusterauth_secret = "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="
    dex_static_client_clusterauth_id     = "clusterauth"
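
    One way to create lokocfg.vars with fresh secrets and to check it before applying. This is an added example, not part of the Lokomotive documentation or code. The function names are hypothetical, and it assumes the Dex component reads its static client secret from the same variables file.

```shell
#!/bin/sh
# Added example, not Lokomotive code; the function names are hypothetical.

# Sample values printed on this page; they must never reach a real cluster.
SAMPLE_SESSION_KEY='5Rsz5C4qRqYFoAfYcXOedQOyQpHTXyLiWFYvtjwjtm0='
SAMPLE_CLIENT_SECRET='2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs='

# 32 random bytes, base64-encoded: the page's openssl command, with a
# /dev/urandom fallback (an assumption) for hosts without openssl.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64
  fi
}

# write_gangway_vars FILE REDIRECT_URL
# Creates FILE readable by its owner only; never overwrites existing secrets.
write_gangway_vars() {
  if [ -e "$1" ]; then echo "refusing to overwrite $1" >&2; return 1; fi
  (
    umask 077
    cat > "$1" <<EOF
gangway_redirect_url                 = "$2"
gangway_session_key                  = "$(gen_secret)"
dex_static_client_clusterauth_secret = "$(gen_secret)"
dex_static_client_clusterauth_id     = "clusterauth"
EOF
  )
}

# check_gangway_vars FILE
# Fails if FILE reuses a sample value, is accessible to group/other,
# or holds a session key that does not decode to exactly 32 bytes.
check_gangway_vars() {
  if grep -qF -e "$SAMPLE_SESSION_KEY" -e "$SAMPLE_CLIENT_SECRET" "$1"; then
    echo "$1: contains a sample secret from the documentation" >&2; return 1
  fi
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    echo "$1: accessible to group or other" >&2; return 1
  fi
  key=$(sed -n 's/^gangway_session_key *= *"\(.*\)"$/\1/p' "$1")
  n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ] || { echo "$1: session key is $n bytes, want 32" >&2; return 1; }
}
```

    Source the file, run `write_gangway_vars lokocfg.vars <redirect URL>` once, and run `check_gangway_vars lokocfg.vars` before each `lokoctl component apply gangway`.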

    Attribute reference

    Table of all the arguments accepted by the component.

    | Argument | Description | Default | Type | Required |
    |----------|-------------|---------|------|----------|
    | cluster_name | The name of the cluster. | - | string | true |
    | ingress_host | Used as the `hosts` domain in the ingress resource for gangway that is automatically created. | - | string | true |
    | certmanager_cluster_issuer | ClusterIssuer to be used by cert-manager while issuing TLS certificates. Supported values: letsencrypt-production, letsencrypt-staging. | letsencrypt-production | string | false |
    | session_key | Gangway session key. | - | string | true |
    | api_server_url | URL of Kubernetes API server. | - | string | true |
    | authorize_url | Auth endpoint of Dex. | - | string | true |
    | token_url | Token endpoint of Dex. | - | string | true |
    | client_id | Static client ID. | - | string | true |
    | client_secret | Static client secret. | - | string | true |
    | redirect_url | Gangway’s redirect URL, i.e. OIDC callback endpoint. | - | string | true |


    To apply the Gangway component:

    lokoctl component apply gangway


    To destroy the component:

    lokoctl component delete gangway --delete-namespace