canonical / dex-auth-operator

Operator for Dex Auth
Apache License 2.0

Add `dex-issuer-url` and remove `public-url` configuration options #204

Closed DnPlas closed 2 months ago

DnPlas commented 3 months ago

Context

Because the issuer URL in Dex's configuration could be either the application's Kubernetes Service DNS name + the dex endpoint (e.g. http://<dex-auth-app-name>.<namespace>.svc:5556/dex) or a publicly accessible IP/DNS name (e.g. http://foo.com/dex), this charm should be configurable for the latter case.

This task also requires the removal of the public-url configuration option as it has been considered misleading and should not be used. Please refer to https://github.com/canonical/bundle-kubeflow/issues/608 for more information.

For details about the design, please refer to this spec (internal only).

What needs to get done

  1. Remove the public-url configuration option
  2. Add the following configuration:

     ```yaml
     # dex-auth config.yaml
     dex-issuer-url:
       type: string
       default: ""
       description: |
         Format: http(s)://<publicly-accessible-dns-name>/dex
         (Also referred to as issuer) This is the canonical URL that OIDC clients MUST use to refer to dex. If not specified, it defaults to dex-auth's local endpoint constructed from dex-auth's Kubernetes Service DNS name, the Service port and Dex's endpoint, that is http://<dex-auth-app-name>.<namespace>.svc:5556/dex.
         The default is set by the charm code, not the configuration option.
         This configuration must be set when using a Dex connector that will try to reach Dex from outside the cluster, thus it should be a publicly accessible endpoint, for example:
         https://my-instance.in-my-cloud.some-cloud.com/dex
     ```

  3. Remove any traces of the "public_url" value from the charm code
  4. The issuer value will be set to either the default http://<dex-auth-app-name>.<namespace>.svc:5556/dex or model.config["dex-issuer-url"]
  5. Add/modify tests appropriately

Definition of Done

The charm now gets the issuer value from either the configuration option or defaults to http://<dex-auth-app-name>.<namespace>.svc:5556/dex. This can be confirmed by checking the .well-known endpoint.
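The issuer selection and the `.well-known` check described in this issue, as an added illustration that is not the charm's own code: `resolve_issuer` takes the config as a plain dict (standing in for `model.config`) plus the app name and namespace, rejects a configured value that is not an absolute http(s) URL, and `discovery_matches` compares the `issuer` field of a constructed discovery document against what the charm set. The `ops` framework is deliberately not used, so the functions run stand-alone.

```python
from urllib.parse import urlparse

DEX_PORT = 5556  # Service port from the in-cluster default in the issue


def default_issuer(app_name: str, namespace: str) -> str:
    """In-cluster fallback used when dex-issuer-url is unset (set by charm code)."""
    return f"http://{app_name}.{namespace}.svc:{DEX_PORT}/dex"


def resolve_issuer(config: dict, app_name: str, namespace: str) -> str:
    """Return model.config['dex-issuer-url'] if set, else the in-cluster default.

    A configured value is validated because OIDC clients use it verbatim and
    compare it byte-for-byte with the discovery document; a relative or
    scheme-less value would silently break every client."""
    configured = (config.get("dex-issuer-url") or "").strip()
    if not configured:
        return default_issuer(app_name, namespace)
    parsed = urlparse(configured)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(
            f"dex-issuer-url must look like http(s)://<host>/dex, got {configured!r}"
        )
    return configured


def discovery_matches(issuer: str, discovery_doc: dict) -> bool:
    """Definition-of-done check: <issuer>/.well-known/openid-configuration must
    advertise exactly the issuer the charm configured, and every advertised
    endpoint must live under it. Exact string comparison is what OIDC clients do."""
    if discovery_doc.get("issuer") != issuer:
        return False
    endpoint_keys = ("authorization_endpoint", "token_endpoint", "jwks_uri")
    return all(
        str(discovery_doc.get(k, "")).startswith(issuer) for k in endpoint_keys
    )


# Constructed sample discovery document, shaped like Dex's response (not captured).
SAMPLE_DISCOVERY = {
    "issuer": "https://my-instance.in-my-cloud.some-cloud.com/dex",
    "authorization_endpoint": "https://my-instance.in-my-cloud.some-cloud.com/dex/auth",
    "token_endpoint": "https://my-instance.in-my-cloud.some-cloud.com/dex/token",
    "jwks_uri": "https://my-instance.in-my-cloud.some-cloud.com/dex/keys",
}
```

Running the check against the in-cluster default instead of the public URL is the failure mode a connector outside the cluster would hit: the document's issuer would not match, so tokens would be rejected.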

syncronize-issues-to-jira[bot] commented 3 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5967.

This message was autogenerated

DnPlas commented 2 months ago

Fixed by #209