*: add example for running on kubernetes
This commit is contained in:
parent
73e2349270
commit
d313e5d493
11 changed files with 239 additions and 11 deletions
@ -94,7 +94,7 @@ func cmd() *cobra.Command {
|
|||
}
|
||||
|
||||
// This sets the OAuth2 client and oidc client.
|
||||
a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, &client)
|
||||
a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, client)
|
||||
}
|
||||
|
||||
// TODO(ericchiang): Retry with backoff
|
||||
|
@ -47,23 +47,25 @@ func (s *Storage) UnmarshalYAML(unmarshal func(interface{}) error) error {
|
|||
return err
|
||||
}
|
||||
s.Type = storageMeta.Type
|
||||
var c struct {
|
||||
Config StorageConfig `yaml:"config"`
|
||||
}
|
||||
// TODO(ericchiang): replace this with a registration process.
|
||||
var err error
|
||||
switch storageMeta.Type {
|
||||
case "kubernetes":
|
||||
c.Config = &kubernetes.Config{}
|
||||
var config struct {
|
||||
Config kubernetes.Config `yaml:"config"`
|
||||
}
|
||||
err = unmarshal(&config)
|
||||
s.Config = &config.Config
|
||||
case "memory":
|
||||
c.Config = &memory.Config{}
|
||||
var config struct {
|
||||
Config memory.Config `yaml:"config"`
|
||||
}
|
||||
err = unmarshal(&config)
|
||||
s.Config = &config.Config
|
||||
default:
|
||||
return fmt.Errorf("unknown storage type %q", storageMeta.Type)
|
||||
}
|
||||
if err := unmarshal(c); err != nil {
|
||||
return err
|
||||
}
|
||||
s.Config = c.Config
|
||||
return nil
|
||||
return err
|
||||
}
|
||||
|
||||
// StorageConfig is a configuration that can create a storage.
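Review bot: In both new `case` branches the assignment `s.Config = &config.Config` runs even when `err = unmarshal(&config)` has failed, and `s.Type = storageMeta.Type` is set before the type is validated, so on a bad document the receiver is left half-populated with a config decoded from untrusted YAML while the error is returned separately. Check the error before publishing the result and drop the shared `var err error`: `if err := unmarshal(&config); err != nil { return err }` followed by `s.Config = &config.Config`, in each branch, with `return nil` at the end. The function's opening, including the first `unmarshal` into `storageMeta`, lies above the hunk.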
|
||||
|
|
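--- /dev/null
+++ b/example/k8s/.gitignore
@@ -0,0 +1 @@
+ssl/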
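--- /dev/null
+++ b/example/k8s/README.md
@@ -0,0 +1,19 @@
+# Running dex as the Kubernetes
+
+```
+kubectl create -f thirdpartyresources.yaml
+kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
+kubectl create -f deployment.yaml
+```
+
+```
+kubectl create -f https://raw.githubusercontent.com/kubernetes/contrib/master/ingress/controllers/nginx/rc.yaml
+./gencert.sh
+kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
+kubectl create -f dex-ingress.yaml
+```
+
+```
+kubectl create -f client.yaml
+../../bin/example-app --issuer https://dex.example.com --issuer-root-ca ssl/ca.pem
+```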
@ -3,6 +3,7 @@ apiVersion: oauth2clients.oidc.coreos.com/v1
|
|||
metadata:
|
||||
name: example-app
|
||||
namespace: default
|
||||
|
||||
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
|
||||
redirectURIs:
|
||||
- http://127.0.0.1:5555/callback
|
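--- /dev/null
+++ b/example/k8s/config-k8s.yaml
@@ -0,0 +1,13 @@
+issuer: https://dex.example.com
+storage:
+type: kubernetes
+config:
+inCluster: true
+
+web:
+http: 0.0.0.0:5556
+
+connectors:
+- type: mock
+id: mock
+name: Mock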
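Review bot: `web: http: 0.0.0.0:5556` makes the pod listen on plain HTTP on all interfaces while `issuer` is `https://dex.example.com`; that only holds together because TLS is terminated at the ingress in dex-ingress.yaml, and nothing in this file says so, nor that the `mock` connector is for demonstration. Two header comments would keep the file from being copied as-is into a real deployment: `# Example only: TLS is terminated by the ingress (dex-ingress.yaml); the pod serves plain HTTP in-cluster.` and `# The mock connector is for demonstration only; replace it with a real connector.`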
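--- /dev/null
+++ b/example/k8s/deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+labels:
+app: dex
+name: dex
+spec:
+replicas: 1
+template:
+metadata:
+labels:
+app: dex
+spec:
+containers:
+- image: quay.io/ericchiang/poke
+name: dex
+command:
+- "/poke"
+- "serve"
+- "/dex/config.yaml"
+env:
+# A value required for dex's Kubernetes client.
+- name: KUBERNETES_POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+
+ports:
+- containerPort: 5556
+name: worker-port
+
+volumeMounts:
+- name: config-volume
+mountPath: /dex
+volumes:
+- name: config-volume
+configMap:
+name: dex-config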
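Review bot: `image: quay.io/ericchiang/poke` carries no tag, so each rollout pulls whatever the registry's default tag resolves to at that moment and the example is neither reproducible nor auditable; pin it, e.g. `- image: quay.io/ericchiang/poke:<TAG>` (placeholder for a released tag or digest). Mounting the whole config from a ConfigMap at `/dex` is fine here because config-k8s.yaml contains no credentials, but the file should say where secrets go once a real connector is configured: `# config.yaml comes from a ConfigMap; put connector credentials and client secrets in a Secret, not here.`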
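--- /dev/null
+++ b/example/k8s/dex-ingress.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: dex
+spec:
+ports:
+- name: dex
+port: 5556
+selector:
+app: dex
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+name: dex
+spec:
+tls:
+- secretName: dex.example.com.tls
+hosts:
+- dex.example.com
+rules:
+- host: dex.example.com
+http:
+paths:
+- backend:
+serviceName: dex
+servicePort: 5556
+path: /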
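--- /dev/null
+++ b/example/k8s/gencert.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+mkdir -p ssl
+
+cat << EOF > ssl/req.cnf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = dex.example.com
+EOF
+
+openssl genrsa -out ssl/ca-key.pem 2048
+openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"
+
+openssl genrsa -out ssl/key.pem 2048
+openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
+openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf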
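Review bot: The script writes `ssl/ca-key.pem` and `ssl/key.pem` with whatever umask the caller has, and it has no error handling, so a failing `openssl` step leaves a partial `ssl/` directory that the README's `kubectl create secret tls` step then consumes. Add `set -euo pipefail` and `umask 077` directly after the shebang so the private keys are created owner-readable only and the first failure stops the script. The leaf CSR on the second `openssl req` line reuses the CA's subject `/CN=kube-ca`; giving the server certificate its own subject, `-subj "/CN=dex.example.com"`, keeps issuer and subject distinguishable in logs and tooling without affecting validation, which the `subjectAltName` already drives.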
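--- /dev/null
+++ b/example/k8s/nginx-ingress.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: default-http-backend
+labels:
+k8s-app: default-http-backend
+spec:
+ports:
+- port: 80
+targetPort: 8080
+protocol: TCP
+name: http
+selector:
+k8s-app: default-http-backend
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+name: default-http-backend
+spec:
+replicas: 1
+selector:
+k8s-app: default-http-backend
+template:
+metadata:
+labels:
+k8s-app: default-http-backend
+spec:
+terminationGracePeriodSeconds: 60
+containers:
+- name: default-http-backend
+# Any image is permissable as long as:
+# 1. It serves a 404 page at /
+# 2. It serves 200 on a /healthz endpoint
+image: gcr.io/google_containers/defaultbackend:1.0
+livenessProbe:
+httpGet:
+path: /healthz
+port: 8080
+scheme: HTTP
+initialDelaySeconds: 30
+timeoutSeconds: 5
+ports:
+- containerPort: 8080
+resources:
+limits:
+cpu: 10m
+memory: 20Mi
+requests:
+cpu: 10m
+memory: 20Mi
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+name: nginx-ingress-controller
+labels:
+k8s-app: nginx-ingress-lb
+spec:
+replicas: 1
+selector:
+web-frontend
+template:
+metadata:
+labels:
+k8s-app: nginx-ingress-lb
+name: nginx-ingress-lb
+spec:
+terminationGracePeriodSeconds: 60
+containers:
+- image: gcr.io/google_containers/nginx-ingress-controller:0.8.2
+name: nginx-ingress-lb
+imagePullPolicy: Always
+livenessProbe:
+httpGet:
+path: /healthz
+port: 10249
+scheme: HTTP
+initialDelaySeconds: 30
+timeoutSeconds: 5
+# use downward API
+env:
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+ports:
+- containerPort: 443
+hostPort: 443
+# we expose 18080 to access nginx stats in url /nginx-status
+# this is optional
+- containerPort: 18080
+hostPort: 18080
+args:
+- /nginx-ingress-controller
+- --default-backend-service=default/default-http-backend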
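Review bot: In the `DaemonSet` spec, `selector:` is followed by the bare line `web-frontend`, which is not a label selector, and `replicas: 1` is not a DaemonSet field; the rendering has dropped indentation so I cannot tell whether the selector was mangled when this copy was edited from the upstream ReplicationController, but as shown the object would be rejected. The likely intent is `selector:` / `matchLabels:` / `k8s-app: nginx-ingress-lb` (nested), with `replicas` removed. Note also that the README applies the upstream `rc.yaml` by URL rather than this file, so the shipped manifest is currently unreferenced and untested by the documented steps. Separately, `hostPort: 18080` binds the nginx status page on every node's host network; since the comment already calls it optional, drop it from the example or add a comment that it must be firewalled from untrusted networks.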