From f945f6a916055e749cebf9ce48360fe553515d4c Mon Sep 17 00:00:00 2001
From: "Shiba, Sidney"
Date: Wed, 30 Jun 2021 15:17:48 +0000
Subject: [PATCH] dex-aio - missing idp-ca.crt for refresh token

Once the id_token expires, kubectl uses the refresh token to obtain new id_token and refresh token. This process requires the attribute idp-certificate-authority under users.user.auth-provider.config in the kubeconfig file, which was missing when this file was generated. This patchset adds the attribute in values.yaml that will be used to generate the config.yaml file for the authenticator container, which will include the instructions for including the missing idp-certificate-authority and associated certificate in the kubeconfig file.

Also, added the namespace for the templates as dex needs to be deployed in the same namespace as the target-cluster management resources, e.g., target-infra.

Relates-to: #6
Change-Id: Ie871d1d47f160da035fdfa80016699c519d4c2dd
---
 charts/dex-aio/templates/Certificate-dex.yaml | 1 +
 charts/dex-aio/templates/ClusterRoleBinding-dex.yaml | 2 +-
 charts/dex-aio/templates/ConfigMap-dex.yaml | 1 +
 charts/dex-aio/templates/Deployment-dex.yaml | 1 +
 charts/dex-aio/templates/Role-dex.yaml | 1 +
 charts/dex-aio/templates/RoleBinding-dex.yaml | 4 ++--
 charts/dex-aio/templates/Secret-dex.yaml | 1 +
 charts/dex-aio/templates/Service-dex.yaml | 1 +
 charts/dex-aio/templates/ServiceAccount-dex.yaml | 1 +
 charts/dex-aio/values.yaml | 2 +-
 10 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/charts/dex-aio/templates/Certificate-dex.yaml b/charts/dex-aio/templates/Certificate-dex.yaml
index da55d135..268d0e2d 100644
--- a/charts/dex-aio/templates/Certificate-dex.yaml
+++ b/charts/dex-aio/templates/Certificate-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: cert-manager.io/v1alpha2
 kind: Certificate
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 spec:
   secretName: {{ template "helpers.labels.fullname" . }}-tls
diff --git a/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml b/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml
index d1d619bf..850dbbdc 100644
--- a/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml
+++ b/charts/dex-aio/templates/ClusterRoleBinding-dex.yaml
@@ -12,7 +12,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "helpers.labels.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "ClusterRoleBinding-dex" ) }}
\ No newline at end of file
diff --git a/charts/dex-aio/templates/ConfigMap-dex.yaml b/charts/dex-aio/templates/ConfigMap-dex.yaml
index b5f00bf0..95c1db7a 100644
--- a/charts/dex-aio/templates/ConfigMap-dex.yaml
+++ b/charts/dex-aio/templates/ConfigMap-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 data:
 {{- range $key, $value := .Values.config }}
diff --git a/charts/dex-aio/templates/Deployment-dex.yaml b/charts/dex-aio/templates/Deployment-dex.yaml
index adbcca76..fcf504be 100644
--- a/charts/dex-aio/templates/Deployment-dex.yaml
+++ b/charts/dex-aio/templates/Deployment-dex.yaml
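Review bot: The added `namespace: {{ .Values.namespace | default .Release.Namespace }}` line reads a `.Values.namespace` key that the values.yaml hunk in this same patch never declares, so the override is invisible to anyone reading the chart's defaults; the same line is added in ClusterRoleBinding-dex.yaml, ConfigMap-dex.yaml, Deployment-dex.yaml, Role-dex.yaml, RoleBinding-dex.yaml, Secret-dex.yaml, Service-dex.yaml and ServiceAccount-dex.yaml. I would declare it in values.yaml next to the other top-level keys as `# Namespace for every chart resource; must already exist (the chart does not appear to create it) and should match the target-cluster management namespace, e.g. target-infra. Empty means the Helm release namespace.` followed by `namespace: ""`, which still falls through `default` to `.Release.Namespace`. Worth a sentence in that comment as well: when this is set to a namespace other than the release's, the Secret holding the LDAP bind password and the Role/RoleBinding land outside the namespace the release was installed into, so whoever reviews RBAC for the release namespace alone will not see them — as far as this patch shows, nothing else ties those resources back to the release.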
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
   annotations:
     scheduler.alpha.kubernetes.io/critical-pod: ''
diff --git a/charts/dex-aio/templates/Role-dex.yaml b/charts/dex-aio/templates/Role-dex.yaml
index d343b133..48e86d8e 100644
--- a/charts/dex-aio/templates/Role-dex.yaml
+++ b/charts/dex-aio/templates/Role-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 rules:
 - apiGroups:
diff --git a/charts/dex-aio/templates/RoleBinding-dex.yaml b/charts/dex-aio/templates/RoleBinding-dex.yaml
index 561ffb46..b6610b38 100644
--- a/charts/dex-aio/templates/RoleBinding-dex.yaml
+++ b/charts/dex-aio/templates/RoleBinding-dex.yaml
@@ -5,7 +5,7 @@ kind: RoleBinding
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -13,7 +13,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ template "helpers.labels.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
 ...
 {{- end -}}
 {{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "RoleBinding-dex" ) }}
\ No newline at end of file
diff --git a/charts/dex-aio/templates/Secret-dex.yaml b/charts/dex-aio/templates/Secret-dex.yaml
index 5b777121..10f8ca6e 100644
--- a/charts/dex-aio/templates/Secret-dex.yaml
+++ b/charts/dex-aio/templates/Secret-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 data:
   ldap-bindpw: "{{ b64enc ( .Values.params.ldap.bind_password ) }}"
diff --git a/charts/dex-aio/templates/Service-dex.yaml b/charts/dex-aio/templates/Service-dex.yaml
index 4cc7ca89..5c359c72 100644
--- a/charts/dex-aio/templates/Service-dex.yaml
+++ b/charts/dex-aio/templates/Service-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 spec:
   type: NodePort
diff --git a/charts/dex-aio/templates/ServiceAccount-dex.yaml b/charts/dex-aio/templates/ServiceAccount-dex.yaml
index 931a6da7..bf21923a 100644
--- a/charts/dex-aio/templates/ServiceAccount-dex.yaml
+++ b/charts/dex-aio/templates/ServiceAccount-dex.yaml
@@ -4,6 +4,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ template "helpers.labels.fullname" . }}
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
   labels: {{- include "helpers.labels.labels" . | nindent 4 }}
 ...
 {{- end -}}
diff --git a/charts/dex-aio/values.yaml b/charts/dex-aio/values.yaml
index 01a16e23..2b352b6f 100644
--- a/charts/dex-aio/values.yaml
+++ b/charts/dex-aio/values.yaml
@@ -28,7 +28,6 @@ node_labels:
     key: node-role.kubernetes.io/master
     value: ""
-
 params:
   site:
     name: PDL1
@@ -165,6 +164,7 @@ config:
   web_path_prefix: "/ui"
   tls_cert: "/var/run/secrets/airshipit.org/tls/crt/tls.crt"
   tls_key: "/var/run/secrets/airshipit.org/tls/key/tls.key"
+  idp_ca_uri: "http://{{ .Values.params.endpoints.hostname }}:{{ .Values.params.endpoints.port.http }}/ca.crt"
   debug: true
 clusters:
 - client_id: "{{ .Values.params.oidc.client_id }}"
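Review bot: The new `idp_ca_uri` in the second values.yaml hunk publishes the IdP CA certificate over plain `http://` on `.Values.params.endpoints.port.http`, and per the commit message that certificate becomes the `idp-certificate-authority` a kubeconfig trusts for the refresh-token exchange; anything that can tamper with that network path can therefore hand the client a CA of its own choosing, and the TLS anchor is only as strong as the channel it was bootstrapped over. The patch does not show how the authenticator consumes the URI, so the exposure depends on whether the fetch happens inside the cluster or from an operator's workstation. I would serve the CA from a TLS endpoint, or distribute it in-band from the cert-manager Secret that Certificate-dex.yaml already names in `secretName`, and until then record the assumption above the key: `# CA is fetched over plain HTTP: trust it only on a network path that cannot be tampered with; prefer https or in-cluster distribution`. Note also that the value carries Go template text inside values.yaml, which presumably relies on the ConfigMap template rendering it with `tpl` — a one-line comment saying so would save the next reader a detour, since the ConfigMap hunk only shows a plain `range` over `.Values.config`.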