Merge pull request #6 from ccojocar/dex_grpc_client

feat:(dex grpc) add gRPC client for dex server

Author: Cosmin Cojocar

Gopkg.lock

@@ -63,6 +63,9 @@ codegen:
 	@echo "GENERATING KUBERNETES CRDs"
 	hack/update-codegen.sh
 
+linux:
+	CGO_ENABLED=$(CGO_ENABLED) GOOS=linux GOARCH=amd64 $(GO) build -ldflags $(BUILDFLAGS) -o bin/$(NAME) $(MAIN_GO)
+
 watch:
 	reflex -r "\.go$" -R "vendor.*" make skaffold-run
 

Makefile

@@ -22,9 +22,20 @@ spec:
       - name: {{ .Chart.Name }}
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/sso-operator"]
+        args:
+        - "--dex-grpc-host-port={{ .Values.dex.grpcHostAndPort }}"
+        - "--dex-grpc-ca=/etc/dex/ca/ca.crt"
+        - "--dex-grpc-client-crt=/etc/dex/tls/tls.crt"
+        - "--dex-grpc-client-key=/etc/dex/tls/tls.key"
         env:
           - name: OPERATOR_NAMESPACE
             value: {{ .Release.Namespace }}
+        volumeMounts:
+          - name: dex-grpc-ca
+            mountPath: /etc/dex/ca
+          - name: dex-grpc-client-tls
+            mountPath: /etc/dex/tls
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         livenessProbe:
@@ -44,4 +55,13 @@ spec:
           timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
         resources:
 {{ toYaml .Values.resources | indent 12 }}
+      volumes:
+      - name: dex-grpc-ca
+        configMap:
+          name: {{ .Values.dex.certs.grpcCA }} 
+      - name: dex-grpc-client-tls
+        secret:
+          defaultMode: 420
+          secretName: {{ .Values.dex.certs.grpcClientTls }}
+
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}

charts/sso-operator/templates/deployment.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.dex.certs.install.create }}
+{{ $caName := .Values.dex.certs.grpcCA }}
+{{ $clientTlsSecretName := .Values.dex.certs.grpcClientTls }}
+{{ $sourceNamespace := .Values.dex.certs.install.sourceNamespace }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "4"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  name: job-install-grpc-secrets
+  labels:
+    draft: {{ default "draft-app" .Values.draft }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+spec:
+  activeDeadlineSeconds: {{ .Values.dex.certs.install.activeDeadlineSeconds }}
+  template:
+    metadata:
+      labels:
+        release: "{{ .Release.Name }}"
+        component: "job"
+    spec:
+      serviceAccountName: {{ template "fullname" . }}-install-certs
+      restartPolicy: OnFailure
+      containers:
+      - name: main
+        image: "{{ .Values.dex.certs.install.image }}:{{ .Values.dex.certs.install.imageTag }}"
+        imagePullPolicy: {{ .Values.dex.certs.install.imagePullPolicy }}
+        command:
+        - /bin/bash
+        - -exc
+        - |
+          # Cleanup the existing config map and secrets
+          kubectl delete configmap {{ $caName }} --namespace {{ .Release.Namespace }} || true
+          kubectl delete secret {{ $clientTlsSecretName }} --namespace {{ .Release.Namespace }} || true
+
+          # Copy the secrts from source namespace
+          kubectl get secret {{ $clientTlsSecretName }} --namespace={{ $sourceNamespace }} --export -o yaml |\
+          kubectl apply --namespace={{ .Release.Namespace }} -f -
+          kubectl get cm {{ $caName }} --namespace={{ $sourceNamespace }} --export -o yaml |\
+          kubectl apply --namespace={{ .Release.Namespace }} -f -
+{{- end }}

charts/sso-operator/templates/job-install-grpc-secrets.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.dex.certs.install.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "2"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+  name: {{ template "fullname" . }}-install-certs
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["*"]
+{{- end }}

charts/sso-operator/templates/role-install.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.dex.certs.install.create }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "3"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+  name: {{ template "fullname" . }}-install-certs
+  namespace: {{ .Values.dex.certs.install.sourceNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "fullname" . }}-install-certs
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "fullname" . }}-install-certs
+    namespace: {{ .Release.Namespace }}
+
+{{- end }}

charts/sso-operator/templates/rolebinding-install.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.dex.certs.install.create }}
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "1"
+    "helm.sh/hook-delete-policy": hook-succeeded
+  name: {{ template "fullname" . }}-install-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+{{- end }}
+

charts/sso-operator/templates/sa-install.yaml

@@ -32,3 +32,16 @@ readinessProbe:
   successThreshold: 1
   timeoutSeconds: 1
 terminationGracePeriodSeconds: 10
+
+dex:
+  grpcHostAndPort: dex:5000 
+  certs:
+    grpcCA: dex-grpc-ca
+    grpcClientTls: dex-grpc-client-tls
+    install:
+      create: true
+      image: gcr.io/google_containers/kubernetes-dashboard-init-amd64
+      imageTag: "v1.0.0"
+      imagePullPolicy: "IfNotPresent"
+      sourceNamespace: jx
+      activeDeadlineSeconds: 300