6 changes: 0 additions & 6 deletions manifests/components/04d_argocd-server-deployment.yaml
Expand Up @@ -39,12 +39,6 @@ spec:
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
- name: dex
image: quay.io/coreos/dex:v2.10.0
command: [/shared/argocd-util, rundex]
volumeMounts:
- mountPath: /shared
name: static-files
volumes:
- emptyDir: {}
name: static-files
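--- /dev/null
+++ b/manifests/components/06a_dex-server-sa.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: dex-server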
18 changes: 18 additions & 0 deletions manifests/components/06b_dex-server-role.yaml
@@ -0,0 +1,18 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dex-server-role
rules:
- apiGroups:
- ""
resourceNames:
- argocd-cm
- argocd-secret
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
We do not want this role to read all secrets and configmaps in the namespace just the settings one. We should add:

resourceNames:
- argocd-cm
- argocd-secret
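Review bot: The `list` and `watch` verbs on L64–L65 cannot be narrowed by the `resourceNames` block above them: Kubernetes RBAC only matches resourceNames against requests that name a single object, so an unfiltered list or watch of secrets from this ServiceAccount is denied, and the two verbs only become live if a later edit drops resourceNames — at which point they grant enumeration of every Secret in the namespace. If `argocd-util rundex` only reads argocd-cm and argocd-secret by name, trim the rule to `verbs: [get]`; if it genuinely watches them, the client must send a `metadata.name` field selector for the name restriction to hold, which I can't confirm from here. A one-line comment above `rules:` such as `# name-scoped on purpose: dex only needs the Argo CD settings objects, not every Secret in the namespace` would keep the next editor from widening it.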

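--- /dev/null
+++ b/manifests/components/06c_dex-server-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: dex-server-role-binding
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: dex-server-role
+subjects:
+- kind: ServiceAccount
+name: dex-server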
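--- /dev/null
+++ b/manifests/components/06d_dex-server-deployment.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: dex-server
+spec:
+selector:
+matchLabels:
+app: dex-server
+template:
+metadata:
+labels:
+app: dex-server
+spec:
+serviceAccountName: dex-server
+initContainers:
+- name: copyutil
+image: argoproj/argocd-server:v0.8.0
+command: [cp, /argocd-util, /shared]
+volumeMounts:
+- mountPath: /shared
+name: static-files
+containers:
+- name: dex
+image: quay.io/coreos/dex:v2.10.0
+command: [/shared/argocd-util, rundex]
+ports:
+- containerPort: 5556
+- containerPort: 5557
+volumeMounts:
+- mountPath: /shared
+name: static-files
+volumes:
+- emptyDir: {}
+name: static-files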
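Review bot: The dex container on L121–L129 executes a binary that a different image dropped into a writable emptyDir, yet the pod sets no securityContext and no probes, whereas the argocd-server container it was split out of keeps a readiness probe (L25–L27). Nothing here stops the container from running as root or from being routed traffic by the Service before `argocd-util rundex` has actually brought dex up on 5556. I'd add a readiness probe and a restrictive securityContext as below; whether the dex v2.10.0 image already runs unprivileged, and whether `rundex` writes its generated config only under /shared (needed for `readOnlyRootFilesystem`), I can't tell from this diff, so both need confirming against the image and the rundex code.
```yaml
      - name: dex
        image: quay.io/coreos/dex:v2.10.0
        command: [/shared/argocd-util, rundex]
        # … unchanged: ports, volumeMounts …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        readinessProbe:
          tcpSocket:
            port: 5556
          initialDelaySeconds: 3
          periodSeconds: 30
```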
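--- /dev/null
+++ b/manifests/components/06e_dex-server-service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: dex-server
+spec:
+ports:
+- name: http
+protocol: TCP
+port: 5556
+targetPort: 5556
+- name: grpc
+protocol: TCP
+port: 5557
+targetPort: 5557
+selector:
+app: dex-server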
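Review bot: Publishing 5557 on a cluster Service (L147–L150) puts the dex gRPC admin API on the pod network, where before this change it was only reachable on the sidecar's loopback (the old `DexgRPCAPIAddr` in util/dex/dex.go was `localhost:5557`). Dex's gRPC API has no authentication of its own unless TLS with client certificates is configured, and nothing in this PR configures that or adds a NetworkPolicy, so any pod that can reach this namespace can create or delete OIDC clients and passwords through it; the `http` port is likewise plaintext now that the reverse proxy crosses the network. At minimum a NetworkPolicy restricting ingress on 5557 to the argocd-server pods should ship alongside this, and a comment on the port such as `# unauthenticated admin API: must only be reachable from argocd-server` would make the exposure visible to whoever touches this Service next.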
94 changes: 87 additions & 7 deletions manifests/install.yaml
@@ -1,4 +1,3 @@
# This is an auto-generated file. DO NOT EDIT
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
Expand Down Expand Up @@ -265,12 +264,6 @@ spec:
port: 8080
initialDelaySeconds: 3
periodSeconds: 30
- name: dex
image: quay.io/coreos/dex:v2.10.0
command: [/shared/argocd-util, rundex]
volumeMounts:
- mountPath: /shared
name: static-files
volumes:
- emptyDir: {}
name: static-files
Expand Down Expand Up @@ -322,3 +315,90 @@ spec:
targetPort: 8081
selector:
app: argocd-repo-server
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dex-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dex-server-role
rules:
- apiGroups:
- ""
resourceNames:
- argocd-cm
- argocd-secret
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dex-server-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dex-server-role
subjects:
- kind: ServiceAccount
name: dex-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dex-server
spec:
selector:
matchLabels:
app: dex-server
template:
metadata:
labels:
app: dex-server
spec:
serviceAccountName: dex-server
initContainers:
- name: copyutil
image: argoproj/argocd-server:v0.8.0
command: [cp, /argocd-util, /shared]
volumeMounts:
- mountPath: /shared
name: static-files
containers:
- name: dex
image: quay.io/coreos/dex:v2.10.0
command: [/shared/argocd-util, rundex]
ports:
- containerPort: 5556
- containerPort: 5557
volumeMounts:
- mountPath: /shared
name: static-files
volumes:
- emptyDir: {}
name: static-files
---
apiVersion: v1
kind: Service
metadata:
name: dex-server
spec:
ports:
- name: http
protocol: TCP
port: 5556
targetPort: 5556
- name: grpc
protocol: TCP
port: 5557
targetPort: 5557
selector:
app: dex-server
9 changes: 6 additions & 3 deletions reposerver/repository/repository_test.go
Expand Up @@ -7,20 +7,23 @@ import (
)

func TestGenerateYamlManifestInDir(t *testing.T) {
// update this value if we add/remove manifests
const countOfManifests = 21

q := ManifestRequest{}
res1, err := generateManifests("../../manifests/components", &q)
assert.Nil(t, err)
assert.True(t, len(res1.Manifests) == 16) // update this value if we add/remove manifests
assert.Equal(t, len(res1.Manifests), countOfManifests)

// this will test concatenated manifests to verify we split YAMLs correctly
res2, err := generateManifests("../../manifests", &q)
assert.Nil(t, err)
assert.True(t, len(res2.Manifests) == len(res1.Manifests))
assert.Equal(t, len(res2.Manifests), len(res1.Manifests))
}

func TestGenerateJsonnetManifestInDir(t *testing.T) {
q := ManifestRequest{}
res1, err := generateManifests("./testdata/jsonnet", &q)
assert.Nil(t, err)
assert.True(t, len(res1.Manifests) == 2)
assert.Equal(t, len(res1.Manifests), 2)
}
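Review bot: The three `assert.Equal` calls on L277, L283 and L291 pass the measured value first, but testify's signature is `Equal(t, expected, actual)`, so a failure will print the hard-coded count as "actual" and the real manifest count as "expected", which is exactly backwards when chasing a manifest-count regression. Swap the arguments, e.g. `assert.Equal(t, countOfManifests, len(res1.Manifests))` and `assert.Equal(t, 2, len(res1.Manifests))`. The hunk header starts inside the import block, but both test functions are fully visible.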
35 changes: 24 additions & 11 deletions util/dex/dex.go
Expand Up @@ -2,18 +2,20 @@ package dex

import (
"context"
"crypto/rand"
"encoding/json"
"fmt"
"html"
"io/ioutil"
"math/rand"
"math/big"
"net"
"net/http"
"net/http/httputil"
"net/url"
"os"
"regexp"
"strconv"
"strings"
"time"

"github.com/coreos/dex/api"
Expand All @@ -32,10 +34,10 @@ import (

const (
// DexReverseProxyAddr is the address of the Dex OIDC server, which we run a reverse proxy against
DexReverseProxyAddr = "http://localhost:5556"
DexReverseProxyAddr = "http://dex-server:5556"
// DexgRPCAPIAddr is the address to the Dex gRPC API server for managing dex. This is assumed to run
// locally (as a sidecar)
DexgRPCAPIAddr = "localhost:5557"
DexgRPCAPIAddr = "dex-server:5557"
)

var messageRe = regexp.MustCompile(`<p>(.*)([\s\S]*?)<\/p>`)
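Review bot: The doc comment on L323–L324 still says the gRPC API "is assumed to run locally (as a sidecar)", but the value on L326 now resolves to the `dex-server` Service, so the comment contradicts the constant it documents. The point worth recording is that both addresses are plain `http`/plaintext and the gRPC one carries no authentication, so the trust that used to come from the loopback interface now has to be provided by the network. I'd rewrite it as `// DexgRPCAPIAddr is the address of the Dex gRPC API used to manage dex. Dex now runs as its own Deployment, so this is reached over the cluster network without TLS or auth and must be restricted at the network level.`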
Expand Down Expand Up @@ -187,23 +189,34 @@ func (a *ClientApp) oauth2Config(scopes []string) (*oauth2.Config, error) {
}, nil
}

var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
// RandString generates, from a given charset, a cryptographically-secure pseudo-random string of a given length.
// If the random number reader is unable to gather enough entropy to generate a secure random number, an error will be returned.
func randString(n int, charset string) (string, error) {
var b strings.Builder
rr := []rune(charset)
m := big.NewInt(int64(len(rr)))

func randString(n int) string {
b := make([]rune, n)
for i := range b {
b[i] = letters[rand.Intn(len(letters))]
for i := 0; i < n; i++ {
pos, err := rand.Int(rand.Reader, m)
if err != nil {
return b.String(), err
}
_, _ = b.WriteRune(rr[pos.Int64()])
}
return string(b)
return b.String(), nil
}

// generateAppState creates an app state nonce
func (a *ClientApp) generateAppState(returnURL string) string {
randStr := randString(10)
const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
randStr, err := randString(10, letters)
if err != nil {
log.Fatalf("Could not generate entropy: %v", err)
}
if returnURL == "" {
returnURL = "/"
}
err := a.states.Set(&cache.Item{
err = a.states.Set(&cache.Item{
Key: randStr,
Object: &appState{
ReturnURL: returnURL,
Expand Down
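--- /dev/null
+++ b/util/dex/dex_test.go
@@ -0,0 +1,26 @@
+package dex
+
+import (
+"testing"
+)
+
+func TestRandString(t *testing.T) {
+var ss string
+var err error
+
+ss, err = randString(10, "A")
+if err != nil {
+t.Fatalf("Could not generate entropy: %v", err)
+}
+if ss != "AAAAAAAAAA" {
+t.Errorf("Expected 10 As, but got %q", ss)
+}
+
+ss, err = randString(5, "ABC123")
+if err != nil {
+t.Fatalf("Could not generate entropy: %v", err)
+}
+if len(ss) != 5 {
+t.Errorf("Expected random string of length 10, but got %q", ss)
+}
+}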
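Review bot: The failure message on L400 says "length 10" for a call that asked for 5 characters, so a real failure would report the wrong expectation; use `t.Errorf("Expected random string of length 5, but got %q", ss)`, or format the requested length into the message so the two cannot drift apart. The second case also never checks that the output stays within the charset — with `"ABC123"` every rune of `ss` should be one of those six — and that is the property a nonce generator's test should pin; a loop calling `strings.ContainsRune("ABC123", r)` over `ss` would cover it.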
18 changes: 0 additions & 18 deletions util/test/test.go

This file was deleted.