#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#@ load("@ytt:sha256", "sha256")
#@ load("@ytt:yaml", "yaml")
#! Builds the Dex configuration document as a ytt function. The ConfigMap
#! below encodes it as config.yaml, and the Deployment pins its sha256 on the
#! pod template so that a config change also changes the pod spec.
#@ def dexConfig():
#! The issuer hostname is the in-cluster Service "dex" in namespace "tools"
#! (both defined below); OIDC clients use this exact value as the issuer.
issuer: https://dex.tools.svc.cluster.local/dex
#! In-memory SQLite: all persisted Dex state is lost when the pod restarts,
#! which is acceptable only for a throwaway deployment.
storage:
  type: sqlite3
  config:
    file: ":memory:"
#! HTTPS-only listener. Port 8443 must match the Deployment's containerPort and
#! the Service's targetPort; the cert and key are read from the "certs" Secret
#! that the Deployment mounts at /var/certs.
web:
  https: 0.0.0.0:8443
  tlsCert: /var/certs/dex.pem
  tlsKey: /var/certs/dex-key.pem
expiry:
  idTokens: 20m #! this is the lifetime for the id token as well as the access token.
oauth2:
  #! No consent page: tokens are issued without the user approving scopes.
  skipApprovalScreen: true
  #! Allow the resource owner password grant, which Dex implements to also return ID tokens.
  passwordConnector: local
staticClients:
  #! Public client (no secret) for the CLI. Loopback redirects are registered
  #! for both IPv4 and IPv6 so the local callback listener works on either
  #! address family; the port comes from data.values.ports.cli.
  - id: pinniped-cli
    name: 'Pinniped CLI'
    public: true
    redirectURIs:
      - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
      - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
  #! Confidential client for the Supervisor. NOTE(review): the client secret is
  #! a fixed literal in this template; presumably acceptable only because this
  #! is a test-only Dex (note the static "pinny" user below) — confirm this
  #! manifest is never applied outside test clusters.
  - id: pinniped-supervisor
    name: 'Pinniped Supervisor'
    secret: pinniped-supervisor-secret
    redirectURIs: #@ data.values.supervisor_redirect_uris
#! Built-in password database with a single static test user. The bcrypt hash
#! is supplied through data values rather than inlined in this file.
enablePasswordDB: true
staticPasswords:
  - username: "pinny"
    email: "pinny@example.com"
    hash: #@ data.values.pinny_bcrypt_passwd_hash
    userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
#@ end
---
#! ConfigMap holding the rendered Dex configuration. The Deployment mounts it
#! at /etc/dex/cfg, so the key name config.yaml is the file name passed to
#! "dex serve" below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-config
  namespace: tools
  labels:
    app: dex
data:
  config.yaml: #@ yaml.encode(dexConfig())
---
#! Single-replica Dex Deployment. Runs "dex serve" against the rendered
#! ConfigMap; TLS material comes from the "certs" Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dex
  namespace: tools
  labels:
    app: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
      annotations:
        #! Hash of the rendered config: any change to dexConfig() changes the
        #! pod template, so the Deployment rolls out instead of leaving the
        #! existing pod serving stale config.
        dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
    spec:
      #! NOTE(review): no securityContext, resource requests/limits or probes
      #! are set; presumably fine for a test fixture — confirm before reusing
      #! this manifest anywhere else.
      containers:
        - name: dex
          image: #@ data.values.dex_image
          imagePullPolicy: IfNotPresent
          #! Config path = mountPath of the dex-config volume + the ConfigMap key.
          command:
            - /usr/local/bin/dex
            - serve
            - /etc/dex/cfg/config.yaml
          #! Must match web.https in dexConfig() and the Service targetPort.
          ports:
            - name: https
              containerPort: 8443
          volumeMounts:
            - name: dex-config
              mountPath: /etc/dex/cfg
            #! Holds the dex.pem / dex-key.pem files named by tlsCert and tlsKey
            #! in dexConfig(); mounted read-only since nothing should write there.
            - name: certs
              mountPath: /var/certs
              readOnly: true
      volumes:
        - name: dex-config
          configMap:
            name: dex-config
        #! The "certs" Secret is not defined in this file; it is only consumed.
        - name: certs
          secret:
            secretName: certs
---
#! ClusterIP Service fronting Dex on 443, the port implied by the
#! https://dex.tools.svc.cluster.local issuer URL in dexConfig(). Traffic is
#! forwarded to the container's 8443 HTTPS listener.
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: tools
  labels:
    app: dex
spec:
  type: ClusterIP
  selector:
    app: dex
  ports:
    - name: https
      port: 443
      targetPort: 8443