diff --git a/cmd/example-app/main.go b/cmd/example-app/main.go
index 60223e4a698be8a129016df74930530aea87b01d..56d1a2c8964dff4273bb02b5811d08588e87343a 100644
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@@ -94,7 +94,7 @@ func cmd() *cobra.Command {
}
// This sets the OAuth2 client and oidc client.
- a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, &client)
+ a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, client)
}
// TODO(ericchiang): Retry with backoff
diff --git a/cmd/poke/config.go b/cmd/poke/config.go
index 89d1ae218b4c8ac2e7f9c122575bc44f9345dbd4..ed39beb3c8b68232d192495e040ed715ccddf9b9 100644
--- a/cmd/poke/config.go
+++ b/cmd/poke/config.go
@@ -47,23 +47,25 @@ func (s *Storage) UnmarshalYAML(unmarshal func(interface{}) error) error {
return err
}
s.Type = storageMeta.Type
- var c struct {
- Config StorageConfig `yaml:"config"`
- }
// TODO(ericchiang): replace this with a registration process.
+ var err error
switch storageMeta.Type {
case "kubernetes":
- c.Config = &kubernetes.Config{}
+ var config struct {
+ Config kubernetes.Config `yaml:"config"`
+ }
+ err = unmarshal(&config)
+ s.Config = &config.Config
case "memory":
- c.Config = &memory.Config{}
+ var config struct {
+ Config memory.Config `yaml:"config"`
+ }
+ err = unmarshal(&config)
+ s.Config = &config.Config
default:
return fmt.Errorf("unknown storage type %q", storageMeta.Type)
}
- if err := unmarshal(c); err != nil {
- return err
- }
- s.Config = c.Config
- return nil
+ return err
}
// StorageConfig is a configuration that can create a storage.
diff --git a/example/k8s/.gitignore b/example/k8s/.gitignore
new file mode 100644
index 0000000000000000000000000000000000000000..6a0b115e65dcb69d98efb63f37f20e482981716d
--- /dev/null
+++ b/example/k8s/.gitignore
@@ -0,0 +1 @@
+ssl/
diff --git a/example/k8s/README.md b/example/k8s/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..28cfe643fd281b0d4d22c131da0762f8ee4733aa
--- /dev/null
+++ b/example/k8s/README.md
@@ -0,0 +1,19 @@
+# Running dex as the Kubernetes
+
+```
+kubectl create -f thirdpartyresources.yaml
+kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
+kubectl create -f deployment.yaml
+```
+
+```
+kubectl create -f https://raw.githubusercontent.com/kubernetes/contrib/master/ingress/controllers/nginx/rc.yaml
+./gencert.sh
+kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
+kubectl create -f dex-ingress.yaml
+```
+
+```
+kubectl create -f client.yaml
+../../bin/example-app --issuer https://dex.example.com --issuer-root-ca ssl/ca.pem
+```
diff --git a/example/client.yaml b/example/k8s/client.yaml
similarity index 99%
rename from example/client.yaml
rename to example/k8s/client.yaml
index aa974230f9c19b4ccbf2b7e892de863a2977679c..b294c6f9cfce86245432a5211d3f559de69fe720 100644
--- a/example/client.yaml
+++ b/example/k8s/client.yaml
@@ -3,6 +3,7 @@ apiVersion: oauth2clients.oidc.coreos.com/v1
metadata:
name: example-app
namespace: default
+
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
redirectURIs:
- http://127.0.0.1:5555/callback
diff --git a/example/k8s/config-k8s.yaml b/example/k8s/config-k8s.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a27200164d8449474334535d3e057a9ee02ae465
--- /dev/null
+++ b/example/k8s/config-k8s.yaml
@@ -0,0 +1,13 @@
+issuer: https://dex.example.com
+storage:
+ type: kubernetes
+ config:
+ inCluster: true
+
+web:
+ http: 0.0.0.0:5556
+
+connectors:
+- type: mock
+ id: mock
+ name: Mock
diff --git a/example/k8s/deployment.yaml b/example/k8s/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c059d59c52775f0158713fa8b1578368011db9b3
--- /dev/null
+++ b/example/k8s/deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ labels:
+ app: dex
+ name: dex
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: dex
+ spec:
+ containers:
+ - image: quay.io/ericchiang/poke
+ name: dex
+ command:
+ - "/poke"
+ - "serve"
+ - "/dex/config.yaml"
+ env:
+ # A value required for dex's Kubernetes client.
+ - name: KUBERNETES_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+
+ ports:
+ - containerPort: 5556
+ name: worker-port
+
+ volumeMounts:
+ - name: config-volume
+ mountPath: /dex
+ volumes:
+ - name: config-volume
+ configMap:
+ name: dex-config
diff --git a/example/k8s/dex-ingress.yaml b/example/k8s/dex-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1c52fb09d22ef3e3680fd41fcd1905b86e30d079
--- /dev/null
+++ b/example/k8s/dex-ingress.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex
+spec:
+ ports:
+ - name: dex
+ port: 5556
+ selector:
+ app: dex
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: dex
+spec:
+ tls:
+ - secretName: dex.example.com.tls
+ hosts:
+ - dex.example.com
+ rules:
+ - host: dex.example.com
+ http:
+ paths:
+ - backend:
+ serviceName: dex
+ servicePort: 5556
+ path: /
diff --git a/example/k8s/gencert.sh b/example/k8s/gencert.sh
new file mode 100755
index 0000000000000000000000000000000000000000..774358573fbd72af308555938534c50937aa2e60
--- /dev/null
+++ b/example/k8s/gencert.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+mkdir -p ssl
+
+cat << EOF > ssl/req.cnf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = dex.example.com
+EOF
+
+openssl genrsa -out ssl/ca-key.pem 2048
+openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"
+
+openssl genrsa -out ssl/key.pem 2048
+openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
+openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf
diff --git a/example/k8s/nginx-ingress.yaml b/example/k8s/nginx-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9740ff5a6ee873a99bc2abc4431f7971503f416d
--- /dev/null
+++ b/example/k8s/nginx-ingress.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: default-http-backend
+ labels:
+ k8s-app: default-http-backend
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ protocol: TCP
+ name: http
+ selector:
+ k8s-app: default-http-backend
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: default-http-backend
+spec:
+ replicas: 1
+ selector:
+ k8s-app: default-http-backend
+ template:
+ metadata:
+ labels:
+ k8s-app: default-http-backend
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - name: default-http-backend
+ # Any image is permissable as long as:
+ # 1. It serves a 404 page at /
+ # 2. It serves 200 on a /healthz endpoint
+ image: gcr.io/google_containers/defaultbackend:1.0
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 8080
+ resources:
+ limits:
+ cpu: 10m
+ memory: 20Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+ name: nginx-ingress-controller
+ labels:
+ k8s-app: nginx-ingress-lb
+spec:
+ replicas: 1
+ selector:
+ web-frontend
+ template:
+ metadata:
+ labels:
+ k8s-app: nginx-ingress-lb
+ name: nginx-ingress-lb
+ spec:
+ terminationGracePeriodSeconds: 60
+ containers:
+ - image: gcr.io/google_containers/nginx-ingress-controller:0.8.2
+ name: nginx-ingress-lb
+ imagePullPolicy: Always
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 10249
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ # use downward API
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - containerPort: 443
+ hostPort: 443
+ # we expose 18080 to access nginx stats in url /nginx-status
+ # this is optional
+ - containerPort: 18080
+ hostPort: 18080
+ args:
+ - /nginx-ingress-controller
+ - --default-backend-service=default/default-http-backend
diff --git a/example/thirdpartyresources.yaml b/example/k8s/thirdpartyresources.yaml
similarity index 100%
rename from example/thirdpartyresources.yaml
rename to example/k8s/thirdpartyresources.yaml