ContainerImage.Pinniped/test/deploy/dex/dex.yaml
Matt Moyer 6ce2f109bf
Refactor certificate generation for integration test Dex.
Before, we did this in an init container, which meant if the Dex pod restarted we would have fresh certs, but our Tilt/bash setup didn't account for this.

Now, the certs are generated by a Job which runs once and saves the generated files into a Secret. This should be a bit more stable.

Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 11:36:36 -06:00

#! Copyright 2020 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("@ytt:sha256", "sha256")
#@ load("@ytt:yaml", "yaml")

#@ def dexConfig():
issuer: https://dex.dex.svc.cluster.local/dex
storage:
  type: sqlite3
  config:
    file: ":memory:"
web:
  https: 0.0.0.0:443
  tlsCert: /var/certs/dex.pem
  tlsKey: /var/certs/dex-key.pem
oauth2:
  skipApprovalScreen: true
staticClients:
  - id: pinniped-cli
    name: 'Pinniped CLI'
    #! we can't have "public: true" until https://github.com/dexidp/dex/pull/1822 lands in Dex.
    redirectURIs:
      - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
      - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
enablePasswordDB: true
staticPasswords:
  - username: "pinny"
    email: "pinny@example.com"
    hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" #! bcrypt("password")
    userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
#@ end
---
apiVersion: v1
kind: Namespace
metadata:
  name: dex
  labels:
    name: dex
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-config
  namespace: dex
  labels:
    app: dex
data:
  config.yaml: #@ yaml.encode(dexConfig())
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dex
  namespace: dex
  labels:
    app: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
      annotations:
        dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
    spec:
      containers:
        - name: dex
          image: quay.io/dexidp/dex:v2.10.0
          imagePullPolicy: IfNotPresent
          command:
            - /usr/local/bin/dex
            - serve
            - /etc/dex/cfg/config.yaml
          ports:
            - name: https
              containerPort: 443
          volumeMounts:
            - name: dex-config
              mountPath: /etc/dex/cfg
            - name: certs
              mountPath: /var/certs
              readOnly: true
      volumes:
        - name: dex-config
          configMap:
            name: dex-config
        - name: certs
          secret:
            secretName: certs
---
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: dex
  labels:
    app: dex
spec:
  type: ClusterIP
  selector:
    app: dex
  ports:
    - port: 443
      name: https
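The Deployment above mounts a Secret named `certs` (keys `dex.pem` and `dex-key.pem`, read-only at `/var/certs`) that, per the commit message, a one-shot Job now fills. As an added example, not Pinniped's own Job, the POSIX shell script below generates a matching self-signed serving certificate with openssl for the issuer host from `dexConfig()`, checks that the key pair matches and that the SAN covers that host, and renders the Secret the Deployment expects; the openssl/base64 invocations, the `$OUT` directory and the 30-day validity are my assumptions.

```shell
#!/bin/sh
# Added example (not Pinniped's cert-generation Job): build the "certs"
# Secret that the Dex Deployment mounts at /var/certs.
# Assumes openssl >= 1.1.1 (for -addext) and a POSIX base64; output goes to $OUT.
set -eu

OUT="${OUT:-$(mktemp -d)}"
DEX_HOST="dex.dex.svc.cluster.local"   # host part of the issuer in dexConfig()

# Generate an RSA key and a self-signed cert whose SAN matches the issuer host,
# using the file names the Deployment's tlsCert/tlsKey settings point at.
gen_dex_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$OUT/dex-key.pem" -out "$OUT/dex.pem" \
    -subj "/CN=$DEX_HOST" \
    -addext "subjectAltName=DNS:$DEX_HOST" >/dev/null 2>&1
}

# Refuse to ship a Secret whose cert and key do not belong together, or whose
# SAN would make the CLI's TLS verification of the issuer fail.
verify_dex_certs() {
  cert_mod=$(openssl x509 -noout -modulus -in "$OUT/dex.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$OUT/dex-key.pem")
  [ "$cert_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -text -in "$OUT/dex.pem" | grep -q "DNS:$DEX_HOST"
}

# Render the Opaque Secret "certs" in namespace "dex"; base64 is single-line
# (tr strips wrapping so this works with both GNU and BSD base64).
render_certs_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: certs
  namespace: dex
type: Opaque
data:
  dex.pem: $(base64 "$OUT/dex.pem" | tr -d '\n')
  dex-key.pem: $(base64 "$OUT/dex-key.pem" | tr -d '\n')
EOF
}

gen_dex_certs
verify_dex_certs
render_certs_secret > "$OUT/certs-secret.yaml"
```

Because the Secret is created once rather than regenerated on every pod restart, the rendered manifest is what the Tilt/bash tooling can rely on staying stable.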