Conversation

@skrobul skrobul commented Apr 28, 2025

This pull request introduces a new operator that enables dynamic management of OAuth2 clients in Dex using standard Kubernetes objects.

Currently, creating a Client involves several manual steps:

  • Generating a password locally on the developer's machine
  • Storing the password in a compatible Kubernetes YAML Secret manifest
  • Sealing the Secret on the running cluster, committing it to the repository
  • Updating Dex's deployment to read the secret and export it as an environment variable
  • Configuring Dex to reference the new environment variable

This process is not ideal, as it imposes a significant administrative burden and security risks due to the use of environment variables. Moreover, updating passwords becomes challenging.

By deploying the operator from this pull request, we can simplify this process significantly. The operator will handle generating secrets and updating Dex configurations for the listed Clients, eliminating the need for manual intervention. Additionally, it leverages dynamic configuration of Dex, allowing us to make changes without requiring a restart. As an added security benefit, the actual password values will never leave the cluster, reducing the risk of exposure and improving overall security.

Key benefits of this change include reduced administrative burden, improved security, and easier password updates.

Note

To the reviewer:
Part of this PR is boilerplate that is automatically generated by operator-sdk. This can be ignored or skimmed through:

  • Stuff in config/ folder is automatically generated, with the exception of config/samples
  • dist/ contains an autogenerated YAML for non-helm installs
  • Makefile is autogenerated with adjustments to the IMAGE_TAG_BASE only

@skrobul skrobul requested a review from a team April 28, 2025 15:41
@skrobul skrobul changed the title dexop - operator to manage Oauth2 clients in Dex feat: dexop - operator to manage Oauth2 clients in Dex Apr 28, 2025
@skrobul skrobul force-pushed the dexop branch 17 times, most recently from 2f506f3 to a239090 Compare April 29, 2025 06:48
type SecretManager struct {
}

func (s SecretManager) readSecret(r *ClientReconciler, ctx context.Context, name, namespace string) (string, error) {
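Review bot: in readSecret the context.Context parameter comes after r *ClientReconciler; Go convention (and the usual linters) expect ctx first, i.e. `func (s SecretManager) readSecret(ctx context.Context, r *ClientReconciler, name, namespace string)`. Since SecretManager is an empty struct and the reconciler is passed in explicitly, also consider whether this belongs as a method on ClientReconciler, or whether SecretManager should hold the client it needs instead of receiving the reconciler on every call.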

Any specific reason for not using a pointer here, func (s *SecretManager)?


The methods in SecretManager do not alter the struct's state, and because SecretManager is currently an empty struct, there's no need for a pointer receiver. A value receiver suffices for stateless behavior and avoids unnecessary complexity of pointer management.


toolchain go1.23.6

require (

Need to run go mod tidy.
The current go.mod is missing some packages that are used,
like github.com/sethvargo/go-password.


Good catch, thanks! Fixed in rebase.

@cardoe cardoe left a comment


Overall seems like what we're aiming to achieve.

skrobul added 19 commits May 7, 2025 14:48
Up till now all tests required the Dex server to be already running on
the developer's machine. It was also assumed that the server would be
preconfigured for gRPC communication. This required the appropriate
certificates to be generated, configured in Dex and copied over to the
project directory.

This commit removes that requirement altogether by automatically
starting "dex serve" with appropriate configuration and shutting it down
when the tests complete.

grpc.Dial deprecation will be done in a separate commit in case we need to
revert.

This deploys a basic version of the operator.

This changes how the automatically generated Kubernetes Secret looks:

- the `secret` key was renamed to `client-secret`
- the `client-id` key is now populated
- the `issuer` is populated

Caveat: The Issuer information can be obtained from Dex dynamically only
starting from the newest version (2.42) of Dex. To avoid triggering failed
discovery, the same information can be provided as a command line
argument.
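An added example (not code from the dexop PR) showing the Secret layout the commit message above describes, together with the rule a reconciler needs so that a repeated reconcile does not silently regenerate the password; the key names come from the commit message, while NewClientSecret, BuildSecretData, the rotate flag and the sample client ID and issuer are assumptions (the operator itself uses github.com/sethvargo/go-password, per the review thread).

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Keys of the Secret the operator writes, as named in the commit message above.
const (
	KeyClientID     = "client-id"
	KeyClientSecret = "client-secret"
	KeyIssuer       = "issuer"
)

// NewClientSecret returns 32 random bytes as a URL-safe string. Hypothetical helper:
// the real operator uses github.com/sethvargo/go-password for this.
func NewClientSecret() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// BuildSecretData assembles the data map of the Kubernetes Secret for one Dex client.
// issuer is whatever the operator learned via discovery or was given on the command
// line (the caveat in the commit message). An existing client-secret is kept unless
// rotate is set, so reconciling the same Client twice leaves the password unchanged.
func BuildSecretData(clientID, issuer string, existing map[string][]byte, rotate bool) (map[string][]byte, error) {
	if clientID == "" || issuer == "" {
		return nil, errors.New("clientID and issuer must not be empty")
	}
	secret := string(existing[KeyClientSecret]) // "" when existing is nil or lacks the key
	if secret == "" || rotate {
		s, err := NewClientSecret()
		if err != nil {
			return nil, err
		}
		secret = s
	}
	return map[string][]byte{
		KeyClientID:     []byte(clientID),
		KeyClientSecret: []byte(secret),
		KeyIssuer:       []byte(issuer),
	}, nil
}
```

The returned map is what would go into the Secret's data field; the secret value itself never needs to leave the cluster, which is the property the PR description calls out.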
@abhimanyu003 abhimanyu003 left a comment


LGTM

@skrobul skrobul added this pull request to the merge queue May 7, 2025
Merged via the queue into main with commit 0d9d868 May 7, 2025
18 checks passed
@skrobul skrobul deleted the dexop branch May 7, 2025 14:24