Revisions
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 3 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -93,3 +93,6 @@ cluster/kubectl.sh get pods Note: If you run into `Error from server: error when creating "examples/pod": Pod "nginx" is forbidden: service account default/default was not found, retry after the service account is created`, please just disable the admission control for the apiserver, which is done by removing `--admission-control="${ADMISSION_CONTROL}` in `local-up-cluster.sh` #TODO: Add simple examples that uses authorization as well. Disable apiserver's normal http connection. -
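Review bot: the new TODO line `Disable apiserver's normal http connection.` names the gap that matters most for this setup and should not stay a TODO: as long as kube-apiserver still serves its insecure HTTP port, requests to that port are not authenticated at all, so the OIDC authenticator only guards what arrives on `--secure-port=8001`. State that next to the flag list, otherwise a reader who follows the steps will believe the whole cluster now requires a token. The other added line, `#TODO: Add simple examples that uses authorization as well.`, should read `that use`, and both items would be easier to find as a `# TODO` section than as `#`-prefixed lines appended to the Note paragraph.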
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 4 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -58,10 +58,12 @@ hack/local-up-cluster.sh Set cluster config in kube config: ```shell cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 --certificate-authority=PATH_TO_CA_FILE cluster/kubectl.sh config set-context local --cluster=local --user=cluster-tester cluster/kubectl.sh config use-context local ``` Note that the `--user` in `set-context` can be differnt from `[email protected]`. The kube-apiserver will authenticate and get the real user name(`[email protected]`) from the returned ID token. #Get token Next, we need to get some token so that the api server can authenticate us as `[email protected]`, we will use the `example-app` in dex to do this: ```shell @@ -77,7 +79,7 @@ Then goto http://127.0.0.1:5555 and login as `email: [email protected], passwd Next save that token in kubeconfig: ```shell cluster/kubectl.sh config set-credentials cluster-tester --token=$TOKEN ``` #Ready to go! -
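Review bot: the added note is the important point of this revision and should be stated in authorization terms: `--user=cluster-tester` in `set-context` is only a local kubeconfig label, and the identity kube-apiserver acts on is the `email` claim it extracts from the ID token, so any authorization rule must name the email address from the token, never `cluster-tester`. Two wording fixes in the same lines: `differnt` should be `different`, and `user name(` needs a space before the parenthesis. The new `#Get token` heading should be `# Get token` to match `# Create CA cert/key files` above.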
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ # Create CA cert/key files In order to enable oidc authenticator in `kube-apiserver`, we need to have TLS enabled between `kubectl` and `kube-apiserver`, as well as between `kube-apiserver` and OpenID Provider(`dex-worker` here) @@ -66,7 +66,7 @@ cluster/kubectl.sh config use-context local Next, we need to get some token so that the api server can authenticate us as `[email protected]`, we will use the `example-app` in dex to do this: ```shell ./bin/example-app \ --trusted-ca-file=examples/tls-setup/dex-certs/ca.pem \ --client-id="XXX" \ --client-secret="secrete" \ --redirect-url="http://127.0.0.1:5555/callback" \ -
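Review bot: the rename to `--trusted-ca-file=examples/tls-setup/dex-certs/ca.pem` should come with one sentence on what the file does: it is the CA that issued `dex.pem`, used by example-app to verify dex-worker's certificate when it talks to `--discovery`, and it is the same CA kube-apiserver needs in `--oidc-ca-file`. The unchanged `--client-id="XXX"` and `--client-secret="secrete"` are fixture values from `./static/fixtures/clients.json`; the text should say that this client ID must equal kube-apiserver's `--oidc-client-id`, since that is the audience the apiserver checks in the ID token, and that these fixture credentials are for the local test only.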
yifan-gu revised this gist
Aug 31, 2015. No changes.
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 7 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -42,13 +42,13 @@ Start dex-worker we will use the `hack/local-up-cluster.sh` to launch the cluster. But we need to add following flags to the `kube-apiserver`: `--secure-port=8001` This will enable tls connection between kube-apiserver and kubectl <br/> `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE` Path to the tls cert file <br/> `--tls-private-key-file=PATH_TO_APISERVER_KEY_FILE` Path to the tls key file <br/> `--oidc-issuer-url=https://127.0.0.1:5556` OIDC issuer's address, MUST use 'https' <br/> `--oidc-client-id=OIDC_CLIENT_ID` The client ID that is shared between kube-apiserver and example app below. kube-apiserver will use the client-id to verify the token's [audience](http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) <br/> `--oidc-ca-file=PATH_TO_DEX_CA_FILE` trusted CA file for verifying the certs from the OIDC provider <br/> `--oidc-username-claim="email"` This specify which claim in the response ID token that we want to use as the user's name <br/> Then we can launch the cluster: ```shell -
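Review bot: the explanation added for `--oidc-issuer-url=https://127.0.0.1:5556` should also say that the value must equal dex-worker's `--issuer` string exactly (scheme, host and port), because kube-apiserver compares it with the `iss` claim of the ID token and fetches the discovery document from it; an earlier revision used `https://localhost:5556` here, which would not match `--issuer="https://127.0.0.1:5556"`. Grammar in the last added line: `This specify which claim` should be `This specifies which claim`. The `<br/>` line endings remain; a bulleted list renders the same without raw HTML.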
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -27,8 +27,8 @@ mv certs apiserver-certs Start dex-worker ```shell ./bin/dex-worker \ --tls-cert-file=examples/tls-setup/dex-certs/dex.pem \ --tls-key-file=examples/tls-setup/dex-certs/dex-key.pem \ --listen="https://127.0.0.1:5556" \ --issuer="https://127.0.0.1:5556" \ --clients=./static/fixtures/clients.json \ -
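Review bot: with dex-worker now taking `--tls-cert-file=examples/tls-setup/dex-certs/dex.pem`, the text should note that this certificate has to be valid for `127.0.0.1`, the host used in both `--listen` and `--issuer`, because kube-apiserver's discovery request and example-app's `--discovery` call verify it against `ca.pem`; a certificate issued for `localhost` only fails that check. The removed `--cert-file`/`--key-file` spelling also means the dex-worker command in the earlier revisions no longer works against the branch being built, which is worth a line for anyone following an old copy.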
yifan-gu revised this gist
Aug 31, 2015. 1 changed file with 5 additions and 8 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -7,13 +7,10 @@ For simplicity, we will use [cfssl](https://github.com/yifan-gu/dex/tree/ssl/exa # Start dex worker Checkout and build dex ```shell git clone [email protected]:coreos/dex.git cd dex ./build ``` @@ -22,12 +19,12 @@ Create certs cd examples/tls-setup make mv certs dex-certs (edit the req-csr.json, change the 'CN' to kube-apiserver) make (or you can run commands manually to sign the certs for the kube-apiserver using the previously generated CA file) mv certs apiserver-certs ``` Start dex-worker ```shell ./bin/dex-worker \ --cert-file=examples/tls-setup/dex-certs/dex.pem \ -
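Review bot: the two parenthetical lines added inside the shell fence, `(edit the req-csr.json, change the 'CN' to kube-apiserver)` and `(or you can run commands manually ...)`, are executed as subshells if the block is pasted; prefix them with `#` or move them out of the fence. The more important gap: unless the Makefile reuses the CA from the first run, the second `make` produces a new CA, so `apiserver-certs/ca.pem` and `dex-certs/ca.pem` are different CAs. That is workable as long as `--oidc-ca-file` points at the dex one and kubectl's `--certificate-authority` at the apiserver one, but the text should say which file goes where.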
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 6 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,7 +41,9 @@ Start dex-worker (as a reminder, check the users.json.sample, make sure it has e --no-db ``` #Start k8s cluster we will use the `hack/local-up-cluster.sh` to launch the cluster. But we need to add following flags to the `kube-apiserver`: `--secure-port=8001` <br/> `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE` <br/> @@ -63,6 +65,7 @@ cluster/kubectl.sh config set-context local --cluster=local --user=elroy77@examp cluster/kubectl.sh config use-context local ``` #Get token Next, we need to get some token so that the api server can authenticate us as `[email protected]`, we will use the `example-app` in dex to do this: ```shell ./bin/example-app \ @@ -80,6 +83,8 @@ Next save that token in kubeconfig: cluster/kubectl.sh config set-credentials [email protected] --token=$TOKEN ``` #Ready to go! Congratulations! You should be able to be authenticated and launch pod now! ```shell cluster/kubectl.sh create -f examples/pod -
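Review bot: the three new headings `#Start k8s cluster`, `#Get token` and `#Ready to go!` lack the space after `#` that `# Start dex worker` uses; write them as `# Start k8s cluster` and so on so every renderer treats them as headings. In the first hunk, `we will use the ...` now opens a paragraph and should be capitalized, and `add following flags` reads better as `add the following flags`.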
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -27,7 +27,7 @@ make mv certs apiserver-certs ``` Start dex-worker (as a reminder, check the users.json.sample, make sure it has email fields) ```shell ./bin/dex-worker \ --cert-file=examples/tls-setup/dex-certs/dex.pem \ -
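Review bot: the reminder `check the users.json.sample, make sure it has email fields` should say why it matters: kube-apiserver is started with `--oidc-username-claim="email"`, so a dex user without an email produces an ID token with no usable username claim and that user cannot authenticate. It is also worth stating that `users.json.sample` is a test fixture whose credentials are public, so it belongs only in this local setup.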
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 2 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -86,4 +86,6 @@ cluster/kubectl.sh create -f examples/pod cluster/kubectl.sh get pods ``` Note: If you run into `Error from server: error when creating "examples/pod": Pod "nginx" is forbidden: service account default/default was not found, retry after the service account is created`, please just disable the admission control for the apiserver, which is done by removing `--admission-control="${ADMISSION_CONTROL}` in `local-up-cluster.sh` -
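Review bot: the workaround in the added note disables all admission control, which is broader than the error requires: `service account default/default was not found` comes from the ServiceAccount admission plugin, so removing only `ServiceAccount` from the `ADMISSION_CONTROL` list in `local-up-cluster.sh` (or retrying once the controller has created the default service account, as the message itself suggests) keeps the remaining plugins active. Also, the quoted flag `--admission-control="${ADMISSION_CONTROL}` is missing its closing double quote.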
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -58,7 +58,7 @@ hack/local-up-cluster.sh Set cluster config in kube config: ```shell cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 --certificate-authority=PATH_TO_CA_FILE cluster/kubectl.sh config set-context local --cluster=local [email protected] cluster/kubectl.sh config use-context local ``` @@ -77,7 +77,7 @@ Then goto http://127.0.0.1:5555 and login as `email: [email protected], passwd Next save that token in kubeconfig: ```shell cluster/kubectl.sh config set-credentials [email protected] --token=$TOKEN ``` Congratulations! You should be able to be authenticated and launch pod now! -
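Review bot: adding `--certificate-authority=PATH_TO_CA_FILE` to `set-cluster` is the right fix, since without it kubectl cannot verify the apiserver certificate at `https://127.0.0.1:8001`; the text should name the file (the CA that issued the certificate passed to `--tls-cert-file`, i.e. the one under `apiserver-certs`, not the dex CA if the two differ) so that nobody reaches for `--insecure-skip-tls-verify` instead, which would undo the point of the TLS setup.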
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 26 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -59,7 +59,31 @@ hack/local-up-cluster.sh Set cluster config in kube config: ```shell cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 cluster/kubectl.sh config set-context local --cluster=local --user[email protected] cluster/kubectl.sh config use-context local ``` Next, we need to get some token so that the api server can authenticate us as `[email protected]`, we will use the `example-app` in dex to do this: ```shell ./bin/example-app \ --ca-file=examples/tls-setup/dex-certs/ca.pem \ --client-id="XXX" \ --client-secret="secrete" \ --redirect-url="http://127.0.0.1:5555/callback" \ --discovery="https://127.0.0.1:5556" \ --listen="http://127.0.0.1:5555" ``` Then goto http://127.0.0.1:5555 and login as `email: [email protected], passwd: bones`. You should get an token returned. Next save that token in kubeconfig: ```shell cluster/kubectl.sh config set-credentials [email protected] --token=$TOKEN ``` Congratulations! You should be able to be authenticated and launch pod now! ```shell cluster/kubectl.sh create -f examples/pod cluster/kubectl.sh get pods ``` -
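Review bot: `cluster/kubectl.sh config set-credentials ... --token=$TOKEN` uses a `$TOKEN` variable that is never assigned in the added lines; the sentence before it should say to export the ID token shown by example-app as `TOKEN`, and `an token` should be `a token`. Two further points the text should carry: the stored value is an ID token with an expiry, so the credential stops working when it expires and the login step has to be repeated; and `--redirect-url="http://127.0.0.1:5555/callback"` with `--listen="http://127.0.0.1:5555"` is plain HTTP, acceptable here only because example-app is bound to loopback for a local test.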
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -59,6 +59,7 @@ hack/local-up-cluster.sh Set cluster config in kube config: ```shell cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 cluster/kubectl.sh config set-context local --cluster=local [email protected] cluster/kubectl.sh config use-context local cluster/kubectl.sh config ``` -
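Review bot: the new last line `cluster/kubectl.sh config` has no subcommand and only prints usage; it looks like a leftover and should be removed. The `set-context` line now names a user for the context, but no credentials exist for that user at this point in the document, so a sentence pointing forward to where the token is stored would help the reader.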
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 15 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -42,10 +42,23 @@ Start dex-worker ``` Start k8s cluster, we will use the `hack/local-up-cluster.sh` to launch the cluster. But we need to add following flags to the `kube-apiserver`: `--secure-port=8001` <br/> `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE` <br/> `--tls-private-key-file=PATH_TO_APISERVER_KEY_FILE` <br/> `--oidc-issuer-url=OPENID_ISSER_ADDRESS` <br/> `--oidc-client-id=OIDC_CLIENT_ID` <br/> `--oidc-ca-file=PATH_TO_DEX_CA_FILE` <br/> `--oidc-username-claim="email"` <br/> Then we can launch the cluster: ```shell hack/local-up-cluster.sh ``` Set cluster config in kube config: ```shell cluster/kubectl.sh config set-cluster local --server=https://127.0.0.1:8001 cluster/kubectl.sh config set-context local --cluster=local cluster/kubectl.sh config use-context local ``` -
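Review bot: `--oidc-issuer-url=OPENID_ISSER_ADDRESS` has a typo (`ISSUER`), and since the value is now a placeholder the text should say it must be the exact `--issuer` string dex-worker was started with, as the apiserver matches it against the token's `iss` claim. The new `set-context local --cluster=local` carries no `--user`, so this context sends no credentials and nothing in this revision exercises the OIDC path yet.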
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 6 additions and 6 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -42,10 +42,10 @@ Start dex-worker ``` Start k8s cluster, we will use the `hack/local-up-cluster.sh` to launch the cluster. But we need to add following flags to the `kube-apiserver`: `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE` <br/> `--tls-private-key-file=PATH_TO_APISERVER_KEY_FILE` <br/> `--oidc-issuer-url="https://localhost:5556"` <br/> `--oidc-client-id="XXX"` <br/> `--oidc-ca-file=PATH_TO_DEX_CA_FILE` <br/> `--oidc-username-claim="email"` <br/> -
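Review bot: the `<br/>` endings added to each flag line are raw HTML used as a line-break workaround; a markdown list with one flag per item renders the same, is easier to edit, and leaves room for the per-flag explanation these lines are missing.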
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 36 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -6,10 +6,46 @@ we need to have TLS enabled between `kubectl` and `kube-apiserver`, as well as b For simplicity, we will use [cfssl](https://github.com/yifan-gu/dex/tree/ssl/examples/tls-setup) to create the bundles. # Start dex worker Checkout and build from the ssl branch, (which should be merged soon) ```shell git clone [email protected]:yifan-gu/dex.git cd dex git checkout -b ssl git pull origin ssl ./build ``` Create certs ```shell cd examples/tls-setup make mv certs dex-certs (edit the config maybe) make mv certs apiserver-certs ``` Start dex-worker ```shell ./bin/dex-worker \ --cert-file=examples/tls-setup/dex-certs/dex.pem \ --key-file=examples/tls-setup/dex-certs/dex-key.pem \ --listen="https://127.0.0.1:5556" \ --issuer="https://127.0.0.1:5556" \ --clients=./static/fixtures/clients.json \ --connectors=./static/fixtures/connectors.json.sample \ --email-cfg=./static/fixtures/emailer.json.sample \ --users=./static/fixtures/users.json.sample \ --no-db ``` Start k8s cluster, we will use the `hack/local-up-cluster.sh` to launch the cluster. But we need to add following flags to the `kube-apiserver`: `--tls-cert-file=PATH_TO_APISERVER_CERT_FILE` `--tls-private-key-file=PATH_TO_APISERVER_KEY_FILE` `--oidc-issuer-url="https://localhost:5556"` `--oidc-client-id="XXX"` `--oidc-ca-file=PATH_TO_DEX_CA_FILE` `--oidc-username-claim="email"` -
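Review bot: `--oidc-issuer-url="https://localhost:5556"` in the apiserver flag list does not match the `--issuer="https://127.0.0.1:5556"` given to dex-worker a few lines above; kube-apiserver compares the issuer string with the ID token's `iss` claim exactly, so one of the two must change. Smaller points in the same hunk: `(edit the config maybe)` sits inside the shell fence and runs as a subshell if pasted, and the flag lines at the end have no separators, so markdown runs them into a single paragraph.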
yifan-gu revised this gist
Aug 29, 2015. 1 changed file with 11 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -2,3 +2,14 @@ In order to enable oidc authenticator in `kube-apiserver`, we need to have TLS enabled between `kubectl` and `kube-apiserver`, as well as between `kube-apiserver` and OpenID Provider(`dex-worker` here) For simplicity, we will use [cfssl](https://github.com/yifan-gu/dex/tree/ssl/examples/tls-setup) to create the bundles. # Start dex worker ```shell git clone [email protected]:yifan-gu/dex.git cd dex git checkout -b ssl git pull origin ssl ``` -
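Review bot: `git checkout -b ssl` creates a new local branch from whatever commit is currently checked out, and `git pull origin ssl` then merges the remote `ssl` branch into it; that works on a fresh clone but is not the same as tracking the remote branch. `git fetch origin ssl && git checkout ssl`, or `git checkout -b ssl origin/ssl`, states the intent directly. The shell block also stops before building; a reader needs the build step before `./bin/dex-worker` exists.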
yifan-gu created this gist
Aug 29, 2015.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,4 @@ # Create ca cert/key files In order to enable oidc authenticator in `kube-apiserver`, we need to have TLS enabled between `kubectl` and `kube-apiserver`, as well as between `kube-apiserver` and OpenID Provider(`dex-worker` here)
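Review bot: `OpenID Provider(`dex-worker` here)` needs a space before the parenthesis, `oidc authenticator` is better written `OIDC authenticator`, and the heading `# Create ca cert/key files` should read `CA`. The sentence would also benefit from saying why TLS is required on both legs: kube-apiserver fetches the provider's discovery document and signing keys from the issuer URL, so an unauthenticated channel there would let anyone who can intercept it supply the keys the apiserver trusts.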