allow for base64 encoded k8s ca (#171)
* allow for base64 encoded k8s ca

* only use encoded ca if no other ca was provided

* update config docs
jbonzo authored Jun 15, 2021
1 parent f5b822e commit 98a3d45
Showing 2 changed files with 53 additions and 41 deletions.
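--- a/docs/config.md
+++ b/docs/config.md
@@ -5,33 +5,34 @@ An example configuration is available [here](../examples/config.yaml)
 ## Configuration options
 
 
-| Name | Required | Context | Description |
-|------------------------|----------|---------|---------------------------------------------------------------------------------------|
-| name | yes | cluster | Internal id of cluster |
-| short_description | yes | cluster | Short description of cluster |
-| description | yes | cluster | Extended description of cluster |
-| client_secret | yes | cluster | OAuth2 client-secret (shared between dex-k8s-auth and dex) |
-| client_id | yes | cluster | OAuth2 client-id public identifier (shared between dex-k8s-auth and dex) |
-| connector_id | no | cluster | Dex connector ID to use by default omitting other available connectors |
-| issuer | yes | cluster | Dex issuer url |
-| redirect_uri | yes | cluster | Redirect uri called by dex (defines a callback on dex-k8s-auth) |
-| k8s_master_uri | no | cluster | Kubernetes api-server endpoint (used in kubeconfig) |
-| k8s_ca_uri | no | cluster | A url pointing to the CA for generating 'certificate-authority' option in kubeconfig |
-| k8s_ca_pem | no | cluster | The CA for your k8s server (used in generating instructions) |
-| k8s_ca_pem_file | no | cluster | The CA file for your k8s server (used in generating instructions) |
-| scopes | no | cluster | A list OpenID scopes to request |
-| tls_cert | no | root | Path to TLS cert if SSL enabled |
-| tls_key | no | root | Path to TLS key if SSL enabled |
-| idp_ca_uri | no | root | A url pointing to the CA for generating 'idp-certificate-authority' in the kubeconfig |
-| idp_ca_pem | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig |
-| idp_ca_pem_file | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig - load from file |
-| trusted_root_ca | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime |
-| trusted_root_ca_file | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime - load from file |
-| listen | yes | root | The listen address/port |
-| web_path_prefix | no | root | A path-prefix to serve dex-k8s-auth at (defaults to '/') |
-| kubectl_version | no | root | A kubectl-version string that is used to provided a download path |
-| logo_uri | no | root | A url pointing to a logo image that is displayed in the header |
-| debug | no | root | Enable more debug by setting to true |
+| Name | Required | Context | Description |
+|---------------------------|----------|---------|---------------------------------------------------------------------------------------|
+| name | yes | cluster | Internal id of cluster |
+| short_description | yes | cluster | Short description of cluster |
+| description | yes | cluster | Extended description of cluster |
+| client_secret | yes | cluster | OAuth2 client-secret (shared between dex-k8s-auth and dex) |
+| client_id | yes | cluster | OAuth2 client-id public identifier (shared between dex-k8s-auth and dex) |
+| connector_id | no | cluster | Dex connector ID to use by default omitting other available connectors |
+| issuer | yes | cluster | Dex issuer url |
+| redirect_uri | yes | cluster | Redirect uri called by dex (defines a callback on dex-k8s-auth) |
+| k8s_master_uri | no | cluster | Kubernetes api-server endpoint (used in kubeconfig) |
+| k8s_ca_uri | no | cluster | A url pointing to the CA for generating 'certificate-authority' option in kubeconfig |
+| k8s_ca_pem | no | cluster | The CA for your k8s server (used in generating instructions) |
+| k8s_ca_pem_base64_encoded | no | cluster | The Base64 encoded CA for your k8s server (used in generating instructions) |
+| k8s_ca_pem_file | no | cluster | The CA file for your k8s server (used in generating instructions) |
+| scopes | no | cluster | A list OpenID scopes to request |
+| tls_cert | no | root | Path to TLS cert if SSL enabled |
+| tls_key | no | root | Path to TLS key if SSL enabled |
+| idp_ca_uri | no | root | A url pointing to the CA for generating 'idp-certificate-authority' in the kubeconfig |
+| idp_ca_pem | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig |
+| idp_ca_pem_file | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig - load from file |
+| trusted_root_ca | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime |
+| trusted_root_ca_file | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime - load from file |
+| listen | yes | root | The listen address/port |
+| web_path_prefix | no | root | A path-prefix to serve dex-k8s-auth at (defaults to '/') |
+| kubectl_version | no | root | A kubectl-version string that is used to provided a download path |
+| logo_uri | no | root | A url pointing to a logo image that is displayed in the header |
+| debug | no | root | Enable more debug by setting to true |
 
 ## Environment Variable Support
 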
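--- a/main.go
+++ b/main.go
@@ -5,6 +5,7 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
+"encoding/base64"
 "fmt"
 "io/ioutil"
 "log"
@@ -56,20 +57,21 @@ func (d debugTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 
 // Define each cluster
 type Cluster struct {
-Name string
-Namespace string
-Short_Description string
-Description string
-Issuer string
-Client_Secret string
-Client_ID string
-Connector_ID string
-K8s_Master_URI string
-K8s_Ca_URI string
-K8s_Ca_Pem string
-K8s_Ca_Pem_File string
-Static_Context_Name bool
-Scopes []string
+Name string
+Namespace string
+Short_Description string
+Description string
+Issuer string
+Client_Secret string
+Client_ID string
+Connector_ID string
+K8s_Master_URI string
+K8s_Ca_URI string
+K8s_Ca_Pem string
+K8s_Ca_Pem_File string
+K8s_Ca_Pem_Base64_Encoded string
+Static_Context_Name bool
+Scopes []string
 
 Verifier *oidc.IDTokenVerifier
 Provider *oidc.Provider
@@ -231,6 +233,15 @@ func start_app(config Config) {
 cluster.K8s_Ca_Pem = cast.ToString(content)
 }
 
+if cluster.K8s_Ca_Pem == "" && cluster.K8s_Ca_Pem_Base64_Encoded != "" {
+p, err := base64.StdEncoding.DecodeString(cluster.K8s_Ca_Pem_Base64_Encoded)
+if err != nil {
+log.Fatalf("Failed to base64 decode ca pem: %s", err.Error())
+}
+
+cluster.K8s_Ca_Pem = string(p)
+}
+
 cluster.Config = config
 
 base_redirect_uri, err := url.Parse(cluster.Redirect_URI)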
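Review bot: The decoded bytes in the new branch of start_app are copied into cluster.K8s_Ca_Pem with `cluster.K8s_Ca_Pem = string(p)` without checking that they are a PEM certificate, so a value that is valid base64 but not a CA (a PEM that was base64-encoded twice, or a raw DER blob) is accepted at startup and only fails, with a less pointed message, wherever the kubeconfig or TLS configuration later consumes the string. The file-based path just above does the same (`cast.ToString(content)`), so this may be deliberate, but a cheap guard right after the decode would surface a misconfiguration at startup: `if block, _ := pem.Decode(p); block == nil || block.Type != "CERTIFICATE" { log.Fatalf("k8s_ca_pem_base64_encoded did not decode to a PEM certificate") }` (needs `encoding/pem` added to the import block). It would also help operators to log a warning when both k8s_ca_pem (or k8s_ca_pem_file) and k8s_ca_pem_base64_encoded are set, because the `cluster.K8s_Ca_Pem == ""` guard silently ignores the base64 value in that case and the config docs do not mention the precedence. start_app begins and ends outside the hunk.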
