Skip to content

Latest commit

 

History

History
executable file
·
73 lines (62 loc) · 3.01 KB

hack_dex.md

File metadata and controls

executable file
·
73 lines (62 loc) · 3.01 KB
Raw

Hacks on Dex

This hack works on Openshift using openshift-install CLI tool with custom install config

You can skip certificate creation if you already have a valid certificate for your dex route.

ZeroSSL.com CA with acme.sh

In order to use DEX, you will need a valid trusted SSL certificat. If you are using openshift-install cli on aws you can use acme.sh

Clone acms.sh repository:

git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh

Register your account:

./acme.sh  --register-account  -m myemail@example.com --server zerossl

Create certificates for your current instance:

export API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key) AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id) ./acme.sh  --issue   --dns dns_aws -d ${API} -d *.${WILDCARD}

You will get a list of certificates with path at the end of this bash. Replace /path/to/fullchain.cer and /path/to/api.key in the next commands.

Update ingress default certificate:

oc create secret tls router-certs --cert=/path/to/fullchain.cer --key=/path/to/api.key -n openshift-ingress
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" } } }'

Update api certificate:

oc create secret tls api-certs --cert=/path/to/fullchain.cer --key=/path/to/api.key -n openshift-config
oc patch apiserver cluster \
     --type=merge -p \
     "{\"spec\":{\"servingCerts\": {\"namedCertificates\": [{\"names\": [\"${API}\"], \"servingCertificate\": {\"name\": \"api-certs\"}}]}}}"

Create dex instance

Replace all <MY_CLUSTER_URL> occurences in examples/dex.yaml.

By default, routes will use your API cert for reencrypt. You can change them by adding the following options in the tls sections if needed:

    certificate: |-
      -----BEGIN CERTIFICATE-----
      <MY_TRUSTED_CA_CERT>
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN ENCRYPTED PRIVATE KEY-----
      <MY_TRUSTED_CA_KEY>
      -----END ENCRYPTED PRIVATE KEY-----
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      <MY_CA_CERT>
      -----END CERTIFICATE-----

Create dex instance in openshift-logging namespace:

oc create namespace openshift-logging
oc apply -f examples/dex.yaml

Check openid-configuration and certificate at your DEX route URL: https://dex-openshift-logging.apps.<MY_CLUSTER_URL>/dex/.well-known/openid-configuration

You will now be able to login as dex users using the following credentials:

  • admin@example.com:password
  • foo@example.com:password