OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
Homepage: https://dexidp.io/
helm repo add dex https://charts.dexidp.io
helm install --generate-name --wait dex/dexDex requires a minimal configuration in order to work. You can pass configuration to Dex using Helm values:
config:
# Set it to a valid URL
issuer: http://my-issuer-url.com
# See https://dexidp.io/docs/storage/ for more options
storage:
type: memory
# Enable at least one connector
# See https://dexidp.io/docs/connectors/ for more options
enablePasswordDB: trueThe above configuration won't make Dex automatically available on the configured URL. One (and probably the easiest) way to achieve that is configuring ingress:
ingress:
enabled: true
hosts:
- host: my-issuer-url.com
paths:
- path: /HTTPS is basically mandatory these days, especially for authentication and authorization services. There are several solutions for protecting services with TlS in Kubernetes, but by far the most popular and portable is undoubtedly Cert Manager.
Cert Manager can be installed with a few steps:
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--set installCRDs=trueThe next step is setting up an issuer (eg. Let's Encrypt):
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme
spec:
acme:
email: YOUR@EMAIL_ADDRESS
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme-account-key
solvers:
- http01:
ingress:
class: YOUR_INGRESS_CLASS
EOFFinally, change the ingress config to use TLS:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: acme
hosts:
- host: my-issuer-url.com
paths:
- path: /
tls:
- hosts:
- my-issuer-url.com
secretName: dex-cert| Key | Type | Default | Description |
|---|---|---|---|
| replicaCount | int | 1 |
Number of replicas (pods) to launch. |
| commonLabels | object | {} |
Labels to apply to all resources and selectors. |
| image.repository | string | "ghcr.io/dexidp/dex" |
Name of the image repository to pull the container image from. |
| image.pullPolicy | string | "IfNotPresent" |
Image pull policy for updating already existing images on a node. |
| image.tag | string | "" |
Image tag override for the default value (chart appVersion). |
| imagePullSecrets | list | [] |
Reference to one or more secrets to be used when pulling images (from private registries). |
| nameOverride | string | "" |
A name in place of the chart name for app: labels. |
| fullnameOverride | string | "" |
A name to substitute for the full names of resources. |
| hostAliases | list | [] |
A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the API reference |
| https.enabled | bool | false |
Enable the HTTPS endpoint. |
| grpc.enabled | bool | false |
Enable the gRPC endpoint. Read more in the documentation. |
| configSecret.create | bool | true |
Enable creating a secret from the values passed to config. If set to false, name must point to an existing secret. |
| configSecret.name | string | "" |
The name of the secret to mount as configuration in the pod. If not set and create is true, a name is generated using the fullname template. Must point to secret that contains at least a config.yaml key. |
| config | object | {} |
Application configuration. See the official documentation. |
| volumes | list | [] |
Additional storage volumes. See the API reference for details. |
| volumeMounts | list | [] |
Additional volume mounts. See the API reference for details. |
| envFrom | list | [] |
Additional environment variables mounted from secrets or config maps. See the API reference for details. |
| env | object | {} |
Additional environment variables passed directly to containers. See the API reference for details. |
| envVars | list | [] |
Similar to env but with support for all possible configurations. See the API reference for details. |
| serviceAccount.create | bool | true |
Enable service account creation. |
| serviceAccount.annotations | object | {} |
Annotations to be added to the service account. |
| serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| rbac.create | bool | true |
Specifies whether RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources based on the templates. |
| rbac.createClusterScoped | bool | true |
Specifies which RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's) |
| deploymentAnnotations | object | {} |
Annotations to be added to deployment. |
| deploymentLabels | object | {} |
Labels to be added to deployment. |
| podAnnotations | object | {} |
Annotations to be added to pods. |
| podLabels | object | {} |
Labels to be added to pods. |
| podDisruptionBudget.enabled | bool | false |
Enable a pod distruption budget to help dealing with disruptions. It is highly recommended for webhooks as disruptions can prevent launching new pods. |
| podDisruptionBudget.minAvailable | int/percentage | nil |
Number or percentage of pods that must remain available. |
| podDisruptionBudget.maxUnavailable | int/percentage | nil |
Number or percentage of pods that can be unavailable. |
| priorityClassName | string | "" |
Specify a priority class name to set pod priority. |
| podSecurityContext | object | {} |
Pod security context. See the API reference for details. |
| revisionHistoryLimit | int | 10 |
Define the count of deployment revisions to be kept. May be set to 0 in case of GitOps deployment approach. |
| securityContext | object | {} |
Container security context. See the API reference for details. |
| service.annotations | object | {} |
Annotations to be added to the service. |
| service.type | string | "ClusterIP" |
Kubernetes service type. |
| service.clusterIP | string | "" |
Internal cluster service IP (when applicable) |
| service.ports.http.port | int | 5556 |
HTTP service port |
| service.ports.http.nodePort | int | nil |
HTTP node port (when applicable) |
| service.ports.https.port | int | 5554 |
HTTPS service port |
| service.ports.https.nodePort | int | nil |
HTTPS node port (when applicable) |
| service.ports.grpc.port | int | 5557 |
gRPC service port |
| service.ports.grpc.nodePort | int | nil |
gRPC node port (when applicable) |
| ingress.enabled | bool | false |
Enable ingress. |
| ingress.className | string | "" |
Ingress class name. |
| ingress.annotations | object | {} |
Annotations to be added to the ingress. |
| ingress.hosts | list | See values.yaml. | Ingress host configuration. |
| ingress.tls | list | See values.yaml. | Ingress TLS configuration. |
| serviceMonitor.enabled | bool | false |
Enable Prometheus ServiceMonitor. See the documentation and the API reference for details. |
| serviceMonitor.namespace | string | Release namespace. | Namespace where the ServiceMonitor resource should be deployed. |
| serviceMonitor.interval | duration | nil |
Prometheus scrape interval. |
| serviceMonitor.scrapeTimeout | duration | nil |
Prometheus scrape timeout. |
| serviceMonitor.labels | object | {} |
Labels to be added to the ServiceMonitor. |
| serviceMonitor.annotations | object | {} |
Annotations to be added to the ServiceMonitor. |
| serviceMonitor.scheme | string | "" |
HTTP scheme to use for scraping. Can be used with tlsConfig for example if using istio mTLS. |
| serviceMonitor.path | string | "/metrics" |
HTTP path to scrape for metrics. |
| serviceMonitor.tlsConfig | object | {} |
TLS configuration to use when scraping the endpoint. For example if using istio mTLS. |
| serviceMonitor.bearerTokenFile | string | nil |
Prometheus scrape bearerTokenFile |
| serviceMonitor.honorLabels | bool | false |
HonorLabels chooses the metric's labels on collisions with target labels. |
| serviceMonitor.metricRelabelings | list | [] |
Prometheus scrape metric relabel configs to apply to samples before ingestion. |
| serviceMonitor.relabelings | list | [] |
Relabel configs to apply to samples before ingestion. |
| resources | object | No requests or limits. | Container resource requests and limits. See the API reference for details. |
| autoscaling | object | Disabled by default. | Autoscaling configuration (see values.yaml for details). |
| nodeSelector | object | {} |
Node selector configuration. |
| tolerations | list | [] |
Tolerations for node taints. See the API reference for details. |
| affinity | object | {} |
Affinity configuration. See the API reference for details. |
| topologySpreadConstraints | list | [] |
TopologySpreadConstraints configuration. See the API reference for details. |
| strategy | object | {} |
Deployment strategy configuration. |
| networkPolicy.enabled | bool | false |
Create Network Policies |
| networkPolicy.egressRules | list | [] |
A list of network policy egress rules |
This chart is not backwards compatible with the stable/dex (or banzaicloud-stable/dex) chart.
However, Dex itself remains backwards compatible, so you can easily install the new chart in place of the old one and continue using Dex with a minimal downtime.