diff --git a/Documentation/storage.md b/Documentation/storage.md
index 2dd6b32579eccff296692ac00081ddca3cbccc1d..ba9e1a9c90a17f4491db63ffe54aa30587417032 100644
--- a/Documentation/storage.md
+++ b/Documentation/storage.md
@@ -4,13 +4,68 @@ Dex requires persisting state to perform various tasks such as track refresh tok
Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen.
-## Kubernetes third party resources
+## Kubernetes custom resource definitions (CRDs)
-__NOTE:__ Dex requires Kubernetes version 1.4+.
+__NOTE:__ CRDs are only supported by Kubernetes version 1.7+.
-Kubernetes third party resources are a way for applications to create new resources types in the Kubernetes API. This allows dex to run on top of an existing Kubernetes cluster without the need for an external database. While this storage may not be appropriate for a large number of users, it's extremely effective for many Kubernetes use cases.
+Kubernetes [custom resource definitions](crd) are a way for applications to create new resources types in the Kubernetes API. The Custom Resource Definition (CRD) API object was introduced in Kubernetes version 1.7 to replace the Third Party Resource (TPR) extension. CRDs allows dex to run on top of an existing Kubernetes cluster without the need for an external database. While this storage may not be appropriate for a large number of users, it's extremely effective for many Kubernetes use cases.
-The rest of this section will explore internal details of how dex uses `ThirdPartyResources`. __Admins should not interact with these resources directly__, except when debugging. These resources are only designed to store state and aren't meant to be consumed by humans. For modifying dex's state dynamically see the [API documentation](api.md).
+The rest of this section will explore internal details of how dex uses CRDs. __Admins should not interact with these resources directly__, except while debugging. These resources are only designed to store state and aren't meant to be consumed by end users. For modifying dex's state dynamically see the [API documentation](api.md).
+
+The following is an example of the AuthCode resource managed by dex:
+
+```
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: 2017-09-13T19:56:28Z
+ name: authcodes.dex.coreos.com
+ resourceVersion: "288893"
+ selfLink: /apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/authcodes.dex.coreos.com
+ uid: a1cb72dc-98bd-11e7-8f6a-02d13336a01e
+spec:
+ group: dex.coreos.com
+ names:
+ kind: AuthCode
+ listKind: AuthCodeList
+ plural: authcodes
+ singular: authcode
+ scope: Namespaced
+ version: v1
+status:
+ acceptedNames:
+ kind: AuthCode
+ listKind: AuthCodeList
+ plural: authcodes
+ singular: authcode
+ conditions:
+ - lastTransitionTime: null
+ message: no conflicts found
+ reason: NoConflicts
+ status: "True"
+ type: NamesAccepted
+ - lastTransitionTime: 2017-09-13T19:56:28Z
+ message: the initial names have been accepted
+ reason: InitialNamesAccepted
+ status: "True"
+ type: Established
+```
+
+Once the `CustomResourceDefinition` is created, custom resources can be created and stored at a namespace level. The CRD type and the custom resources can be queried, deleted, and edited like any other resource using `kubectl`.
+
+## Kubernetes third party resources(TPRs)
+
+__NOTE:__ TPRs will be deprecated by Kubernetes version 1.8.
+
+The default behavior of dex from release v2.7.0 onwards is to utitlize CRDs to manage its custom resources. If users would like to use dex with a Kubernetes version lower than 1.7, they will have to force dex to use TPRs instead of CRDs by setting the `UseTPR` flag in the storage configuration as shown below:
+
+```
+storage:
+ type: kubernetes
+ config:
+ kubeConfigFile: kubeconfig
+ useTPR: true
+```
The `ThirdPartyResource` type acts as a description for the new resource a user wishes to create. The following an example of a resource managed by dex:
@@ -166,3 +221,4 @@ Any proposal to add a new implementation must address the following:
[issues-transaction-tests]: https://github.com/coreos/dex/issues/600
[k8s-api]: https://github.com/kubernetes/kubernetes/blob/master/docs/devel/api-conventions.md#concurrency-control-and-consistency
[psql-conn-options]: https://godoc.org/github.com/lib/pq#hdr-Connection_String_Parameters
+[crd]: https://kubernetes.io/docs/tasks/access-kubernetes-api/extend-api-custom-resource-definitions/
diff --git a/storage/kubernetes/client.go b/storage/kubernetes/client.go
index 9a14d34b9b33abaf0cb05753b5cde0d7fdc4be1f..57c975cfa7bf2400f84b6c3afbc05119df16ae98 100644
--- a/storage/kubernetes/client.go
+++ b/storage/kubernetes/client.go
@@ -249,7 +249,7 @@ func (c *client) put(resource, name string, v interface{}) error {
return checkHTTPErr(resp, http.StatusOK)
}
-func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger logrus.FieldLogger, apiVersion string) (*client, error) {
+func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, logger logrus.FieldLogger, useTPR bool) (*client, error) {
tlsConfig := cryptopasta.DefaultTLSConfig()
data := func(b string, file string) ([]byte, error) {
if b != "" {
@@ -325,13 +325,13 @@ func newClient(cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, l
}
}
- // if the apiVersion is not configured default to `oidc.coreos.com/v1`
- if apiVersion == "" {
+ // the API Group and version differ depending on if CRDs or TPRs are used.
+ apiVersion := "dex.coreos.com/v1"
+ if useTPR {
apiVersion = "oidc.coreos.com/v1"
}
logger.Infof("kubernetes client apiVersion = %s", apiVersion)
- // TODO(ericchiang): make API Group and version configurable.
return &client{
client: &http.Client{Transport: t},
baseURL: cluster.Server,
diff --git a/storage/kubernetes/k8sapi/crd_extensions.go b/storage/kubernetes/k8sapi/crd_extensions.go
index 0c36f9d0c8b7708a166fdef76151bf683fbcb7e2..4b55e393488f52fc978163da01dc8ac35e2ec9fc 100644
--- a/storage/kubernetes/k8sapi/crd_extensions.go
+++ b/storage/kubernetes/k8sapi/crd_extensions.go
@@ -47,10 +47,13 @@ type CustomResourceDefinitionNames struct {
type ResourceScope string
const (
- ClusterScoped ResourceScope = "Cluster"
+ // ClusterScoped is the `cluster` scope for a custom resource.
+ ClusterScoped ResourceScope = "Cluster"
+ // NamespaceScoped is the `namespaced` scope for a custom resource.
NamespaceScoped ResourceScope = "Namespaced"
)
+// ConditionStatus reflects if a resource
type ConditionStatus string
// These are valid condition statuses. "ConditionTrue" means a resource is in the condition.
diff --git a/storage/kubernetes/storage.go b/storage/kubernetes/storage.go
index 92c5e3fc8dbc2dea471d8a310a03b4e38c09e734..56a7dd8990acab342034cec571ab4b1c4a92db6b 100644
--- a/storage/kubernetes/storage.go
+++ b/storage/kubernetes/storage.go
@@ -38,8 +38,7 @@ const (
type Config struct {
InCluster bool `json:"inCluster"`
KubeConfigFile string `json:"kubeConfigFile"`
- APIVersion string `json:"apiVersion"` // API Group and version
- UseCRD bool `json:"useCRD"` // Flag option to use CRDs instead of TPRs
+ UseTPR bool `json:"useTPR"` // Flag option to use TPRs instead of CRDs
}
// Open returns a storage using Kubernetes third party resource.
@@ -79,57 +78,26 @@ func (c *Config) open(logger logrus.FieldLogger, errOnResources bool) (*client,
return nil, err
}
- cli, err := newClient(cluster, user, namespace, logger, c.APIVersion)
+ cli, err := newClient(cluster, user, namespace, logger, c.UseTPR)
if err != nil {
return nil, fmt.Errorf("create client: %v", err)
}
ctx, cancel := context.WithCancel(context.Background())
- if c.UseCRD {
- if !cli.createCustomResourceDefinitions() {
- if errOnResources {
- cancel()
- return nil, fmt.Errorf("failed creating custom resource definitions")
- }
- }
-
- // Try to synchronously create the custom resource definitions once. This doesn't mean
- // they'll immediately be available, but ensures that the client will actually try
- // once.
- logger.Errorf("failed creating custom resource definitions: %v", err)
- go func() {
- for {
- if cli.createCustomResourceDefinitions() {
- return
- }
-
- select {
- case <-ctx.Done():
- return
- case <-time.After(30 * time.Second):
- }
- }
- }()
- // If the client is closed, stop trying to create third party resources.
- cli.cancel = cancel
- return cli, nil
-
- }
-
- if !cli.createThirdPartyResources() {
+ if !cli.registerCustomResources(c.UseTPR) {
if errOnResources {
cancel()
- return nil, fmt.Errorf("failed creating third party resources")
+ return nil, fmt.Errorf("failed creating custom resources")
}
- // Try to synchronously create the third party resources once. This doesn't mean
+ // Try to synchronously create the custom resources once. This doesn't mean
// they'll immediately be available, but ensures that the client will actually try
// once.
- logger.Errorf("failed creating third party resources: %v", err)
+ logger.Errorf("failed creating custom resources: %v", err)
go func() {
for {
- if cli.createThirdPartyResources() {
+ if cli.registerCustomResources(c.UseTPR) {
return
}
@@ -142,64 +110,56 @@ func (c *Config) open(logger logrus.FieldLogger, errOnResources bool) (*client,
}()
}
- // If the client is closed, stop trying to create third party resources.
+ // If the client is closed, stop trying to create resources.
cli.cancel = cancel
return cli, nil
}
-// createThirdPartyResources attempts to create the third party resources dex
-// requires or identifies that they're already enabled. It logs all errors,
-// returning true if the third party resources were created successfully.
+// registerCustomResources attempts to create the custom resources dex
+// requires or identifies that they're already enabled. This function creates
+// third party resources(TPRs) or custom resource definitions(CRDs) depending
+// on the `useTPR` flag passed in as an argument.
+// It logs all errors, returning true if the resources were created successfully.
//
-// Creating a third party resource does not mean that they'll be immediately available.
+// Creating a custom resource does not mean that they'll be immediately available.
//
-// TODO(ericchiang): Provide an option to wait for the third party resources
-// to actually be available.
-func (cli *client) createThirdPartyResources() (ok bool) {
+// TODO(ericchiang): Provide an option to wait for the resources to actually
+// be available.
+func (cli *client) registerCustomResources(useTPR bool) (ok bool) {
ok = true
- for _, r := range thirdPartyResources {
- err := cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
- if err != nil {
- switch err {
- case storage.ErrAlreadyExists:
- cli.logger.Infof("third party resource already created %s", r.ObjectMeta.Name)
- case storage.ErrNotFound:
- cli.logger.Errorf("third party resources not found, please enable API group extensions/v1beta1")
- ok = false
- default:
- cli.logger.Errorf("creating third party resource %s: %v", r.ObjectMeta.Name, err)
- ok = false
- }
- continue
+ length := len(customResourceDefinitions)
+ if useTPR {
+ length = len(thirdPartyResources)
+ }
+
+ for i := 0; i < length; i++ {
+ var err error
+ var resourceName string
+
+ if useTPR {
+ r := thirdPartyResources[i]
+ err = cli.postResource("extensions/v1beta1", "", "thirdpartyresources", r)
+ resourceName = r.ObjectMeta.Name
+ } else {
+ r := customResourceDefinitions[i]
+ err = cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinitions", r)
+ resourceName = r.ObjectMeta.Name
}
- cli.logger.Errorf("create third party resource %s", r.ObjectMeta.Name)
- }
- return ok
-}
-// createCustomResourceDefinitions attempts to create the custom resource definitions(CRDs)
-// required by dex. If the CRDs exist, this information is logged. It logs all errors,
-// returning true if the CRDs were created successfully.
-//
-// TODO: Provide an option to wait for the CRDs to actually be available.
-func (cli *client) createCustomResourceDefinitions() (ok bool) {
- ok = true
- for _, r := range customResourceDefinitions {
- err := cli.postResource("apiextensions.k8s.io/v1beta1", "", "customresourcedefinition", r)
if err != nil {
switch err {
case storage.ErrAlreadyExists:
- cli.logger.Infof("custom resource definition already created %s", r.ObjectMeta.Name)
+ cli.logger.Infof("custom resource already created %s", resourceName)
case storage.ErrNotFound:
- cli.logger.Errorf("custom resource definition not found, please enable API group apiextensions.k8s.io/v1beta1")
+ cli.logger.Errorf("custom resources not found, please enable the respective API group")
ok = false
default:
- cli.logger.Errorf("creating custom resource definition %s: %v", r.ObjectMeta.Name, err)
+ cli.logger.Errorf("creating custom resource %s: %v", resourceName, err)
ok = false
}
continue
}
- cli.logger.Errorf("create custom resource definition %s", r.ObjectMeta.Name)
+ cli.logger.Errorf("create custom resource %s", resourceName)
}
return ok
}
diff --git a/storage/kubernetes/types.go b/storage/kubernetes/types.go
index 8ffee1d6f365da4c6b0bf255eacd7fae1ac3b312..b593e4122ca7e6de949c411c336f218ad2640ae5 100644
--- a/storage/kubernetes/types.go
+++ b/storage/kubernetes/types.go
@@ -119,8 +119,8 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Version: "v1",
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "authrequests",
- Singular: "authcodrequest",
- Kind: "AuthRequests",
+ Singular: "authrequest",
+ Kind: "AuthRequest",
},
},
},
@@ -135,7 +135,7 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "oauth2clients",
Singular: "oauth2client",
- Kind: "Oauth2Client",
+ Kind: "OAuth2Client",
},
},
},
@@ -148,6 +148,9 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Group: apiGroup,
Version: "v1",
Names: k8sapi.CustomResourceDefinitionNames{
+ // `signingkeies` is an artifact from the old TPR pluralization.
+ // Users don't directly interact with this value, hence leaving it
+ // as is.
Plural: "signingkeies",
Singular: "signingkey",
Kind: "SigningKey",
@@ -195,7 +198,7 @@ var customResourceDefinitions = []k8sapi.CustomResourceDefinition{
Names: k8sapi.CustomResourceDefinitionNames{
Plural: "offlinesessionses",
Singular: "offlinesessions",
- Kind: "OfflineSessions",
+ Kind: "OfflineSession",
},
},
},