Deploy dex on minikube (#1719)

* feat: configure Dex on minikube Signed-off-by: Anatolii Bazko <abazko@redhat.com>
che-incubator · Oct 8, 2021 · af390a5 · af390a5
1 parent dd013e2
commit af390a5
Show file tree

Hide file tree

Showing 32 changed files with 1,133 additions and 287 deletions.
diff --git a/package.json b/package.json
@@ -19,6 +19,7 @@
     "analytics-node": "^5.1.0",
     "ansi-colors": "4.1.1",
     "axios": "^0.21.1",
+    "bcrypt": "^5.0.1",
     "cli-ux": "^5.6.3",
     "command-exists": "^1.2.9",
     "countries-and-timezones": "^3.2.3",
@@ -52,6 +53,7 @@
     "@eclipse-che/api": "latest",
     "@oclif/dev-cli": "^1",
     "@oclif/test": "^1",
+    "@types/bcrypt": "^5.0.0",
     "@types/chai": "^4",
     "@types/command-exists": "^1.2.0",
     "@types/countries-and-timezones": "^3.2.3",
@@ -94,7 +96,7 @@
   "files": [
     "/bin",
     "/lib",
-    "/installers",
+    "/resources",
     "/npm-shrinkwrap.json",
     "/oclif.manifest.json",
     "/prepare-che-operator-templates.js"

diff --git a/installers/cert-manager.yml → resources/cert-manager.yml b/installers/cert-manager.yml → resources/cert-manager.yml
diff --git a/resources/dex/cluster-role-binding.yaml b/resources/dex/cluster-role-binding.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dex
+  labels:
+    app: dex
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dex
+subjects:
+- kind: ServiceAccount
+  name: dex
+  namespace: dex
diff --git a/resources/dex/cluster-role.yaml b/resources/dex/cluster-role.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dex
+  labels:
+    app: dex
+rules:
+- apiGroups: ["dex.coreos.com"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create"]
diff --git a/resources/dex/configmap.yaml b/resources/dex/configmap.yaml
@@ -0,0 +1,32 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+data:
+  config.yaml: |
+    issuer: https://dex.{{DOMAIN}}
+    storage:
+      type: kubernetes
+      config:
+        inCluster: true
+    web:
+      http: 0.0.0.0:5556
+
+    oauth2:
+      skipApprovalScreen: true
+
+    staticClients:
+    - id: {{CLIENT_ID}}
+      redirectURIs:
+      - 'https://che-{{NAMESPACE}}.{{DOMAIN}}/oauth2/callback'
+      name: 'Eclipse Che'
+      secret: {{CLIENT_SECRET}}
+    enablePasswordDB: true
+    staticPasswords:
+    - email: "che@eclipse.org"
+      hash: "{{DEX_PASSWORD_HASH}}"
+      username: "admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
diff --git a/resources/dex/deployment.yaml b/resources/dex/deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dex
+  template:
+    metadata:
+      labels:
+        app: dex
+    spec:
+      serviceAccountName: dex
+      containers:
+      - image: ghcr.io/dexidp/dex:v2.30.0
+        name: dex
+        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
+        ports:
+        - name: https
+          containerPort: 5556
+        volumeMounts:
+        - name: config
+          mountPath: /etc/dex/cfg
+        - name: tls
+          mountPath: /etc/dex/tls
+        env:
+        - name: KUBERNETES_POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+      volumes:
+      - name: config
+        configMap:
+          name: dex
+          items:
+          - key: config.yaml
+            path: config.yaml
+      - name: tls
+        secret:
+          secretName: dex.tls
diff --git a/resources/dex/ingress.yaml b/resources/dex/ingress.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  rules:
+  - host: dex.{{DOMAIN}}
+    http:
+      paths:
+      - backend:
+          service:
+            name: dex
+            port:
+              number: 5556
+        path: /
+        pathType: ImplementationSpecific
+  tls:
+  - hosts:
+    - dex.{{DOMAIN}}
+    secretName: dex.tls
+
diff --git a/resources/dex/namespace.yaml b/resources/dex/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dex
+  labels:
+    app: dex
+
diff --git a/resources/dex/service-account.yaml b/resources/dex/service-account.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+
diff --git a/resources/dex/service.yaml b/resources/dex/service.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dex
+  namespace: dex
+  labels:
+    app: dex
+spec:
+  ports:
+  - name: dex
+    port: 5556
+    protocol: TCP
+  selector:
+    app: dex
diff --git a/installers/prometheus-role-binding.yaml → resources/prometheus-role-binding.yaml b/installers/prometheus-role-binding.yaml → resources/prometheus-role-binding.yaml
diff --git a/installers/prometheus-role.yaml → resources/prometheus-role.yaml b/installers/prometheus-role.yaml → resources/prometheus-role.yaml
diff --git a/src/api/che.ts b/src/api/che.ts
@@ -14,7 +14,6 @@ import { che as chetypes } from '@eclipse-che/api'
 import { CoreV1Api, V1Pod, Watch } from '@kubernetes/client-node'
 import axios, { AxiosInstance } from 'axios'
 import * as cp from 'child_process'
-import { cli } from 'cli-ux'
 import * as commandExists from 'command-exists'
 import * as fs from 'fs-extra'
 import * as https from 'https'
@@ -25,7 +24,7 @@ import * as path from 'path'
 import * as rimraf from 'rimraf'
 import * as unzipper from 'unzipper'
 import { OpenShiftHelper } from '../api/openshift'
-import { CHE_ROOT_CA_SECRET_NAME, DEFAULT_CA_CERT_FILE_NAME, DEFAULT_CHE_OLM_PACKAGE_NAME, DEFAULT_OPENSHIFT_OPERATORS_NS_NAME, OPERATOR_TEMPLATE_DIR } from '../constants'
+import { CHE_ROOT_CA_SECRET_NAME, DEFAULT_CHE_OLM_PACKAGE_NAME, DEFAULT_OPENSHIFT_OPERATORS_NS_NAME, OPERATOR_TEMPLATE_DIR } from '../constants'
 import { base64Decode, downloadFile } from '../util'
 import { CheApiClient } from './che-api-client'
 import { Devfile } from './types/devfile'
@@ -186,27 +185,6 @@ export class CheHelper {
     throw new Error(`Secret "${CHE_ROOT_CA_SECRET_NAME}" has invalid format: "ca.crt" key not found in data.`)
   }
 
-  async saveCheCaCert(cheCaCert: string, destination?: string): Promise<string> {
-    const cheCaCertFile = this.getTargetFile(destination)
-    fs.writeFileSync(cheCaCertFile, cheCaCert)
-    return cheCaCertFile
-  }
-
-  /**
-   * Handles certificate target location and returns string which points to the target file.
-   */
-  private getTargetFile(destination: string | undefined): string {
-    if (!destination) {
-      return path.join(os.tmpdir(), DEFAULT_CA_CERT_FILE_NAME)
-    }
-
-    if (fs.existsSync(destination)) {
-      return fs.lstatSync(destination).isDirectory() ? path.join(destination, DEFAULT_CA_CERT_FILE_NAME) : destination
-    }
-
-    throw new Error(`Given path \'${destination}\' doesn't exist.`)
-  }
-
   /**
    * Retrieves Keycloak admin user credentials.
    * Works only with installers which use Che CR (operator, olm).
@@ -240,7 +218,7 @@ export class CheHelper {
   }
 
   async chePluginRegistryK8sURL(namespace = ''): Promise<string> {
-    if (await this.kube.ingressExist('plugin-registry', namespace)) {
+    if (await this.kube.isIngressExist('plugin-registry', namespace)) {
       const protocol = await this.kube.getIngressProtocol('plugin-registry', namespace)
       const hostname = await this.kube.getIngressHost('plugin-registry', namespace)
       return `${protocol}://${hostname}`
@@ -260,7 +238,7 @@ export class CheHelper {
   async cheK8sURL(namespace = ''): Promise<string> {
     const ingress_names = ['che', 'che-ingress']
     for (const ingress_name of ingress_names) {
-      if (await this.kube.ingressExist(ingress_name, namespace)) {
+      if (await this.kube.isIngressExist(ingress_name, namespace)) {
         const protocol = await this.kube.getIngressProtocol(ingress_name, namespace)
         const hostname = await this.kube.getIngressHost(ingress_name, namespace)
         return `${protocol}://${hostname}`
@@ -404,22 +382,6 @@ export class CheHelper {
       () => { })
   }
 
-  /**
-   * Wait until workspace is in 'Active` state.
-   */
-  async waitNamespaceActive(namespaceName: string, intervalMs = 500, timeoutMs = 60000) {
-    const iterations = timeoutMs / intervalMs
-    for (let index = 0; index < iterations; index++) {
-      const namespace = await this.kube.getNamespace(namespaceName)
-      if (namespace && namespace.status && namespace.status.phase && namespace.status.phase === 'Active') {
-        return
-      }
-      await cli.wait(intervalMs)
-    }
-
-    throw new Error(`ERR_TIMEOUT: ${namespaceName} is not 'Active'.`)
-  }
-
   /**
    * Indicates if pod matches given labels.
    */

diff --git a/src/api/context.ts b/src/api/context.ts
@@ -76,3 +76,16 @@ export namespace ChectlContext {
     return ctx
   }
 }
+
+export namespace OIDCContextKeys {
+  export const ISSUER_URL = 'oidc-issuer-url'
+  export const CLIENT_ID = 'oidc-client-id'
+  export const CA_FILE = 'oidc-ca-file'
+}
+
+export namespace DexContextKeys {
+  export const DEX_CA_CRT = 'dex-ca.crt'
+  export const DEX_USERNAME = 'dex-username'
+  export const DEX_PASSWORD = 'dex-password'
+  export const DEX_PASSWORD_HASH = 'dex-password-hash'
+}