Tectonic Deployer Configuration Details

This guide walks through the configuration details manipulated by deployers, including the deployer-config secret, the Identity service's emailer, and the Connectors that define Identity's connections to authentication services, including its default local identity provider.

Create and Convert Deployer Config

A file, conventionally named deployer-config.txt, holds the user-supplied settings for Tectonic. The generate-deployer-config.sh script converts this file into a Kubernetes Secret manifest for upload with kubectl. The example deployer-config.txt below must be adjusted to your site's values.

Example Deployer Config

# This file contains the necessary user-supplied settings for Tectonic.
# It is intended as input to generate-deployer-config.sh

# URL for Identity DB

# Issuer for identity; used by Identity itself, Console, and other Relying Parties of Identity.

# Customizes identity screens
identity-issuer-name=Organization ID Services

# Email address for Identity to send from.

# Console URL

# Email address of the identity admin user

# Certificate Authorities for Console: This should be the name of a Kubernetes Secret
# containing a "config" key, whose values are PEM-formatted certificates. These
# will be the trusted CAs that Console uses to make https requests. If this
# value is empty, then the host's root CAs will be used.

# Secret containing TLS cert and key for Dex.

# Secret containing TLS cert and key for Console

Customizing the Deployer Config for your Site

The fields in the deployer-config.txt file understood by the generate-deployer-config script are described below.

  • identity-db-url: The database Identity uses to store user information. A PostgreSQL DSN string that connects to an existing, empty PostgreSQL database.
  • identity-issuer-url: The URL of the Tectonic Identity service, against which Console authenticates users. It must match the URL set in Tectonic Services for the tectonic-identity-worker service.
  • identity-issuer-name: This string is shown to users, e.g., "Sign into identity-issuer-name …"
  • identity-email-from: The address from which Identity sends email.
  • console-url: The URL used to reach Console. tectonic-manager uses it to set up post-authentication redirects, so it must match the URL set in "Tectonic Services" for the tectonic-console service.
  • identity-admin-user: Email address of the primary administrator, who is granted full administrator rights. The password is created and stored in a secret later in this guide.
  • tectonic-ca-cert-secret: Name of the secret containing the CA that signed the console and identity services' TLS certificates. May be empty, in which case only the host's CAs are used.
  • tectonic-identity-tls-secret, tectonic-console-tls-secret: Names of the secrets holding the TLS certificate and key used to terminate TLS in the identity and console apps. The two may name the same secret if a wildcard certificate covers both hostnames. These are the secrets created in the configure TLS certs step.

After adjusting your deployer-config.txt according to the above, use the script to convert it to a secret for loading into your cluster. Because identity-db-url carries the database credentials, treat deployer-config.txt and the generated tectonic-deployer-config-secret.yml as secrets: restrict their file permissions and keep them out of version control.

$ ./generate-deployer-config.sh deployer-config.txt tectonic-deployer-config-secret.yml

$ kubectl create -f tectonic-deployer-config-secret.yml
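The conversion step above is a good place to catch a bad config before it reaches the cluster, where a wrong issuer or console URL only shows up as failed logins. The following is an added example, not the project's generate-deployer-config.sh (whose exact output the page does not show): it parses a deployer-config.txt in the page's key=value format, checks the documented keys, masks the DSN password for logging, and packages the values as a Kubernetes Secret. The sample config, the Secret name tectonic-deployer-config, the one-key-per-data-entry layout and the https/PostgreSQL checks are assumptions made here.

```python
"""Parse, sanity-check and package a deployer-config.txt as a Kubernetes Secret.
Added example, not the project's generate-deployer-config.sh (whose output the page
does not show). Assumed here: each key becomes one base64-encoded entry in the
Secret's data map; only URL-form PostgreSQL DSNs are recognised; the Secret is
named tectonic-deployer-config.
"""
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Keys the page documents; only tectonic-ca-cert-secret may be empty (host CAs used).
REQUIRED_KEYS = (
    "identity-db-url", "identity-issuer-url", "identity-issuer-name",
    "identity-email-from", "console-url", "identity-admin-user",
    "tectonic-ca-cert-secret", "tectonic-identity-tls-secret",
    "tectonic-console-tls-secret",
)
MAY_BE_EMPTY = {"tectonic-ca-cert-secret"}

# Constructed sample in the page's format; every host and credential is a placeholder.
SAMPLE_CONFIG = """\
# deployer-config.txt (constructed sample)
identity-db-url=postgres://dex:s3cr3t@postgres.example.com:5432/dex?sslmode=require

identity-issuer-url=https://identity.example.com
identity-issuer-name=Organization ID Services
identity-email-from=no-reply@example.com
console-url=https://console.example.com
identity-admin-user=admin@example.com
tectonic-ca-cert-secret=
tectonic-identity-tls-secret=tectonic-identity-tls
tectonic-console-tls-secret=tectonic-console-tls
"""

def parse_config(text):
    """Return {key: value}; a duplicate key is an error, not silently last-one-wins."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = line.split("=", 1)  # DSNs and URLs may contain '=' themselves
        key = key.strip()
        if key in config:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        config[key] = value.strip()
    return config

def validate_config(config):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in config:
            problems.append(f"missing key: {key}")
        elif not config[key] and key not in MAY_BE_EMPTY:
            problems.append(f"empty value for required key: {key}")
    for key in sorted(set(config) - set(REQUIRED_KEYS)):
        problems.append(f"unknown key (typo?): {key}")
    dsn = config.get("identity-db-url", "")
    if dsn and urlsplit(dsn).scheme not in ("postgres", "postgresql"):
        problems.append("identity-db-url is not a PostgreSQL DSN")
    for key in ("identity-issuer-url", "console-url"):
        url = config.get(key, "")
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} must use https: tokens and cookies travel over it")
    return problems

def redact_dsn(dsn):
    """Mask the password embedded in a DSN so the value can be echoed in logs."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def to_secret(name, data):
    """Build a Kubernetes Secret manifest (as a dict) with base64-encoded values."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()}}

def build_deployer_secret(text, name="tectonic-deployer-config"):
    """Parse, validate and package; raises ValueError listing every problem found."""
    config = parse_config(text)
    problems = validate_config(config)
    if problems:
        raise ValueError("; ".join(problems))
    return to_secret(name, config)

if __name__ == "__main__":
    print("database:", redact_dsn(parse_config(SAMPLE_CONFIG)["identity-db-url"]))
    # JSON is valid YAML, so `kubectl create -f` accepts this output directly.
    print(json.dumps(build_deployer_secret(SAMPLE_CONFIG), indent=2))
```

Run it with `python3 deployer_config_check.py > tectonic-deployer-config-secret.yml` (assumed file name) and feed the result to `kubectl create -f`. Note that base64 is an encoding, not encryption: the generated manifest exposes the DSN password exactly as the text file does, which is why the script only ever prints the redacted form of it.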

Configuring the Identity Emailer

Identity expects an emailer configuration in the JSON format consumed by the underlying Dex engine; it controls how Identity sends email for events such as password resets. Create the emailer config file (identity-emailer.json here), then convert it into a secret named tectonic-identity-emailer-config with the generate-secrets-from-file.sh script used previously:

$ ./generate-secrets-from-file.sh tectonic-identity-emailer-config tectonic-identity-emailer-config-secret.yml identity-emailer.json

Load the resulting secret into the cluster:

$ kubectl create -f tectonic-identity-emailer-config-secret.yml

Creating Identity Connectors

Connectors let Identity's underlying Dex engine delegate authentication to one or more external identity providers. In the simplest case, described here, Identity itself authenticates local logins by user ID and password. The connector definition for that configuration is a JSON array holding a single local connector:

[
    {
        "type": "local",
        "id": "local"
    }
]

Store this JSON in a file named identity-connectors.json and convert it into a secret named tectonic-identity-connectors by the usual means:

$ ./generate-secrets-from-file.sh tectonic-identity-connectors tectonic-identity-connectors-secret.yml identity-connectors.json

$ kubectl create -f tectonic-identity-connectors-secret.yml
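The connectors file is easy to get subtly wrong (a bare object instead of an array, a duplicated id, or no connector at all), and a broken file only surfaces when nobody can log in. The following is an added example, not Tectonic's or Dex's own code: it checks a connectors file against the shape the page describes (a JSON array of objects, each with a "type" and an "id", the local provider being type "local" with id "local"). Treating ids as unique and allowing at most one local connector are assumptions made here.

```python
"""Sanity-check an identity-connectors.json before it becomes a Secret.
Added example, not Tectonic's or Dex's own code. It checks what the page states:
a JSON array of connector objects, each with "type" and "id", the local provider
being {"type": "local", "id": "local"}. Unique ids and a single local connector
are assumptions made here.
"""
import json

# Constructed sample in the page's shape: the local connector alone.
SAMPLE_CONNECTORS = '[\n    {"type": "local", "id": "local"}\n]\n'

def check_connectors(text):
    """Return a list of problems; an empty list means the file is usable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, list):
        # The usual slip: saving the bare {"type": "local", "id": "local"}
        # object instead of the one-element array.
        return ["top level must be a JSON array of connector objects"]
    problems, seen_ids, local = [], set(), 0
    for i, conn in enumerate(doc):
        if not isinstance(conn, dict):
            problems.append(f"connector {i}: not a JSON object")
            continue
        for field in ("type", "id"):
            if not isinstance(conn.get(field), str) or not conn[field]:
                problems.append(f"connector {i}: missing non-empty string {field!r}")
        cid = conn.get("id")
        if cid in seen_ids:
            problems.append(f"connector {i}: duplicate id {cid!r}")
        seen_ids.add(cid)
        if conn.get("type") == "local":
            local += 1
            if cid != "local":
                problems.append(f"connector {i}: local connector should use id 'local'")
    if local > 1:
        problems.append("more than one local connector defined")
    if not doc:
        problems.append("no connectors defined: nobody can log in")
    return problems

def has_local_connector(text):
    """True when the file defines the local user-ID/password provider."""
    doc = json.loads(text)
    return isinstance(doc, list) and any(
        isinstance(c, dict) and c.get("type") == "local" for c in doc)

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONNECTORS),
                        ("bare object", '{"type": "local", "id": "local"}')):
        print(label, "->", check_connectors(text) or "ok")
```

Run the check on identity-connectors.json before calling generate-secrets-from-file.sh; the admin user from identity-admin-user signs in through the local connector, so a file that passes but reports no local connector should be treated as a problem unless an external provider is deliberately the only route in.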

See Configuring Connectors for information on Connector setups for external providers and other advanced configurations.