mirror of https://git.rancher.io/charts
101 lines
2.6 KiB
YAML
101 lines
2.6 KiB
YAML
{{- if .Values.dex.enabled -}}
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: Opaque
|
|
metadata:
|
|
annotations:
|
|
name: dex-config
|
|
namespace: {{ .Release.Namespace }}
|
|
stringData:
|
|
issuer: "https://auth.{{ .Values.global.domain }}"
|
|
endpoint: {{ printf "http://%s.%s.svc.cluster.local:5556" .Values.dex.fullnameOverride .Release.Namespace }}
|
|
config.yaml: |-
|
|
issuer: "https://auth.{{ .Values.global.domain }}"
|
|
storage:
|
|
type: kubernetes
|
|
config:
|
|
inCluster: true
|
|
enablePasswordDB: true
|
|
staticPasswords:
|
|
- email: "admin@epinio.io"
|
|
# bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
|
|
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
|
username: "admin"
|
|
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
|
|
- email: "epinio@epinio.io"
|
|
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
|
|
userID: "08a8684b-db88-4b73-90a9-3cd1661f5467"
|
|
|
|
staticClients:
|
|
- id: epinio-api
|
|
name: 'Epinio API'
|
|
public: true
|
|
# The 'Epinio API' lets the 'Epinio cli' issue ID tokens on its behalf.
|
|
# https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party
|
|
trustedPeers:
|
|
- epinio-cli
|
|
|
|
- id: epinio-cli
|
|
name: 'Epinio cli'
|
|
public: true
|
|
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: Opaque
|
|
metadata:
|
|
labels:
|
|
epinio.io/api-user-credentials: "true"
|
|
epinio.io/role: "admin"
|
|
name: {{ include "epinio-truncate" (print "user-" "admin@epinio.io") }}
|
|
namespace: {{ .Release.Namespace }}
|
|
stringData:
|
|
username: "admin@epinio.io"
|
|
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: dex
|
|
namespace: "{{ .Release.Namespace }}"
|
|
spec:
|
|
dnsNames:
|
|
- "auth.{{ .Values.global.domain }}"
|
|
issuerRef:
|
|
kind: ClusterIssuer
|
|
name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
|
|
secretName: dex-tls
|
|
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: dex
|
|
namespace: {{ .Release.Namespace }}
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
|
|
kubernetes.io/ingress.class: traefik
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
spec:
|
|
rules:
|
|
- host: "auth.{{ .Values.global.domain }}"
|
|
http:
|
|
paths:
|
|
- backend:
|
|
service:
|
|
name: dex
|
|
port:
|
|
number: 5556
|
|
path: /
|
|
pathType: Prefix
|
|
tls:
|
|
- hosts:
|
|
- "auth.{{ .Values.global.domain }}"
|
|
secretName: dex-tls
|
|
|
|
{{- end }}
|