dex-aio - missing idp-ca.crt for refresh token

Once the id_token expires, kubectl uses the refresh token to obtain new id_token and refresh token. This process requires the attribute idp-certificate-authority under users.user.auth-provider.config in the kubeconfig file, which was missing when this file was generated. This patchset adds the attribute in values.yaml that will be used to generate the config.yaml file for the authenticator container, which will include the instructions for including the missing idp-certificate-authority and associated certificate in the kubeconfig file. Also, added the namespace for the templates as dex needs to be deployed in the same namespace as the target-cluster management resources, e.g., target-infra. Relates-to: #6 Change-Id: Ie871d1d47f160da035fdfa80016699c519d4c2dd
2021-06-30 15:17:48 +00:00 · 2021-06-30 15:17:48 +00:00 · f945f6a916
commit f945f6a916
parent 874c60e4ce
10 changed files with 11 additions and 4 deletions
--- a/charts/dex-aio/templates/Certificate-dex.yaml
+++ b/charts/dex-aio/templates/Certificate-dex.yaml
@ -4,6 +4,7 @@ apiVersion: cert-manager.io/v1alpha2
 kind: Certificate
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 spec:
  secretName: {{ template "helpers.labels.fullname" . }}-tls
--- a/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml
+++ b/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml
@ -12,7 +12,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "helpers.labels.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "ClusterRoleBinding-dex" ) }}
--- a/charts/dex-aio/templates/ConfigMap-dex.yaml
+++ b/charts/dex-aio/templates/ConfigMap-dex.yaml
@ -4,6 +4,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 data:
 {{- range $key, $value := .Values.config }}
--- a/charts/dex-aio/templates/Deployment-dex.yaml
+++ b/charts/dex-aio/templates/Deployment-dex.yaml
@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ''
--- a/charts/dex-aio/templates/Role-dex.yaml
+++ b/charts/dex-aio/templates/Role-dex.yaml
@ -4,6 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 rules:
 - apiGroups:
--- a/charts/dex-aio/templates/RoleBinding-dex.yaml
+++ b/charts/dex-aio/templates/RoleBinding-dex.yaml
@ -5,7 +5,7 @@ kind: RoleBinding
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
@ -13,7 +13,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
  name: {{ template "helpers.labels.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "RoleBinding-dex" ) }}
--- a/charts/dex-aio/templates/Secret-dex.yaml
+++ b/charts/dex-aio/templates/Secret-dex.yaml
@ -4,6 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 data:
  ldap-bindpw: "{{ b64enc ( .Values.params.ldap.bind_password ) }}"
--- a/charts/dex-aio/templates/Service-dex.yaml
+++ b/charts/dex-aio/templates/Service-dex.yaml
@ -4,6 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 spec:
  type: NodePort
--- a/charts/dex-aio/templates/ServiceAccount-dex.yaml
+++ b/charts/dex-aio/templates/ServiceAccount-dex.yaml
@ -4,6 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ template "helpers.labels.fullname" . }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 ...
 {{- end -}}
--- a/charts/dex-aio/values.yaml
+++ b/charts/dex-aio/values.yaml
@ -28,7 +28,6 @@ node_labels:
    key: node-role.kubernetes.io/master
    value: ""
 params:
  site:
    name: PDL1
@ -165,6 +164,7 @@ config:
    web_path_prefix: "/ui"
    tls_cert: "/var/run/secrets/airshipit.org/tls/crt/tls.crt"
    tls_key: "/var/run/secrets/airshipit.org/tls/key/tls.key"
    idp_ca_uri: "http://{{ .Values.params.endpoints.hostname }}:{{ .Values.params.endpoints.port.http }}/ca.crt"
    debug: true
    clusters:
    - client_id: "{{ .Values.params.oidc.client_id }}"