From d0920b0572fffea46d31fe769602ec75b6c97973 Mon Sep 17 00:00:00 2001 From: Maik Date: Wed, 10 Nov 2021 09:24:56 +0100 Subject: [PATCH 1/3] Added function to encode client_secret in base64 + alpine update --- Dockerfile | 4 ++-- dex-auth.go | 6 +++++- docs/config.md | 5 +++-- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 99d7a11..8467eba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.16.4-alpine3.13 +FROM golang:1.17.3-alpine3.14 RUN apk add --no-cache --update alpine-sdk bash @@ -15,7 +15,7 @@ COPY . . RUN make build -FROM alpine:3.13.5 +FROM alpine:3.14 # Dex connectors, such as GitHub and Google logins require root certificates. # Proper installations should manage those certificates, but it's a bad user diff --git a/dex-auth.go b/dex-auth.go index b7b9e1b..9688aef 100644 --- a/dex-auth.go +++ b/dex-auth.go @@ -2,12 +2,14 @@ package main import ( "bytes" + "encoding/base64" "encoding/json" "fmt" "io/ioutil" "log" "net/http" "path" + "strings" "time" "github.com/coreos/go-oidc" @@ -19,9 +21,11 @@ const exampleAppState = "Vgn2lp5QnymFtLntKX5dM8k773PwcM87T4hQtiESC1q8wkUBgw5D3kH func (cluster *Cluster) oauth2Config() *oauth2.Config { + Dsec, _ := base64.StdEncoding.DecodeString(cluster.Client_Secret) + return &oauth2.Config{ ClientID: cluster.Client_ID, - ClientSecret: cluster.Client_Secret, + ClientSecret: strings.TrimRight((string(Dsec)), "\n"), Endpoint: cluster.Provider.Endpoint(), Scopes: cluster.Scopes, RedirectURL: cluster.Redirect_URI, diff --git a/docs/config.md b/docs/config.md index c57ec37..b1ab596 100644 --- a/docs/config.md +++ b/docs/config.md 
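Review bot: The decode error on `Dsec, _ := base64.StdEncoding.DecodeString(cluster.Client_Secret)` is discarded, so a client_secret that is not valid base64 silently becomes an empty ClientSecret and only shows up later as a failed token exchange against Dex instead of a configuration error. The file already imports `log`, so the check is cheap: `Dsec, err := base64.StdEncoding.DecodeString(cluster.Client_Secret)` / `if err != nil { log.Fatalf("decoding client_secret for client %q: %v", cluster.Client_ID, err) }` — or, better, decode once when the config is loaded rather than on every oauth2Config() call. Note that base64 is an encoding, not encryption: it hides nothing from anyone who can read the config file, which is presumably why PATCH 2/3 reverts this hunk in favour of a Kubernetes Secret. As style points, the local would conventionally be `dsec` and `(string(Dsec))` needs no extra parentheses. oauth2Config's body continues past the end of the hunk.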
@@ -73,8 +73,9 @@ clusters: # A path-prefix from which to serve requests and assets web_path_prefix: /dex-auth ``` - -Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. +IMPORTANT: + - Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. + - Please make sure that you Encode the `client_secret` with base64. ### Helm From f7e9498deb70865f896a4e67a718ddae418a3ac8 Mon Sep 17 00:00:00 2001 From: Maik Date: Wed, 12 Jan 2022 12:20:01 +0100 Subject: [PATCH 2/3] Adapted option to handle dex client secrets via k8s-secret. --- charts/dex-k8s-authenticator/Chart.yaml | 4 ++-- charts/dex-k8s-authenticator/templates/secrets.yaml | 12 ++++++++++++ charts/dex-k8s-authenticator/values.yaml | 7 +++++++ dex-auth.go | 6 +----- docs/config.md | 5 ++--- entrypoint.sh | 9 ++++++++- 6 files changed, 32 insertions(+), 11 deletions(-) create mode 100644 charts/dex-k8s-authenticator/templates/secrets.yaml diff --git a/charts/dex-k8s-authenticator/Chart.yaml b/charts/dex-k8s-authenticator/Chart.yaml index 4f96065..7747659 100644 --- a/charts/dex-k8s-authenticator/Chart.yaml +++ b/charts/dex-k8s-authenticator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: "v1.4.0" +appVersion: "v1.4.1" description: "Authenticator for using Dex with Kubernetes" name: dex-k8s-authenticator -version: 1.4.0 +version: 1.4.1 sources: - https://github.com/mintel/dex-k8s-authenticator maintainers: diff --git a/charts/dex-k8s-authenticator/templates/secrets.yaml b/charts/dex-k8s-authenticator/templates/secrets.yaml new file mode 100644 index 0000000..6a30f0a --- /dev/null +++ b/charts/dex-k8s-authenticator/templates/secrets.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "dex-k8s-authenticator.fullname" . }} + labels: + app: {{ template "dex-k8s-authenticator.fullname" . }} + env: {{ default "dev" .Values.global.deployEnv }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + credentials: {{ default "" .Values.dex-core.client_secret | b64enc }} \ No newline at end of file diff --git a/charts/dex-k8s-authenticator/values.yaml b/charts/dex-k8s-authenticator/values.yaml index 14b3045..c9e0b11 100644 --- a/charts/dex-k8s-authenticator/values.yaml +++ b/charts/dex-k8s-authenticator/values.yaml @@ -24,6 +24,9 @@ dexK8sAuthenticator: - name: my-cluster short_description: "My Cluster" description: "Example Cluster Long Description..." + #"client_secret" can be shifted to secrets. + #In order to use the secrets the value of client_secret needs to be replaced + #with the following: client_secret: ${client_secret} client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok issuer: https://dex.example.com k8s_master_uri: https://my-cluster.example.com @@ -31,6 +34,10 @@ dexK8sAuthenticator: redirect_uri: https://login.example.com/callback/my-cluster k8s_ca_uri: https://url-to-your-ca.crt +#Will create a secret which then can be used for the "dexK8sAuthenticator->client_secret" +#dex-core: +# client_secret: my-secret-value-plain + service: annotations: {} type: ClusterIP diff --git a/dex-auth.go b/dex-auth.go index 9688aef..b7b9e1b 100644 --- a/dex-auth.go +++ b/dex-auth.go @@ -2,14 +2,12 @@ package main import ( "bytes" - "encoding/base64" "encoding/json" "fmt" "io/ioutil" "log" "net/http" "path" - "strings" "time" "github.com/coreos/go-oidc" 
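Review bot: `{{ default "" .Values.dex-core.client_secret | b64enc }}` will not render: Go templates do not accept `-` inside a field name, so a hyphenated values key has to be reached with `index`, e.g. `credentials: {{ index .Values "dex-core" "client_secret" | b64enc }}` (or rename the key to `dexCore` so dot access works, matching the commented block in values.yaml). The diffstat for this patch touches no deployment template, so nothing mounts this Secret at `/var/run/secrets/dex-k8s-authenticator/credentials/credentials`, the path the new entrypoint.sh reads; either the Deployment needs a volume and volumeMount for it or the docs must tell operators to add one. With `default ""` the Secret is also created unconditionally, shipping an empty `credentials` key whenever the value is unset; wrapping the manifest in `{{- if index .Values "dex-core" }}` avoids that. The same hunk appears again in PATCH 3/3 and needs the same changes.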
@@ -21,11 +19,9 @@ const exampleAppState = "Vgn2lp5QnymFtLntKX5dM8k773PwcM87T4hQtiESC1q8wkUBgw5D3kH func (cluster *Cluster) oauth2Config() *oauth2.Config { - Dsec, _ := base64.StdEncoding.DecodeString(cluster.Client_Secret) - return &oauth2.Config{ ClientID: cluster.Client_ID, - ClientSecret: strings.TrimRight((string(Dsec)), "\n"), + ClientSecret: cluster.Client_Secret, Endpoint: cluster.Provider.Endpoint(), Scopes: cluster.Scopes, RedirectURL: cluster.Redirect_URI, diff --git a/docs/config.md b/docs/config.md index b1ab596..db72d83 100644 --- a/docs/config.md +++ b/docs/config.md @@ -73,9 +73,8 @@ clusters: # A path-prefix from which to serve requests and assets web_path_prefix: /dex-auth ``` -IMPORTANT: - - Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. - - Please make sure that you Encode the `client_secret` with base64. +- +Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. ### Helm diff --git a/entrypoint.sh b/entrypoint.sh index 14bec45..57551a4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,5 +5,12 @@ if [ ! -z "$(ls -A /certs)" ]; then update-ca-certificates fi +credentials_file=/var/run/secrets/dex-k8s-authenticator/credentials/credentials +if [ -e $credentials_file ] +then + echo "export client_secret" `cat $credentials_file` > /var/tmp/credential_export + source /var/tmp/credential_export +fi + # Execute dex-k8s-authenticator with any argument passed to docker run -/app/bin/dex-k8s-authenticator $@ +/app/bin/dex-k8s-authenticator $@ \ No newline at end of file From cba90e96327ca45559f98326d7cd1881efe9f143 Mon Sep 17 00:00:00 2001 
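Review bot: The sourced file never assigns the secret: the `echo "export client_secret"` line followed by the command-substituted file contents writes `export client_secret <value>` with a space between them, so bash exports an unset `client_secret` and treats the secret value itself as a second variable name (typically failing with "not a valid identifier"). It also leaves the client secret in clear text in `/var/tmp/credential_export` for the lifetime of the container, readable by any process that can read that directory. Both problems go away by assigning directly without touching disk: replace the `echo`/`source` pair with `export client_secret="$(cat "$credentials_file")"`, and test with `[ -r "$credentials_file" ]` rather than `-e` so an unreadable mount is skipped cleanly instead of `cat` failing. The identical hunk is repeated in PATCH 3/3 and needs the same fix.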
From: Maik Date: Wed, 12 Jan 2022 12:20:01 +0100 Subject: [PATCH 3/3] Adapted option to handle dex client secrets via k8s-secret. --- charts/dex-k8s-authenticator/Chart.yaml | 4 ++-- charts/dex-k8s-authenticator/templates/ingress.yaml | 2 +- charts/dex-k8s-authenticator/templates/secrets.yaml | 12 ++++++++++++ charts/dex-k8s-authenticator/values.yaml | 7 +++++++ dex-auth.go | 6 +----- docs/config.md | 5 ++--- entrypoint.sh | 9 ++++++++- 7 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 charts/dex-k8s-authenticator/templates/secrets.yaml diff --git a/charts/dex-k8s-authenticator/Chart.yaml b/charts/dex-k8s-authenticator/Chart.yaml index 4f96065..7747659 100644 --- a/charts/dex-k8s-authenticator/Chart.yaml +++ b/charts/dex-k8s-authenticator/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: "v1.4.0" +appVersion: "v1.4.1" description: "Authenticator for using Dex with Kubernetes" name: dex-k8s-authenticator -version: 1.4.0 +version: 1.4.1 sources: - https://github.com/mintel/dex-k8s-authenticator maintainers: diff --git a/charts/dex-k8s-authenticator/templates/ingress.yaml b/charts/dex-k8s-authenticator/templates/ingress.yaml index 54c0fa9..6b977ba 100644 --- a/charts/dex-k8s-authenticator/templates/ingress.yaml +++ b/charts/dex-k8s-authenticator/templates/ingress.yaml @@ -2,7 +2,7 @@ {{- $fullName := include "dex-k8s-authenticator.fullname" . -}} {{- $servicePort := .Values.service.port -}} {{- $ingressPath := .Values.ingress.path -}} -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ $fullName }} diff --git a/charts/dex-k8s-authenticator/templates/secrets.yaml b/charts/dex-k8s-authenticator/templates/secrets.yaml new file mode 100644 index 0000000..6a30f0a --- /dev/null +++ b/charts/dex-k8s-authenticator/templates/secrets.yaml 
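Review bot: Switching only `apiVersion` to `networking.k8s.io/v1` is not enough if the rest of the template, which lies outside this hunk, still uses the `extensions/v1beta1` shape: v1 requires `pathType` on every path and moves the backend to `backend.service.name` / `backend.service.port.number`, rejecting `serviceName`/`servicePort`. The `$servicePort` and `$ingressPath` variables captured here suggest such a rules block follows, so please verify it against the v1 schema, otherwise the chart stops installing on clusters that dropped v1beta1 (1.22+). Clusters older than 1.19 also lose the ability to install; a capability check such as `{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }}` is the usual way to support both API versions from one template.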
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "dex-k8s-authenticator.fullname" . }} + labels: + app: {{ template "dex-k8s-authenticator.fullname" . }} + env: {{ default "dev" .Values.global.deployEnv }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" + heritage: "{{ .Release.Service }}" +data: + credentials: {{ default "" .Values.dex-core.client_secret | b64enc }} \ No newline at end of file diff --git a/charts/dex-k8s-authenticator/values.yaml b/charts/dex-k8s-authenticator/values.yaml index 14b3045..c9e0b11 100644 --- a/charts/dex-k8s-authenticator/values.yaml +++ b/charts/dex-k8s-authenticator/values.yaml @@ -24,6 +24,9 @@ dexK8sAuthenticator: - name: my-cluster short_description: "My Cluster" description: "Example Cluster Long Description..." + #"client_secret" can be shifted to secrets. + #In order to use the secrets the value of client_secret needs to be replaced + #with the following: client_secret: ${client_secret} client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok issuer: https://dex.example.com k8s_master_uri: https://my-cluster.example.com @@ -31,6 +34,10 @@ dexK8sAuthenticator: redirect_uri: https://login.example.com/callback/my-cluster k8s_ca_uri: https://url-to-your-ca.crt +#Will create a secret which then can be used for the "dexK8sAuthenticator->client_secret" +#dex-core: +# client_secret: my-secret-value-plain + service: annotations: {} type: ClusterIP diff --git a/dex-auth.go b/dex-auth.go index 9688aef..b7b9e1b 100644 --- a/dex-auth.go +++ b/dex-auth.go @@ -2,14 +2,12 @@ package main import ( "bytes" - "encoding/base64" "encoding/json" "fmt" "io/ioutil" "log" "net/http" "path" - "strings" "time" "github.com/coreos/go-oidc" 
@@ -21,11 +19,9 @@ const exampleAppState = "Vgn2lp5QnymFtLntKX5dM8k773PwcM87T4hQtiESC1q8wkUBgw5D3kH func (cluster *Cluster) oauth2Config() *oauth2.Config { - Dsec, _ := base64.StdEncoding.DecodeString(cluster.Client_Secret) - return &oauth2.Config{ ClientID: cluster.Client_ID, - ClientSecret: strings.TrimRight((string(Dsec)), "\n"), + ClientSecret: cluster.Client_Secret, Endpoint: cluster.Provider.Endpoint(), Scopes: cluster.Scopes, RedirectURL: cluster.Redirect_URI, diff --git a/docs/config.md b/docs/config.md index b1ab596..db72d83 100644 --- a/docs/config.md +++ b/docs/config.md @@ -73,9 +73,8 @@ clusters: # A path-prefix from which to serve requests and assets web_path_prefix: /dex-auth ``` -IMPORTANT: - - Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. - - Please make sure that you Encode the `client_secret` with base64. +- +Don't forget to update the Dex `staticClients.redirectURIs` value to include the prefix as well. ### Helm diff --git a/entrypoint.sh b/entrypoint.sh index 14bec45..57551a4 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,5 +5,12 @@ if [ ! -z "$(ls -A /certs)" ]; then update-ca-certificates fi +credentials_file=/var/run/secrets/dex-k8s-authenticator/credentials/credentials +if [ -e $credentials_file ] +then + echo "export client_secret" `cat $credentials_file` > /var/tmp/credential_export + source /var/tmp/credential_export +fi + # Execute dex-k8s-authenticator with any argument passed to docker run -/app/bin/dex-k8s-authenticator $@ +/app/bin/dex-k8s-authenticator $@ \ No newline at end of file