Skip to content

ttab/elsinod

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.github
.github
 
 
assets
assets
 
 
chart
chart
 
 
cmd/elsinod
cmd/elsinod
 
 
howdah
howdah
 
 
internal
internal
 
 
locales
locales
 
 
magefiles
magefiles
 
 
migrations
migrations
 
 
postgres
postgres
 
 
schema
schema
 
 
templates
templates
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
editorial-repository.minikube.yaml
editorial-repository.minikube.yaml
 
 
elephant-chrome.minikube.yaml
elephant-chrome.minikube.yaml
 
 
elephant-index.minikube.yaml
elephant-index.minikube.yaml
 
 
elephant-spell.minikube.yaml
elephant-spell.minikube.yaml
 
 
elephant-user.minikube.yaml
elephant-user.minikube.yaml
 
 
elsinod.minikube.yaml
elsinod.minikube.yaml
 
 
embed.go
embed.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
sqlc.yaml
sqlc.yaml
 
 

Repository files navigation

Elsinod - Elephant single node helper

Elsinod is a helper service that acts as a dummy OIDC provider for a minikube environment built using elephant Helm charts. It also bootstraps Postgres with service databases and schemas and creates buckets in Minio.

Minikube

Build custom images into minikube by:

eval $(minikube docker-env)
docker build . -t ghcr.io/ttab/elsinod:v0.0.0

ghcr.io credentials

Create secret for pulling images from ghcr.io:

kubectl create secret docker-registry ghcr-pull-secret --docker-server https://ghcr.io/ \
    --docker-username hugowetterberg --docker-password $(pass ghcr.io)

pass is just a utility I use for storing credentials for command line use. Substitute with actual token or your password tool.

DNS

For local testing i configured ingress DNS by following this guide (all the way to step 4): https://minikube.sigs.k8s.io/docs/handbook/addons/ingress-dns/

We need to do step 4 "Configure in-cluster DNS server to resolve local DNS names inside cluster" otherwise applications won't be able to resolve the host of the endpoints specified in the elsinod OIDC configuration:

{
  "issuer": "https://elsinod.demo.ecms.test",
  "authorization_endpoint": "https://elsinod.demo.ecms.test/protocol/openid-connect/auth",
  "token_endpoint": "https://elsinod.demo.ecms.test/token",

TLS

Set up TLS https://minikube.sigs.k8s.io/docs/tutorials/custom_cert_ingress/:

mkcert demo.ecms.test "*.demo.ecms.test" "*.api.demo.ecms.test"
kubectl -n kube-system create secret tls mkcert --key demo.ecms.test+2-key.pem --cert demo.ecms.test+2.pem

Create a secret for the mkcert CA so that we can mount it in containers:

kubectl create secret generic mkcert-ca --from-file=$HOME/.local/share/mkcert/rootCA.pem

This is needed for containers to communicate with elsinod without SSL errors.

Bruno

To be able to use bruno with self signed certificates, configure the $HOME/.local/share/mkcert/rootCA.pem in the Bruno settings panel.

The access token renewal script uses the standard node fetch implementation rather than the one that Bruno uses for requests. Start bruno with NODE_EXTRA_CA_CERTS to get node to trust elsinod:

$ export NODE_EXTRA_CA_CERTS=$HOME/.local/share/mkcert/rootCA.pem
$ bruno

You can, of course, set this for your shell so that both Bruno and other node apps trust your local mkcert from now on.

About

Elephant single node helper

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

8 tags

Packages

 
 
 

Contributors

Languages