mintel/dex-k8s-authenticator

Does redirect_uri has to refer back to cluster name in config file?

bjethwan opened this issue · 1 comments

bjethwan commented

I am going from single k8s to multiple k8s clusters fronted by the same dex-k8s-authenticator deployment.
All these k8s clusters are configured with the same openam client-id/client-secret.

It's not clear in the documentation if redirect_uri has to refer back to the cluster name in the config file.
https://github.com/mintel/dex-k8s-authenticator/blob/master/docs/config.md

Would something like this work fine with multiple clusters?

data:
  config.yaml: |-
    listen: http://0.0.0.0:5555
    web_path_prefix: /
    debug: true
    - name: sandbox
      description: sandbox
      short_description: sandbox
      issuer: https://openam.example.com:443/openam/oauth2/cspprodrealm
      client_id: k8s
      client_secret: super_secret
      redirect_uri: https://dex-k8s-authenticator.example.com/callback/sandbox
      k8s_master_uri: https://a.b.c.d
    clusters:
    - name: devint
      description: devint
      short_description: devint
      issuer: https://openam.example.com:443/openam/oauth2/cspprodrealm
      client_id: k8s
      client_secret: super_secret
      redirect_uri: https://dex-k8s-authenticator.example.com/callback/devint
      k8s_master_uri: https://e.f.g.h
    - name: staging
      description: staging
      short_description: staging
      issuer: https://openam.example.com:443/openam/oauth2/cspprodrealm
      client_id: k8s
      client_secret: super_secret
      redirect_uri: https://dex-k8s-authenticator.example.com/callback/staging
      k8s_master_uri: https://i.j.k.l
    - name: tools
      description: tools
      short_description: tools
      issuer: https://openam.example.com:443/openam/oauth2/cspprodrealm
      client_id: k8s
      client_secret: super_secret
      redirect_uri: https://dex-k8s-authenticator.example.com/callback/tools
      k8s_master_uri: https://m.n.o.p

Is this is how redirect_uri has to be defined for each k8s cluster?

redirect_uri: https://dex-k8s-authenticator.example.com/callback/sandbox
redirect_uri: https://dex-k8s-authenticator.example.com/callback/devint
redirect_uri: https://dex-k8s-authenticator.example.com/callback/staging
redirect_uri: https://dex-k8s-authenticator.example.com/callback/tools
nabadger commented

@bjethwan yes it will use the name attribute for each cluster to generate the callback uri.