Context
Because the issuer URL in Dex's configuration could be either the application's Kubernetes Service DNS name + the dex endpoint (e.g. http://<dex-auth-app-name>.<namespace>.svc:5556/dex) or a publicly accessible IP/DNS name (e.g. http://foo.com/dex), this charm should be configurable for the latter case.
This task also requires the removal of the public-url configuration option as it has been considered misleading and should not be used. Please refer to https://github.com/canonical/bundle-kubeflow/issues/608 for more information.
For details about the design, please refer to this spec (internal only).
What needs to get done
    # dex-auth config.yaml
    dex-issuer-url:
      type: string
      default: ""
      description: |
        Format: http(s)://<publicly-accessible-dns-name>/dex
        (Also referred to as issuer) This is the canonical URL that OIDC clients MUST use to refer to dex. If not specified, it defaults to dex-auth's local endpoint constructed from dex-auth's Kubernetes Service DNS name, the Service port and Dex's endpoint, that is http://<dex-auth-app-name>.<namespace>.svc:5556/dex.
        The default is set by the charm code, not the configuration option.
        This configuration must be set when using a Dex connector that will try to reach Dex from outside the cluster, thus it should be a publicly accessible endpoint, for example:
        https://my-instance.in-my-cloud.some-cloud.com/dex
Remove any traces of the "public_url" value from the charm code
The issuer value will be set to either the default http://<dex-auth-app-name>.<namespace>.svc:5556/dex or model.config["dex-issuer-url"]
Add/modify tests appropriately
Definition of Done
The charm now gets the issuer value from either the configuration option or defaults to http://<dex-auth-app-name>.<namespace>.svc:5556/dex. This can be confirmed by checking the .well-known endpoint.
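An added illustration of the issuer selection and the .well-known check described in this issue; it is not the charm's code. The function names, the `dex-auth`/`kubeflow` sample values, the constructed discovery documents and the rule that advertised endpoints sit under the issuer are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

DEX_PORT = 5556  # Service port taken from the default URL quoted in the issue


def resolve_issuer(config, app_name, namespace):
    """Return config["dex-issuer-url"] if set, else the in-cluster default."""
    configured = (config.get("dex-issuer-url") or "").strip()
    if not configured:
        return f"http://{app_name}.{namespace}.svc:{DEX_PORT}/dex"
    parts = urlsplit(configured)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"expected http(s)://<dns-name>/dex, got {configured!r}")
    if parts.query or parts.fragment:
        raise ValueError("issuer URL must not carry a query or fragment")
    return configured


def discovery_problems(expected_issuer, discovery_json):
    """List mismatches between a discovery document and the expected issuer."""
    doc = json.loads(discovery_json)
    problems = []
    if doc.get("issuer") != expected_issuer:  # OIDC clients require an exact match
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    # Assumption: every advertised endpoint lives under the issuer URL.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = str(doc.get(key, ""))
        if not value.startswith(expected_issuer + "/"):
            problems.append(f"{key} {value!r} is not under the issuer")
    return problems


def sample_discovery(issuer):
    """Constructed stand-in for the body of <issuer>/.well-known/openid-configuration."""
    return json.dumps({
        "issuer": issuer,
        "authorization_endpoint": issuer + "/auth",
        "token_endpoint": issuer + "/token",
        "jwks_uri": issuer + "/keys",
    })


if __name__ == "__main__":
    cfg = {"dex-issuer-url": "https://my-instance.in-my-cloud.some-cloud.com/dex"}
    public = resolve_issuer(cfg, "dex-auth", "kubeflow")  # sample app/namespace
    local = resolve_issuer({}, "dex-auth", "kubeflow")
    print(discovery_problems(public, sample_discovery(public)))
    print(discovery_problems(public, sample_discovery(local)))
```

The second call models a Dex that still advertises the in-cluster issuer after the option was set, which is the mismatch the .well-known check is meant to catch.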