Use in-cluster storage option for dex in embedded cluster

pkg/identity/deploy.go

@@ -13,6 +13,7 @@ import (
 	kotsadmtypes "github.com/replicatedhq/kots/pkg/kotsadm/types"
 	kotsadmversion "github.com/replicatedhq/kots/pkg/kotsadm/version"
 	"github.com/replicatedhq/kots/pkg/kotsutil"
+	"github.com/replicatedhq/kots/pkg/persistence"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 )
@@ -41,13 +42,15 @@ func Deploy(ctx context.Context, clientset kubernetes.Interface, namespace strin
 		return errors.Wrap(err, "failed to migrate client secret")
 	}
 
-	postgresConfig := kotsv1beta1.IdentityPostgresConfig{
-		Host:     "kotsadm-postgres",
-		Database: "dex",
-		User:     "dex",
-	}
-	if err := identitydeploy.EnsurePostgresSecret(context.TODO(), clientset, namespace, KotsadmNamePrefix, nil, postgresConfig, nil); err != nil {
-		return errors.Wrap(err, "failed to ensure postgres secret")
+	if persistence.IsPostgres() {
+		postgresConfig := kotsv1beta1.IdentityPostgresConfig{
+			Host:     "kotsadm-postgres",
+			Database: "dex",
+			User:     "dex",
+		}
+		if err := identitydeploy.EnsurePostgresSecret(context.TODO(), clientset, namespace, KotsadmNamePrefix, nil, postgresConfig, nil); err != nil {
+			return errors.Wrap(err, "failed to ensure postgres secret")
+		}
 	}
 
 	if err := identitydeploy.EnsureClientSecret(ctx, clientset, namespace, KotsadmNamePrefix, nil); err != nil {

pkg/identity/deploy/deploy.go

@@ -204,6 +204,7 @@ var (
 )
 
 func deploymentResource(issuerURL, configChecksum string, options Options) (*appsv1.Deployment, error) {
+	// TODO: use GetAdminConsoleImage function
 	image := "kotsadm/dex:v2.28.1"
 	imagePullSecrets := []corev1.LocalObjectReference{}
 	if options.ImageRewriteFn != nil {

pkg/identity/deploy/dex.go

@@ -13,6 +13,7 @@ import (
 	"github.com/pkg/errors"
 	kotsv1beta1 "github.com/replicatedhq/kots/kotskinds/apis/kots/v1beta1"
 	dextypes "github.com/replicatedhq/kots/pkg/identity/types/dex"
+	"github.com/replicatedhq/kots/pkg/persistence"
 	"github.com/replicatedhq/kots/pkg/template"
 )
 
@@ -43,16 +44,27 @@ func getDexConfig(ctx context.Context, issuerURL string, options Options) ([]byt
 		}
 	}
 
-	config := dextypes.Config{
-		Issuer: issuerURL,
-		Storage: dextypes.Storage{
+	var storage dextypes.Storage
+	if persistence.IsPostgres() {
+		storage = dextypes.Storage{
 			Type: "postgres",
 			Config: dextypes.Postgres{
 				SSL: dextypes.SSL{
 					Mode: "disable", // TODO ssl
 				},
 			},
-		},
+		}
+	} else {
+		storage = dextypes.Storage{
+			Type: "kubernetes",
+			Config: dextypes.Kubernetes{
+				InCluster: true,
+			},
+		}
+	}
+	config := dextypes.Config{
+		Issuer:  issuerURL,
+		Storage: storage,
 		Web: dextypes.Web{
 			HTTP: "0.0.0.0:5556",
 		},

pkg/identity/types/dex/config.go

@@ -163,8 +163,8 @@ type GRPC struct {
 
 // Storage holds app's storage configuration.
 type Storage struct {
-	Type   string   `json:"type"`
-	Config Postgres `json:"config"`
+	Type   string      `json:"type"`
+	Config interface{} `json:"config"`
 }
 
 // Connector is a magical type that can unmarshal YAML dynamically. The

pkg/identity/types/dex/sql.go

@@ -38,3 +38,8 @@ type Postgres struct {
 
 	SSL SSL `json:"ssl" yaml:"ssl"`
 }
+
+// In cluster options when not using a SQL db.
+type Kubernetes struct {
+	InCluster bool `json:"inCluster" yaml:"inCluster"`
+}

pkg/kotsadm/objects/images.go

@@ -14,22 +14,27 @@ func GetAdminConsoleImage(deployOptions types.DeployOptions, imageKey string) st
 func GetAdminConsoleImages(deployOptions types.DeployOptions) map[string]string {
 	minioTag := "RELEASE.2021-07-27T02-40-15Z"
 	postgresTag := getPostgresTag(deployOptions)
+	dexTag := "v2.28.1"
 
 	if deployOptions.KotsadmOptions.OverrideVersion != "" {
 		minioTag = deployOptions.KotsadmOptions.OverrideVersion
 		postgresTag = deployOptions.KotsadmOptions.OverrideVersion
+		dexTag = deployOptions.KotsadmOptions.OverrideVersion
 	}
 
 	minioImage := fmt.Sprintf("minio/minio:%s", minioTag)
 	postgresImage := fmt.Sprintf("postgres:%s", postgresTag)
+	dexImage := fmt.Sprintf("kotsadm/dex:%s", dexTag)
 
 	if s := kotsadmversion.KotsadmPullSecret(deployOptions.Namespace, deployOptions.KotsadmOptions); s != nil {
 		minioImage = fmt.Sprintf("%s/minio:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), minioTag)
 		postgresImage = fmt.Sprintf("%s/postgres:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), postgresTag)
+		dexImage = fmt.Sprintf("%s/dex:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), dexTag)
 	} else if deployOptions.KotsadmOptions.OverrideRegistry != "" {
 		// if there is a registry specified, use images there and not the ones from docker hub - even though there's not a username/password specified
 		minioImage = fmt.Sprintf("%s/minio:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), minioTag)
 		postgresImage = fmt.Sprintf("%s/postgres:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), postgresTag)
+		dexImage = fmt.Sprintf("%s/dex:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), dexTag)
 	}
 
 	return map[string]string{
@@ -38,5 +43,6 @@ func GetAdminConsoleImages(deployOptions types.DeployOptions) map[string]string
 		"kotsadm":            fmt.Sprintf("%s/kotsadm:%s", kotsadmversion.KotsadmRegistry(deployOptions.KotsadmOptions), kotsadmversion.KotsadmTag(deployOptions.KotsadmOptions)),
 		"minio":              minioImage,
 		"postgres":           postgresImage,
+		"dex":                dexImage,
 	}
 }

pkg/kotsadm/secrets.go

@@ -13,6 +13,7 @@ import (
 	identitydeploy "github.com/replicatedhq/kots/pkg/identity/deploy"
 	kotsadmobjects "github.com/replicatedhq/kots/pkg/kotsadm/objects"
 	"github.com/replicatedhq/kots/pkg/kotsadm/types"
+	"github.com/replicatedhq/kots/pkg/persistence"
 	"golang.org/x/crypto/bcrypt"
 	corev1 "k8s.io/api/core/v1"
 	kuberneteserrors "k8s.io/apimachinery/pkg/api/errors"
@@ -105,14 +106,16 @@ func ensureSecrets(deployOptions *types.DeployOptions, clientset *kubernetes.Cli
 		return errors.Wrap(err, "failed to ensure postgres secret")
 	}
 
-	// this secret is used by one of kotsadm init containers to ensure dex db/user
-	postgresConfig := kotsv1beta1.IdentityPostgresConfig{
-		Host:     "kotsadm-postgres",
-		Database: "dex",
-		User:     "dex",
-	}
-	if err := identitydeploy.EnsurePostgresSecret(context.TODO(), clientset, deployOptions.Namespace, "kotsadm", nil, postgresConfig, nil); err != nil {
-		return errors.Wrap(err, "failed to ensure postgres secret for identity")
+	if persistence.IsPostgres() {
+		// this secret is used by one of kotsadm init containers to ensure dex db/user
+		postgresConfig := kotsv1beta1.IdentityPostgresConfig{
+			Host:     "kotsadm-postgres",
+			Database: "dex",
+			User:     "dex",
+		}
+		if err := identitydeploy.EnsurePostgresSecret(context.TODO(), clientset, deployOptions.Namespace, "kotsadm", nil, postgresConfig, nil); err != nil {
+			return errors.Wrap(err, "failed to ensure postgres secret for identity")
+		}
 	}
 
 	if deployOptions.SharedPasswordBcrypt == "" {

pkg/kotsadmidentity/store/k8s.go

@@ -0,0 +1,12 @@
+package store
+
+type K8sStore struct {
+}
+
+func (s *K8sStore) DatabaseUserExists(user string) (bool, error) {
+	return true, nil
+}
+
+func (s *K8sStore) CreateDexDatabase(database string, user string, password string) error {
+	return nil
+}

pkg/kotsadmidentity/store/store.go

@@ -1,8 +1,6 @@
 package store
 
 import (
-	"path/filepath"
-
 	"github.com/replicatedhq/kots/pkg/persistence"
 )
 
@@ -12,7 +10,7 @@ var (
 )
 
 var _ DexStore = (*PostgresStore)(nil)
-var _ DexStore = (*SQLiteStore)(nil)
+var _ DexStore = (*K8sStore)(nil)
 
 func GetStore() DexStore {
 	if hasStore {
@@ -21,9 +19,7 @@ func GetStore() DexStore {
 
 	hasStore = true
 	if persistence.IsSQlite() {
-		globalStore = &SQLiteStore{
-			dbFilename: filepath.Join(filepath.Dir(persistence.SQLiteURI), "dex.db"),
-		}
+		globalStore = &K8sStore{}
 	} else {
 		globalStore = &PostgresStore{}
 	}

pkg/persistence/persistence.go

@@ -20,3 +20,7 @@ func MustGetDBSession() *sql.DB {
 func IsSQlite() bool {
 	return SQLiteURI != ""
 }
+
+func IsPostgres() bool {
+	return PostgresURI != ""
+}