dexop: make Secrets compatible with Understack

This changes how the automatically generated Kubernetes Secret looks
like:

- the `secret` key was renamed to `client-secret`
- the `client-id` key is now populated
- the `issuer` is populated

Caveat: The Issuer information can be obtained from Dex dynamically only
starting from newest version (2.42) of Dex. To avoid triggering failed
discovery, the same information can be provided as a command line
argument.

Author: skrobul

go/dexop/api/v1alpha1/client_types.go

@@ -29,6 +29,7 @@ type ClientSpec struct {
 	SecretName      string   `json:"secretName,omitempty"`
 	SecretNamespace string   `json:"secretNamespace,omitempty"`
 	SecretValue     string   `json:"-"`
+	Issuer          string   `json:"-"`
 	GenerateSecret  bool     `json:"generateSecret,omitempty"`
 	RedirectURIs    []string `json:"redirectURIs"`
 	LogoUrl         string   `json:"logoURL,omitempty"`

go/dexop/cmd/main.go

@@ -79,6 +79,7 @@ func main() {
 		"Path to the client certificate for Dex API")
 	flag.StringVar(&dexConf.ClientKeyPath, "dex-key-path", "./grpc_client.key",
 		"Path to the client key for Dex API")
+	flag.StringVar(&dexConf.Issuer, "dex-issuer", "", "force dex Issuer value to be inserted into created secrets.")
 	opts := zap.Options{
 		Development: true,
 	}
@@ -191,10 +192,11 @@ type DexConfig struct {
 	CAPath         string
 	ClientKeyPath  string
 	ClientCertPath string
+	Issuer         string
 }
 
-func newDexManager(config *DexConfig) (*dexmgr.DexManager, error) {
-	mgr, err := dexmgr.NewDexManager(config.Address, config.CAPath, config.ClientKeyPath, config.ClientCertPath)
+func newDexManager(cfg *DexConfig) (*dexmgr.DexManager, error) {
+	mgr, err := dexmgr.NewDexManager(cfg.Address, cfg.CAPath, cfg.ClientKeyPath, cfg.ClientCertPath, cfg.Issuer)
 	if err != nil {
 		setupLog.Error(err, "While getting the DexManager")
 	}

go/dexop/dex/client.go

@@ -16,6 +16,7 @@ import (
 
 type DexManager struct {
 	Client dexapi.DexClient
+	Issuer string
 }
 
 // Creates new Oauth2 client in Dex
@@ -86,6 +87,19 @@ func (d *DexManager) UpdateOauth2Client(clientSpec *dexv1alpha1.Client) error {
 	return err
 }
 
+func (d *DexManager) GetIssuer() (string, error) {
+	// fallback for dex versions that don't support Discovery over GRPC
+	if d.Issuer != "" {
+		return d.Issuer, nil
+	}
+
+	result, err := d.Client.GetDiscovery(context.TODO(), &dexapi.DiscoveryReq{})
+	if err != nil {
+		return "", err
+	}
+	return result.GetIssuer(), nil
+}
+
 func newDexClient(hostAndPort, caPath, clientKey, clientCrt string) (dexapi.DexClient, error) {
 	cPool := x509.NewCertPool()
 	caCert, err := os.ReadFile(caPath)
@@ -120,13 +134,13 @@ func NewInsecureTestManager(grpcAddr string) (*DexManager, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &DexManager{Client: dexapi.NewDexClient(grpcConn)}, nil
+	return &DexManager{Client: dexapi.NewDexClient(grpcConn), Issuer: "http://127.0.0.1:15556/dex"}, nil
 }
 
-func NewDexManager(host, caCert, clientKey, clientCert string) (*DexManager, error) {
+func NewDexManager(host, caCert, clientKey, clientCert, issuer string) (*DexManager, error) {
 	client, err := newDexClient(host, caCert, clientKey, clientCert)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating dex client: %w", err)
 	}
-	return &DexManager{Client: client}, nil
+	return &DexManager{Client: client, Issuer: issuer}, nil
 }

go/dexop/helm/templates/deployment.yaml.tpl

@@ -40,6 +40,9 @@ spec:
           - --dex-cert-path=/run/secrets/dex/tls.crt
           - --dex-key-path=/run/secrets/dex/tls.key
           - --dex-host={{ .Values.dex.address }}
+          {{ with .Values.dex.issuer }}
+          - --dex-issuer={{ . }}
+          {{- end }}
           command:
           - /manager
           securityContext:

go/dexop/helm/values.yaml

@@ -104,3 +104,6 @@ volumeMounts: []
 dex:
   address: dex-api.dex.cluster.local:5557
   secret: dexop-dex-client
+  # 'issuer' must be set explicitly if using dex version older than 2.42
+  #
+  # issuer: http://dex.instance.local/dex

go/dexop/internal/controller/client_controller.go

@@ -110,6 +110,12 @@ func (r *ClientReconciler) getClientSpec(ctx context.Context, namespacedName typ
 		}
 		return nil, err
 	}
+	// populate issuer
+	issuer, err := r.DexManager.GetIssuer()
+	if err != nil {
+		return nil, err
+	}
+	clientSpec.Spec.Issuer = issuer
 	return clientSpec, nil
 }
 
@@ -190,7 +196,7 @@ func (r *ClientReconciler) readOrGenerateSecret(ctx context.Context, secretmgr *
 
 // generateSecret creates a Kubernetes secret with randomly generated password.
 func (r *ClientReconciler) generateSecret(ctx context.Context, secretmgr *SecretManager, clientSpec *dexv1alpha1.Client, reqLogger logr.Logger) (string, error) {
-	secret, err := secretmgr.generateSecret(r, ctx, clientSpec.Spec.SecretName, clientSpec.Spec.SecretNamespace)
+	secret, err := secretmgr.generateSecret(r, ctx, clientSpec)
 	if err != nil {
 		reqLogger.Error(err, "Unable to write secret", "secretName", clientSpec.Spec.SecretName)
 		return "", err

go/dexop/internal/controller/client_controller_test.go

@@ -110,7 +110,7 @@ var _ = Describe("Client Controller", func() {
 
 			secretObj := &v1.Secret{}
 			err = k8sClient.Get(ctx, types.NamespacedName{Namespace: typeNamespacedName.Namespace, Name: secretName}, secretObj)
-			Expect(len(secretObj.Data["secret"])).To(Equal(48))
+			Expect(len(secretObj.Data["client-secret"])).To(Equal(48))
 			Expect(err).NotTo(HaveOccurred())
 		})
 		It("should successfully reconcile the resource", func() {
@@ -140,7 +140,7 @@ var _ = Describe("Client Controller", func() {
 			Expect(err).NotTo(HaveOccurred())
 			secretObj := &v1.Secret{}
 			Expect(k8sClient.Get(ctx, typesNamespacedSecretName, secretObj)).To(Succeed())
-			secretObj.Data["secret"] = []byte("newSecret")
+			secretObj.Data["client-secret"] = []byte("newSecret")
 
 			By("reconcile after changing the secret")
 			Expect(k8sClient.Update(ctx, secretObj)).To(Succeed())
@@ -208,7 +208,39 @@ var _ = Describe("Client Controller", func() {
 
 			By("checking if the Secret has been recreated")
 			newSecret := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: typesNamespacedSecretName.Name, Namespace: typesNamespacedSecretName.Namespace}}
-			Expect(k8sClient.Get(ctx, typesNamespacedSecretName, newSecret))
+			Expect(k8sClient.Get(ctx, typesNamespacedSecretName, newSecret)).To(Succeed())
+		})
+
+		It("populates the issuer in Secret", func() {
+			By("reconciling the first time")
+			controllerReconciler := &ClientReconciler{
+				Client:     k8sClient,
+				Scheme:     k8sClient.Scheme(),
+				DexManager: dex,
+			}
+			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+			secret := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: typesNamespacedSecretName.Name, Namespace: typesNamespacedSecretName.Namespace}}
+			Expect(k8sClient.Get(ctx, typesNamespacedSecretName, secret)).To(Succeed())
+			Expect(string(secret.Data["issuer"])).To(Equal("http://127.0.0.1:15556/dex"))
+		})
+
+		It("populates the client-id in Secret", func() {
+			By("reconciling the first time")
+			controllerReconciler := &ClientReconciler{
+				Client:     k8sClient,
+				Scheme:     k8sClient.Scheme(),
+				DexManager: dex,
+			}
+			_, err := controllerReconciler.Reconcile(ctx, reconcile.Request{
+				NamespacedName: typeNamespacedName,
+			})
+			Expect(err).NotTo(HaveOccurred())
+			secret := &v1.Secret{ObjectMeta: metav1.ObjectMeta{Name: typesNamespacedSecretName.Name, Namespace: typesNamespacedSecretName.Namespace}}
+			Expect(k8sClient.Get(ctx, typesNamespacedSecretName, secret)).To(Succeed())
+			Expect(string(secret.Data["client-id"])).To(Equal("fred-client"))
 		})
 	})
 
@@ -239,7 +271,7 @@ var _ = Describe("Client Controller", func() {
 			By("creating secret")
 			secret := &v1.Secret{
 				ObjectMeta: metav1.ObjectMeta{Name: testSecretName, Namespace: "default"},
-				Data:       map[string][]byte{"secret": []byte("abc")},
+				Data:       map[string][]byte{"client-secret": []byte("abc")},
 			}
 			Expect(k8sClient.Create(ctx, secret)).To(Succeed())
 

go/dexop/internal/controller/secret_manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	dexv1alpha1 "github.com/rackerlabs/understack/go/dexop/api/v1alpha1"
 	"github.com/sethvargo/go-password/password"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -21,20 +22,20 @@ func (s SecretManager) readSecret(r *ClientReconciler, ctx context.Context, name
 		return "", err
 	}
 
-	if value, ok := secret.Data["secret"]; ok {
+	if value, ok := secret.Data["client-secret"]; ok {
 		return string(value), nil
 	}
-	return "", fmt.Errorf("secret key not found")
+	return "", fmt.Errorf("client-secret key not found")
 }
 
-func (s SecretManager) writeSecret(r *ClientReconciler, ctx context.Context, name, namespace, value string) (*v1.Secret, error) {
+func (s SecretManager) writeSecret(r *ClientReconciler, ctx context.Context, clientSpec *dexv1alpha1.Client, value string) (*v1.Secret, error) {
 	secret := &v1.Secret{
 		TypeMeta: metav1.TypeMeta{},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
+			Name:      clientSpec.Spec.SecretName,
+			Namespace: clientSpec.Spec.SecretNamespace,
 		},
-		Data: map[string][]byte{"secret": []byte(value)},
+		Data: map[string][]byte{"client-secret": []byte(value), "issuer": []byte(clientSpec.Spec.Issuer), "client-id": []byte(clientSpec.Spec.Name)},
 		Type: "Opaque",
 	}
 
@@ -45,10 +46,10 @@ func (s SecretManager) writeSecret(r *ClientReconciler, ctx context.Context, nam
 	return secret, nil
 }
 
-func (s SecretManager) generateSecret(r *ClientReconciler, ctx context.Context, name, namespace string) (*v1.Secret, error) {
+func (s SecretManager) generateSecret(r *ClientReconciler, ctx context.Context, clientSpec *dexv1alpha1.Client) (*v1.Secret, error) {
 	res, err := password.Generate(48, 10, 10, false, false)
 	if err != nil {
 		return nil, err
 	}
-	return s.writeSecret(r, ctx, name, namespace, res)
+	return s.writeSecret(r, ctx, clientSpec, res)
 }