From d9b668002c46411cca29b929d9d0edeae42e8d4c Mon Sep 17 00:00:00 2001
From: Bobby Rullo
Date: Tue, 8 Sep 2015 14:53:53 -0700
Subject: [PATCH 1/3] contrib/k8s: get yaml up-to-date with latest k8s
---
.../{authd-overlord-rc.yaml => dex-overlord-rc.yaml} | 10 ++++++++--
...erlord-service.yaml => dex-overlord-service.yaml} | 2 +-
.../k8s/{authd-worker-rc.yaml => dex-worker-rc.yaml} | 4 ++--
...d-worker-service.yaml => dex-worker-service.yaml} | 8 ++++++--
contrib/k8s/postgres-rc.yaml | 12 ++++--------
contrib/k8s/postgres-service.yaml | 4 ++--
6 files changed, 23 insertions(+), 17 deletions(-)
rename contrib/k8s/{authd-overlord-rc.yaml => dex-overlord-rc.yaml} (52%)
rename contrib/k8s/{authd-overlord-service.yaml => dex-overlord-service.yaml} (89%)
rename contrib/k8s/{authd-worker-rc.yaml => dex-worker-rc.yaml} (70%)
rename contrib/k8s/{authd-worker-service.yaml => dex-worker-service.yaml} (59%)
diff --git a/contrib/k8s/authd-overlord-rc.yaml b/contrib/k8s/dex-overlord-rc.yaml
similarity index 52%
rename from contrib/k8s/authd-overlord-rc.yaml
rename to contrib/k8s/dex-overlord-rc.yaml
index f05611ad..8966375e 100644
--- a/contrib/k8s/authd-overlord-rc.yaml
+++ b/contrib/k8s/dex-overlord-rc.yaml
@@ -1,4 +1,4 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: ReplicationController metadata: labels:
@@ -19,7 +19,13 @@ spec: containers: - image: quay.io/coreos/dex name: dex-overlord - command: ["/opt/dex/bin/dex-overlord", "-key-secret", "XXXXXXXXXXXXX", "-db-url", "postgres://postgres@auth-postgres.default.tectonic.local:5432/auth?sslmode=disable"] + command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"] ports: - containerPort: 5557 name: overlord-port + livenessProbe: + httpGet: + path: /health + port: 5557 + initialDelaySeconds: 15 + timeoutSeconds: 1
diff --git a/contrib/k8s/authd-overlord-service.yaml b/contrib/k8s/dex-overlord-service.yaml
similarity index 89%
rename from contrib/k8s/authd-overlord-service.yaml
rename to contrib/k8s/dex-overlord-service.yaml
index 5df40a9f..a5cb0f74 100644
--- a/contrib/k8s/authd-overlord-service.yaml
+++ b/contrib/k8s/dex-overlord-service.yaml
@@ -1,4 +1,4 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: Service metadata: labels:
diff --git a/contrib/k8s/authd-worker-rc.yaml b/contrib/k8s/dex-worker-rc.yaml
similarity index 70%
rename from contrib/k8s/authd-worker-rc.yaml
rename to contrib/k8s/dex-worker-rc.yaml
index 1c0397b7..6d26f841 100644
--- a/contrib/k8s/authd-worker-rc.yaml
+++ b/contrib/k8s/dex-worker-rc.yaml
@@ -1,4 +1,4 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: ReplicationController metadata: labels:
@@ -19,7 +19,7 @@ spec: containers: - image: quay.io/coreos/dex name: dex-worker - command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default.tectonic.local:5556", "-key-secret", "XXXXXXXXXXX", "-db-url", "postgres://postgres@auth-postgres.default.tectonic.local:5432/auth?sslmode=disable"] + command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"] ports: - containerPort: 5556 name: worker-port
diff --git a/contrib/k8s/authd-worker-service.yaml b/contrib/k8s/dex-worker-service.yaml
similarity index 59%
rename from contrib/k8s/authd-worker-service.yaml
rename to contrib/k8s/dex-worker-service.yaml
index 020fd2a9..514ddb4e 100644
--- a/contrib/k8s/authd-worker-service.yaml
+++ b/contrib/k8s/dex-worker-service.yaml
@@ -1,4 +1,4 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: Service metadata: labels:
@@ -6,8 +6,12 @@ metadata: role: worker name: dex-worker spec: + type: "NodePort" ports: - - port: 5556 + - name: "worker" + port: 5556 + nodePort: 30556 + selector: app: dex role: worker
diff --git a/contrib/k8s/postgres-rc.yaml b/contrib/k8s/postgres-rc.yaml
index cdb1c8c2..7f7cf76c 100644
--- a/contrib/k8s/postgres-rc.yaml
+++ b/contrib/k8s/postgres-rc.yaml
@@ -1,9 +1,9 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: ReplicationController metadata: labels: app: postgres - name: auth-postgres + name: dex-postgres spec: replicas: 1 selector:
@@ -14,12 +14,8 @@ spec: app: postgres spec: containers: - - image: quay.io/sym3tri/postgres-dev:9.4 - name: auth-postgres - env: - - name: DATABASES - key: DATABASES - value: auth + - image: postgres + name: dex-postgres ports: - containerPort: 5432 name: postgres-port
diff --git a/contrib/k8s/postgres-service.yaml b/contrib/k8s/postgres-service.yaml
index f3fb7b5e..09e1d27f 100644
--- a/contrib/k8s/postgres-service.yaml
+++ b/contrib/k8s/postgres-service.yaml
@@ -1,9 +1,9 @@ -apiVersion: v1beta3 +apiVersion: v1 kind: Service metadata: labels: app: postgres - name: auth-postgres + name: dex-postgres spec: ports: - port: 5432
From edd88db932ba8444ec08cdb2508463e71635e419 Mon Sep 17 00:00:00 2001
From: Bobby Rullo
Date: Wed, 9 Sep 2015 14:29:41 -0700
Subject: [PATCH 2/3] contrib/k8s: Use secrets to store secrets. Also, move most flags to environment variables.
---
contrib/k8s/dex-overlord-rc.yaml | 18 +++++++++++++++++-
contrib/k8s/dex-secrets.yaml | 7 +++++++
contrib/k8s/dex-worker-rc.yaml | 23 +++++++++++++++++++++--
3 files changed, 45 insertions(+), 3 deletions(-)
create mode 100644 contrib/k8s/dex-secrets.yaml
diff --git a/contrib/k8s/dex-overlord-rc.yaml b/contrib/k8s/dex-overlord-rc.yaml
index 8966375e..d595fe69 100644
--- a/contrib/k8s/dex-overlord-rc.yaml
+++ b/contrib/k8s/dex-overlord-rc.yaml
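Review bot: `- image: postgres` in the second postgres-rc.yaml hunk is untagged, so every pod restart pulls whatever `latest` resolves to at that moment and a later major version can change behaviour or refuse to start against the existing data directory; the line it replaces was pinned to 9.4, so `- image: postgres:9.4` would keep that property. The container is also started with no authentication settings while postgres-service.yaml makes it reachable from any pod, and the connection strings in dex-overlord-rc.yaml and dex-worker-rc.yaml connect as `postgres` with no password and `sslmode=disable`, so anything that can open a socket to `dex-postgres` has full access to the store that, per the README, holds dex's encrypted private keys and its connector and client configuration. The README calls this configuration unsuitable for production; a comment on the image line, `# example only: unpinned image, no DB password, no persistent volume`, would keep that caveat in the manifest, and for anything beyond a demo set `POSTGRES_PASSWORD` on the container (the official image honours it) and carry the credential in the DB URLs, ideally sourced from a Secret.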
@@ -19,7 +19,15 @@ spec: containers: - image: quay.io/coreos/dex name: dex-overlord - command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"] + env: + - name: DEX_OVERLORD_DB_URL + value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable + - name: DEX_OVERLORD_ADMIN_LISTEN + value: http://0.0.0.0:5557 + command: + - "sh" + - "-c" + - "/opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)" ports: - containerPort: 5557 name: overlord-port
@@ -29,3 +37,11 @@ spec: port: 5557 initialDelaySeconds: 15 timeoutSeconds: 1 + volumeMounts: + - name: dex + mountPath: "/etc/dex" + readOnly: true + volumes: + - name: dex + secret: + secretName: "dex"
diff --git a/contrib/k8s/dex-secrets.yaml b/contrib/k8s/dex-secrets.yaml
new file mode 100644
index 00000000..ac67d5d4
--- /dev/null
+++ b/contrib/k8s/dex-secrets.yaml
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: dex +type: Opaque +data: + key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.
diff --git a/contrib/k8s/dex-worker-rc.yaml b/contrib/k8s/dex-worker-rc.yaml
index 6d26f841..163e3ce7 100644
--- a/contrib/k8s/dex-worker-rc.yaml
+++ b/contrib/k8s/dex-worker-rc.yaml
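Review bot: The new `command` is `sh -c "/opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)"`, which expands the secret into the dex-overlord process's argument vector, so it is readable from `/proc/<pid>/cmdline` by every process in the container and appears in process listings on the node, a wider exposure than the read-only mount at `/etc/dex` by itself. The other flags in this hunk were moved to `DEX_OVERLORD_*` environment variables; if the binary also honours an environment variable or a file path for the key secrets, that would keep the value out of argv, and the same point applies to the two dex-worker-rc.yaml hunks in this patch. Until then a comment above `command:`, `# key secret is expanded into argv; switch to a file/env form if dex supports one`, would record the trade-off. The `readOnly: true` on the secret mount is the right default.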
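Review bot: The `key-secrets` value in dex-secrets.yaml is a fixed placeholder (the inline comment says it is 32 `x` characters base64-encoded twice) and neither this file nor the README's "Create your secrets" step, which applies it verbatim with `kubectl create -f dex-secrets.yaml`, says it has to be replaced, so a cluster built by following the instructions encrypts its private keys with a key that is public in this repository. A comment above the line would prevent that, e.g. `# PLACEHOLDER ONLY - replace before use with a freshly generated random key, base64-encoded as the flag expects and then base64-encoded again for this data field`; the expected key length looks like 32 bytes from the placeholder, but confirm that against what `--key-secrets` accepts. The README step should carry the same instruction.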
@@ -19,7 +19,19 @@ spec: containers: - image: quay.io/coreos/dex name: dex-worker - command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"] + env: + - name: DEX_WORKER_ISSUER + value: http://dex-worker.default:5556 + - name: DEX_WORKER_DB_URL + value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable + - name: DEX_WORKER_EMAIL_CFG + value: /opt/dex/email/emailer.json + - name: DEX_WORKER_LISTEN + value: http://0.0.0.0:5556 + command: + - "sh" + - "-c" + - "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)" ports: - containerPort: 5556 name: worker-port
@@ -29,4 +41,11 @@ spec: port: 5556 initialDelaySeconds: 15 timeoutSeconds: 1 - + volumeMounts: + - name: dex + mountPath: "/etc/dex" + readOnly: true + volumes: + - name: dex + secret: + secretName: "dex"
From 25c21f0f7e0724513df5208367fe22148720abba Mon Sep 17 00:00:00 2001
From: Bobby Rullo
Date: Thu, 10 Sep 2015 11:55:52 -0700
Subject: [PATCH 3/3] contrib/k8s: docs for using k8s configs
---
contrib/k8s/README.md | 122 +++++++++++++++++++++++++++------
contrib/k8s/dex-worker-rc.yaml | 2 +-
2 files changed, 103 insertions(+), 21 deletions(-)
diff --git a/contrib/k8s/README.md b/contrib/k8s/README.md
index c4908cca..8ca4d20a 100644
--- a/contrib/k8s/README.md
+++ b/contrib/k8s/README.md
@@ -1,41 +1,123 @@ -# dex +# Deploying dex on Kubernetes -## Getting Started +This document will allow you to set up dex in your Kubernetes cluster ;the example configuration files are generally useful, but will need to be modified to meet the needs of your deployment. The places that are likely to need modification will be called out as often as possible in this document. -**Warning**: Hacks Ahead. +## Prerequisites and Assumptions -You must be running cluster wide DNS for this to work. +The document assumes that you already have a cluster with at least one worker up and running. The easiest way to bring up a small cluster for experimentation is the [coreos-kubernetes single node](coreos-kubernetes-single-node) Vagrant installer. -Install your dockercfg. There is no nice way to do this: +The other assumption is that your Kubernetes cluster will be routable on `172.17.4.99` (which is what it will be if you use [coreos-kubernetes single node][coreos-kubernetes-single-node], and the issuer URL for your dex installation is `http://172.17.4.99:30556`; in production installations you will need to make sure that you are serving on https and you will likely want to use a hostname rather than an IP address. -``` -ssh worker -cat > /proc/$(pgrep kubelet)/cwd/.dockercfg -``` +[coreos-kubernetes-single-node][https://github.com/coreos/coreos-kubernetes/blob/master/single-node/README.md] -Start postgres +## Start Postgres + +Dex needs a database to store information; these commands will create a Postgres service that dex can use. Note that this configuration is not suitable for production - if the container is destroyed, the data is gone forever. + +In production you should have a sufficiently fault-tolerant Postgres deployment on a persistent volume with backup. ``` kubectl create -f postgres-rc.yaml kubectl create -f postgres-service.yaml ``` -Run dex and setup services +## Create your secrets. + +dex needs a secret key for encrypting private keys in the database. 
These can be stored as [Kubernetes secrets][k8s-secrets]. + +[k8s-secrets]: http://kubernetes.io/v1.0/docs/user-guide/secrets.html ``` -for i in dex-overlord-rc.yaml dex-overlord-service.yaml dex-worker-rc.yaml dex-worker-service.yaml; do - kubectl create -f ${i} -done +kubectl create -f dex-secrets.yaml ``` -curl http://$(kubectl describe service dex-worker | grep '^IP:' | awk '{print $2}'):5556 +## Start the Overlord -5. [Register your first client](https://github.com/coreos/dex#registering-clients) +Start the overlord. This will also initialize your database the first time it's run, and perform migrations when new versions are installed. + +``` +kubectl create -f dex-overlord-rc.yaml +kubectl create -f dex-overlord-service.yaml +``` + +Note: this will make the admin API available to any pod in the cluster. This API is very powerful, and allows the creation of admin users who can perform any action in dex, including creating, modifying and deleting other users. This will be fixed soon by requirng some sort of authentication. + +## Add a Connector + +This is bit of a hack; right now the only way to add connectors and register +your first client is to use the `dexctl` tool talking directly to the +database. Because the database is only routable inside the cluster, we do it +inside a pod via `kubectl exec`. (note that if your DB is not running on the cluster, you can run the dexctl command directly against your database.) + +The other hacky thing is that this needs to happen before the workers start because workers do not (yet!) respond dynamically to connector configuration changes. + +First, start a shell session on the overlord pod. +``` +DEX_OVERLORD_POD=$(kubectl get pod -l=app=dex,role=overlord -o template -t "{{ (index .items 0).metadata.name }}") + +kubectl exec -ti $DEX_OVERLORD_POD -- sh +``` + +Once we're on the pod, we create a connectors file and upload it to dex. 
+ +``` +DEX_CONNECTORS_FILE=$(mktemp /tmp/dex-conn.XXXXXX) +cat << EOF > $DEX_CONNECTORS_FILE +[ + { + "type": "local", + "id": "local" + } +] +EOF + +/opt/dex/bin/dexctl --db-url=postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable set-connector-configs $DEX_CONNECTORS_FILE +exit +``` + +## Start the Worker + +Start the worker. The worker is exposed as an external service so that end-users can access it. + +``` +kubectl create -f dex-worker-rc.yaml +kubectl create -f dex-worker-service.yaml +``` + +## [Create a client](https://github.com/coreos/dex#registering-clients) + +We then `eval` that which creates the shell variables `DEX_APP_CLIENT_ID` and `DEX_APP_CLIENT_SECRET` + +``` +eval "$(kubectl exec $DEX_OVERLORD_POD -- /opt/dex/bin/dexctl --db-url=postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable new-client http://127.0.0.1:5555/callback )" +``` + +## Build and Run the Example App + +First, go to the root of the dex repo: + +``` +cd ../.. +``` + +Now, build and run the example app. + +``` +./build +./bin/example-app --client-id=$DEX_APP_CLIENT_ID --client-secret=$DEX_APP_CLIENT_SECRET --discovery=http://172.17.4.99:30556 +``` + +Now you can register and log-in to your example app: Go to http://127.0.0.1:5555 ## Debugging -You can use a port forward from the target host to debug the database -IP=$(kubectl describe service dex-postgres | grep '^IP:' | awk '{print $2}') -ssh -F ssh-config -L 5432:${IP}:5432 w1 -psql -h localhost -w -U postgres +### psql + +Here's how to get psql session. +``` +DEX_PSQL_POD=$(kubectl get pod -l=app=postgres -o template -t "{{ (index .items 0).metadata.name }}") +kubectl exec $DEX_PSQL_POD -ti -- psql postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable +``` + + diff --git a/contrib/k8s/dex-worker-rc.yaml b/contrib/k8s/dex-worker-rc.yaml index 163e3ce7..3b86b8ff 100644 --- a/contrib/k8s/dex-worker-rc.yaml +++ b/contrib/k8s/dex-worker-rc.yaml 
@@ -21,7 +21,7 @@ spec: name: dex-worker env: - name: DEX_WORKER_ISSUER - value: http://dex-worker.default:5556 + value: http://172.17.4.99:30556 - name: DEX_WORKER_DB_URL value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable - name: DEX_WORKER_EMAIL_CFG
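Review bot: `value: http://172.17.4.99:30556` bakes the Vagrant single-node address from the README into the manifest, and the issuer is plain `http`; anyone applying this file on another cluster gets an issuer that does not match the URL their users reach, and because OIDC clients compare the issuer against the `iss` claim of the tokens they receive, the mismatch fails logins outright rather than degrading. The README already says production must serve https under a hostname; a comment above the line, `# Replace with the externally reachable URL of dex-worker (https in production); clients validate tokens against this exact value`, keeps that with the value. The env list and the enclosing container spec continue outside the hunk.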