Merge pull request #909 from AirHelp/master

Dex on Kubernetes with RBAC authorization - documentation updated
This commit is contained in:
rithu leena john 2017-04-21 11:03:16 -07:00 committed by GitHub
commit 5c56fb76df

View File

@ -60,6 +60,7 @@ To run dex on Kubernetes perform the following steps:
2. Spin up a Kubernetes cluster with the appropriate flags and CA volume mount. 2. Spin up a Kubernetes cluster with the appropriate flags and CA volume mount.
3. Create a secret containing your [GitHub OAuth2 client credentials][github-oauth2]. 3. Create a secret containing your [GitHub OAuth2 client credentials][github-oauth2].
4. Deploy dex. 4. Deploy dex.
5. Create and assign 'dex' cluster role to dex service account (if RBAC authorization is used).
The TLS assets can be created using the following command: The TLS assets can be created using the following command:
@ -83,17 +84,19 @@ $ kubectl create secret \
--from-literal=client-secret=$GITHUB_CLIENT_SECRET --from-literal=client-secret=$GITHUB_CLIENT_SECRET
``` ```
Finally, create the dex deployment, configmap, and node port service. Create the dex deployment, configmap, and node port service.
``` ```
$ kubectl create -f dex.yaml $ kubectl create -f dex.yaml
``` ```
Assign cluster role to dex service account so it can create third party resources [Kubernetes third party resources](storage.md).
__Caveats:__ No health checking is configured because dex does its own TLS termination complicating the setup. This is a known issue and can be tracked [here][dex-healthz]. __Caveats:__ No health checking is configured because dex does its own TLS termination complicating the setup. This is a known issue and can be tracked [here][dex-healthz].
## Logging into the cluster ## Logging into the cluster
The `example-app` can be used to log into the cluster and get an ID Token. To build the app, you can run `make` in the root of the repo and it will build the `example-app` binary in the repo's `bin` directory. To build the `example-app` requires at least a 1.7 version of Go. The `example-app` can be used to log into the cluster and get an ID Token. To build the app, you can run `make` in the root of the repo and it will build the `example-app` binary in the repo's `bin` directory. To build the `example-app` requires at least a 1.7 version of Go.
``` ```
$ ./bin/example-app --issuer https://dex.example.com:32000 --issuer-root-ca examples/k8s/ssl/ca.pem $ ./bin/example-app --issuer https://dex.example.com:32000 --issuer-root-ca examples/k8s/ssl/ca.pem
@ -119,6 +122,6 @@ $ curl -H "Authorization: Bearer $token" -k https://( API server host ):443/api/
[coreos-baremetal]: https://github.com/coreos/coreos-baremetal/ [coreos-baremetal]: https://github.com/coreos/coreos-baremetal/
[dex-healthz]: https://github.com/coreos/dex/issues/682 [dex-healthz]: https://github.com/coreos/dex/issues/682
[github-oauth2]: https://github.com/settings/applications/new [github-oauth2]: https://github.com/settings/applications/new
[node-port]: http://kubernetes.io/docs/user-guide/services/#type-nodeport [node-port]: http://kubernetes.io/docs/user-guide/services/#type-nodeport
[coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes [coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes
[coreos-baremetal]: https://github.com/coreos/coreos-baremetal [coreos-baremetal]: https://github.com/coreos/coreos-baremetal