Helm charts for 'dex' and 'dex-k8s-authenticator' available
I've made Helm charts for both dex and dex-k8s-authenticator. You can deploy just dex, or deploy it together with the dex-k8s-authenticator helper UI. dex can be deployed into kube-system or into its own namespace with appropriate RBAC.
https://github.com/mintel/dex-k8s-authenticator/tree/master/charts
The chart settings support multiple connectors, including multiple of the same type. The helper app supports multiple clusters using dex.
These charts make installing and using dex with Kubernetes very easy. Can we add references to these charts in the Kubernetes page?
Installing dex with web UI for configuring 'kubectl'
git clone git@github.com:mintel/dex-k8s-authenticator.git
cd dex-k8s-authenticator
helm inspect values charts/dex > dex.yaml
helm inspect values charts/dex-k8s-authenticator > dex-k8s-authenticator.yaml
Edit the values files for your environment and requirements (dex.yaml and dex-k8s-authenticator.yaml).
Create the DNS names for your dex (e.g. 'dex.example.com') and dex-k8s-authenticator (e.g. 'login.example.com') pointed at the ingress controller you are using. Be sure to enable HTTPS. You can install cert-manager to automatically issue Let's Encrypt certificates.
You also need to configure each Kubernetes cluster to use dex at e.g. 'dex.example.com' by setting the OIDC parameters for the Kubernetes API server.
helm install --namespace dex --values dex.yaml charts/dex
helm install --namespace dex --values dex-k8s-authenticator.yaml charts/dex-k8s-authenticator
Navigate to https://login.example.com and follow the instructions to authenticate using dex and configure kubectl.
Why does it include both a RoleBinding and a ClusterRoleBinding for the ServiceAccount?
Hi @colemickens, the RoleBinding and the ClusterRoleBinding are binding different permissions (check the roleRef). dex needs minimal permissions across the whole cluster, but more permissions in the namespace where it is running.
There is a ClusterRole and ClusterRoleBinding for the minimal whole-cluster permissions, and the Role and RoleBinding for the extra permissions needed just in the namespace where dex is actually running.
Does that make sense?
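The split described in the reply above can be checked by following each binding's roleRef and grouping the granted rules by scope. This is an added example, not part of the thread or the chart: the sample objects are constructed in the shape of `kubectl get ... -o json` items, and their names and rules are illustrative assumptions rather than the chart's actual RBAC.

```python
# Constructed sample objects (shape of `kubectl get -o json` items); names and
# rules are illustrative assumptions, not copied from the mintel chart.
OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "dex"},
     "rules": [{"apiGroups": ["apiextensions.k8s.io"],
                "resources": ["customresourcedefinitions"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "dex", "namespace": "dex"},
     "rules": [{"apiGroups": ["dex.coreos.com"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dex"},
     "roleRef": {"kind": "ClusterRole", "name": "dex"},
     "subjects": [{"kind": "ServiceAccount", "name": "dex", "namespace": "dex"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dex", "namespace": "dex"},
     "roleRef": {"kind": "Role", "name": "dex"},
     "subjects": [{"kind": "ServiceAccount", "name": "dex", "namespace": "dex"}]},
]

def effective_rules(objects, sa_name, sa_namespace):
    """Return {scope: [rule, ...]} for one ServiceAccount, where scope is
    'cluster' or 'namespace/<ns>', by following each binding's roleRef."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    granted = {}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace
                   for s in b.get("subjects", [])):
            continue
        ns = b["metadata"].get("namespace") if b["kind"] == "RoleBinding" else None
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant stays namespaced.
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        scope = f"namespace/{ns}" if ns else "cluster"
        granted.setdefault(scope, []).extend(role["rules"] if role else [])
    return granted

def cluster_wide_wildcards(granted):
    """Rules using '*' verbs or resources at cluster scope (worth reviewing)."""
    return [r for r in granted.get("cluster", [])
            if "*" in r.get("verbs", []) or "*" in r.get("resources", [])]

if __name__ == "__main__":
    g = effective_rules(OBJECTS, "dex", "dex")
    for scope, rules in sorted(g.items()):
        print(scope, rules)
    print("cluster-wide wildcards:", cluster_wide_wildcards(g))
```
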
Any chance we can merge your dex chart into the official helm/charts for dex? https://github.com/helm/charts/tree/master/stable/dex
Adding your dex-k8s-authenticator chart to helm/charts would also be awesome.
I am happy to assist with that.
Hi @rendhalver, please do!
Ok awesome. I will see what's different in your chart and see about getting the changes added.
+1 I've been using mintel/dex-k8s-authenticator with great results
@whereisaaron @rendhalver Any update on getting these charts merged into the official helm charts?
@rendhalver I'm currently maintaining dex-k8s-authenticator.
I'd like to help out with this - essentially we should remove the existing mintel dex helm chart that is currently here and contribute to the official one.
Some differences I've spotted in the charts are:
- Support for nodeSelector/toleration/affinity (could just raise a case on the official dex chart repo to support this if not already).
- Some differences in how we manage tls certs (end result should be the same though).
I've created a case for this here: https://github.com/mintel/dex-k8s-authenticator/issues/73
I can spend time (after next week) to progress this.
Regarding getting dex-k8s-authenticator into the official helm-charts, I'll take a look at the contributing guide and make sure we're following the guidelines. :+1:
Sure @nabadger. Ping me on Kube Slack and we can work something out.
@rendhalver great will do - I'll be away for a week, so will get in touch soon. Thanks again
Cheers people. I haven't done much more with the helm charts I made because I have been using EKS more and they block the use of OIDC, you have to use AWS IAM 😢. Though there is a request to try and allow OIDC on EKS so I can use dex+dex-k8s-authenticator again. 🙏
It would be nice to try and make this an operator
Hello everyone,
I'm doing a project to administer a Kubernetes cluster from scratch using kubeadm. I would like to use dex and dex-k8s-authenticator for authentication on my API server. Can this documentation still be implemented in a Kubernetes cluster?