Moncommit

.gitignore

@@ -0,0 +1 @@
+ssl

README.md

@@ -0,0 +1,7 @@
+WORK IN PROGRESS.
+
+See: https://github.com/coreos/dex/tree/47f48658c2dcf4893c2d07855e5a0da236b3847c/examples/k8s
+
+kg create -n dex secret generic gitlab-client \
+       --from-literal=client-id=$GITLAB_CLIENT_ID \
+       --from-literal=client-secret=$GITLAB_CLIENT_SECRET

dex-ns.yml

@@ -0,0 +1,46 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dex
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: dex
+rules:
+  - apiGroups: ["oidc.coreos.com"] # API group created by dex
+    resources: ["*"]
+    verbs: ["*"]
+    nonResourceURLs: []
+  - apiGroups: ["extensions"]
+    resources: ["thirdpartyresources"]
+    verbs: ["create"] # To manage its own resources identity must be able to create thirdpartyresources.
+    nonResourceURLs: []
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: dex
+  namespace: dex
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: dex
+subjects:
+  - kind: ServiceAccount
+    name: dex                 # Service account assigned to the dex pod.
+    namespace: dex # The namespace dex is running in.
+roleRef:
+  kind: ClusterRole
+  name: dex
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ThirdPartyResource
+apiVersion: extensions/v1beta1
+metadata:
+  name: o-auth2-client.oidc.coreos.com
+versions:
+  - name: v1
+description: "An OAuth2 client."

dex.yml

@@ -0,0 +1,128 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  labels:
+    app: dex
+  name: dex
+  namespace: dex
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: dex
+    spec:
+      serviceAccountName: dex
+      containers:
+      - image: quay.io/coreos/dex:v2.4.1
+        name: dex
+        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+
+        ports:
+        - name: http
+          containerPort: 5556
+
+        volumeMounts:
+        - name: config
+          mountPath: /etc/dex/cfg
+        - name: tls
+          mountPath: /etc/dex/tls
+
+        env:
+        - name: GITLAB_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: gitlab-client
+              key: client-id
+        - name: GITLAB_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: gitlab-client
+              key: client-secret
+      volumes:
+      - name: config
+        configMap:
+          name: dex
+          items:
+          - key: config.yaml
+            path: config.yaml
+      - name: tls
+        secret:
+          secretName: dex.cluster.gsi.dit.upm.es.tls
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: dex
+  namespace: dex
+data:
+  config.yaml: |
+    issuer: https://dex.cluster.gsi.dit.upm.es:32000
+    storage:
+      # type: sqlite3
+      # config:
+      #   file: /tmp/dex.db
+      type: kubernetes
+      config:
+        inCluster: true
+    web:
+      https: 0.0.0.0:5556
+      tlsCert: /etc/dex/tls/tls.crt
+      tlsKey: /etc/dex/tls/tls.key
+    connectors:
+    - type: gitlab
+      id: gitlab
+      name: GitLab
+      config:
+        baseURL: https://lab.cluster.gsi.dit.upm.es
+        clientID: $GITLAB_CLIENT_ID
+        clientSecret: $GITLAB_CLIENT_SECRET
+        redirectURI: https://dex.cluster.gsi.dit.upm.es:32000/callback
+    oauth2:
+      skipApprovalScreen: true
+
+    staticClients:
+    - id: example-app
+      redirectURIs:
+      - 'http://localhost:5555/callback'
+      name: 'Example App'
+      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+
+    enablePasswordDB: true
+    staticPasswords:
+    - email: "admin@example.com"
+      # bcrypt hash of the string "password"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+  namespace: dex
+spec:
+  type: NodePort
+  ports:
+  - name: dex
+    port: 5556
+    protocol: TCP
+    targetPort: 5556
+    nodePort: 32000
+  selector:
+    app: dex
+# ---
+# apiVersion: extensions/v1beta1
+# kind: Ingress
+# metadata:
+#   name: dex-ingress
+#   namespace: dex
+# spec:
+#   rules:
+#   - host: dex.cluster.gsi.dit.upm.es
+#     http:
+#       paths:
+#       - path: /
+#         backend:
+#           serviceName: dex
+#           servicePort: 5556

gencert.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+mkdir -p ssl
+
+cat << EOF > ssl/req.cnf
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = dex.cluster.gsi.dit.upm.es
+EOF
+
+openssl genrsa -out ssl/ca-key.pem 2048
+openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"
+
+openssl genrsa -out ssl/key.pem 2048
+openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
+openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf