
OSC DexClient Extension

Introduction

This document describes the basic usage of the OSC DexClient Extension. The extension creates clients for communicating with the SSO service of a garden cluster.

More information about the OAuth service can be found in SSO User management.

Enabling the Extension for a Shoot Cluster

To enable this extension for a shoot cluster, the extension service name osc-dexclient-service needs to be added to the extensions in the Shoot CR:

apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  ...
spec:
  ...
  extensions:
    - type: osc-dexclient-service
    ...

To check extensions on your shoot you can issue this command:

kubectl get cm -n kube-system shoot-info -o jsonpath={.data.extensions}

Disabling globally enabled extensions

To disable extensions which are enabled by default, add the following snippet to the shoot manifest:

kind: Shoot
...
spec:
  extensions:
  - type: osc-dexclient-service
    disabled: true
...

Create DexClient

To request a new DexClient in a shoot cluster, the following example DexClient CR can be used:

apiVersion: sso.osc.t-systems.com/v1
kind: DexClient
metadata:
  name: oauth-proxy
spec:
  LogoUrl: https://your-app-domain/logo.png
  allowedOrigins:
  - https://your-app-domain
  name: ""
  redirectUris:
  - https://your-app-domain/oauth2/callback
  - https://your-app-domain

Note: In this example the default namespace is used and therefore the namespace is omitted in the further steps.

After the DexClient CR has been created, its state can be checked in the status of the CR. If the DexClient was created successfully and can be consumed, the status of the DexClient CR will be set to Ready (.status.ready) and the credentials of the DexClient for the SSO service can be fetched from the secret referenced in the status of the DexClient CR (.status.secretRef):

 kubectl get dexclients.sso.osc.t-systems.com -o yaml
apiVersion: v1
items:
- apiVersion: sso.osc.t-systems.com/v1
  kind: DexClient
  metadata:
    generation: 1
    name: oauth-proxy
    namespace: default
    ...
  spec:
    allowedOrigins:
    - https://your-app-domain
    name: ""
    redirectUris:
    - https://your-app-domain/oauth2/callback
    - https://your-app-domain
  status:
    allowedOrigins:
    - https://your-app-domain
    conditions:
    - lastTransitionTime: "2023-05-17T11:24:39Z"
      message: Reconciliation succeeded
      observedGeneration: 1
      reason: ReconciliationSucceeded
      status: "True"
      type: Ready
    id: default-oauth-proxy
    ready: true
    secretRef:
      name: dex-client-oauth-proxy
      namespace: default
kind: List
metadata:
  resourceVersion: ""

The secret name is formed by adding the prefix dex-client- to the name of the DexClient CR; the secret is created in the same namespace and contains the following keys:

  • CLIENT_ID: The client ID for the SSO service ("user identity")
  • CLIENT_SECRET: The client access secret for the SSO service ("user password")
  • DEX_CA: The CA bundle used by the SSO service (Or proxy to SSO service) API (used to sign the server certificates of the SSO service and needed for validating the provided certificates)
  • DEX_URL: URL of the SSO service (Or proxy to SSO service)

The secret can be directly consumed by workloads running in the same Kubernetes namespace. E.g. mounting the secret into the workload container or using the content as environment variables (see the Kubernetes docs for more details).

If the workload is running in another namespace than the secret, the workload needs to fetch the secret via the Kubernetes API or the credentials must be provided manually.

This secret has a fixed format that cannot be changed.
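The two checks a consumer should make before using these credentials, a Ready condition that matches the current generation and a secret that actually carries the four fixed keys, are shown below as an added example. This is not code from the extension; the DexClient JSON is constructed to mirror the status output above, the Secret data is constructed, and the field subset of the DexClient object that is modelled is an assumption based only on that output.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Minimal view of a DexClient object as returned with `-o json`. Only the
// fields needed for the readiness check are modelled (assumption: the API
// shape matches the YAML output shown above).
type DexClient struct {
	Metadata struct {
		Name       string `json:"name"`
		Generation int64  `json:"generation"`
	} `json:"metadata"`
	Status struct {
		Ready      bool `json:"ready"`
		Conditions []struct {
			Type               string `json:"type"`
			Status             string `json:"status"`
			ObservedGeneration int64  `json:"observedGeneration"`
			Reason             string `json:"reason"`
		} `json:"conditions"`
		SecretRef struct {
			Name      string `json:"name"`
			Namespace string `json:"namespace"`
		} `json:"secretRef"`
	} `json:"status"`
}

// SecretRefIfReady returns the credential secret's name and namespace only
// when the Ready condition is True for the current generation; a stale or
// failed status yields an error so the consumer does not read old credentials.
func SecretRefIfReady(raw []byte) (name, namespace string, err error) {
	var dc DexClient
	if err := json.Unmarshal(raw, &dc); err != nil {
		return "", "", err
	}
	for _, c := range dc.Status.Conditions {
		if c.Type != "Ready" {
			continue
		}
		if c.Status != "True" {
			return "", "", fmt.Errorf("DexClient %s not ready: %s", dc.Metadata.Name, c.Reason)
		}
		if c.ObservedGeneration != dc.Metadata.Generation {
			return "", "", fmt.Errorf("status is stale: observed generation %d, spec generation %d",
				c.ObservedGeneration, dc.Metadata.Generation)
		}
		if dc.Status.SecretRef.Name == "" {
			return "", "", errors.New("Ready but status carries no secretRef")
		}
		return dc.Status.SecretRef.Name, dc.Status.SecretRef.Namespace, nil
	}
	return "", "", errors.New("no Ready condition in status")
}

// RequiredKeys is the fixed key set of the credential secret.
var RequiredKeys = []string{"CLIENT_ID", "CLIENT_SECRET", "DEX_CA", "DEX_URL"}

// ValidateCredentialSecret decodes the base64 `data` map of a Secret (as the
// Kubernetes API returns it), requires every fixed key to be present and
// non-empty, and rejects a DEX_URL that is not https so credentials are never
// sent to a plaintext endpoint.
func ValidateCredentialSecret(data map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(RequiredKeys))
	for _, k := range RequiredKeys {
		v, ok := data[k]
		if !ok {
			return nil, fmt.Errorf("secret is missing key %s", k)
		}
		dec, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			return nil, fmt.Errorf("key %s is not valid base64: %w", k, err)
		}
		if len(dec) == 0 {
			return nil, fmt.Errorf("key %s is empty", k)
		}
		out[k] = string(dec)
	}
	u, err := url.Parse(out["DEX_URL"])
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("DEX_URL %q is not an https URL", out["DEX_URL"])
	}
	return out, nil
}

// Constructed sample mirroring the status output above (not captured from a
// real cluster).
const sampleDexClient = `{
  "apiVersion": "sso.osc.t-systems.com/v1", "kind": "DexClient",
  "metadata": {"name": "oauth-proxy", "namespace": "default", "generation": 1},
  "status": {"ready": true,
    "conditions": [{"type": "Ready", "status": "True", "observedGeneration": 1,
                    "reason": "ReconciliationSucceeded"}],
    "secretRef": {"name": "dex-client-oauth-proxy", "namespace": "default"}}}`

func main() {
	name, ns, err := SecretRefIfReady([]byte(sampleDexClient))
	if err != nil {
		fmt.Println("not consumable:", err)
		return
	}
	fmt.Printf("credentials are in secret %s/%s\n", ns, name)
	// Constructed secret data, base64-encoded as the API would return it.
	enc := func(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
	data := map[string]string{
		"CLIENT_ID": enc("default-oauth-proxy"), "CLIENT_SECRET": enc("example-secret-value"),
		"DEX_CA": enc("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"),
		"DEX_URL": enc("https://dex.example.invalid"),
	}
	creds, err := ValidateCredentialSecret(data)
	if err != nil {
		fmt.Println("invalid secret:", err)
		return
	}
	fmt.Println("CLIENT_ID:", creds["CLIENT_ID"], "DEX_URL:", creds["DEX_URL"])
}
```

The generation comparison matters after a spec change: a workload that only looks at .status.ready may pick up the secret of the previous spec while the reconciliation of the new one is still running.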

Templated secrets

The DexClient CR supports templated secrets for easier integration of third-party services. With this functionality, customers can define their own additional secrets with a custom format.

Templated secrets are based on Go templates. The same values that are in the standard secret are provided to the template and are available as:

  • {{ .Dex.ClientID }}
  • {{ .Dex.ClientSecret }}
  • {{ .Dex.URL }}
  • {{ .Dex.CACert }}

Secrets based on templates are created in the same namespace as the DexClient CR, and their names have the format:

dex-client-NameOfDexClient-NameOfTemplate

The references to the templated secrets can be found in the status .status.templatedSecretsRef of the DexClient CR.

apiVersion: sso.osc.t-systems.com/v1
kind: DexClient
metadata:
  name: oauth-proxy
spec:
  allowedOrigins:
  - https://your-app-domain
  name: ""
  redirectUris:
  - https://your-app-domain/oauth2/callback
  - https://your-app-domain
  secretTemplates:
    custom: # Name of Template
      template: # Contain go template of secret
        yourKey: {{ .Dex.ClientID }}
        secret: {{ .Dex.ClientSecret }}
        ca: {{ .Dex.CACert }}
        url: {{ .Dex.URL }}
        yourCustomKey: yourCustomData
        yourAdditionalData: yourAdditionalData
        ...
status:
  ...
  templatedSecretsRef:
    - name: dex-client-oauth-proxy-custom
      namespace: default
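To see what a secretTemplates entry turns into, and to catch a mistyped value reference before the CR is applied, the template above can be rendered locally with Go's text/template package. The following is an added example, not the extension's own code: the DexValues struct and its field names are an assumption chosen so that the {{ .Dex.ClientID }}, {{ .Dex.ClientSecret }}, {{ .Dex.URL }} and {{ .Dex.CACert }} references from the page resolve, the values are constructed, and how the extension maps the rendered text onto secret keys is not described on this page and is not modelled here.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// DexValues carries the four values the extension exposes to a secret
// template. Field names are an assumption matching the {{ .Dex.* }}
// references documented above.
type DexValues struct {
	ClientID     string
	ClientSecret string
	URL          string
	CACert       string
}

// RenderSecretTemplate renders one spec.secretTemplates entry with
// text/template. A reference to a field that does not exist (for example the
// typo {{ .Dex.ClientId }}) makes Execute fail instead of silently producing
// an empty value, so the function doubles as a lint step for templates.
func RenderSecretTemplate(tmpl string, v DexValues) (string, error) {
	t, err := template.New("secret").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, struct{ Dex DexValues }{Dex: v}); err != nil {
		return "", fmt.Errorf("execute: %w", err)
	}
	return buf.String(), nil
}

// The `custom` template from the example CR above, as a template string.
const customTemplate = `yourKey: {{ .Dex.ClientID }}
secret: {{ .Dex.ClientSecret }}
ca: {{ .Dex.CACert }}
url: {{ .Dex.URL }}
yourCustomKey: yourCustomData
`

func main() {
	// Constructed values; a real CACert is a multi-line PEM bundle, which is
	// why the ca line of a template needs care if the result must stay valid YAML.
	v := DexValues{
		ClientID:     "default-oauth-proxy",
		ClientSecret: "example-secret-value",
		URL:          "https://dex.example.invalid",
		CACert:       "-----BEGIN CERTIFICATE-----",
	}
	out, err := RenderSecretTemplate(customTemplate, v)
	if err != nil {
		fmt.Println("template rejected:", err)
		return
	}
	fmt.Print(out)

	// A mistyped field name is reported at render time.
	_, err = RenderSecretTemplate("id: {{ .Dex.ClientId }}\n", v)
	fmt.Println("typo template rejected:", err != nil)
}
```

Rendering locally before applying the CR means a broken template is found by the author rather than discovered later as a missing or empty key in the generated secret.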

Delete DexClient

To delete the DexClient, simply issue:

kubectl delete dexclients.sso.osc.t-systems.com -n default oauth-proxy