Commit 57aa3256 authored by Filip

Updated documentation for dex on k8s when RBAC authorization is used

parent e609de50
...@@ -60,6 +60,7 @@ To run dex on Kubernetes perform the following steps: ...@@ -60,6 +60,7 @@ To run dex on Kubernetes perform the following steps:
2. Spin up a Kubernetes cluster with the appropriate flags and CA volume mount. 2. Spin up a Kubernetes cluster with the appropriate flags and CA volume mount.
3. Create a secret containing your [GitHub OAuth2 client credentials][github-oauth2]. 3. Create a secret containing your [GitHub OAuth2 client credentials][github-oauth2].
4. Deploy dex. 4. Deploy dex.
5. Create and assign 'dex' cluster role to dex service account (if RBAC authorization is used).
The TLS assets can be created using the following command: The TLS assets can be created using the following command:
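Review bot: The new step 5 is listed after "4. Deploy dex", so a reader who follows the list in order on an RBAC-enabled cluster deploys dex before its service account has the role. If dex needs the role when it starts, move the step ahead of the deploy step or say so in the wording. The step also names a 'dex' cluster role without saying where it is defined; point to the manifest or section that contains it.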
...@@ -83,17 +84,19 @@ $ kubectl create secret \ ...@@ -83,17 +84,19 @@ $ kubectl create secret \
--from-literal=client-secret=$GITHUB_CLIENT_SECRET --from-literal=client-secret=$GITHUB_CLIENT_SECRET
``` ```
Finally, create the dex deployment, configmap, and node port service. Create the dex deployment, configmap, and node port service.
``` ```
$ kubectl create -f dex.yaml $ kubectl create -f dex.yaml
``` ```
Assign cluster role to dex service account so it can create third party resources [Kubernetes third party resources](storage.md).
__Caveats:__ No health checking is configured because dex does its own TLS termination complicating the setup. This is a known issue and can be tracked [here][dex-healthz]. __Caveats:__ No health checking is configured because dex does its own TLS termination complicating the setup. This is a known issue and can be tracked [here][dex-healthz].
## Logging into the cluster ## Logging into the cluster
The `example-app` can be used to log into the cluster and get an ID Token. To build the app, you can run `make` in the root of the repo and it will build the `example-app` binary in the repo's `bin` directory. To build the `example-app` requires at least a 1.7 version of Go. The `example-app` can be used to log into the cluster and get an ID Token. To build the app, you can run `make` in the root of the repo and it will build the `example-app` binary in the repo's `bin` directory. To build the `example-app` requires at least a 1.7 version of Go.
``` ```
$ ./bin/example-app --issuer https://dex.example.com:32000 --issuer-root-ca examples/k8s/ssl/ca.pem $ ./bin/example-app --issuer https://dex.example.com:32000 --issuer-root-ca examples/k8s/ssl/ca.pem
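Review bot: The added sentence "Assign cluster role to dex service account so it can create third party resources ..." gives no command or manifest, while the neighbouring steps each show their `kubectl` invocation. Add the ClusterRole and ClusterRoleBinding (or the `kubectl` commands that create them) and list the rules the role carries, so that readers grant only what the sentence describes, creating third party resources, instead of binding a broader existing role. The link text is also doubled ("third party resources [Kubernetes third party resources](storage.md)"); make the phrase itself the link.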
...@@ -119,6 +122,6 @@ $ curl -H "Authorization: Bearer $token" -k https://( API server host ):443/api/ ...@@ -119,6 +122,6 @@ $ curl -H "Authorization: Bearer $token" -k https://( API server host ):443/api/
[coreos-baremetal]: https://github.com/coreos/coreos-baremetal/ [coreos-baremetal]: https://github.com/coreos/coreos-baremetal/
[dex-healthz]: https://github.com/coreos/dex/issues/682 [dex-healthz]: https://github.com/coreos/dex/issues/682
[github-oauth2]: https://github.com/settings/applications/new [github-oauth2]: https://github.com/settings/applications/new
[node-port]: http://kubernetes.io/docs/user-guide/services/#type-nodeport [node-port]: http://kubernetes.io/docs/user-guide/services/#type-nodeport
[coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes [coreos-kubernetes]: https://github.com/coreos/coreos-kubernetes
[coreos-baremetal]: https://github.com/coreos/coreos-baremetal [coreos-baremetal]: https://github.com/coreos/coreos-baremetal
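Review bot: `[coreos-baremetal]` is defined twice in this reference block, once with a trailing slash and once without. A duplicated reference label leaves it to the renderer which definition wins, so drop one of the two while these lines are being touched.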