*: add example for running on kubernetes

This commit is contained in:
Eric Chiang 2016-08-10 17:50:55 -07:00
parent 73e2349270
commit d313e5d493
11 changed files with 239 additions and 11 deletions

View file

@ -94,7 +94,7 @@ func cmd() *cobra.Command {
} }
// This sets the OAuth2 client and oidc client. // This sets the OAuth2 client and oidc client.
a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, &client) a.ctx = context.WithValue(a.ctx, oauth2.HTTPClient, client)
} }
// TODO(ericchiang): Retry with backoff // TODO(ericchiang): Retry with backoff

View file

@ -47,23 +47,25 @@ func (s *Storage) UnmarshalYAML(unmarshal func(interface{}) error) error {
return err return err
} }
s.Type = storageMeta.Type s.Type = storageMeta.Type
var c struct {
Config StorageConfig `yaml:"config"`
}
// TODO(ericchiang): replace this with a registration process. // TODO(ericchiang): replace this with a registration process.
var err error
switch storageMeta.Type { switch storageMeta.Type {
case "kubernetes": case "kubernetes":
c.Config = &kubernetes.Config{} var config struct {
Config kubernetes.Config `yaml:"config"`
}
err = unmarshal(&config)
s.Config = &config.Config
case "memory": case "memory":
c.Config = &memory.Config{} var config struct {
Config memory.Config `yaml:"config"`
}
err = unmarshal(&config)
s.Config = &config.Config
default: default:
return fmt.Errorf("unknown storage type %q", storageMeta.Type) return fmt.Errorf("unknown storage type %q", storageMeta.Type)
} }
if err := unmarshal(c); err != nil { return err
return err
}
s.Config = c.Config
return nil
} }
// StorageConfig is a configuration that can create a storage. // StorageConfig is a configuration that can create a storage.

1
example/k8s/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
ssl/

19
example/k8s/README.md Normal file
View file

@ -0,0 +1,19 @@
# Running dex as the Kubernetes
```
kubectl create -f thirdpartyresources.yaml
kubectl create configmap dex-config --from-file=config.yaml=config-k8s.yaml
kubectl create -f deployment.yaml
```
```
kubectl create -f https://raw.githubusercontent.com/kubernetes/contrib/master/ingress/controllers/nginx/rc.yaml
./gencert.sh
kubectl create secret tls dex.example.com.tls --cert=ssl/cert.pem --key=ssl/key.pem
kubectl create -f dex-ingress.yaml
```
```
kubectl create -f client.yaml
../../bin/example-app --issuer https://dex.example.com --issuer-root-ca ssl/ca.pem
```

View file

@ -3,6 +3,7 @@ apiVersion: oauth2clients.oidc.coreos.com/v1
metadata: metadata:
name: example-app name: example-app
namespace: default namespace: default
secret: ZXhhbXBsZS1hcHAtc2VjcmV0 secret: ZXhhbXBsZS1hcHAtc2VjcmV0
redirectURIs: redirectURIs:
- http://127.0.0.1:5555/callback - http://127.0.0.1:5555/callback

View file

@ -0,0 +1,13 @@
issuer: https://dex.example.com
storage:
type: kubernetes
config:
inCluster: true
web:
http: 0.0.0.0:5556
connectors:
- type: mock
id: mock
name: Mock

View file

@ -0,0 +1,38 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
app: dex
name: dex
spec:
replicas: 1
template:
metadata:
labels:
app: dex
spec:
containers:
- image: quay.io/ericchiang/poke
name: dex
command:
- "/poke"
- "serve"
- "/dex/config.yaml"
env:
# A value required for dex's Kubernetes client.
- name: KUBERNETES_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 5556
name: worker-port
volumeMounts:
- name: config-volume
mountPath: /dex
volumes:
- name: config-volume
configMap:
name: dex-config

View file

@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
name: dex
spec:
ports:
- name: dex
port: 5556
selector:
app: dex
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dex
spec:
tls:
- secretName: dex.example.com.tls
hosts:
- dex.example.com
rules:
- host: dex.example.com
http:
paths:
- backend:
serviceName: dex
servicePort: 5556
path: /

26
example/k8s/gencert.sh Executable file
View file

@ -0,0 +1,26 @@
#!/bin/bash
mkdir -p ssl
cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = dex.example.com
EOF
openssl genrsa -out ssl/ca-key.pem 2048
openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"
openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf

View file

@ -0,0 +1,100 @@
apiVersion: v1
kind: Service
metadata:
name: default-http-backend
labels:
k8s-app: default-http-backend
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
name: http
selector:
k8s-app: default-http-backend
---
apiVersion: v1
kind: ReplicationController
metadata:
name: default-http-backend
spec:
replicas: 1
selector:
k8s-app: default-http-backend
template:
metadata:
labels:
k8s-app: default-http-backend
spec:
terminationGracePeriodSeconds: 60
containers:
- name: default-http-backend
# Any image is permissable as long as:
# 1. It serves a 404 page at /
# 2. It serves 200 on a /healthz endpoint
image: gcr.io/google_containers/defaultbackend:1.0
livenessProbe:
httpGet:
path: /healthz
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
ports:
- containerPort: 8080
resources:
limits:
cpu: 10m
memory: 20Mi
requests:
cpu: 10m
memory: 20Mi
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: nginx-ingress-controller
labels:
k8s-app: nginx-ingress-lb
spec:
replicas: 1
selector:
web-frontend
template:
metadata:
labels:
k8s-app: nginx-ingress-lb
name: nginx-ingress-lb
spec:
terminationGracePeriodSeconds: 60
containers:
- image: gcr.io/google_containers/nginx-ingress-controller:0.8.2
name: nginx-ingress-lb
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /healthz
port: 10249
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 5
# use downward API
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
ports:
- containerPort: 443
hostPort: 443
# we expose 18080 to access nginx stats in url /nginx-status
# this is optional
- containerPort: 18080
hostPort: 18080
args:
- /nginx-ingress-controller
- --default-backend-service=default/default-http-backend