This hack works on Openshift using openshift-install CLI tool with custom install config
You can skip certificate creation if you already have a valid certificate for your dex route.
In order to use DEX, you will need a valid trusted SSL certificat.
If you are using openshift-install
cli on aws you can use acme.sh
Clone acms.sh repository:
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
Register your account:
./acme.sh --register-account -m myemail@example.com --server zerossl
Create certificates for your current instance:
export API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')
AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key) AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id) ./acme.sh --issue --dns dns_aws -d ${API} -d *.${WILDCARD}
You will get a list of certificates with path at the end of this bash. Replace /path/to/fullchain.cer
and /path/to/api.key
in the next commands.
Update ingress default certificate:
oc create secret tls router-certs --cert=/path/to/fullchain.cer --key=/path/to/api.key -n openshift-ingress
oc patch ingresscontroller default -n openshift-ingress-operator --type=merge --patch='{"spec": { "defaultCertificate": { "name": "router-certs" } } }'
Update api certificate:
oc create secret tls api-certs --cert=/path/to/fullchain.cer --key=/path/to/api.key -n openshift-config
oc patch apiserver cluster \
--type=merge -p \
"{\"spec\":{\"servingCerts\": {\"namedCertificates\": [{\"names\": [\"${API}\"], \"servingCertificate\": {\"name\": \"api-certs\"}}]}}}"
Replace all <MY_CLUSTER_URL>
occurences in examples/dex.yaml
.
By default, routes will use your API cert for reencrypt
.
You can change them by adding the following options in the tls sections if needed:
certificate: |-
-----BEGIN CERTIFICATE-----
<MY_TRUSTED_CA_CERT>
-----END CERTIFICATE-----
key: |-
-----BEGIN ENCRYPTED PRIVATE KEY-----
<MY_TRUSTED_CA_KEY>
-----END ENCRYPTED PRIVATE KEY-----
caCertificate: |-
-----BEGIN CERTIFICATE-----
<MY_CA_CERT>
-----END CERTIFICATE-----
Create dex instance in openshift-logging namespace:
oc create namespace openshift-logging
oc apply -f examples/dex.yaml
Check openid-configuration and certificate at your DEX route URL:
https://dex-openshift-logging.apps.<MY_CLUSTER_URL>/dex/.well-known/openid-configuration
You will now be able to login as dex users using the following credentials:
admin@example.com
:password
foo@example.com
:password