build(deps): bump github.com/lib/pq from 1.10.4 to 1.10.9

.envrc

@@ -0,0 +1,6 @@
+if ! has nix_direnv_version || ! nix_direnv_version 1.5.0; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.5.0/direnvrc" "sha256-carKk9aUFHMuHt+IWh74hFj58nY4K3uywpZbwXX0BTI="
+fi
+use flake
+
+dotenv_if_exists

.github/dependabot.yml → .github/dependabot.yaml

@@ -8,6 +8,13 @@ updates:
     schedule:
       interval: "daily"
 
+  - package-ecosystem: "gomod"
+    directory: "/api/v2"
+    labels:
+      - "area/dependencies"
+    schedule:
+      interval: "daily"
+
   - package-ecosystem: "docker"
     directory: "/"
     labels:

.github/workflows/build.yml

@@ -0,0 +1,51 @@
+name: Build A Branch
+
+on:
+    workflow_run:
+        workflows: ['Run Tests']
+        branches: ['master']
+        types: [completed]
+
+    workflow_dispatch:
+        inputs:
+            img_tag:
+                description: Docker Image Tag
+            ref:
+                description: Revision or Branch to build
+                default: master
+            push_latest:
+                description: Set True if the build is for the latest version
+                type: boolean
+                required: false
+                default: false
+            platforms:
+                description: Platforms to build for
+                type: choice
+                default: linux/amd64,linux/arm64
+                options:
+                - linux/amd64,linux/arm64
+                - linux/amd64
+                - linux/arm64
+            rebuild:
+                description: Rebuild this image?
+                type: boolean
+                default: false
+
+jobs:
+    build-image:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            packages: write
+
+        steps:
+            - name: Build Image
+              uses: hathitrust/github_actions/build@v1.4.0
+              with:
+                image: ghcr.io/${{ github.repository }}-unstable
+                dockerfile: Dockerfile
+                img_tag: ${{ inputs.img_tag }}
+                tag: ${{ inputs.ref }}
+                push_latest: ${{ inputs.push_latest}}
+                registry_token: ${{ github.token }}
+                rebuild: ${{ inputs.rebuild }}

.github/workflows/tag-release.yml

@@ -0,0 +1,16 @@
+name: Docker Tag Latest Release
+
+on:
+  release:
+    types: [released]
+
+jobs:
+  tag-release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: hathitrust/github_actions/tag-release@v1
+        with:
+          registry_token: ${{ github.token }}
+          existing_tag: ghcr.io/${{ github.repository }}-unstable:${{ github.sha }}
+          image: ghcr.io/${{ github.repository }}
+          new_tag: ${{ github.event.release.tag_name }}

.github/workflows/ci.yaml → .github/workflows/tests.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Run Tests
 
 on:
   push:
@@ -35,6 +35,15 @@ jobs:
           - 3306
         options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5
 
+      mysql-ent:
+        image: mysql:5.7
+        env:
+          MYSQL_ROOT_PASSWORD: root
+          MYSQL_DATABASE: dex
+        ports:
+          - 3306
+        options: --health-cmd "mysql -proot -e \"show databases;\"" --health-interval 10s --health-timeout 5s --health-retries 5
+
       etcd:
         image: gcr.io/etcd-development/etcd:v3.5.0
         ports:
@@ -53,9 +62,9 @@ jobs:
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v1
         with:
-          go-version: 1.16
+          go-version: 1.17
 
       - name: Checkout code
         uses: actions/checkout@v2
@@ -69,35 +78,51 @@ jobs:
           version: v0.11.1
           node_image: kindest/node:v1.19.11@sha256:07db187ae84b4b7de440a73886f008cf903fcf5764ba8106a9fd5243d6f32729
 
+      - name: Download tool dependencies
+        run: make deps
+
       - name: Test
         run: make testall
         env:
+          DEX_FOO_USER_PASSWORD: $2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy
           DEX_MYSQL_DATABASE: dex
           DEX_MYSQL_USER: root
           DEX_MYSQL_PASSWORD: root
           DEX_MYSQL_HOST: 127.0.0.1
           DEX_MYSQL_PORT: ${{ job.services.mysql.ports[3306] }}
+
+          DEX_MYSQL_ENT_DATABASE: dex
+          DEX_MYSQL_ENT_USER: root
+          DEX_MYSQL_ENT_PASSWORD: root
+          DEX_MYSQL_ENT_HOST: 127.0.0.1
+          DEX_MYSQL_ENT_PORT: ${{ job.services.mysql-ent.ports[3306] }}
+
           DEX_POSTGRES_DATABASE: postgres
           DEX_POSTGRES_USER: postgres
           DEX_POSTGRES_PASSWORD: postgres
           DEX_POSTGRES_HOST: localhost
           DEX_POSTGRES_PORT: ${{ job.services.postgres.ports[5432] }}
+
           DEX_POSTGRES_ENT_DATABASE: postgres
           DEX_POSTGRES_ENT_USER: postgres
           DEX_POSTGRES_ENT_PASSWORD: postgres
           DEX_POSTGRES_ENT_HOST: localhost
           DEX_POSTGRES_ENT_PORT: ${{ job.services.postgres-ent.ports[5432] }}
+
           DEX_ETCD_ENDPOINTS: http://localhost:${{ job.services.etcd.ports[2379] }}
+
           DEX_LDAP_HOST: localhost
           DEX_LDAP_PORT: 389
           DEX_LDAP_TLS_PORT: 636
+
           DEX_KEYSTONE_URL: http://localhost:${{ job.services.keystone.ports[5000] }}
           DEX_KEYSTONE_ADMIN_URL: http://localhost:${{ job.services.keystone.ports[35357] }}
           DEX_KEYSTONE_ADMIN_USER: demo
           DEX_KEYSTONE_ADMIN_PASS: DEMO_PASS
+
           DEX_KUBERNETES_CONFIG_PATH: ~/.kube/config
 
-      - name: Lint
+      - name: Run linter
         run: make lint
 
       # Ensure proto generation doesn't depend on external packages.

.gitignore

@@ -1,3 +1,4 @@
+/.direnv/
 /.idea/
 /bin/
 /docker-compose.override.yaml

.golangci.yml

@@ -2,6 +2,13 @@ run:
     timeout: 2m
 
 linters-settings:
+    depguard:
+        list-type: blacklist
+        include-go-root: true
+        packages:
+            - io/ioutil
+        packages-with-error-message:
+            - io/ioutil: "The 'io/ioutil' package is deprecated. Use corresponding 'os' or 'io' functions instead."
     gci:
         local-prefixes: github.com/dexidp/dex
     goimports:
@@ -13,6 +20,7 @@ linters:
     enable:
         - bodyclose
         - deadcode
+        - depguard
         - dogsled
         - exhaustive
         - exportloopref
@@ -64,7 +72,6 @@ linters:
         # - scopelint
 
         # unused
-        # - depguard
         # - goheader
         # - gomodguard
 

ADOPTERS.md

@@ -12,3 +12,4 @@ This is a list of production adopters of Dex (in alphabetical order):
 - [Kyma](https://kyma-project.io) is using Dex to authenticate access to Kubernetes API server (even for managed Kubernetes like Google Kubernetes Engine or Azure Kubernetes Service) and for protecting web UI of [Kyma Console](https://github.com/kyma-project/console) and other UIs integrated in Kyma ([Grafana](https://github.com/grafana/grafana), [Loki](https://github.com/grafana/loki), and [Jaeger](https://github.com/jaegertracing/jaeger)). Kyma is an open-source project ([`github.com/kyma-project`](https://github.com/kyma-project/kyma)) designed natively on Kubernetes, that allows you to extend and customize your applications in a quick and modern way, using serverless computing or microservice architecture. 
 - [Pusher](https://pusher.com) uses Dex for authenticating users across their Kubernetes infrastructure (using Kubernetes OIDC support) in conjunction with the [OAuth2 Proxy](https://github.com/pusher/oauth2_proxy) for protecting web UIs.
 - [Pydio](https://pydio.com/) Pydio Cells is an open source sync & share platform written in Go. Cells is using Dex as an OIDC service for authentication and authorizations. Check out [Pydio Cells repository](https://github.com/pydio/cells) for more information and/or to contribute.
+- [sigstore](https://sigstore.dev) uses Dex for authentication in their public Fulcio instance, which is a certificate authority for code signing certificates bound to OIDC-based identities.