ContainerImage.Pinniped/test/deploy/dex/dex.yaml
Matt Moyer b17ac6ec0b
Update integration tests to run Dex over HTTPS.
Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-16 20:23:20 -06:00


#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0
#@ load("@ytt:data", "data")
#@ load("@ytt:sha256", "sha256")
#@ load("@ytt:yaml", "yaml")
#@ def dexConfig():
#! Dex server configuration. It is rendered into the dex-config ConfigMap and
#! hashed into the Deployment's pod template, so any change here rolls the pod.
issuer: https://dex.dex.svc.cluster.local/dex
storage:
  #! In-memory sqlite: state lives only for the pod's lifetime, nothing is persisted.
  type: sqlite3
  config:
    file: ":memory:"
web:
  https: "0.0.0.0:443"
  #! Serving certificate written by the generate-certs init container into the shared volume.
  tlsCert: /var/certs/dex.pem
  tlsKey: /var/certs/dex-key.pem
oauth2:
  skipApprovalScreen: true
staticClients:
  - id: pinniped-cli
    name: 'Pinniped CLI'
    #! we can't have "public: true" until https://github.com/dexidp/dex/pull/1822 lands in Dex.
    #! Loopback redirect URIs only; the port comes from data.values.ports.cli.
    redirectURIs:
      - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
      - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
enablePasswordDB: true
#! Fixed test user; the hash is a bcrypt of a well-known test password, so this
#! user must never be reused outside the integration test cluster.
staticPasswords:
  - username: "pinny"
    email: "pinny@example.com"
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password")
    userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
#@ end
---
#! Dedicated namespace for the test Dex instance; its Service DNS name
#! (dex.dex.svc.cluster.local) is what the issuer URL and certificate refer to.
apiVersion: v1
kind: Namespace
metadata:
  name: dex
  labels:
    name: dex
---
#! Rendered Dex config, mounted by the Deployment at /etc/dex/cfg/config.yaml.
#! It holds only test fixtures (a bcrypt hash of a fixed test password), which is
#! why a ConfigMap rather than a Secret is used here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-config
  namespace: dex
  labels:
    app: dex
data:
  config.yaml: #@ yaml.encode(dexConfig())
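---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dex
  namespace: dex
  labels:
    app: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
      annotations:
        #! Hash of the rendered config: editing the ConfigMap alone does not restart
        #! the pod, but a changed annotation alters the pod template and rolls it.
        dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
    spec:
      initContainers:
        #! Generates a throwaway CA and a serving certificate for the Service DNS name
        #! into the shared "certs" emptyDir before Dex starts. The CA private key is
        #! left in that volume for the pod's lifetime and is readable from the dex
        #! container's read-only mount; only the serving cert/key pair is needed there.
        - name: generate-certs
          image: cfssl/cfssl:1.5.0 #! mutable tag, not pinned by digest
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash"]
          args:
            - -c
            - |
              # Fail the init container on any error, including a failed cfssl step
              # inside a pipeline; otherwise Dex would start without its TLS files
              # and the real cause would be hidden behind a later TLS load error.
              set -euo pipefail
              cd /var/certs
              cfssl print-defaults config > /tmp/cfssl-default.json
              echo '{"CN": "Pinniped Test","hosts": [],"key": {"algo": "ecdsa","size": 256},"names": [{}]}' > csr.json
              echo "generating CA key..."
              cfssl genkey \
                -config /tmp/cfssl-default.json \
                -initca csr.json \
                | cfssljson -bare ca
              echo "generating Dex server certificate..."
              # SAN is pinned to the in-cluster Service name so clients can verify it.
              cfssl gencert \
                -ca ca.pem -ca-key ca-key.pem \
                -config /tmp/cfssl-default.json \
                -profile www \
                -cn "dex.dex.svc.cluster.local" \
                -hostname "dex.dex.svc.cluster.local" \
                csr.json \
                | cfssljson -bare dex
          volumeMounts:
            - name: certs
              mountPath: /var/certs
      containers:
        - name: dex
          image: quay.io/dexidp/dex:v2.10.0 #! mutable tag, not pinned by digest
          imagePullPolicy: IfNotPresent
          command:
            - /usr/local/bin/dex
            - serve
            - /etc/dex/cfg/config.yaml
          #! No readiness probe is defined, so the Service may route to this pod before
          #! Dex is listening; callers are expected to retry.
          ports:
            - name: https
              containerPort: 443
          volumeMounts:
            - name: dex-config
              mountPath: /etc/dex/cfg
            - name: certs
              mountPath: /var/certs
              readOnly: true
      volumes:
        - name: dex-config
          configMap:
            name: dex-config
        #! Pod-scoped scratch space: certificates are regenerated on every pod start.
        - name: certs
          emptyDir: {}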
---
#! Cluster-internal endpoint for Dex. targetPort is omitted, so it defaults to
#! the same value as port (443), which matches the container's https port.
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: dex
  labels:
    app: dex
spec:
  type: ClusterIP
  selector:
    app: dex
  ports:
    - port: 443
      name: https