#! Copyright 2020 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #@ load("@ytt:sha256", "sha256") #@ load("@ytt:yaml", "yaml") #@ def dexConfig(): issuer: https://dex.dex.svc.cluster.local/dex storage: type: sqlite3 config: file: ":memory:" web: https: 0.0.0.0:443 tlsCert: /var/certs/dex.pem tlsKey: /var/certs/dex-key.pem oauth2: skipApprovalScreen: true staticClients: - id: pinniped-cli name: 'Pinniped CLI' #! we can't have "public: true" until https://github.com/dexidp/dex/pull/1822 lands in Dex. redirectURIs: - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback" - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback" - id: pinniped-supervisor name: 'Pinniped Supervisor' secret: pinniped-supervisor-secret redirectURIs: - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback" - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback" enablePasswordDB: true staticPasswords: - username: "pinny" email: "pinny@example.com" hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password") userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa" #@ end --- apiVersion: v1 kind: Namespace metadata: name: dex labels: name: dex --- apiVersion: v1 kind: ConfigMap metadata: name: dex-config namespace: dex labels: app: dex data: config.yaml: #@ yaml.encode(dexConfig()) --- apiVersion: apps/v1 kind: Deployment metadata: name: dex namespace: dex labels: app: dex spec: replicas: 1 selector: matchLabels: app: dex template: metadata: labels: app: dex annotations: dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig())) spec: containers: - name: dex image: quay.io/dexidp/dex:v2.10.0 imagePullPolicy: IfNotPresent command: - /usr/local/bin/dex - serve - /etc/dex/cfg/config.yaml ports: - name: https containerPort: 443 volumeMounts: - name: dex-config mountPath: /etc/dex/cfg - name: certs mountPath: /var/certs readOnly: true volumes: - name: dex-config configMap: name: dex-config - name: certs secret: secretName: certs --- apiVersion: v1 kind: Service metadata: name: dex namespace: dex labels: app: dex spec: type: ClusterIP selector: app: dex ports: - port: 443 name: https