diff --git a/manifests/components/04d_argocd-server-deployment.yaml b/manifests/components/04d_argocd-server-deployment.yaml
index ae774357697cd..ccd55648ed4f8 100644
--- a/manifests/components/04d_argocd-server-deployment.yaml
+++ b/manifests/components/04d_argocd-server-deployment.yaml
@@ -39,12 +39,6 @@ spec: port: 8080 initialDelaySeconds: 3 periodSeconds: 30 - - name: dex - image: quay.io/coreos/dex:v2.10.0 - command: [/shared/argocd-util, rundex] - volumeMounts: - - mountPath: /shared - name: static-files volumes: - emptyDir: {} name: static-files
diff --git a/manifests/components/06a_dex-server-sa.yaml b/manifests/components/06a_dex-server-sa.yaml
new file mode 100644
index 0000000000000..0413108841492
--- /dev/null
+++ b/manifests/components/06a_dex-server-sa.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dex-server
diff --git a/manifests/components/06b_dex-server-role.yaml b/manifests/components/06b_dex-server-role.yaml
new file mode 100644
index 0000000000000..576d258b36372
--- /dev/null
+++ b/manifests/components/06b_dex-server-role.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dex-server-role
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - argocd-cm
+ - argocd-secret
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/manifests/components/06c_dex-server-rolebinding.yaml b/manifests/components/06c_dex-server-rolebinding.yaml
new file mode 100644
index 0000000000000..02eeee5c8c895
--- /dev/null
+++ b/manifests/components/06c_dex-server-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: dex-server-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dex-server-role
+subjects:
+- kind: ServiceAccount
+ name: dex-server
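Review bot: In the new `dex-server-role`, the `list` and `watch` verbs are paired with `resourceNames`, but the RBAC authorizer only matches `resourceNames` against requests that name a single object, so a plain list or watch of the collection is not granted by this rule; if `argocd-util rundex` only does `get` on `argocd-cm` and `argocd-secret`, drop `list` and `watch` to keep the grant to those two objects, and if it really watches them the verbs would have to be granted on the resource type namespace-wide, which is a wider scope that deserves a comment. `argocd-secret` is the whole Argo CD secret, so a one-line comment stating which keys dex reads, e.g. `# dex needs the OIDC/connector settings from argocd-cm and the client secrets from argocd-secret`, would help keep this role narrow in future changes. The same Role is appended verbatim in the `manifests/install.yaml` hunk further down and should change together with this file.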
diff --git a/manifests/components/06d_dex-server-deployment.yaml b/manifests/components/06d_dex-server-deployment.yaml
new file mode 100644
index 0000000000000..c8abf63e133d7
--- /dev/null
+++ b/manifests/components/06d_dex-server-deployment.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex-server
+spec:
+ selector:
+ matchLabels:
+ app: dex-server
+ template:
+ metadata:
+ labels:
+ app: dex-server
+ spec:
+ serviceAccountName: dex-server
+ initContainers:
+ - name: copyutil
+ image: argoproj/argocd-server:v0.8.0
+ command: [cp, /argocd-util, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ containers:
+ - name: dex
+ image: quay.io/coreos/dex:v2.10.0
+ command: [/shared/argocd-util, rundex]
+ ports:
+ - containerPort: 5556
+ - containerPort: 5557
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ volumes:
+ - emptyDir: {}
+ name: static-files
diff --git a/manifests/components/06e_dex-server-service.yaml b/manifests/components/06e_dex-server-service.yaml
new file mode 100644
index 0000000000000..ddb0b2e606fb0
--- /dev/null
+++ b/manifests/components/06e_dex-server-service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex-server
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: 5556
+ targetPort: 5556
+ - name: grpc
+ protocol: TCP
+ port: 5557
+ targetPort: 5557
+ selector:
+ app: dex-server
diff --git a/manifests/install.yaml b/manifests/install.yaml
index eb743d5a6f521..fc5c8d9e061f5 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -1,4 +1,3 @@ -# This is an auto-generated file. DO NOT EDIT --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition
@@ -265,12 +264,6 @@ spec: port: 8080 initialDelaySeconds: 3 periodSeconds: 30 - - name: dex - image: quay.io/coreos/dex:v2.10.0 - command: [/shared/argocd-util, rundex] - volumeMounts: - - mountPath: /shared - name: static-files volumes: - emptyDir: {} name: static-files
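Review bot: The `dex` container in the new `dex-server` Deployment has no `readinessProbe`, so the `dex-server` Service, which `argocd-server` is now pointed at via `http://dex-server:5556` and `dex-server:5557`, will list the pod as an endpoint before dex is listening; while dex was a sidecar the argocd-server probe on 8080 gated the pod, and nothing replaces that here. A `readinessProbe` with `tcpSocket: {port: 5556}` would be enough to gate endpoints. The pod also runs with the default `securityContext` while now holding a ServiceAccount token that can read `argocd-secret`; `runAsNonRoot: true` would be worth adding if the dex image supports it, and the `argoproj/argocd-server:v0.8.0` tag on the `copyutil` init container needs a comment such as `# must match the argocd-server image tag` since the two must be bumped together. The identical Deployment is repeated in the `manifests/install.yaml` hunk below.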
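Review bot: The first `manifests/install.yaml` hunk deletes the `# This is an auto-generated file. DO NOT EDIT` banner, yet the rest of the diff shows `install.yaml` is still the concatenation of `manifests/components` (every new dex object appears in both places), so the marker looks lost rather than obsolete. Unless the generator was changed to stop emitting it, the line should be kept, otherwise the next contributor may hand-edit `install.yaml` and have the edit silently overwritten on regeneration. If the removal is intentional, the commit message should say why.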
@@ -322,3 +315,90 @@ spec: targetPort: 8081 selector: app: argocd-repo-server
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dex-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dex-server-role
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - argocd-cm
+ - argocd-secret
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: dex-server-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dex-server-role
+subjects:
+- kind: ServiceAccount
+ name: dex-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex-server
+spec:
+ selector:
+ matchLabels:
+ app: dex-server
+ template:
+ metadata:
+ labels:
+ app: dex-server
+ spec:
+ serviceAccountName: dex-server
+ initContainers:
+ - name: copyutil
+ image: argoproj/argocd-server:v0.8.0
+ command: [cp, /argocd-util, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ containers:
+ - name: dex
+ image: quay.io/coreos/dex:v2.10.0
+ command: [/shared/argocd-util, rundex]
+ ports:
+ - containerPort: 5556
+ - containerPort: 5557
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ volumes:
+ - emptyDir: {}
+ name: static-files
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex-server
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: 5556
+ targetPort: 5556
+ - name: grpc
+ protocol: TCP
+ port: 5557
+ targetPort: 5557
+ selector:
+ app: dex-server
diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go
index 3a7160878aac7..6b6dfbdf67856 100644
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -7,20 +7,23 @@ import ( ) func TestGenerateYamlManifestInDir(t *testing.T) { + // update this value if we add/remove manifests + const countOfManifests = 21 + q := ManifestRequest{} res1, err := generateManifests("../../manifests/components", &q) assert.Nil(t, err) - assert.True(t, len(res1.Manifests) == 16) // update this value if we add/remove manifests + assert.Equal(t, len(res1.Manifests), countOfManifests) // this will test concatenated manifests to verify we split YAMLs correctly res2, err := generateManifests("../../manifests", &q) assert.Nil(t, err) - assert.True(t, len(res2.Manifests) == len(res1.Manifests)) + assert.Equal(t, len(res2.Manifests), len(res1.Manifests)) } func TestGenerateJsonnetManifestInDir(t *testing.T) { q := ManifestRequest{} res1, err := generateManifests("./testdata/jsonnet", &q) assert.Nil(t, err) - assert.True(t, len(res1.Manifests) == 2) + assert.Equal(t, len(res1.Manifests), 2) }
diff --git a/util/dex/dex.go b/util/dex/dex.go
index 0253d2020b894..76cd0b3c4408a 100644
--- a/util/dex/dex.go
+++ b/util/dex/dex.go
@@ -2,11 +2,12 @@ package dex import ( "context" + "crypto/rand" "encoding/json" "fmt" "html" "io/ioutil" - "math/rand" + "math/big" "net" "net/http" "net/http/httputil"
@@ -14,6 +15,7 @@ import ( "os" "regexp" "strconv" + "strings" "time" "github.com/coreos/dex/api"
@@ -32,10 +34,10 @@ import ( const ( // DexReverseProxyAddr is the address of the Dex OIDC server, which we run a reverse proxy against - DexReverseProxyAddr = "http://localhost:5556" + DexReverseProxyAddr = "http://dex-server:5556" // DexgRPCAPIAddr is the address to the Dex gRPC API server for managing dex. This is assumed to run // locally (as a sidecar) - DexgRPCAPIAddr = "localhost:5557" + DexgRPCAPIAddr = "dex-server:5557" ) var messageRe = regexp.MustCompile(`
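Review bot: testify's `assert.Equal` takes `(expected, actual)`, and the new calls in `TestGenerateYamlManifestInDir` and `TestGenerateJsonnetManifestInDir` pass the measured length first, so a failure will label the real count as "expected" and the constant as "actual"; swap them: `assert.Equal(t, countOfManifests, len(res1.Manifests))` and `assert.Equal(t, 2, len(res1.Manifests))` (the res1/res2 comparison is symmetric and can stay). Hoisting the count into `countOfManifests` is an improvement; the comment above it could also say how the number is derived, e.g. `// number of YAML documents under manifests/components (count the --- separators)`, so the next bump is not guesswork.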
(.*)([\s\S]*?)<\/p>`)
@@ -187,23 +189,34 @@ func (a *ClientApp) oauth2Config(scopes []string) (*oauth2.Config, error) { }, nil } -var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") +// RandString generates, from a given charset, a cryptographically-secure pseudo-random string of a given length. +// If the random number reader is unable to gather enough entropy to generate a secure random number, an error will be returned. +func randString(n int, charset string) (string, error) { + var b strings.Builder + rr := []rune(charset) + m := big.NewInt(int64(len(rr))) -func randString(n int) string { - b := make([]rune, n) - for i := range b { - b[i] = letters[rand.Intn(len(letters))] + for i := 0; i < n; i++ { + pos, err := rand.Int(rand.Reader, m) + if err != nil { + return b.String(), err + } + _, _ = b.WriteRune(rr[pos.Int64()]) } - return string(b) + return b.String(), nil } // generateAppState creates an app state nonce func (a *ClientApp) generateAppState(returnURL string) string { - randStr := randString(10) + const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + randStr, err := randString(10, letters) + if err != nil { + log.Fatalf("Could not generate entropy: %v", err) + } if returnURL == "" { returnURL = "/" } - err := a.states.Set(&cache.Item{ + err = a.states.Set(&cache.Item{ Key: randStr, Object: &appState{ ReturnURL: returnURL,
diff --git a/util/dex/dex_test.go b/util/dex/dex_test.go
new file mode 100644
index 0000000000000..df1ec952a323e
--- /dev/null
+++ b/util/dex/dex_test.go
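Review bot: The doc comment on `DexgRPCAPIAddr` still says dex "is assumed to run locally (as a sidecar)" while the same hunk changes the value to `dex-server:5557`, a cluster Service; update it to something like `// DexgRPCAPIAddr is the address of the Dex gRPC API server for managing dex, reached through the dex-server Service`. The move also shifts a trust boundary: the gRPC management API and the OIDC reverse-proxy target were loopback-only inside the argocd-server pod and are now reachable by anything that can connect to the `dex-server` Service in the namespace, and nothing in this diff configures TLS or client authentication on the gRPC listener (dex's gRPC config supports a server cert and client CA) or a NetworkPolicy limiting 5557 to argocd-server. A comment on the constant recording that the endpoint is currently unauthenticated plaintext, plus a follow-up to lock it down, would keep this from being forgotten. This hunk starts on the previous source line.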
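Review bot: The doc comment added above `randString` names the function `RandString`, so it does not match the identifier and will not be picked up correctly by godoc/lint; it should start `// randString generates, from a given charset, ...`. An empty `charset` makes `m` zero and `rand.Int` panics on a non-positive max, so guard it with `if len(rr) == 0 { return "", fmt.Errorf("randString: empty charset") }` (`fmt` is already imported), and on a read error return `""` rather than the partial builder contents, since the caller must not use a short nonce. In `generateAppState`, `log.Fatalf` now terminates the whole server on a transient `crypto/rand` failure during a login request; returning the error or logging and failing that one request would be less drastic. `generateAppState` continues past the end of the hunk.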
@@ -0,0 +1,26 @@
+package dex
+
+import (
+ "testing"
+)
+
+func TestRandString(t *testing.T) {
+ var ss string
+ var err error
+
+ ss, err = randString(10, "A")
+ if err != nil {
+ t.Fatalf("Could not generate entropy: %v", err)
+ }
+ if ss != "AAAAAAAAAA" {
+ t.Errorf("Expected 10 As, but got %q", ss)
+ }
+
+ ss, err = randString(5, "ABC123")
+ if err != nil {
+ t.Fatalf("Could not generate entropy: %v", err)
+ }
+ if len(ss) != 5 {
+ t.Errorf("Expected random string of length 10, but got %q", ss)
+ }
+}
diff --git a/util/test/test.go b/util/test/test.go
deleted file mode 100644
index 8fd46053079d8..0000000000000
--- a/util/test/test.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package test
-
-import (
- "math/rand"
- "time"
-)
-
-const charset = "abcdefghijklmnopqrstuvwxyz"
-
-// RandString returns a random string of a specified length
-func RandString(length int) string {
- seededRand := rand.New(rand.NewSource(time.Now().UnixNano()))
- b := make([]byte, length)
- for i := range b {
- b[i] = charset[seededRand.Intn(len(charset))]
- }
- return string(b)
-}
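Review bot: The second failure message in `TestRandString` says "Expected random string of length 10" but that call requests 5 characters; change it to `t.Errorf("Expected random string of length 5, but got %q", ss)`. The test also never checks that the output is drawn from the charset, which is the property the `charset` parameter exists for; a loop asserting each rune of `ss` is present in `"ABC123"` (e.g. with `strings.ContainsRune`) would catch an indexing mistake in `randString` that the length check cannot, and the single-character first case cannot detect it either.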