contrib/k8s: Use secrets to store secrets.
Also, move most flags to environment variables.
parent
d9b668002c
commit
edd88db932
3 changed files with 45 additions and 3 deletions
|
@ -19,7 +19,15 @@ spec:
|
|||
containers:
|
||||
- image: quay.io/coreos/dex
|
||||
name: dex-overlord
|
||||
command: ["/opt/dex/bin/dex-overlord", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable"]
|
||||
env:
|
||||
- name: DEX_OVERLORD_DB_URL
|
||||
value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
|
||||
- name: DEX_OVERLORD_ADMIN_LISTEN
|
||||
value: http://0.0.0.0:5557
|
||||
command:
|
||||
- "sh"
|
||||
- "-c"
|
||||
- "/opt/dex/bin/dex-overlord --key-secrets=$(cat /etc/dex/key-secrets)"
|
||||
ports:
|
||||
- containerPort: 5557
|
||||
name: overlord-port
|
||||
|
@ -29,3 +37,11 @@ spec:
|
|||
port: 5557
|
||||
initialDelaySeconds: 15
|
||||
timeoutSeconds: 1
|
||||
volumeMounts:
|
||||
- name: dex
|
||||
mountPath: "/etc/dex"
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: dex
|
||||
secret:
|
||||
secretName: "dex"
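Review bot: The new `sh -c` command expands `$(cat /etc/dex/key-secrets)` into the argument list, so the key still ends up in the argv of dex-overlord, where anything able to list processes in the container or on the node can read it. The dex-worker section later on this page uses the same pattern. If the binary accepts key-secrets from an environment variable like the other flags moved here (not confirmable from this page), sourcing it from the Secret that way, or having the binary read the mounted file itself, would keep it out of argv. Separately, depending on the shell in the image, `sh` may stay as PID 1; writing `exec /opt/dex/bin/dex-overlord --key-secrets=...` makes the server receive SIGTERM directly on pod shutdown.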
|
||||
|
|
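--- /dev/null
+++ b/contrib/k8s/dex-secrets.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: dex
+type: Opaque
+data:
+key-secrets: ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIZz0= # 32 x's base64 encoded twice.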
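Review bot: The `key-secrets` value is a publicly known key (its trailing comment says it is 32 x's), so anyone who applies this manifest unchanged runs dex with key material that sits in the repository history. The comment should mark it as a placeholder to be replaced with a freshly generated random key before any real deployment, and say that a real version of this file should not be committed. It would also help to explain the double encoding: Kubernetes decodes `data` values once when mounting the secret, and the removed command lines passed the single-encoded form directly to `-key-secrets`. Something like `# PLACEHOLDER ONLY: replace with base64(base64(32 random bytes)); Kubernetes strips the outer layer, dex reads the inner one.` above `data:` would cover it.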
|
|
@ -19,7 +19,19 @@ spec:
|
|||
containers:
|
||||
- image: quay.io/coreos/dex
|
||||
name: dex-worker
|
||||
command: ["/opt/dex/bin/dex-worker", "-issuer", "http://dex-worker.default:5556", "-key-secrets", "eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg=", "-db-url", "postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable", "-email-cfg", "/opt/dex/email/emailer.json", "-listen", "http://0.0.0.0:5556"]
|
||||
env:
|
||||
- name: DEX_WORKER_ISSUER
|
||||
value: http://dex-worker.default:5556
|
||||
- name: DEX_WORKER_DB_URL
|
||||
value: postgres://postgres@dex-postgres.default:5432/postgres?sslmode=disable
|
||||
- name: DEX_WORKER_EMAIL_CFG
|
||||
value: /opt/dex/email/emailer.json
|
||||
- name: DEX_WORKER_LISTEN
|
||||
value: http://0.0.0.0:5556
|
||||
command:
|
||||
- "sh"
|
||||
- "-c"
|
||||
- "/opt/dex/bin/dex-worker --key-secrets=$(cat /etc/dex/key-secrets)"
|
||||
ports:
|
||||
- containerPort: 5556
|
||||
name: worker-port
|
||||
|
@ -29,4 +41,11 @@ spec:
|
|||
port: 5556
|
||||
initialDelaySeconds: 15
|
||||
timeoutSeconds: 1
|
||||
|
||||
volumeMounts:
|
||||
- name: dex
|
||||
mountPath: "/etc/dex"
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: dex
|
||||
secret:
|
||||
secretName: "dex"
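Review bot: `DEX_WORKER_DB_URL` (and `DEX_OVERLORD_DB_URL` in the first section) stays a literal `value` in the pod spec, while only key-secrets moves into the Secret. A connection URL is where a database password would land once the `postgres` user has one, and it would then be readable by anyone who can read the pod spec. The URL also carries `sslmode=disable`, which leaves the dex-to-Postgres traffic unencrypted inside the cluster. A comment such as `# Example only: no password, sslmode=disable; source this from the dex Secret for real deployments` next to the env entry would make that clear to people copying the manifest.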
|
||||
|
|