b5cbe018e3
We need this in CI when we want to configure Dex with the redirect URI for both primary and secondary deploys at one time (since we only stand up Dex once). Signed-off-by: Andrew Keesler <akeesler@vmware.com>
116 lines
2.4 KiB
YAML
116 lines
2.4 KiB
YAML
#! Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ load("@ytt:data", "data")
|
|
#@ load("@ytt:sha256", "sha256")
|
|
#@ load("@ytt:yaml", "yaml")
|
|
|
|
#@ def dexConfig():
|
|
issuer: https://dex.dex.svc.cluster.local/dex
|
|
storage:
|
|
type: sqlite3
|
|
config:
|
|
file: ":memory:"
|
|
web:
|
|
https: 0.0.0.0:8443
|
|
tlsCert: /var/certs/dex.pem
|
|
tlsKey: /var/certs/dex-key.pem
|
|
oauth2:
|
|
skipApprovalScreen: true
|
|
staticClients:
|
|
- id: pinniped-cli
|
|
name: 'Pinniped CLI'
|
|
public: true
|
|
redirectURIs:
|
|
- #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
|
|
- #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
|
|
- id: pinniped-supervisor
|
|
name: 'Pinniped Supervisor'
|
|
secret: pinniped-supervisor-secret
|
|
redirectURIs: #@ data.values.supervisor_redirect_uris
|
|
enablePasswordDB: true
|
|
staticPasswords:
|
|
- username: "pinny"
|
|
email: "pinny@example.com"
|
|
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password")
|
|
userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
|
|
#@ end
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: dex
|
|
labels:
|
|
name: dex
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: dex-config
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
data:
|
|
config.yaml: #@ yaml.encode(dexConfig())
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: dex
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: dex
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: dex
|
|
annotations:
|
|
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
|
spec:
|
|
containers:
|
|
- name: dex
|
|
image: ghcr.io/dexidp/dex:v2.27.0
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- /usr/local/bin/dex
|
|
- serve
|
|
- /etc/dex/cfg/config.yaml
|
|
ports:
|
|
- name: https
|
|
containerPort: 8443
|
|
volumeMounts:
|
|
- name: dex-config
|
|
mountPath: /etc/dex/cfg
|
|
- name: certs
|
|
mountPath: /var/certs
|
|
readOnly: true
|
|
volumes:
|
|
- name: dex-config
|
|
configMap:
|
|
name: dex-config
|
|
- name: certs
|
|
secret:
|
|
secretName: certs
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: dex
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: dex
|
|
ports:
|
|
- name: https
|
|
port: 443
|
|
targetPort: 8443
|