#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") #@ load("@ytt:sha256", "sha256") #@ load("@ytt:yaml", "yaml") #@ def dexConfig(): issuer: https://dex.tools.svc.cluster.local/dex storage: type: sqlite3 config: file: ":memory:" web: https: 0.0.0.0:8443 tlsCert: /var/certs/dex.pem tlsKey: /var/certs/dex-key.pem expiry: idTokens: 20m #! this is the lifetime for the id token as well as the access token. oauth2: skipApprovalScreen: true #! Allow the resource owner password grant, which Dex implements to also return ID tokens. passwordConnector: local staticClients: - id: pinniped-cli name: 'Pinniped CLI' public: true redirectURIs: - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback" - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback" - id: pinniped-supervisor name: 'Pinniped Supervisor' secret: pinniped-supervisor-secret redirectURIs: #@ data.values.supervisor_redirect_uris enablePasswordDB: true staticPasswords: - username: "pinny" email: "pinny@example.com" hash: #@ data.values.pinny_bcrypt_passwd_hash userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa" #@ end --- apiVersion: v1 kind: ConfigMap metadata: name: dex-config namespace: tools labels: app: dex data: config.yaml: #@ yaml.encode(dexConfig()) --- apiVersion: apps/v1 kind: Deployment metadata: name: dex namespace: tools labels: app: dex spec: replicas: 1 selector: matchLabels: app: dex template: metadata: labels: app: dex annotations: dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig())) spec: containers: - name: dex image: #@ data.values.dex_image imagePullPolicy: IfNotPresent command: - /usr/local/bin/dex - serve - /etc/dex/cfg/config.yaml ports: - name: https containerPort: 8443 volumeMounts: - name: dex-config mountPath: /etc/dex/cfg - name: certs mountPath: /var/certs readOnly: true volumes: - name: dex-config configMap: name: dex-config - name: certs secret: secretName: certs tolerations: - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: amd64 #! Allow running on amd64 nodes. - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: arm64 #! Also allow running on arm64 nodes. --- apiVersion: v1 kind: Service metadata: name: dex namespace: tools labels: app: dex spec: type: ClusterIP selector: app: dex ports: - name: https port: 443 targetPort: 8443