Generate CA on the fly

Author: NickCao

action.yml

@@ -27,23 +27,42 @@ runs:
         repository: jumpstarter-dev/jumpstarter
         ref: ${{ inputs.jumpstarter-ref }}
         path: jumpstarter
-    - name: Deploy jumpstarter controller
+    - name: Deploy dex
       shell: bash
       run: |
-        cp "$GITHUB_ACTION_PATH"/values.kind.yaml ./controller/deploy/helm/jumpstarter/values.kind.yaml
+        sudo apt-get update
+        sudo apt-get install -y easy-rsa
+
+        export EASYRSA_BATCH=1
+        export EASYRSA_PKI=pki
+        /usr/share/easy-rsa/easyrsa init-pki
+        /usr/share/easy-rsa/easyrsa --no-pass build-ca
+        /usr/share/easy-rsa/easyrsa --no-pass build-server-full dex.dex.svc.cluster.local
+
         cp "$GITHUB_ACTION_PATH"/kind_cluster.yaml ./controller/hack/kind_cluster.yaml
-        make -C controller deploy
+        make -C controller cluster
+
+        kubectl create namespace dex
+        kubectl -n dex create secret tls dex-tls \
+          --cert=pki/issued/dex.dex.svc.cluster.local.crt \
+          --key=pki/private/dex.dex.svc.cluster.local.key
+
+        go run github.com/mikefarah/yq/v4@latest -i \
+          '.jumpstarter-controller.authenticationConfig = (.jumpstarter-controller.authenticationConfig | from_yaml | .jwt[0].issuer.certificateAuthority = load_str("pki/ca.crt") | to_yaml)' \
+          "$GITHUB_ACTION_PATH"/values.kind.yaml
+
         # important!
         kubectl create clusterrolebinding oidc-reviewer  \
          --clusterrole=system:service-account-issuer-discovery \
          --group=system:unauthenticated
-    - name: Deploy dex
-      shell: bash
-      run: |
-        kubectl create namespace dex
-        kubectl apply -f "$GITHUB_ACTION_PATH"/dex.yaml
+
         helm repo add dex https://charts.dexidp.io
         helm install --namespace dex --wait -f "$GITHUB_ACTION_PATH"/dex.values.yaml dex dex/dex
+    - name: Deploy jumpstarter controller
+      shell: bash
+      run: |
+        cp "$GITHUB_ACTION_PATH"/values.kind.yaml ./controller/deploy/helm/jumpstarter/values.kind.yaml
+        make -C controller deploy
     - name: Install jumpstarter
       shell: bash
       run: |
@@ -56,7 +75,7 @@ runs:
     - name: Run jumpstarter
       shell: bash
       run: |
-        sudo cp "$GITHUB_ACTION_PATH"/minica.pem /usr/local/share/ca-certificates/minica.crt
+        sudo cp pki/ca.crt /usr/local/share/ca-certificates/ca.crt
         sudo update-ca-certificates
 
         echo "127.0.0.1 dex.dex.svc.cluster.local" | sudo tee -a /etc/hosts

dex.yaml

@@ -10,34 +10,12 @@ jumpstarter-controller:
     apiVersion: jumpstarter.dev/v1alpha1
     kind: AuthenticationConfiguration
     jwt:
-    - issuer:
-        url: https://kubernetes.default.svc.cluster.local
-        audiences:
-        - https://kubernetes.default.svc.cluster.local
-        audienceMatchPolicy: MatchAny
-      claimMappings:
-        username:
-          claim: "sub"
-          prefix: "kubernetes:"
     - issuer:
         url: https://dex.dex.svc.cluster.local:5556
         audiences:
         - jumpstarter-cli
         audienceMatchPolicy: MatchAny
-        certificateAuthority: |
-          -----BEGIN CERTIFICATE-----
-          MIIB/DCCAYKgAwIBAgIIcpC2uS+SjEIwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
-          bWluaWNhIHJvb3QgY2EgNzI5MGI2MCAXDTI1MDIwMzE5MzMyNVoYDzIxMjUwMjAz
-          MTkzMzI1WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3MjkwYjYwdjAQBgcq
-          hkjOPQIBBgUrgQQAIgNiAAQzezKJ4My35HPeoJvvzTjhS2uJMBYrYfrs5csxZjiy
-          q8ORrHM539XhWlA6sVZODhzcF2KL4mC9xKz/yIrsws+LKsIWNHGGmIPEKFYnHBGw
-          VBGeARvhpzZP/9frJXAN/8ejgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW
-          MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
-          DgQWBBSZRBCUuP3ta2xsfjnWIjvgvz4fojAfBgNVHSMEGDAWgBSZRBCUuP3ta2xs
-          fjnWIjvgvz4fojAKBggqhkjOPQQDAwNoADBlAjADql5Ks5wh181iUa1ZBnx4XOVe
-          l0l7I+mwlwJSPmkZHxruWZTx7gQU4tfDCr+UuzUCMQC2aDXRb17cphipK4gzbExv
-          EDLExjhHAqMPrKDmT0jHIi7Bbos38/1tyZ/IoKjLnv0=
-          -----END CERTIFICATE-----
+        certificateAuthority: placeholder
       claimMappings:
         username:
           claim: "name"