From dc9bb0798bace1386809b8bf660adfadf01e3989 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 7 Sep 2018 14:55:22 -0700
Subject: [PATCH 01/22] Rm Dex from Argo CD server deployment
---
 manifests/components/04d_argocd-server-deployment.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/manifests/components/04d_argocd-server-deployment.yaml b/manifests/components/04d_argocd-server-deployment.yaml
index ae774357697cd..ccd55648ed4f8 100644
--- a/manifests/components/04d_argocd-server-deployment.yaml
+++ b/manifests/components/04d_argocd-server-deployment.yaml
@@ -39,12 +39,6 @@ spec:
 port: 8080
 initialDelaySeconds: 3
 periodSeconds: 30
- - name: dex
- image: quay.io/coreos/dex:v2.10.0
- command: [/shared/argocd-util, rundex]
- volumeMounts:
- - mountPath: /shared
- name: static-files
 volumes:
 - emptyDir: {}
 name: static-files
From 4df7efad00586fce7e8d31d2825b3de6225111cb Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 7 Sep 2018 14:55:33 -0700
Subject: [PATCH 02/22] Add Dex server deployment
---
 .../components/04f_dex-server-deployment.yaml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 manifests/components/04f_dex-server-deployment.yaml
diff --git a/manifests/components/04f_dex-server-deployment.yaml b/manifests/components/04f_dex-server-deployment.yaml
new file mode 100644
index 0000000000000..8cee2fadb8072
--- /dev/null
+++ b/manifests/components/04f_dex-server-deployment.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: argocd-server
+spec:
+ selector:
+ matchLabels:
+ app: argocd-server
+ template:
+ metadata:
+ labels:
+ app: argocd-server
+ spec:
+ serviceAccountName: argocd-server
+ initContainers:
+ - name: copyutil
+ image: argoproj/argocd-server:v0.8.0
+ command: [cp, /argocd-util, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ - name: ui
+ image: argoproj/argocd-ui:v0.8.0
+ command: [cp, -r, /app, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ containers:
+ - name: argocd-server
+ image: argoproj/argocd-server:v0.8.0
+ command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 3
+ periodSeconds: 30
+ - name: dex
+ image: quay.io/coreos/dex:v2.10.0
+ command: [/shared/argocd-util, rundex]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ volumes:
+ - emptyDir: {}
+ name: static-files
From 01b1315354154d517750124ba8da10a42dd1d0d9 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 7 Sep 2018 14:57:05 -0700
Subject: [PATCH 03/22] Separate out Dex-specific server steps
---
 .../components/04f_dex-server-deployment.yaml | 18 ------------------
 1 file changed, 18 deletions(-)
diff --git a/manifests/components/04f_dex-server-deployment.yaml b/manifests/components/04f_dex-server-deployment.yaml
index 8cee2fadb8072..5d66170df2b5f 100644
--- a/manifests/components/04f_dex-server-deployment.yaml
+++ b/manifests/components/04f_dex-server-deployment.yaml
@@ -20,25 +20,7 @@ spec:
 volumeMounts:
 - mountPath: /shared
 name: static-files
- - name: ui
- image: argoproj/argocd-ui:v0.8.0
- command: [cp, -r, /app, /shared]
- volumeMounts:
- - mountPath: /shared
- name: static-files
 containers:
- - name: argocd-server
- image: argoproj/argocd-server:v0.8.0
- command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
- volumeMounts:
- - mountPath: /shared
- name: static-files
- readinessProbe:
- httpGet:
- path: /healthz
- port: 8080
- initialDelaySeconds: 3
- periodSeconds: 30
 - name: dex
 image: quay.io/coreos/dex:v2.10.0
 command: [/shared/argocd-util, rundex]
From 41e0e953caa2d1cb2960ac5029131d20750dd63d Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 7 Sep 2018 14:58:19 -0700
Subject: [PATCH 04/22] Update Dex deployment name
---
 manifests/components/04f_dex-server-deployment.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/components/04f_dex-server-deployment.yaml b/manifests/components/04f_dex-server-deployment.yaml
index 5d66170df2b5f..102106a525161 100644
--- a/manifests/components/04f_dex-server-deployment.yaml
+++ b/manifests/components/04f_dex-server-deployment.yaml
@@ -2,15 +2,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: argocd-server
+ name: dex-server
 spec:
 selector:
 matchLabels:
- app: argocd-server
+ app: dex-server
 template:
 metadata:
 labels:
- app: argocd-server
+ app: dex-server
 spec:
 serviceAccountName: argocd-server
 initContainers:
From 63900f1a6f5fdcb1f80d1351b0d5efbb9050f0ac Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 7 Sep 2018 15:37:39 -0700
Subject: [PATCH 05/22] Update install.yaml
---
 manifests/install.yaml | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/manifests/install.yaml b/manifests/install.yaml
index eb743d5a6f521..fe3a2223df777 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -1,4 +1,3 @@
-# This is an auto-generated file. DO NOT EDIT
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -265,12 +264,6 @@ spec:
 port: 8080
 initialDelaySeconds: 3
 periodSeconds: 30
- - name: dex
- image: quay.io/coreos/dex:v2.10.0
- command: [/shared/argocd-util, rundex]
- volumeMounts:
- - mountPath: /shared
- name: static-files
 volumes:
 - emptyDir: {}
 name: static-files
@@ -294,6 +287,38 @@ spec:
 ---
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+ name: dex-server
+spec:
+ selector:
+ matchLabels:
+ app: dex-server
+ template:
+ metadata:
+ labels:
+ app: dex-server
+ spec:
+ serviceAccountName: argocd-server
+ initContainers:
+ - name: copyutil
+ image: argoproj/argocd-server:v0.8.0
+ command: [cp, /argocd-util, /shared]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ containers:
+ - name: dex
+ image: quay.io/coreos/dex:v2.10.0
+ command: [/shared/argocd-util, rundex]
+ volumeMounts:
+ - mountPath: /shared
+ name: static-files
+ volumes:
+ - emptyDir: {}
+ name: static-files
+---
+apiVersion: apps/v1
+kind: Deployment
 metadata:
 name: argocd-repo-server
 spec:
From 5e2116524d7487c18265786cf9ffe96f1ab162a2 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Tue, 11 Sep 2018 17:16:43 -0700
Subject: [PATCH 06/22] Update container port for Dex
---
 manifests/components/04f_dex-server-deployment.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/manifests/components/04f_dex-server-deployment.yaml b/manifests/components/04f_dex-server-deployment.yaml
index 102106a525161..5044f36155ee3 100644
--- a/manifests/components/04f_dex-server-deployment.yaml
+++ b/manifests/components/04f_dex-server-deployment.yaml
@@ -24,6 +24,8 @@ spec:
 - name: dex
 image: quay.io/coreos/dex:v2.10.0
 command: [/shared/argocd-util, rundex]
+ ports:
+ - containerPort: 8082
 volumeMounts:
 - mountPath: /shared
 name: static-files
From c5804de6107d930847ab1d45ec75bd6057cf09a5 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Tue, 11 Sep 2018 17:17:35 -0700
Subject: [PATCH 07/22] Add Dex service, rename manifest components
---
 ...ment.yaml => 06a_dex-server-deployment.yaml} | 0
 .../components/06b_dex-server-service.yaml | 17 +++++++++++++++++
 2 files changed, 17 insertions(+)
 rename manifests/components/{04f_dex-server-deployment.yaml => 06a_dex-server-deployment.yaml} (100%)
 create mode 100644 manifests/components/06b_dex-server-service.yaml
diff --git a/manifests/components/04f_dex-server-deployment.yaml b/manifests/components/06a_dex-server-deployment.yaml
similarity index 100%
rename from manifests/components/04f_dex-server-deployment.yaml
rename to manifests/components/06a_dex-server-deployment.yaml
diff --git a/manifests/components/06b_dex-server-service.yaml b/manifests/components/06b_dex-server-service.yaml
new file mode 100644
index 0000000000000..a36bf4923dcaa
--- /dev/null
+++ b/manifests/components/06b_dex-server-service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex-server
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 8082
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 8082
+ selector:
+ app: dex-server
From 326230a212b7c042dc0a9af669021652b96d05ac Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Wed, 12 Sep 2018 14:17:13 -0700
Subject: [PATCH 08/22] Update ports
---
 .../components/06a_dex-server-deployment.yaml | 5 ++++-
 .../components/06b_dex-server-service.yaml | 20 +++++++++++++------
 2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/manifests/components/06a_dex-server-deployment.yaml b/manifests/components/06a_dex-server-deployment.yaml
index 5044f36155ee3..a69063dc7cfc7 100644
--- a/manifests/components/06a_dex-server-deployment.yaml
+++ b/manifests/components/06a_dex-server-deployment.yaml
@@ -25,7 +25,10 @@ spec:
 image: quay.io/coreos/dex:v2.10.0
 command: [/shared/argocd-util, rundex]
 ports:
- - containerPort: 8082
+ - containerPort: 5554
+ # - containerPort: 5555
+ - containerPort: 5556
+ # - containerPort: 5557
 volumeMounts:
 - mountPath: /shared
 name: static-files
diff --git a/manifests/components/06b_dex-server-service.yaml b/manifests/components/06b_dex-server-service.yaml
index a36bf4923dcaa..afdf719f9b612 100644
--- a/manifests/components/06b_dex-server-service.yaml
+++ b/manifests/components/06b_dex-server-service.yaml
@@ -5,13 +5,21 @@ metadata:
 name: dex-server
 spec:
 ports:
- - name: http
- protocol: TCP
- port: 80
- targetPort: 8082
 - name: https
 protocol: TCP
- port: 443
- targetPort: 8082
+ port: 5554
+ targetPort: 5554
+ # - name: callback
+ # protocol: TCP
+ # port: 5555
+ # targetPort: 5555
+ - name: http
+ protocol: TCP
+ port: 5556
+ targetPort: 5556
+ # - name: redirect
+ # protocol: TCP
+ # port: 5557
+ # targetPort: 5557
 selector:
 app: dex-server
From 02f265559f2d08d092499b4bd397b9b612cb8a68 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Wed, 12 Sep 2018 14:21:34 -0700
Subject: [PATCH 09/22] Update dex endpoint
---
 util/dex/dex.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/dex/dex.go b/util/dex/dex.go
index 0253d2020b894..d1bd7e9b29619 100644
--- a/util/dex/dex.go
+++ b/util/dex/dex.go
@@ -32,7 +32,7 @@ import (
 const (
 // DexReverseProxyAddr is the address of the Dex OIDC server, which we run a reverse proxy against
- DexReverseProxyAddr = "http://localhost:5556"
+ DexReverseProxyAddr = "http://dex-server:5556"
 // DexgRPCAPIAddr is the address to the Dex gRPC API server for managing dex. This is assumed to run
 // locally (as a sidecar)
 DexgRPCAPIAddr = "localhost:5557"
From 26bcda5b85e15e447cd2a64bcf6b7b29873e5664 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 15:06:07 -0700
Subject: [PATCH 10/22] Rename manifest files for ordering
---
 ..._dex-server-deployment.yaml => 06d_dex-server-deployment.yaml} | 0
 .../{06b_dex-server-service.yaml => 06e_dex-server-service.yaml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename manifests/components/{06a_dex-server-deployment.yaml => 06d_dex-server-deployment.yaml} (100%)
 rename manifests/components/{06b_dex-server-service.yaml => 06e_dex-server-service.yaml} (100%)
diff --git a/manifests/components/06a_dex-server-deployment.yaml b/manifests/components/06d_dex-server-deployment.yaml
similarity index 100%
rename from manifests/components/06a_dex-server-deployment.yaml
rename to manifests/components/06d_dex-server-deployment.yaml
diff --git a/manifests/components/06b_dex-server-service.yaml b/manifests/components/06e_dex-server-service.yaml
similarity index 100%
rename from manifests/components/06b_dex-server-service.yaml
rename to manifests/components/06e_dex-server-service.yaml
From a71de54c001d197ebc95f657a4d3490b9bc70a4e Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 15:07:46 -0700
Subject: [PATCH 11/22] Add service account for Dex, with too many perms
---
 manifests/components/06a_dex-server-sa.yaml | 5 +++
 manifests/components/06b_dex-server-role.yaml | 39 +++++++++++++++++++
 .../06c_dex-server-rolebinding.yaml | 12 ++++++
 .../components/06d_dex-server-deployment.yaml | 2 +-
 4 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 manifests/components/06a_dex-server-sa.yaml
 create mode 100644 manifests/components/06b_dex-server-role.yaml
 create mode 100644 manifests/components/06c_dex-server-rolebinding.yaml
diff --git a/manifests/components/06a_dex-server-sa.yaml b/manifests/components/06a_dex-server-sa.yaml
new file mode 100644
index 0000000000000..0413108841492
--- /dev/null
+++ b/manifests/components/06a_dex-server-sa.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dex-server
diff --git a/manifests/components/06b_dex-server-role.yaml b/manifests/components/06b_dex-server-role.yaml
new file mode 100644
index 0000000000000..5e4d0a0d76780
--- /dev/null
+++ b/manifests/components/06b_dex-server-role.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dex-server-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - appprojects
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - list
diff --git a/manifests/components/06c_dex-server-rolebinding.yaml b/manifests/components/06c_dex-server-rolebinding.yaml
new file mode 100644
index 0000000000000..02eeee5c8c895
--- /dev/null
+++ b/manifests/components/06c_dex-server-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: dex-server-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dex-server-role
+subjects:
+- kind: ServiceAccount
+ name: dex-server
diff --git a/manifests/components/06d_dex-server-deployment.yaml b/manifests/components/06d_dex-server-deployment.yaml
index a69063dc7cfc7..0b1416f82b528 100644
--- a/manifests/components/06d_dex-server-deployment.yaml
+++ b/manifests/components/06d_dex-server-deployment.yaml
@@ -12,7 +12,7 @@ spec:
 labels:
 app: dex-server
 spec:
- serviceAccountName: argocd-server
+ serviceAccountName: dex-server
 initContainers:
 - name: copyutil
 image: argoproj/argocd-server:v0.8.0
From 75faa73836aa7ecaf968a23609e45b53e428cc4a Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 15:14:44 -0700
Subject: [PATCH 12/22] Try a limited set of perms for Dex
---
 manifests/components/06b_dex-server-role.yaml | 31 +++++--------------
 1 file changed, 7 insertions(+), 24 deletions(-)
diff --git a/manifests/components/06b_dex-server-role.yaml b/manifests/components/06b_dex-server-role.yaml
index 5e4d0a0d76780..b59a442389311 100644
--- a/manifests/components/06b_dex-server-role.yaml
+++ b/manifests/components/06b_dex-server-role.yaml
@@ -10,30 +10,13 @@ rules:
 - secrets
 - configmaps
 verbs:
- - create
 - get
 - list
 - watch
- - update
- - patch
- - delete
-- apiGroups:
- - argoproj.io
- resources:
- - applications
- - appprojects
- verbs:
- - create
- - get
- - list
- - watch
- - update
- - delete
- - patch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - list
+# - apiGroups:
+# - ""
+# resources:
+# - events
+# verbs:
+# - create
+# - list
From 3b5848f2cbf24d965113a84633bef9afad051944 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 15:43:16 -0700
Subject: [PATCH 13/22] Update ports for Dex
---
 .../components/06d_dex-server-deployment.yaml | 4 +---
 manifests/components/06e_dex-server-service.yaml | 16 ++++------------
 util/dex/dex.go | 2 +-
 3 files changed, 6 insertions(+), 16 deletions(-)
diff --git a/manifests/components/06d_dex-server-deployment.yaml b/manifests/components/06d_dex-server-deployment.yaml
index 0b1416f82b528..c8abf63e133d7 100644
--- a/manifests/components/06d_dex-server-deployment.yaml
+++ b/manifests/components/06d_dex-server-deployment.yaml
@@ -25,10 +25,8 @@ spec:
 image: quay.io/coreos/dex:v2.10.0
 command: [/shared/argocd-util, rundex]
 ports:
- - containerPort: 5554
- # - containerPort: 5555
 - containerPort: 5556
- # - containerPort: 5557
+ - containerPort: 5557
 volumeMounts:
 - mountPath: /shared
 name: static-files
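Review bot: The dex container in this hunk now declares containerPort 5556 and 5557 but still carries no readinessProbe, so the dex-server Service endpoints become Ready the moment the container starts, before `argocd-util rundex` has actually brought Dex up, and argocd-server's reverse proxy to http://dex-server:5556 will see connection errors in that window. A probe on Dex's HTTP listener would close the gap, e.g. `readinessProbe:` / `httpGet: {path: /healthz, port: 5556}` (the exact path depends on the issuer prefix rundex configures, which is not visible here). The pod also sets no resource requests, which is worth adding for a component that sits in the login path. The container spec continues above this hunk.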
diff --git a/manifests/components/06e_dex-server-service.yaml b/manifests/components/06e_dex-server-service.yaml
index afdf719f9b612..ddb0b2e606fb0 100644
--- a/manifests/components/06e_dex-server-service.yaml
+++ b/manifests/components/06e_dex-server-service.yaml
@@ -5,21 +5,13 @@ metadata:
 name: dex-server
 spec:
 ports:
- - name: https
- protocol: TCP
- port: 5554
- targetPort: 5554
- # - name: callback
- # protocol: TCP
- # port: 5555
- # targetPort: 5555
 - name: http
 protocol: TCP
 port: 5556
 targetPort: 5556
- # - name: redirect
- # protocol: TCP
- # port: 5557
- # targetPort: 5557
+ - name: grpc
+ protocol: TCP
+ port: 5557
+ targetPort: 5557
 selector:
 app: dex-server
diff --git a/util/dex/dex.go b/util/dex/dex.go
index d1bd7e9b29619..b1dbde139546a 100644
--- a/util/dex/dex.go
+++ b/util/dex/dex.go
@@ -35,7 +35,7 @@ const (
 DexReverseProxyAddr = "http://dex-server:5556"
 // DexgRPCAPIAddr is the address to the Dex gRPC API server for managing dex. This is assumed to run
 // locally (as a sidecar)
- DexgRPCAPIAddr = "localhost:5557"
+ DexgRPCAPIAddr = "dex-server:5557"
 )
 var messageRe = regexp.MustCompile(`
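Review bot: Publishing 5557 as a Service port makes the Dex gRPC management API reachable from any workload that can route to dex-server, whereas the previous localhost sidecar arrangement confined it to the argocd-server pod. If rundex does not configure TLS with client-certificate authentication on that listener (not visible in this series), any pod on the cluster network can administer Dex, and the plaintext OIDC traffic on 5556 that argocd-server now proxies across the network has the same exposure. A NetworkPolicy restricting ingress to dex-server to the argocd-server pods would restore the old boundary; in the meantime the trust assumption belongs in the manifest, e.g. `# grpc (5557) is the Dex management API; restrict ingress to argocd-server` above the port entry.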

(.*)([\s\S]*?)<\/p>`)
From 73a35f80179cc9a4bbd3fc44176cc869ba5def0c Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 16:00:50 -0700
Subject: [PATCH 14/22] Update install.yaml
---
 manifests/install.yaml | 109 +++++++++++++++++++++++++++++++----------
 1 file changed, 84 insertions(+), 25 deletions(-)
diff --git a/manifests/install.yaml b/manifests/install.yaml
index fe3a2223df777..b1f40752bc508 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -287,6 +287,76 @@ spec:
 ---
 apiVersion: apps/v1
 kind: Deployment
+metadata:
+ name: argocd-repo-server
+spec:
+ selector:
+ matchLabels:
+ app: argocd-repo-server
+ template:
+ metadata:
+ labels:
+ app: argocd-repo-server
+ spec:
+ containers:
+ - name: argocd-repo-server
+ image: argoproj/argocd-repo-server:v0.8.2
+ command: [/argocd-repo-server]
+ ports:
+ - containerPort: 8081
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: argocd-repo-server
+spec:
+ ports:
+ - port: 8081
+ targetPort: 8081
+ selector:
+ app: argocd-repo-server
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dex-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: dex-server-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+# - apiGroups:
+# - ""
+# resources:
+# - events
+# verbs:
+# - create
+# - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: dex-server-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: dex-server-role
+subjects:
+- kind: ServiceAccount
+ name: dex-server
+---
+apiVersion: apps/v1
+kind: Deployment
 metadata:
 name: dex-server
 spec:
@@ -298,7 +368,7 @@ spec:
 labels:
 app: dex-server
 spec:
- serviceAccountName: argocd-server
+ serviceAccountName: dex-server
 initContainers:
 - name: copyutil
 image: argoproj/argocd-server:v0.8.0
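Review bot: The comment kept above DexgRPCAPIAddr still says the gRPC API "is assumed to run locally (as a sidecar)", which this hunk makes untrue by pointing the constant at the dex-server Service; update it to `// DexgRPCAPIAddr is the address of the Dex gRPC API server for managing dex, reached over the cluster network via the dex-server Service`. The earlier hunk that moved DexReverseProxyAddr off localhost has the same gap, since neither comment records that both connections now leave the pod and rely on network-level controls rather than loopback isolation. The const block begins before this hunk.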
@@ -310,6 +380,9 @@ spec:
 - name: dex
 image: quay.io/coreos/dex:v2.10.0
 command: [/shared/argocd-util, rundex]
+ ports:
+ - containerPort: 5556
+ - containerPort: 5557
 volumeMounts:
 - mountPath: /shared
 name: static-files
@@ -317,33 +390,19 @@ spec:
 - emptyDir: {}
 name: static-files
 ---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: argocd-repo-server
-spec:
- selector:
- matchLabels:
- app: argocd-repo-server
- template:
- metadata:
- labels:
- app: argocd-repo-server
- spec:
- containers:
- - name: argocd-repo-server
- image: argoproj/argocd-repo-server:v0.8.2
- command: [/argocd-repo-server]
- ports:
- - containerPort: 8081
----
 apiVersion: v1
 kind: Service
 metadata:
- name: argocd-repo-server
+ name: dex-server
 spec:
 ports:
- - port: 8081
- targetPort: 8081
+ - name: http
+ protocol: TCP
+ port: 5556
+ targetPort: 5556
+ - name: grpc
+ protocol: TCP
+ port: 5557
+ targetPort: 5557
 selector:
- app: argocd-repo-server
+ app: dex-server
From 94e664bcbe651c6471604ca3cb643a19f76851d2 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 17:07:16 -0700
Subject: [PATCH 15/22] Make token generation more cryptographically secure
---
 util/dex/dex.go | 31 ++++++++++++++++++++++---------
 util/dex/dex_test.go | 26 ++++++++++++++++++++++++++
 util/test/test.go | 18 ------------------
 3 files changed, 48 insertions(+), 27 deletions(-)
 create mode 100644 util/dex/dex_test.go
 delete mode 100644 util/test/test.go
diff --git a/util/dex/dex.go b/util/dex/dex.go
index b1dbde139546a..37b2bd6f0cfa4 100644
--- a/util/dex/dex.go
+++ b/util/dex/dex.go
@@ -2,11 +2,12 @@ package dex
 import (
 "context"
+ "crypto/rand"
 "encoding/json"
 "fmt"
 "html"
 "io/ioutil"
- "math/rand"
+ "math/big"
 "net"
 "net/http"
 "net/http/httputil"
@@ -14,6 +15,7 @@ import (
 "os"
 "regexp"
 "strconv"
+ "strings"
 "time"
 "github.com/coreos/dex/api"
@@ -187,23 +189,34 @@ func (a *ClientApp) oauth2Config(scopes []string) (*oauth2.Config, error) {
 }, nil
 }
-var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+// RandString generates, from a given charset, a cryptographically-secure pseudo-random string of a given length.
+// If the random number reader is unable to gather enough entropy to generate a secure random number, an error will be returned.
+func randString(n int, charset string) (string, error) {
+ var b strings.Builder
+ rr := []rune(charset)
+ m := big.NewInt(int64(len(rr)))
-func randString(n int) string {
- b := make([]rune, n)
- for i := range b {
- b[i]  = letters[rand.Intn(len(letters))]
+ for i := 0; i < n; i++ {
+ pos, err := rand.Int(rand.Reader, m)
+ if err != nil {
+ return b.String(), err
+ }
+ b.WriteRune(rr[pos.Int64()])
 }
- return string(b)
+ return b.String(), nil
 }
 // generateAppState creates an app state nonce
 func (a *ClientApp) generateAppState(returnURL string) string {
- randStr := randString(10)
+ const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ randStr, err := randString(10, letters)
+ if err != nil {
+ log.Fatalf("Could not generate entropy: %v", err)
+ }
 if returnURL == "" {
 returnURL = "/"
 }
- err := a.states.Set(&cache.Item{
+ err = a.states.Set(&cache.Item{
 Key: randStr,
 Object: &appState{
 ReturnURL: returnURL,
diff --git a/util/dex/dex_test.go b/util/dex/dex_test.go
new file mode 100644
index 0000000000000..df1ec952a323e
--- /dev/null
+++ b/util/dex/dex_test.go
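Review bot: randString panics instead of returning its error when charset is empty: `big.NewInt(0)` makes `rand.Int(rand.Reader, m)` panic on a non-positive max, so a guard such as `if len(rr) == 0 { return "", fmt.Errorf("randString: empty charset") }` belongs before the loop (fmt is already imported in this file). The doc comment also names the function `RandString` while it is declared `randString`, which golint will flag. Separately, generateAppState now calls `log.Fatalf` on an entropy error, which terminates the whole server from inside a login request; returning the error to the caller, or logging and failing the single request, is the safer contract, though generateAppState's callers are outside this hunk. A 10-character state drawn from 52 letters is about 57 bits, which is adequate for a CSRF-style nonce but worth stating in the comment so the length is not trimmed later.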
@@ -0,0 +1,26 @@
+package dex
+
+import (
+ "testing"
+)
+
+func TestRandString(t *testing.T) {
+ var ss string
+ var err error
+
+ ss, err = randString(10, "A")
+ if err != nil {
+ t.Fatalf("Could not generate entropy: %v", err)
+ }
+ if ss != "AAAAAAAAAA" {
+ t.Errorf("Expected 10 As, but got %q", ss)
+ }
+
+ ss, err = randString(5, "ABC123")
+ if err != nil {
+ t.Fatalf("Could not generate entropy: %v", err)
+ }
+ if len(ss) != 5 {
+ t.Errorf("Expected random string of length 10, but got %q", ss)
+ }
+}
diff --git a/util/test/test.go b/util/test/test.go
deleted file mode 100644
index 8fd46053079d8..0000000000000
--- a/util/test/test.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package test
-
-import (
- "math/rand"
- "time"
-)
-
-const charset = "abcdefghijklmnopqrstuvwxyz"
-
-// RandString returns a random string of a specified length
-func RandString(length int) string {
- seededRand := rand.New(rand.NewSource(time.Now().UnixNano()))
- b := make([]byte, length)
- for i := range b {
- b[i] = charset[seededRand.Intn(len(charset))]
- }
- return string(b)
-}
From 2a9f0551d98f4198f4b717894225dc5f35a39438 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 17:15:29 -0700
Subject: [PATCH 16/22] Rm comments from components
---
 manifests/components/06b_dex-server-role.yaml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/manifests/components/06b_dex-server-role.yaml b/manifests/components/06b_dex-server-role.yaml
index b59a442389311..d0170d812c43c 100644
--- a/manifests/components/06b_dex-server-role.yaml
+++ b/manifests/components/06b_dex-server-role.yaml
@@ -13,10 +13,3 @@ rules:
 - get
 - list
 - watch
-# - apiGroups:
-# - ""
-# resources:
-# - events
-# verbs:
-# - create
-# - list
From 2153c48c5b2e3409b20414c848151d91f7e88aeb Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 17:36:03 -0700
Subject: [PATCH 17/22] Update install.yaml
---
 manifests/install.yaml | 7 -------
 1 file changed, 7 deletions(-)
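Review bot: The failure message in the second case reads `Expected random string of length 10` while the check is `len(ss) != 5`; change it to `t.Errorf("Expected random string of length 5, but got %q", ss)`. The test also never verifies that every rune of ss comes from the supplied charset, which is the property that would catch an off-by-one in the `pos.Int64()` index; a loop asserting `strings.ContainsRune("ABC123", r)` for each `r` in ss would cover it. Note that `len(ss)` counts bytes and only equals the character count here because the charset is ASCII, so a charset with multi-byte runes would need `utf8.RuneCountInString`.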
diff --git a/manifests/install.yaml b/manifests/install.yaml
index b1f40752bc508..36113323d8454 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -335,13 +335,6 @@ rules:
 - get
 - list
 - watch
-# - apiGroups:
-# - ""
-# resources:
-# - events
-# verbs:
-# - create
-# - list
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
From 1e975cdfaa83036111a4203cd88e867f0da4a494 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Thu, 13 Sep 2018 17:37:58 -0700
Subject: [PATCH 18/22] Reinsert warning at top of install.yaml
---
 manifests/install.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 36113323d8454..15b0e3944be7b 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -1,3 +1,4 @@
+# This is an auto-generated file. DO NOT EDIT
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
From bd64278af2fda7237872885831b27b5b83d8ed6e Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 14 Sep 2018 10:00:03 -0700
Subject: [PATCH 19/22] Update manifest generation tests and counts
---
 reposerver/repository/repository_test.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go
index 3a7160878aac7..6b6dfbdf67856 100644
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -7,20 +7,23 @@ import (
 )
 func TestGenerateYamlManifestInDir(t *testing.T) {
+ // update this value if we add/remove manifests
+ const countOfManifests = 21
+
 q := ManifestRequest{}
 res1, err := generateManifests("../../manifests/components", &q)
 assert.Nil(t, err)
- assert.True(t, len(res1.Manifests) == 16) // update this value if we add/remove manifests
+ assert.Equal(t, len(res1.Manifests), countOfManifests)
 // this will test concatenated manifests to verify we split YAMLs correctly
 res2, err := generateManifests("../../manifests", &q)
 assert.Nil(t, err)
- assert.True(t, len(res2.Manifests) == len(res1.Manifests))
+ assert.Equal(t, len(res2.Manifests), len(res1.Manifests))
 }
 func TestGenerateJsonnetManifestInDir(t *testing.T) {
 q := ManifestRequest{}
 res1, err := generateManifests("./testdata/jsonnet", &q)
 assert.Nil(t, err)
- assert.True(t, len(res1.Manifests) == 2)
+ assert.Equal(t, len(res1.Manifests), 2)
 }
From 58410da44bac3934bbafea8a1b5de4275105b80a Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 14 Sep 2018 10:23:12 -0700
Subject: [PATCH 20/22] Don't ignore return values
---
 util/dex/dex.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/dex/dex.go b/util/dex/dex.go
index 37b2bd6f0cfa4..76cd0b3c4408a 100644
--- a/util/dex/dex.go
+++ b/util/dex/dex.go
@@ -201,7 +201,7 @@ func randString(n int, charset string) (string, error) {
 if err != nil {
 return b.String(), err
 }
- b.WriteRune(rr[pos.Int64()])
+ _, _ = b.WriteRune(rr[pos.Int64()])
 }
 return b.String(), nil
 }
From 38129ed40d71b79a81f907dc02e87bba935c6b6a Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 14 Sep 2018 16:26:32 -0700
Subject: [PATCH 21/22] Restrict to particular resource names, thanks @jessesuen
---
 manifests/components/06b_dex-server-role.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/manifests/components/06b_dex-server-role.yaml b/manifests/components/06b_dex-server-role.yaml
index d0170d812c43c..576d258b36372 100644
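Review bot: testify's `assert.Equal(t, expected, actual, ...)` takes the expected value first, but the three new calls in this hunk pass the measured length first (`assert.Equal(t, len(res1.Manifests), countOfManifests)`), so a failure will print the expected and actual values swapped; write them as `assert.Equal(t, countOfManifests, len(res1.Manifests))`, `assert.Equal(t, len(res1.Manifests), len(res2.Manifests))` and `assert.Equal(t, 2, len(res1.Manifests))`. The surrounding `assert.Nil(t, err)` checks would read more clearly as `assert.NoError(t, err)`, which also prints the error on failure.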
--- a/manifests/components/06b_dex-server-role.yaml
+++ b/manifests/components/06b_dex-server-role.yaml
@@ -6,6 +6,9 @@ metadata:
 rules:
 - apiGroups:
 - ""
+ resourceNames:
+ - argocd-cm
+ - argocd-secret
 resources:
 - secrets
 - configmaps
From d9b41eeb76061ce9713e1c656e4e1895c170f665 Mon Sep 17 00:00:00 2001
From: Andrew Merenbach
Date: Fri, 14 Sep 2018 16:29:01 -0700
Subject: [PATCH 22/22] Update install.yaml
---
 manifests/install.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/manifests/install.yaml b/manifests/install.yaml
index 15b0e3944be7b..fc5c8d9e061f5 100644
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -1,4 +1,3 @@
-# This is an auto-generated file. DO NOT EDIT
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -329,6 +328,9 @@ metadata:
 rules:
 - apiGroups:
 - ""
+ resourceNames:
+ - argocd-cm
+ - argocd-secret
 resources:
 - secrets
 - configmaps
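Review bot: resourceNames scopes `get` as intended, but Kubernetes RBAC only honours it for `list` and `watch` when the request carries a `metadata.name` field selector matching one of the listed names; a plain list or watch of configmaps or secrets by the dex-server service account is now denied outright rather than narrowed. If `argocd-util rundex` reads argocd-cm and argocd-secret through an informer or an unfiltered list (not visible in this series), this rule will break it, and if it only ever does `get`, the `list` and `watch` verbs that remain below this hunk can simply be dropped, which is the tighter rule anyway. Worth a comment on the rule, e.g. `# resourceNames does not narrow list/watch; those verbs need a metadata.name field selector or should be removed`. The same rule is emitted into the generated install.yaml hunk of patch 22, and the verbs list continues past the end of this hunk.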