Merge pull request #3201 from mjudeikis/mjudeikis/kcp.dex.readme

📖  add dex quickstart

.gitignore

@@ -37,3 +37,8 @@ docs/generators/cli-doc/cli-doc
 # Ignore UNIX sockets and delve binaries
 *.sock
 __debug_*
+
+dex/
+*.crt
+*.key
+*.pem

contrib/kcp-dex/README.md

@@ -0,0 +1,75 @@
+# KCP Dex
+
+How to run local kcp with dex.
+
+## Step by step guide
+
+### Dex
+
+Run dex outside of kcp
+We use dex to manage OIDC, following the steps below you can run a local OIDC issuer using dex:
+
+* First, clone the dex repo: `git clone https://github.com/mjudeikis/dex.git -b mjudeikis/groups.support`
+  * Important: We use fork to allow local group support k8s relies on: https://github.com/dexidp/dex/issues/1080
+* `cd dex` and then build the dex binary `make build`
+* The binary will be created in `bin/dex`
+* Adjust the config file(`examples/config-dev.yaml`) for dex by specifying the server callback method:
+* Generate certificates for dex:
+```bash
+GOBIN=$(pwd)/bin go install github.com/mjudeikis/genkey
+./bin/genkey 127.0.0.1
+```
+
+* Run dex: `./bin/dex serve ../contrib/kcp-dex/kcp-config.yaml `
+
+
+### KCP
+
+Start kcp with oidc enabled:
+
+```bash
+go run ./cmd/kcp start \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-client-id=kcp-dev \
+--oidc-groups-claim=groups \
+--oidc-ca-file=127.0.0.1.pem
+```
+
+### Login
+
+Use oidc plugin:
+
+```bash
+kubectl krew install oidc-login
+
+# to test
+kubectl oidc-login get-token \
+--oidc-issuer-url=https://127.0.0.1:5556/dex \
+--oidc-client-id=kcp-dev \
+--oidc-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+--insecure-skip-tls-verify \
+--oidc-extra-scope=groups,email
+
+# to configure kubectl to use this plugin
+export KUBECONFIG=.kcp/admin.kubeconfig
+
+# create a new user with oidc
+kubectl config set-credentials oidc \
+  --exec-api-version=client.authentication.k8s.io/v1beta1 \
+  --exec-command=kubectl \
+  --exec-arg=oidc-login \
+  --exec-arg=get-token \
+  --exec-arg=--oidc-issuer-url=https://127.0.0.1:5556/dex  \
+  --exec-arg=--oidc-client-id=kcp-dev \
+  --exec-arg=--oidc-client-secret=Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg== \
+  --exec-arg=--oidc-extra-scope=groups \
+  --exec-arg=--oidc-extra-scope=email \
+  --exec-arg=--insecure-skip-tls-verify
+
+# set current context to use oidc
+kubectl config set-context --current --user=oidc
+
+# test
+# password is admin:password
+kubectl get ws
+kubectl create workspace bob

contrib/kcp-dex/kcp-config.yaml

@@ -0,0 +1,32 @@
+
+issuer: https://127.0.0.1:5556/dex
+web:
+  https: 127.0.0.1:5556
+  tlsCert: ../127.0.0.1.pem
+  tlsKey: ../127.0.0.1.pem
+storage:
+  type: sqlite3
+  config:
+    file: examples/dex.db
+staticClients:
+  - id: kcp-dev
+    public: true
+    redirectURIs:
+    - http://localhost:8000
+    name: 'KCP App'
+    secret: Z2Fyc2lha2FsYmlzdmFuZGVuekWplCg==
+
+# Let dex keep a list of passwords which can be used to login to dex.
+enablePasswordDB: true
+
+# A static list of passwords to login the end user. By identifying here, dex
+# won't look in its underlying storage for passwords.
+#
+# If this option isn't chosen users may be added through the gRPC API.
+staticPasswords:
+- email: "admin"
+  # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
+  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+  username: "admin"
+  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+  groups: ["system:kcp:admin", "system:admin"]