contrib/k8s: Use secrets to store secrets.

Also, move most flags to environment variables.
Bobby Rullo 2015-09-09 14:29:41 -07:00
parent d9b668002c
commit edd88db932
3 changed files with 45 additions and 3 deletions


@ -19,7 +19,15 @@ spec:
containers:
- image: quay.io/coreos/dex
name: dex-overlord
command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"]
env:
- name: DEX_OVERLORD_DB_URL
value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
- name: DEX_OVERLORD_ADMIN_LISTEN
value: http://0.0.0.0:5557
command:
- "sh"
- "-c"
- "/opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)"
ports:
- containerPort: 5557
name: overlord-port
@ -29,3 +37,11 @@ spec:
port: 5557
initialDelaySeconds: 15
timeoutSeconds: 1
volumeMounts:
- name: dex
mountPath: "/etc/dex"
readOnly: true
volumes:
- name: dex
secret:
secretName: "dex"
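Review bot: The key secret is still passed to dex-overlord on its command line in the new `command:` entry (`--key-secrets=$(cat /etc/dex/key-secrets)`), so once the shell expands it the value sits in the process arguments, where `ps` or `/proc/<pid>/cmdline` shows it to anything that can see the container's processes. Mounting the Secret keeps the key out of the manifest but not out of argv. Since the other flags now come from `DEX_OVERLORD_*` variables, the binary presumably accepts the key the same way; if so, the shell line could be `export DEX_OVERLORD_KEY_SECRETS="$(cat /etc/dex/key-secrets)"; exec /opt/dex/bin/dex-overlord`. The `exec` also lets the binary replace `sh` as PID 1, so it receives termination signals directly. The dex-worker manifest uses the same pattern and would need the same change.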


@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: dex
type: Opaque
data:
key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.
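Review bot: The `key-secrets` value under `data:` is a publicly known sample key (the inline comment says it is 32 x's), and nothing in the file says it must be replaced, so a cluster brought up from this manifest as-is would run with a key anyone can read from the repository. The comment should say so and explain the double encoding, for example `# SAMPLE ONLY, replace before real use: base64 of the base64 key dex expects (here 32 x's).` Putting it on its own line above `key-secrets:` keeps it clear of the value line. For anything beyond a demo, creating the Secret out of band is preferable to committing it next to the pod specs.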


@ -19,7 +19,19 @@ spec:
containers:
- image: quay.io/coreos/dex
name: dex-worker
command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"]
env:
- name: DEX_WORKER_ISSUER
value: http://dex-worker.default:5556
- name: DEX_WORKER_DB_URL
value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
- name: DEX_WORKER_EMAIL_CFG
value: /opt/dex/email/emailer.json
- name: DEX_WORKER_LISTEN
value: http://0.0.0.0:5556
command:
- "sh"
- "-c"
- "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)"
ports:
- containerPort: 5556
name: worker-port
@ -29,4 +41,11 @@ spec:
port: 5556
initialDelaySeconds: 15
timeoutSeconds: 1
volumeMounts:
- name: dex
mountPath: "/etc/dex"
readOnly: true
volumes:
- name: dex
secret:
secretName: "dex"
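Review bot: `DEX_WORKER_DB_URL` remains a literal `value:` in the pod spec with `sslmode=disable` and a passwordless `postgres` user. The one setting that would carry a credential in a real deployment therefore stays outside the new `dex` Secret, and the database connection is unencrypted inside the cluster. For a contrib example that may be acceptable, but it deserves a comment above the entry such as `# Demo only: no password, TLS off. Keep the real URL in the dex Secret.` The same applies to `DEX_OVERLORD_DB_URL` in the overlord manifest.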