dex/examples/k8s
2016-10-05 17:26:41 -07:00
..
.gitignore example -> examples 2016-08-10 21:32:21 -07:00
client.yaml example -> examples 2016-08-10 21:32:21 -07:00
config-k8s.yaml example -> examples 2016-08-10 21:32:21 -07:00
deployment.yaml rename 2016-08-10 22:31:42 -07:00
dex-ingress.yaml example -> examples 2016-08-10 21:32:21 -07:00
gencert.sh example -> examples 2016-08-10 21:32:21 -07:00
nginx-ingress.yaml example -> examples 2016-08-10 21:32:21 -07:00
README.md example -> examples 2016-08-10 21:32:21 -07:00
thirdpartyresources.yaml *: add password resource to kubernetes storage implementation 2016-10-05 17:26:41 -07:00

Running dex as the Kubernetes authenticator

Running dex as the Kubernetes authenticator requires.

  • dex is running on HTTPS.
  • Your browser can navigate to dex at the same address Kubernetes refers to it as.

To accomplish this locally, these scripts assume you're using the single host vagrant setup provided by the coreos-kubernetes repo with a couple of changes (a complete diff is provided at the bottom of this document). Namely that:

  • The API server isn't running on host port 443.
  • The virtual machine has a populated /etc/hosts

The following entry must be added to your host's /etc/hosts file as well as the VM.

172.17.4.99        dex.example.com

In the future this document will provide instructions for a more general Kubernetes installation.

Once you have Kubernetes configured, set up the ThirdPartyResources and a ConfigMap for dex to use. These run dex as a deployment with configuration and storage, allowing it to get started.

kubectl create -f thirdpartyresources.yaml
kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
kubectl create -f deployment.yaml

To get dex running at an HTTPS endpoint, create an ingress controller, some self-signed TLS assets and an ingress rule for dex. These TLS assest should normally be provided by an actual CA (public or internal).

kubectl create -f https://raw.githubusercontent.com/kubernetes/contrib/master/ingress/controllers/nginx/rc.yaml
./gencert.sh
kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
kubectl create -f dex-ingress.yaml

To test that the everything has been installed correctly. Configure a client with some credentials, and run the example-app (run make at the top level of this repo if you haven't already). The second command will error out if your example-app can't find dex.

kubectl create -f client.yaml
../../bin/example-app --issuer https://dex.example.com --issuer-root-ca ssl/ca.pem

Navigate to 127.0.0.1:5555 and try to login. You should be redirected to dex.example.com with lots of TLS errors. Proceed around them, authorize the example-app's OAuth2 client and you should be redirected back to the example-app with valid OpenID Connect credentials.

Finally, to configure Kubernetes to use dex as its authenticator, copy ssl/ca.pem to /etc/kubernetes/ssl/openid-ca.pem onto the VM and update the API server's manifest at /etc/kubernetes/manifests/kube-apiserver.yaml to add the following flags.

--oidc-issuer-url=https://dex.example.com
--oidc-client-id=example-app
--oidc-ca-file=/etc/kubernetes/ssl/openid-ca.pem
--oidc-username-claim=email
--oidc-groups-claim=groups

Kick the API server by killing its Docker container, and when it comes up again it should be using dex. Login again through the example-app and you should be able to use the provided token as a bearer token to hit the Kubernetes API.

Changes to coreos-kubernetes

The following is a diff to the coreos-kubernetes repo that accomplishes the required changes.

diff --git a/single-node/user-data b/single-node/user-data
index f419f09..ed42055 100644
--- a/single-node/user-data
+++ b/single-node/user-data
@@ -80,6 +80,15 @@ function init_flannel {
 }
 
 function init_templates {
+    local TEMPLATE=/etc/hosts
+    if [ ! -f $TEMPLATE ]; then
+        echo "TEMPLATE: $TEMPLATE"
+        mkdir -p $(dirname $TEMPLATE)
+        cat << EOF > $TEMPLATE
+172.17.4.99		dex.example.com
+EOF
+    fi
+
     local TEMPLATE=/etc/systemd/system/kubelet.service
     if [ ! -f $TEMPLATE ]; then
         echo "TEMPLATE: $TEMPLATE"
@@ -195,7 +204,7 @@ spec:
     - --etcd-servers=${ETCD_ENDPOINTS}
     - --allow-privileged=true
     - --service-cluster-ip-range=${SERVICE_IP_RANGE}
-    - --secure-port=443
+    - --secure-port=8443
     - --advertise-address=${ADVERTISE_IP}
     - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
     - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
@@ -211,8 +220,8 @@ spec:
       initialDelaySeconds: 15
       timeoutSeconds: 15
     ports:
-    - containerPort: 443
-      hostPort: 443
+    - containerPort: 8443
+      hostPort: 8443
       name: https
     - containerPort: 8080
       hostPort: 8080