contrib/k8s: Use secrets to store secrets.

Also, move most flags to environment variables.
2015-09-09 14:29:41 -07:00 · 2015-09-09 14:29:41 -07:00 · edd88db932
commit edd88db932
parent d9b668002c
3 changed files with 45 additions and 3 deletions
--- a/contrib/k8s/dex-overlord-rc.yaml
+++ b/contrib/k8s/dex-overlord-rc.yaml
@ -19,7 +19,15 @@ spec:
      containers:
          - image: quay.io/coreos/dex
            name: dex-overlord
-            command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"]
+            env:
              - name: DEX_OVERLORD_DB_URL
                value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
              - name: DEX_OVERLORD_ADMIN_LISTEN
                value: http://0.0.0.0:5557
            command:
              - "sh"
              - "-c"
              - "/opt/dex/bin/dex-overlord  --key-secrets=$(cat /etc/dex/key-secrets)"
            ports:
            - containerPort: 5557
              name: overlord-port
@ -29,3 +37,11 @@ spec:
                port: 5557
              initialDelaySeconds: 15
              timeoutSeconds: 1
            volumeMounts:
              - name: dex
                mountPath: "/etc/dex"
                readOnly: true
      volumes:
        - name: dex
          secret:
            secretName: "dex"
--- a/contrib/k8s/dex-secrets.yaml
+++ b/contrib/k8s/dex-secrets.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: dex
 type: Opaque
 data:
  key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.
--- a/contrib/k8s/dex-worker-rc.yaml
+++ b/contrib/k8s/dex-worker-rc.yaml
@ -19,7 +19,19 @@ spec:
      containers:
          - image: quay.io/coreos/dex
            name: dex-worker
-            command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"]
+            env:
              - name: DEX_WORKER_ISSUER
                value: http://dex-worker.default:5556
              - name: DEX_WORKER_DB_URL
                value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
              - name: DEX_WORKER_EMAIL_CFG
                value: /opt/dex/email/emailer.json
              - name: DEX_WORKER_LISTEN
                value: http://0.0.0.0:5556
            command:
              - "sh"
              - "-c"
              - "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)"
            ports:
            - containerPort: 5556
              name: worker-port
@ -29,4 +41,11 @@ spec:
                port: 5556
              initialDelaySeconds: 15
              timeoutSeconds: 1
-
+            volumeMounts:
              - name: dex
                mountPath: "/etc/dex"
                readOnly: true
      volumes:
        - name: dex
          secret:
            secretName: "dex"