Add support for a backup IdP to dex-app #603

Closed
6 of 7 tasks
Tracked by #1432
snizhana-dynnyk opened this issue Nov 29, 2021 · 6 comments
Labels
component/dex needs/spec A specification is needed in order to proceed team/bigmac Team BigMac

Comments

@snizhana-dynnyk
Contributor

snizhana-dynnyk commented Nov 29, 2021

User story

- As a customer, I want to have a way to use my backup authentication method when my IdP is down so that I can always access the management cluster.

- As a GS engineer, I want to have a backup authentication method so that I can do operations / on-call when GitHub is down.

Description

A customer asked for this option to be able to move from using kube login to Dex managed by us.
There is also an internal use case of GitHub being a SPOF.

TODO

  • Make Dex authenticator work with multiple identity providers #555 Add support for a backup IdP to Dex
  • Adapt a Web UI login page for multiple options for IdP
  • Adapt the kubectl-gs login command to allow selection of the connector/IdP
  • Decide what to do with k8s-authenticator
  • Documentation
  • Set up a backup IdP (Azure AD or Google) for Giant Swarm staff
  • Add customer-facing documentation

@snizhana-dynnyk
Contributor Author

@marians will prepare a picture and explain it better :)

@marians
Member

marians commented Dec 1, 2021

@ghost

ghost commented Dec 1, 2021

Cooool proposals, I like the rightmost one, which is very friendly.
To be discussed: Maybe not repeat "Giant Swarm staff" in the buttons, given that the label already states so.

@marians
Member

marians commented Dec 1, 2021

That's not a spec BTW, it's there to support explanation in the team.

FYI I just added these two items to the TODO list:

Adapt the kubectl-gs login command to allow selection of the connector/IdP

Currently we assume one connector for the normal user (customer) and one for Giant Swarm, the latter one being selected via the --cluster-admin flag of kubectl gs login. For arbitrary connectors, this behaviour must be adapted and we have to define how.

Decide what to do with k8s-authenticator

Currently we deploy exactly two k8s-authenticator Deployments (Pod, Ingress, Service, ...). One for customer and one for giantswarm. The URL schema under https://login.g8s.../ currently doesn't allow for growth. We must specify what this should look like with an arbitrary number of connectors.

@marians marians added needs/spec A specification is needed in order to proceed and removed spec-needed labels Apr 22, 2022
@anvddriesch anvddriesch reopened this Jan 19, 2023
@anvddriesch

Reopened because while we do support multiple IdPs in Dex now, we did not really document/announce how customers can set it up :)

@anvddriesch

Checked public docs and they do mention the ability to add more than one connector


6 participants