use ENV vars in config file #45

Closed
AlexMorreale opened this issue Jun 27, 2018 · 5 comments
@AlexMorreale

I'd love to be able to use ENV vars from a Kubernetes secret in the config file.
Right now we have to make the whole config a secret instead of a configmap.

I saw this in the change log:

Added envar substitutions. Can now generate a config based on values in the environment (useful for the client_secret).

Would this unreleased feature allow me to drop client_secret: <redacted> from my configmap and just use an ENV var to specify the client_secret?

Also love the tool. It makes it so much easier for our developers to gain kubectl access. Thanks for writing this tool!

@AlexMorreale
Author

Looks like the code in the PR for that change only happens when you don't specify a config file?

Correct me if I am wrong here.

@nabadger
Contributor

nabadger commented Jun 28, 2018

@AlexMorreale thanks for the feedback :)

The latest image should support this but there's a limitation in the Helm template at the moment as it doesn't let you pass in env to the podspec (I'll create an issue to track/add this as it's simple enough).

If you're rolling your own manifests, here's how you can do it.

dex-k8s-authenticator config:

listen: http://0.0.0.0:5555
debug: false
clusters:
- client_id: my-cluster
  client_secret: ${CLIENT_SECRET}
  description: minikube
  issuer: http://dex.minikube.test
  k8s_ca_uri: http://ca.example.com
  k8s_master_uri: http://my-cluster.example.com
  name: my-cluster
  redirect_uri: http://auth.minikube.test/callback/my-cluster

Kubernetes secret:

apiVersion: v1
data:
  client_secret: <base64 encoded secret>
kind: Secret
metadata:
  name: dex-auth-secrets
  namespace: default
type: Opaque

pod-spec:

  ...
  spec:
      containers:
      - args:
        - --config
        - config.yaml
        env:
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: client_secret
              name: dex-auth-secrets
...

So basically, just use ${SOME_VAR} in your configmap for any setting, and the application will perform a lookup at runtime to see if that value exists in your environ. If it does, it will use it; the environ can just be populated by k8s secrets.

@AlexMorreale
Author

AlexMorreale commented Jun 28, 2018

Luckily I am rolling my own manifests (gives us more flexibility and allows us to use traefik as our ingress in front of them).

I actually tried something exactly like this and I'm getting:

Failed to get token: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client","error_description":"Invalid client credentials."}

when I return from dex to dex-k8s-authenticator.

@AlexMorreale
Author

Nvm, I figured it out. It was a Kubernetes secret issue: when base64 encoding for env vars, the Kubernetes docs recommend echo -n over echo for piping into base64.

bad:

alex@omega :: ~/ezcater/ ➜  echo "alex-testing" | base64            
YWxleC10ZXN0aW5nCg==

good:

alex@omega :: ~/ezcater/ ➜  echo -n "alex-testing" | base64            
YWxleC10ZXN0aW5n

Really sorry for the hassle. Left the long comment to help others in the future.
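
A pre-apply check for the pitfall described in the comment above, as an added example that is not part of the original thread or the project's code: it decodes a Secret `data` value and flags a trailing newline or other trailing whitespace before the value reaches the pod as `CLIENT_SECRET`. The function names are hypothetical, the two sample values are the ones shown in the comment, and a `base64` that accepts `-d` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): catch whitespace baked into a
# base64-encoded Kubernetes Secret value before the manifest is applied.

# last_byte_hex B64 -> prints the final decoded byte as hex (e.g. "0a").
# The bytes are piped straight into od because $(...) would strip the very
# trailing newline we are looking for.
last_byte_hex() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# check_secret_b64 B64 -> 0 if clean, 1 if the decoded value ends in
# LF, CR, space or tab, 2 if the input does not decode as base64.
check_secret_b64() {
    if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
        echo "value is not valid base64" >&2
        return 2
    fi
    case "$(last_byte_hex "$1")" in
        0a|0d|20|09)
            echo "decoded secret ends in whitespace; re-encode without it" >&2
            return 1
            ;;
    esac
    return 0
}

# encode_secret VALUE -> base64 of exactly the bytes given.
# printf '%s' never appends a newline, unlike plain echo.
encode_secret() {
    printf '%s' "$1" | base64
}

# Demo on the two encodings from the comment above (constructed sample input).
for v in 'YWxleC10ZXN0aW5nCg==' 'YWxleC10ZXN0aW5n'; do
    if check_secret_b64 "$v" 2>/dev/null; then
        echo "$v: ok"
    else
        echo "$v: rejected"
    fi
done
```

Kubernetes also accepts the value unencoded under `stringData` in the Secret manifest, which removes the manual base64 step.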

@nabadger
Contributor

nabadger commented Jun 28, 2018

Yep, ran into the same thing when I was checking this earlier ;)
