contrib/k8s: Use secrets to store secrets.

Also, move most flags to environment variables.
2015-09-09 14:29:41 -07:00 · 2015-09-09 14:29:41 -07:00 · edd88db932
parent d9b668002c
commit edd88db932
3 changed files with 45 additions and 3 deletions
--- a/contrib/k8s/dex-overlord-rc.yaml
+++ b/contrib/k8s/dex-overlord-rc.yaml
@ -19,7 +19,15 @@ spec:
      containers:
          - image: quay.io/coreos/dex
            name: dex-overlord
-            command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"]
+            env:
+              - name: DEX_OVERLORD_DB_URL
+                value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
+              - name: DEX_OVERLORD_ADMIN_LISTEN
+                value: http://0.0.0.0:5557
+            command:
+              - "sh"
+              - "-c"
+              - "/opt/dex/bin/dex-overlord  --key-secrets=$(cat /etc/dex/key-secrets)"
            ports:
            - containerPort: 5557
              name: overlord-port
@ -29,3 +37,11 @@ spec:
                port: 5557
              initialDelaySeconds: 15
              timeoutSeconds: 1
+            volumeMounts:
+              - name: dex
+                mountPath: "/etc/dex"
+                readOnly: true
+      volumes:
+        - name: dex
+          secret:
+            secretName: "dex"
--- a/contrib/k8s/dex-secrets.yaml
+++ b/contrib/k8s/dex-secrets.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex
+type: Opaque
+data:
+  key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.
--- a/contrib/k8s/dex-worker-rc.yaml
+++ b/contrib/k8s/dex-worker-rc.yaml
@ -19,7 +19,19 @@ spec:
      containers:
          - image: quay.io/coreos/dex
            name: dex-worker
-            command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"]
+            env:
+              - name: DEX_WORKER_ISSUER
+                value: http://dex-worker.default:5556
+              - name: DEX_WORKER_DB_URL
+                value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
+              - name: DEX_WORKER_EMAIL_CFG
+                value: /opt/dex/email/emailer.json
+              - name: DEX_WORKER_LISTEN
+                value: http://0.0.0.0:5556
+            command:
+              - "sh"
+              - "-c"
+              - "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)"
            ports:
            - containerPort: 5556
              name: worker-port
@ -29,4 +41,11 @@ spec:
                port: 5556
              initialDelaySeconds: 15
              timeoutSeconds: 1
-
+            volumeMounts:
+              - name: dex
+                mountPath: "/etc/dex"
+                readOnly: true
+      volumes:
+        - name: dex
+          secret:
+            secretName: "dex"