
OIDC via Dex

Alessandro Cabbia edited this page Jul 23, 2024 · 2 revisions

To set up the whole dev environment without relying on external components, we can use Dex as the OIDC provider, as was done in the iam-bundle.

To get this up and running we need to deploy the following manifests and then patch them to match our networking.

```yaml
# Taken from https://github.com/dexidp/dex/blob/master/examples/k8s/dex.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: dex
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      containers:
      - image: ghcr.io/dexidp/dex:v2.32.0
        name: dex
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]

        ports:
        - name: http
          containerPort: 5556

        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg

        readinessProbe:
          httpGet:
            path: /healthz
            port: 5556
            scheme: HTTP
      volumes:
      - name: config
        configMap:
          name: dex
          items:
          - key: config.yaml
            path: config.yaml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
data:
  config.yaml: |
    issuer: "http://10.64.140.0:5556"
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    oauth2:
      skipApprovalScreen: true

    staticClients:
    - id: "08a8684b-db88-4b73-90a9-3cd1661f5466"
      redirectURIs:
      - 'http://localhost:8000/api/v0/auth/callback'
      name: 'Admin Service'
      secret: "ZXhhbXBsZS1hcHAtc2VjcmV0"
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@example.com"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
---
apiVersion: v1
kind: Service
metadata:
  name: dex
spec:
  type: LoadBalancer
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
  selector:
    app: dex
```

Dex uses a k8s Service of type LoadBalancer; combined with metallb, this makes sure it gets assigned an IP that is reachable both from the internal k8s network and from your host machine (see the metallb docs for more information).


Once we have the IP assigned we need to:

  • change the issuer in the dex configmap so that it carries the assigned IP:

```yaml
data:
  config.yaml: |
    issuer: "http://<IP assigned>:5556"
```

  • change the admin service configmap so that it points at the same client and issuer:

```yaml
data:
  OAUTH2_CLIENT_ID: 08a8684b-db88-4b73-90a9-3cd1661f5466 # value defined in the dex config
  OAUTH2_CLIENT_SECRET: ZXhhbXBsZS1hcHAtc2VjcmV0 # value defined in the dex config
  OIDC_ISSUER: "http://<IP assigned>:5556"
```

Restart both the admin service and the dex pods, then proceed with the usual UI login. The credentials to use are those defined in the dex configmap under the config.staticPasswords section, i.e. the email admin@example.com with the password "password":

```yaml
    staticPasswords:
    - email: "admin@example.com"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
```
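As an added example (not from this wiki or the project), the following POSIX shell script automates the patch-and-restart steps above once metallb has assigned the IP, and then checks that the issuer Dex advertises on its discovery endpoint is byte-for-byte the value written into the admin service configmap. The namespaces and the admin service configmap/deployment name are assumptions, set through environment variables (the manifests above create namespace dex but do not set metadata.namespace on the objects, so DEX_NS must match wherever you applied them); the client id and secret are the values from the dex config above, which are the upstream Dex example values.

```shell
#!/bin/sh
# Added example, not part of the wiki: wires the metallb-assigned IP into both
# configmaps and restarts the pods. Assumptions (the wiki does not name these):
# dex objects live in $DEX_NS; the admin service configmap and deployment share
# the name $ADMIN_CM in $ADMIN_NS.
DEX_NS="${DEX_NS:-dex}"
ADMIN_NS="${ADMIN_NS:-default}"
ADMIN_CM="${ADMIN_CM:-admin-service}"
DEX_PORT=5556
# Client values from the dex configmap above (the upstream Dex example values).
DEX_CLIENT_ID="08a8684b-db88-4b73-90a9-3cd1661f5466"
DEX_CLIENT_SECRET="ZXhhbXBsZS1hcHAtc2VjcmV0"

# The issuer Dex advertises. The admin service's OIDC_ISSUER must be identical
# (scheme, host, port, no trailing slash) or OIDC discovery validation fails.
dex_issuer_url() {
  printf 'http://%s:%s' "$1" "$DEX_PORT"
}

# Rewrite the issuer line of Dex's config.yaml (stdin -> stdout), leaving the
# rest of the file untouched. Pure text transform, so it can be tested offline.
patch_dex_config() {
  sed "s|^\([[:space:]]*issuer:\).*|\1 \"$(dex_issuer_url "$1")\"|"
}

# JSON merge patch for the admin service configmap: the same client id/secret
# as staticClients in the dex config plus the matching issuer.
admin_cm_patch() {
  printf '{"data":{"OAUTH2_CLIENT_ID":"%s","OAUTH2_CLIENT_SECRET":"%s","OIDC_ISSUER":"%s"}}' \
    "$DEX_CLIENT_ID" "$DEX_CLIENT_SECRET" "$(dex_issuer_url "$1")"
}

# Block until metallb has assigned an external IP to the dex Service.
wait_for_dex_ip() {
  ip=""
  while [ -z "$ip" ]; do
    ip=$(kubectl -n "$DEX_NS" get svc dex -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    [ -n "$ip" ] || sleep 2
  done
  printf '%s' "$ip"
}

# After the restart, confirm Dex really serves the issuer we configured.
check_dex_discovery() {
  advertised=$(curl -fsS "$1/.well-known/openid-configuration" \
    | sed -n 's/.*"issuer":[[:space:]]*"\([^"]*\)".*/\1/p')
  [ "$advertised" = "$1" ]
}

wire_dex() {
  ip=$(wait_for_dex_ip)
  issuer=$(dex_issuer_url "$ip")
  # Pull the current config.yaml, rewrite the issuer, and re-apply the configmap.
  kubectl -n "$DEX_NS" get cm dex -o jsonpath='{.data.config\.yaml}' \
    | patch_dex_config "$ip" > /tmp/dex-config.yaml
  kubectl -n "$DEX_NS" create cm dex --from-file=config.yaml=/tmp/dex-config.yaml \
    --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n "$ADMIN_NS" patch cm "$ADMIN_CM" --type merge -p "$(admin_cm_patch "$ip")"
  kubectl -n "$DEX_NS" rollout restart deployment/dex
  kubectl -n "$ADMIN_NS" rollout restart "deployment/$ADMIN_CM"
  kubectl -n "$DEX_NS" rollout status deployment/dex
  check_dex_discovery "$issuer" && echo "dex issuer OK: $issuer"
}

# Only touch the cluster when explicitly asked: ./wire-dex.sh apply
if [ "${1:-}" = "apply" ]; then
  wire_dex
fi
```

Run it with apply as the first argument; without it the script only defines the functions, so the pure helpers (dex_issuer_url, patch_dex_config, admin_cm_patch) can be exercised on their own. The final discovery comparison is the check worth keeping around: a mismatch between the issuer in Dex's config and the relying party's OIDC_ISSUER, even a trailing slash, is rejected by OIDC client libraries at discovery time and shows up as a failed login redirect.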

Because the new email admin@example.com is used as the authorization identifier, the OpenFGA seeding needs to include a new tuple granting that user the admin relation on the superuser object:

```yaml
- object: privileged:superuser
  user: user:admin@example.com
  relation: admin
```