Derive dedicated Dex deployment

[merenbach]

Dutifully closes #555.

Help wanted: how to test properly? I can see that the local Dex container gets created.

Testing in progress.

Also updates pseudo-random token generation for SSO to be more cryptographically secure.

[jessesuen]

Help wanted: how to test properly? I can see that the local Dex container gets created.

Go through the steps of configure SSO for your minikube environment:
https://github.com/argoproj/argo-cd/blob/master/docs/sso.md

[alexmt]

dex don't talk to kubernetes, so we can remove serviceAccountName.

[alexmt]

please disregard this comment. we need to launch /shared/argocd-util which reads configmaps, so we need separate service account, role and binding.

[alexmt]

copyutil init container is not needed for dex

[alexmt]

please disregard this comment. we need both volume and init container

[alexmt]

volume is not required for dex

[alexmt]

please disregard this comment. we need both volume and init container

[jessesuen]

A code change is needed to update the reverse proxy to point to the new dex hostname. Which means you need a service object for dex (in addition to the deployment).

[merenbach]

@jessesuen decided it would be over-engineering to bring in my other code. :p Just rewrote the token generation instead.

Clarified concerns

[alexmt]

LGTM

[jessesuen]

We do not want this role to read all secrets and configmaps in the namespace just the settings one. We should add:

resourceNames:
- argocd-cm
- argocd-secret

[merenbach]

For posterity, here's testing instructions:

1. Modify the Argo CD server service (manifests/components/04e_argocd-server-service.yaml) to set spec.type: LoadBalancer.
2. Modify the Argo CD config map (manifests/components/02a_argocd-cm.yaml) to include the desired SSO config.
3. Update the callback address on your GitHub app (if using GitHub) to be https://<your IP address>/api/dex/callback.
4. Modify the following script (has a DESTRUCTIVE effect on your existing running local services/deployments, even if they're not related, so those lines are commented out) and run it. Please read through carefully before use.

#! /bin/sh -x

build_containers() {
	make all
}

push_containers() {
	USERNAME=$1
	for CONTAINER in argocd-server argocd-application-controller argocd-repo-server
	do
		docker tag "${CONTAINER}" "${USERNAME}/${CONTAINER}"
		docker push "${USERNAME}/${CONTAINER}"
	done
}

apply_local_manifest() {
	cat manifests/components/*.yaml | sed "s/argoproj\/\([^:]*\):.*$/andrewdm\/\1:latest/g" | tee manifests/local-install.yaml | kubectl -n argocd apply -f -
}

# comment the following two lines out to save lots of time if you're just tinkering with manifest changes
build_containers
push_containers <your DockerHub username>

# Required to run script properly, but DESTRUCTIVE, so commented out so you don't run verbatim
#kubectl -n argocd delete services --all
#kubectl -n argocd delete deployments --all

sleep 10

apply_local_manifest

# adapt as needed to `en1` or any other relevant network device name
PUB_URL=https://`ipconfig getifaddr en0`
kubectl -n argocd get configmap/argocd-cm -o json | jq --arg puburl "${PUB_URL}" '.data.url=$puburl' | kubectl apply -f -

sleep 20

kubectl -n argocd get pods,deployments,services