OIDC via Dex
To set up the whole dev environment without relying on external components, we can use Dex as the OIDC provider, as we did in the iam-bundle.
To get this up and running we need to deploy the following manifests and then patch them according to our networking:

```yaml
# Taken from https://github.com/dexidp/dex/blob/master/examples/k8s/dex.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: dex
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      containers:
      - image: ghcr.io/dexidp/dex:v2.32.0
        name: dex
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
        ports:
        - name: http
          containerPort: 5556
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
        readinessProbe:
          httpGet:
            path: /healthz
            port: 5556
            scheme: HTTP
      volumes:
      - name: config
        configMap:
          name: dex
          items:
          - key: config.yaml
            path: config.yaml
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
data:
  config.yaml: |
    issuer: "http://10.64.140.0:5556"
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      http: 0.0.0.0:5556
    oauth2:
      skipApprovalScreen: true
    staticClients:
    - id: "08a8684b-db88-4b73-90a9-3cd1661f5466"
      redirectURIs:
      - 'http://localhost:8000/api/v0/auth/callback'
      name: 'Admin Service'
      secret: "ZXhhbXBsZS1hcHAtc2VjcmV0"
    enablePasswordDB: true
    staticPasswords:
    - email: "[email protected]"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
---
apiVersion: v1
kind: Service
metadata:
  name: dex
spec:
  type: LoadBalancer
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
  selector:
    app: dex
```
Dex uses a k8s Service of type LoadBalancer; combined with MetalLB, this ensures it gets assigned an IP that is reachable both from the internal k8s network and from your host machine (see the MetalLB docs for more information).

Once the IP has been assigned we need to:
- change the following in the dex ConfigMap:

```yaml
data:
  config.yaml: |
    issuer: "http://<IP assigned>:5556"
```

- change the admin service ConfigMap:

```yaml
data:
  OAUTH2_CLIENT_ID: 08a8684b-db88-4b73-90a9-3cd1661f5466 # value defined in the dex config
  OAUTH2_CLIENT_SECRET: ZXhhbXBsZS1hcHAtc2VjcmV0 # value defined in the dex config
  OIDC_ISSUER: "http://<IP assigned>:5556"
```

- restart both the admin service and dex pods, then proceed with the usual process of using the UI.

The login credentials to use are those defined in the dex ConfigMap under the config.staticPasswords section:

```yaml
    staticPasswords:
    - email: "[email protected]"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
```

Because the new email [email protected] is used as the authorization identifier, the seeding for OpenFGA needs to include a new tuple:

```yaml
- object: privileged:superuser
  user: user:[email protected]
  relation: admin
```
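The patching steps above as an added shell script (not part of the original page): it reads the IP MetalLB assigned to the dex Service, rewrites the issuer in the Dex ConfigMap, sets OIDC_ISSUER for the admin service and restarts both Deployments. The admin service namespace, ConfigMap and Deployment names (ADMIN_NS, ADMIN_APP) are assumptions, and `kubectl` is only invoked when the script is run with the `apply` argument.

```shell
#!/usr/bin/env sh
# Added example, not part of the original page: once MetalLB has handed the dex Service
# its IP, rewrite the issuer in the Dex ConfigMap, point the admin service at the same
# issuer and restart both Deployments. Admin-side names below are assumptions.
set -eu
ADMIN_NS=${ADMIN_NS:-admin}            # hypothetical namespace of the admin service
ADMIN_APP=${ADMIN_APP:-admin-service}  # hypothetical ConfigMap and Deployment name
# Accept only a plain dotted-quad IPv4 address before templating it into YAML/JSON.
validate_ip() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -dc '.' | wc -c | tr -d ' ')" -eq 3 ] || return 1
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}
# Dex and the client must agree on this URL exactly: the client checks every ID token's
# "iss" claim against the issuer it was configured with, so a mismatch fails login.
issuer_url() { printf 'http://%s:5556' "$1"; }
# stdin: Dex config.yaml text, $1: IP; stdout: the same text with its issuer line replaced.
rewrite_issuer() {
  validate_ip "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
  sed "s|^\([[:space:]]*\)issuer: .*|\1issuer: \"$(issuer_url "$1")\"|"
}
# config.yaml is a single ConfigMap key, so the whole key is re-created from the new text.
patch_dex_configmap() {
  kubectl -n dex get configmap dex -o jsonpath='{.data.config\.yaml}' \
    | rewrite_issuer "$1" \
    | kubectl -n dex create configmap dex --from-file=config.yaml=/dev/stdin \
        --dry-run=client -o yaml \
    | kubectl -n dex apply -f -
}
# OAUTH2_CLIENT_ID and OAUTH2_CLIENT_SECRET are fixed in the Dex config; only the issuer moves.
patch_admin_configmap() {
  kubectl -n "$ADMIN_NS" patch configmap "$ADMIN_APP" --type merge \
    -p "{\"data\":{\"OIDC_ISSUER\":\"$(issuer_url "$1")\"}}"
}
main() {
  ip=$(kubectl -n dex get svc dex -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  validate_ip "$ip" || { echo "dex Service has no LoadBalancer IP yet" >&2; exit 1; }
  patch_dex_configmap "$ip"; patch_admin_configmap "$ip"
  kubectl -n dex rollout restart deployment dex
  kubectl -n "$ADMIN_NS" rollout restart deployment "$ADMIN_APP"
}
# Only touch the cluster when run as: sh dex-issuer.sh apply
if [ "${1:-}" = apply ]; then main; fi
```

Run without arguments the script only defines the functions, so `rewrite_issuer` can be tried against a local copy of config.yaml before anything is applied to the cluster.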