From edd88db932ba8444ec08cdb2508463e71635e419 Mon Sep 17 00:00:00 2001
From: Bobby Rullo
Date: Wed, 9 Sep 2015 14:29:41 -0700
Subject: [PATCH] contrib/k8s: Use secrets to store secrets.

Also, move most flags to environment variables.
---
 contrib/k8s/dex-overlord-rc.yaml | 18 +++++++++++++++++-
 contrib/k8s/dex-secrets.yaml     |  7 +++++++
 contrib/k8s/dex-worker-rc.yaml   | 23 +++++++++++++++++++++--
 3 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 contrib/k8s/dex-secrets.yaml

diff --git a/contrib/k8s/dex-overlord-rc.yaml b/contrib/k8s/dex-overlord-rc.yaml
index 8966375e..d595fe69 100644
--- a/contrib/k8s/dex-overlord-rc.yaml
+++ b/contrib/k8s/dex-overlord-rc.yaml
@@ -19,7 +19,15 @@ spec:
       containers:
       - image: quay.io/coreos/dex
         name: dex-overlord
-        command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"]
+        env:
+        - name: DEX_OVERLORD_DB_URL
+          value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
+        - name: DEX_OVERLORD_ADMIN_LISTEN
+          value: http://0.0.0.0:5557
+        command:
+        - "sh"
+        - "-c"
+        - "/opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)"
         ports:
         - containerPort: 5557
           name: overlord-port
@@ -29,3 +37,11 @@ spec:
             port: 5557
           initialDelaySeconds: 15
           timeoutSeconds: 1
+        volumeMounts:
+        - name: dex
+          mountPath: "/etc/dex"
+          readOnly: true
+      volumes:
+      - name: dex
+        secret:
+          secretName: "dex"
diff --git a/contrib/k8s/dex-secrets.yaml b/contrib/k8s/dex-secrets.yaml
new file mode 100644
index 00000000..ac67d5d4
--- /dev/null
+++ b/contrib/k8s/dex-secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dex
+type: Opaque
+data:
+  key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.
diff --git a/contrib/k8s/dex-worker-rc.yaml b/contrib/k8s/dex-worker-rc.yaml
index 6d26f841..163e3ce7 100644
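Review bot: The added `command` still hands the key secret to dex-overlord on its command line: `sh -c` expands `$(cat /etc/dex/key-secrets)` into argv, so the value is readable via `ps` and `/proc/<pid>/cmdline` inside the container and by anything that records process lists, which undoes much of the benefit of moving it out of the pod spec; the dex-worker command hunk has the same shape. The other flags in this hunk are now supplied as `DEX_OVERLORD_*` environment variables, so if the flag parser also honours `DEX_OVERLORD_KEY_SECRETS` (inferred from the naming, not shown here) the secret can be exported instead of spliced into argv. Independently, without `exec` the shell stays PID 1 and does not forward SIGTERM, so the container only exits by SIGKILL at the end of the termination grace period. Both points are addressed by `- 'DEX_OVERLORD_KEY_SECRETS="$(cat /etc/dex/key-secrets)" exec /opt/dex/bin/dex-overlord'`, or at minimum by `- "exec /opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)"`. The container entry this belongs to starts above the hunk and its `livenessProbe` continues below it.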
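Review bot: The new `volumes` entry depends on a Secret named `dex` that is created by the separate dex-secrets.yaml in this commit, and neither controller file says so, so pods created before that Secret exists will fail to start until it is applied. A comment above `volumes:` such as `# key material comes from the Secret "dex" in dex-secrets.yaml; apply that first` would make the ordering explicit; the worker's volumes hunk needs the same. The `volumeMounts` lines belong to the container whose `livenessProbe` starts above the hunk, while `volumes` is pod-spec level; the indentation cannot be read from this collapsed patch, so confirm it sits one level shallower than `volumeMounts`.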
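Review bot: The committed `key-secrets` value is a fixed placeholder (the comment says it is 32 x's), so anyone who applies this file unchanged deploys a publicly known key; the data line should state that it must be replaced and how to size the replacement. Suggest changing the trailing comment to `# PLACEHOLDER (32 x's, base64-encoded twice): replace with 32 random bytes, base64-encoded, then base64-encoded again for the Secret`. Minor style point: the Secret is named `name: dex` unquoted while both controllers reference it as `secretName: "dex"`; harmless, but pick one quoting style across the three files.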
--- a/contrib/k8s/dex-worker-rc.yaml
+++ b/contrib/k8s/dex-worker-rc.yaml
@@ -19,7 +19,19 @@ spec:
       containers:
       - image: quay.io/coreos/dex
         name: dex-worker
-        command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"]
+        env:
+        - name: DEX_WORKER_ISSUER
+          value: http://dex-worker.default:5556
+        - name: DEX_WORKER_DB_URL
+          value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
+        - name: DEX_WORKER_EMAIL_CFG
+          value: /opt/dex/email/emailer.json
+        - name: DEX_WORKER_LISTEN
+          value: http://0.0.0.0:5556
+        command:
+        - "sh"
+        - "-c"
+        - "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)"
         ports:
         - containerPort: 5556
           name: worker-port
@@ -29,4 +41,11 @@ spec:
             port: 5556
           initialDelaySeconds: 15
           timeoutSeconds: 1
-
+        volumeMounts:
+        - name: dex
+          mountPath: "/etc/dex"
+          readOnly: true
+      volumes:
+      - name: dex
+        secret:
+          secretName: "dex"