b17ac6ec0b
Signed-off-by: Matt Moyer <moyerm@vmware.com>
140 lines
3.2 KiB
YAML
140 lines
3.2 KiB
YAML
#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ load("@ytt:data", "data")
|
|
#@ load("@ytt:sha256", "sha256")
|
|
#@ load("@ytt:yaml", "yaml")
|
|
|
|
#@ def dexConfig():
|
|
issuer: https://dex.dex.svc.cluster.local/dex
|
|
storage:
|
|
type: sqlite3
|
|
config:
|
|
file: ":memory:"
|
|
web:
|
|
https: 0.0.0.0:443
|
|
tlsCert: /var/certs/dex.pem
|
|
tlsKey: /var/certs/dex-key.pem
|
|
oauth2:
|
|
skipApprovalScreen: true
|
|
staticClients:
|
|
- id: pinniped-cli
|
|
name: 'Pinniped CLI'
|
|
#! we can't have "public: true" until https://github.com/dexidp/dex/pull/1822 lands in Dex.
|
|
redirectURIs:
|
|
- #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
|
|
- #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
|
|
enablePasswordDB: true
|
|
staticPasswords:
|
|
- username: "pinny"
|
|
email: "pinny@example.com"
|
|
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password")
|
|
userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
|
|
#@ end
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: dex
|
|
labels:
|
|
name: dex
|
|
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: dex-config
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
data:
|
|
config.yaml: #@ yaml.encode(dexConfig())
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: dex
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: dex
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: dex
|
|
annotations:
|
|
dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
|
|
spec:
|
|
initContainers:
|
|
- name: generate-certs
|
|
image: cfssl/cfssl:1.5.0
|
|
imagePullPolicy: IfNotPresent
|
|
command: ["/bin/bash"]
|
|
args:
|
|
- -c
|
|
- |
|
|
cd /var/certs
|
|
cfssl print-defaults config > /tmp/cfssl-default.json
|
|
echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
|
|
|
|
echo "generating CA key..."
|
|
cfssl genkey \
|
|
-config /tmp/cfssl-default.json \
|
|
-initca csr.json \
|
|
| cfssljson -bare ca
|
|
|
|
echo "generating Dex server certificate..."
|
|
cfssl gencert \
|
|
-ca ca.pem -ca-key ca-key.pem \
|
|
-config /tmp/cfssl-default.json \
|
|
-profile www \
|
|
-cn "dex.dex.svc.cluster.local" \
|
|
-hostname "dex.dex.svc.cluster.local" \
|
|
csr.json \
|
|
| cfssljson -bare dex
|
|
volumeMounts:
|
|
- name: certs
|
|
mountPath: /var/certs
|
|
containers:
|
|
- name: dex
|
|
image: quay.io/dexidp/dex:v2.10.0
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- /usr/local/bin/dex
|
|
- serve
|
|
- /etc/dex/cfg/config.yaml
|
|
ports:
|
|
- name: https
|
|
containerPort: 443
|
|
volumeMounts:
|
|
- name: dex-config
|
|
mountPath: /etc/dex/cfg
|
|
- name: certs
|
|
mountPath: /var/certs
|
|
readOnly: true
|
|
volumes:
|
|
- name: dex-config
|
|
configMap:
|
|
name: dex-config
|
|
- name: certs
|
|
emptyDir: {}
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: dex
|
|
namespace: dex
|
|
labels:
|
|
app: dex
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app: dex
|
|
ports:
|
|
- port: 443
|
|
name: https
|