charts: import stable/dex 2.19.0

```
$ helm fetch -d charts --untar stable/dex
```

Closes: #2007

charts/dex/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj

charts/dex/Chart.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+appVersion: 2.19.0
+description: CoreOS Dex
+home: https://github.com/dexidp/dex/
+icon: https://github.com/dexidp/dex/raw/master/Documentation/logos/dex-glyph-color.png
+keywords:
+- dex
+- oidc
+maintainers:
+- email: [email protected]
+  name: kfox1111
+- email: [email protected]
+  name: sstarcher
+- email: [email protected]
+  name: rendhalver
+- email: [email protected]
+  name: vi7
+name: dex
+version: 2.4.0

charts/dex/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- desaintmartin
+- vi7
+reviewers:
+- desaintmartin
+- vi7

charts/dex/README.md

@@ -0,0 +1,102 @@
+# dex
+
+[Dex][dex] is an identity service that uses OpenID Connect to drive authentication for other apps.
+
+## Introduction
+
+Dex acts as a portal to other identity providers through "connectors." This lets dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory. Clients write their authentication logic once to talk to dex, then dex handles the protocols for a given backend.
+
+**Kubernetes authentication note**
+
+If you plan to use dex as a [Kubernetes OpenID Connect token authenticator plugin](http://kubernetes.io/docs/admin/authentication/#openid-connect-tokens) you'll need to additionally deploy some helper app which will provide authentication UI for users and talk to dex.
+
+Several helper apps are listed below:
+  - https://github.com/mintel/dex-k8s-authenticator
+  - https://github.com/heptiolabs/gangway
+  - https://github.com/micahhausler/k8s-oidc-helper
+  - https://github.com/negz/kuberos
+  - https://github.com/negz/kubehook
+  - https://github.com/fydrah/loginapp
+  - https://github.com/keycloak/keycloak
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```sh
+$ helm install --name my-release stable/dex
+```
+
+It'll install chart with the default parameters. However most probably it won't work for you as-is, thus before installing the chart you need to consult to the [values.yaml](values.yaml) notes as well as [dex documentation][dex].
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```sh
+$ helm delete --purge my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing release to a new major version
+
+A major chart version change (like v1.5.1 -> v2.0.0) indicates that there is an incompatible breaking change which requires manual actions.
+
+### Upgrade to v2.0.0
+
+Breaking changes which should be considered and require manual actions during release upgrade:
+
+- ability to switch grpc and https on and off via dedicated chart parameters
+- port definition for Pod, Service and dex config re-written from scratch
+- dex config is _not_ taken from `.Values.config` as-is anymore, pay attention!
+
+See the [Configuration](#configuration) section for the details on the parameters introduced in version 2.0.0.
+
+Moreover, this release updates all the labels to the new [recommended labels](https://github.com/helm/charts/blob/master/REVIEW_GUIDELINES.md#names-and-labels), most of them being immutable.
+
+In order to upgrade, please update your values file and uninstall/reinstall the chart.
+
+## Configuration
+
+Parameters introduced starting from v2
+
+| Parameter | Description | Default |
+| --------- | ----------- | ------- |
+| `certs.grpc.pod.annotations` | Annotations for the pod created by the `grpc-certs` job | `{}` |
+| `certs.web.pod.annotations` | Annotations for the pod created by the `web-certs` job | `{}` |
+| `config.connectors` | Maps to the dex config `connectors` dict param | `{}` |
+| `config.enablePasswordDB` | Maps to the dex config `enablePasswordDB` param | `true` |
+| `config.frontend` | Maps to the dex config `frontend` dict param | `""` |
+| `config.grpc.address` | dex grpc listen address | `127.0.0.1` |
+| `config.grpc.tlsCert` | Maps to the dex config `grpc.tlsCert` param | `/etc/dex/tls/grpc/server/tls.crt` |
+| `config.grpc.tlsClientCA` | Maps to the dex config `grpc.tlsClientCA` param | `/etc/dex/tls/grpc/ca/tls.crt` |
+| `config.grpc.tlsKey` | Maps to the dex config `grpc.tlsKey` param | `/etc/dex/tls/grpc/server/tls.key` |
+| `config.issuer` | Maps to the dex config `issuer` param | `http://dex.io:8080` |
+| `config.logger` | Maps to the dex config `logger` dict param | `{"level": "debug"}` |
+| `config.oauth2.alwaysShowLoginScreen` | Maps to the dex config `oauth2.alwaysShowLoginScreen` param | `false` |
+| `config.oauth2.skipApprovalScreen` | Maps to the dex config `oauth2.skipApprovalScreen` param | `true` |
+| `config.staticClients` | Maps to the dex config `staticClients` list param | `""` |
+| `config.staticPasswords` | Maps to the dex config `staticPasswords` list param | `""` |
+| `config.storage` | Maps to the dex config `storage` dict param | `{"type": "kubernetes", "config": {"inCluster": true}}` |
+| `config.web.address` | dex http/https listen address | `0.0.0.0` |
+| `config.web.tlsCert` | Maps to the dex config `web.tlsCert` param | `/etc/dex/tls/https/server/tls.crt` |
+| `config.web.tlsKey` | Maps to the dex config `web.tlsKey` param | `/etc/dex/tls/https/server/tls.key` |
+| `config.expiry.signingKeys` | Maps to the dex config `expiry.signingKeys` param | `6h` |
+| `config.expiry.idTokens` | Maps to the dex config `expiry.idTokens` param | `24h` |
+| `grpc` | Enable dex grpc endpoint | `true` |
+| `https` | Enable TLS termination for the dex http endpoint | `false` |
+| `ports.grpc.containerPort` | grpc port listened by the dex | `5000` |
+| `ports.grpc.nodePort` | K8S Service node port for the dex grpc listener | `35000` |
+| `ports.grpc.servicePort` | K8S Service port for the dex grpc listener | `35000` |
+| `ports.web.containerPort` | http/https port listened by the dex | `5556` |
+| `ports.web.nodePort` | K8S Service node port for the dex http/https listener | `32000` |
+| `ports.web.servicePort` | K8S Service port for the dex http/https listener | `32000` |
+| `service.loadBalancerIP` | IP override for K8S LoadBalancer Service | `""` |
+
+
+
+Check [values.yaml](values.yaml) notes together with [dex documentation][dex] and [config examples](https://github.com/dexidp/dex/tree/master/examples) for all the possible configuration options.
+
+
+[dex]: https://github.com/dexidp/dex

charts/dex/config/openssl.conf

@@ -0,0 +1,82 @@
+# OpenSSL configuration file.
+# Adapted from https://github.com/coreos/matchbox/blob/master/examples/etc/matchbox/openssl.conf
+
+# default environment variable values
+SAN =
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+# certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/intermediate-ca.crl
+crl_extensions    = crl_ext
+default_crl_days  = 30
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 375
+preserve          = no
+policy            = policy_loose
+
+[ policy_loose ]
+# Allow the CA to sign a range of certificates.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# `man req`
+default_bits        = 4096
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+default_md          = sha256
+
+[ req_distinguished_name ]
+countryName                    = Country Name (2 letter code)
+stateOrProvinceName            = State or Province Name
+localityName                   = Locality Name
+0.organizationName             = Organization Name
+organizationalUnitName         = Organizational Unit Name
+commonName                     = Common Name
+
+# Certificate extensions (`man x509v3_config`)
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+
+[ server_cert ]
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = $ENV::SAN

charts/dex/templates/NOTES.txt

@@ -0,0 +1,20 @@
+1. Get the application URL by running these commands:
+
+{{- if .Values.ingress.enabled }}
+{{- range .Values.ingress.hosts }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "dex.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo https://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get svc -w {{ template "dex.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "dex.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo https://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "dex.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit https://127.0.0.1:8080/.well-known/openid-configuration to use your application"
+  kubectl port-forward $POD_NAME 8080:5556
+{{- end }}

charts/dex/templates/_helpers.tpl

@@ -0,0 +1,56 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dex.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dex.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dex.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "dex.labels" -}}
+app.kubernetes.io/name: {{ include "dex.name" . }}
+helm.sh/chart: {{ include "dex.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dex.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "dex.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/dex/templates/clusterrole.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+{{ include "dex.labels" . | indent 4 }}
+  name: {{ template "dex.fullname" . }}
+rules:
+- apiGroups: ["dex.coreos.com"] # API group created by dex
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
+{{- end -}}

charts/dex/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+{{ include "dex.labels" . | indent 4 }}
+  name: {{ template "dex.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "dex.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "dex.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

charts/dex/templates/config-openssl.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.grpc .Values.certs.grpc.create }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+{{ include "dex.labels" . | indent 4 }}
+  name: {{ template "dex.fullname" . }}-openssl-config
+data:
+  openssl.conf: |
+{{ .Files.Get "config/openssl.conf" | indent 4 }}
+{{- end }}