Merge pull request mintel#67 from mintel/feat-idp-ca-inline

Added IDPCaPem option to support idp-ca via pem file
pgagnon · Aug 30, 2018 · 4d00f80 · 4d00f80
2 parents 45a609b + ddc421d
commit 4d00f80
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 6 deletions.
diff --git a/charts/dex-k8s-authenticator/templates/configmap.yaml b/charts/dex-k8s-authenticator/templates/configmap.yaml
@@ -20,6 +20,9 @@ data:
     {{- if .idpCaURI }}
     idp_ca_uri: {{ .idpCaURI }}
     {{- end }}
+    {{- if .idpCaPem }}
+    idp_ca_pem: {{ .idpCaPem }}
+    {{- end }}
     {{- if and .tlsCert .tlsKey }} 
     tls_cert: "{{ .tlsCert }}"
     tls_key: "{{ .tlsKey }}"

diff --git a/dex-auth.go b/dex-auth.go
@@ -108,6 +108,7 @@ func (cluster *Cluster) handleCallback(w http.ResponseWriter, r *http.Request) {
 
 	cluster.renderToken(w, rawIDToken, token.RefreshToken,
 		cluster.Config.IDP_Ca_URI,
+		cluster.Config.IDP_Ca_Pem,
 		cluster.Config.Logo_Uri,
 		cluster.Config.Web_Path_Prefix,
 		viper.GetString("kubectl_version"),

diff --git a/docs/config.md b/docs/config.md
@@ -8,8 +8,8 @@ An example configuration is available [here](../examples/config.yaml)
 | Name              | Required | Context | Description                                                                           |
 |-------------------|----------|---------|---------------------------------------------------------------------------------------|
 | name              | yes      | cluster | Internal id of cluster                                                                |
-| short_description | yes      | cluster | Short description of cluster                                                |
-| description       | yes      | cluster | Extended description of cluster                                             |
+| short_description | yes      | cluster | Short description of cluster                                                          |
+| description       | yes      | cluster | Extended description of cluster                                                       |
 | client_secret     | yes      | cluster | OAuth2 client-secret (shared between dex-k8s-auth and dex)                            |
 | client_id         | yes      | cluster | OAuth2 client-id public identifier (shared between dex-k8s-auth and dex)              |
 | issuer            | yes      | cluster | Dex issuer url                                                                        |
@@ -20,8 +20,9 @@ An example configuration is available [here](../examples/config.yaml)
 | tls_cert          | no       | root    | Path to TLS cert if SSL enabled                                                       |
 | tls_key           | no       | root    | Path to TLS key if SSL enabled                                                        |
 | idp_ca_uri        | no       | root    | A url pointing to the CA for generating 'idp-certificate-authority' in the kubeconfig |
+| idp_ca_pem        | no       | root    | The CA for generating 'idp-certificate-authority' in the kubeconfig                   |
 | trusted_root_ca   | no       | root    | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime                   |
-| listen            | yes      | root    | The listen address/port                                                                    |
+| listen            | yes      | root    | The listen address/port                                                               |
 | web_path_prefix   | no       | root    | A path-prefix to serve dex-k8s-auth at (defaults to '/')                              |
 | kubectl_version   | no       | root    | A kubectl-version string that is used to provided a download path                     |
 | logo_uri          | no       | root    | A url pointing to a logo image that is displayed in the header                        |
@@ -69,4 +70,4 @@ Don't forget to update the Dex `staticClients.redirectURIs` value to include the
 
 The `dex-k8s-authenticator` helm charts support this via the `dexK8sAuthenticator.web_path_prefix` and `ingress.path` options. You typically set these to the same value.
 
-Note that the health-checks are configured automatically.
+Note that the health-checks are configured automatically.
diff --git a/examples/config.yaml b/examples/config.yaml
@@ -49,6 +49,21 @@ clusters:
 # tls_cert: /path/to/dex-client.crt
 # tls_key: /path/to/dex-client.key
 
+# CA for your IDP - used in WebUI instructions for generating
+# kubeconfig
+# Both idp_ca_uri and idp_ca_pem are optional - you typically specifiy
+# one or the other if required
+#
+# Provides a link to the CA from a hosted site
+# idp_ca_uri: http://url-to-your-ca.crt
+#
+# Provides abililty to specify CA inline
+# idp_ca_pem: |
+#   -----BEGIN CERTIFICATE-----
+#   ...
+#   -----END CERTIFICATE-----
+
+
 # Which address to listen on (set to https if tls configured)
 listen: http://127.0.0.1:5555
 

diff --git a/main.go b/main.go
@@ -81,6 +81,7 @@ type Config struct {
 	TLS_Cert        string
 	TLS_Key         string
 	IDP_Ca_URI      string
+	IDP_Ca_Pem      string
 	Logo_Uri        string
 	Trusted_Root_Ca []string
 }

diff --git a/templates.go b/templates.go
@@ -37,6 +37,7 @@ type templateData struct {
 	K8sCaURI         string
 	K8sCaPem         string
 	IDPCaURI         string
+	IDPCaPem         string
 	LogoURI          string
 	Web_Path_Prefix  string
 	KubectlVersion   string
@@ -46,6 +47,7 @@ func (cluster *Cluster) renderToken(w http.ResponseWriter,
 	idToken,
 	refreshToken string,
 	idpCaURI string,
+	idpCaPem string,
 	logoURI string,
 	webPathPrefix string,
 	kubectlVersion string,
@@ -75,6 +77,7 @@ func (cluster *Cluster) renderToken(w http.ResponseWriter,
 		K8sCaURI:         cluster.K8s_Ca_URI,
 		K8sCaPem:         cluster.K8s_Ca_Pem,
 		IDPCaURI:         idpCaURI,
+		IDPCaPem:         idpCaPem,
 		LogoURI:          logoURI,
 		Web_Path_Prefix:  webPathPrefix,
 		KubectlVersion:   kubectlVersion}

diff --git a/templates/linux-mac-common.html b/templates/linux-mac-common.html
@@ -1,6 +1,6 @@
 {{ define "linux-mac-common" }}
   {{ if .IDPCaURI }}
-    <h3>Copy IDP CA Certificate</h3>
+    <h3>Copy IDP CA Certificate From URL</h3>
 
     <p>Copy this CA Certificate and download it to your .kube directory</p>
     <div class="command">
@@ -12,6 +12,23 @@ <h3>Copy IDP CA Certificate</h3>
     </div>
   {{ end }}
 
+  {{ if .IDPCaPem }}
+    <h3>Copy IDP CA Certificate From PEM</h3>
+
+    <p>Put the CA Certificate into your .kube directory</p>
+
+    <div class="command">
+
+      <button class="btn" style="float:right" data-clipboard-snippet="">
+        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
+      </button>
+      <pre><code>mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ &amp;&amp; cat &lt;&lt; EOF &gt; ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
+{{ .IDPCaPem }}
+EOF</code></pre>
+    </div>
+  {{ end }}
+
+
   {{ if .K8sCaURI }}
     <h3>Copy Kubernetes CA Certificate From URL</h3>
 

diff --git a/templates/windows-tab.html b/templates/windows-tab.html
@@ -17,7 +17,7 @@ <h3>Install and Set Up kubectl</h3>
   </div>
 
   {{ if .IDPCaURI }}
-    <h3>Copy IDP CA Certificate</h3>
+    <h3>Copy IDP CA Certificate From URL</h3>
 
     <p>Copy this CA Certificate and download it to your .kube directory</p>
     <div class="command">
@@ -30,6 +30,23 @@ <h3>Copy IDP CA Certificate</h3>
     </div>
   {{ end }}
 
+  {{ if .IDPCaPem }}
+    <h3>Copy IDP CA From Pem</h3>
+
+    <p>Put the CA Certificate into your .kube directory</p>
+    <div class="command">
+
+      <button class="btn" style="float:right" data-clipboard-snippet="">
+        <img class="clippy" width="13" src="{{ .Web_Path_Prefix }}static/clippy.svg" alt=""/>
+      </button>
+
+      <pre><code>mkdir -p ${HOME}/.kube/certs/{{ .ClusterName }}/ &amp;&amp; cat &lt;&lt; EOF &gt; ${HOME}/.kube/certs/{{ .ClusterName }}/idp-ca.crt
+{{ .IDPCaPem}}
+EOF</code></pre>
+    </div>
+  {{ end }}
+
+
   {{ if .K8sCaURI }}
     <h3>Copy Kubernetes CA Certificate From URL</h3>