@johanot
Created October 30, 2018 16:37
apiVersion: apps/v1   # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
spec:
  replicas: 4
  selector:   # mandatory under apps/v1 and must match the pod template labels
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      serviceAccountName: dex
      containers:
      - image: "quay.io/dexidp/dex:v2.12.0"
        imagePullPolicy: Never # Must be pre-seeded to nodes
        name: dex
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
        ports:
        - name: https
          containerPort: 5556
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
        - name: https
          # A dedicated path: /var/run/secrets is the parent of the default
          # service-account token mount, which the kubernetes storage backend
          # configured below needs in order to reach the API server.
          mountPath: /etc/dex/tls
          readOnly: true
      volumes:
      - name: config
        configMap:
          name: dex
          items:
          - key: config.yaml
            path: config.yaml
      - name: https
        secret:
          secretName: dex-https   # serving certificate and key, created separately
          items:
          - key: cert
            path: cert.pem
          - key: key
            path: key.pem
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
data:
  config.yaml: |
    # ${CLUSTERDOMAIN} is a template placeholder for the cluster DNS suffix;
    # nothing in the pod sets it, so it must be rendered before kubectl apply.
    # The issuer must match the kube-apiserver --oidc-issuer-url exactly, and
    # the certificate in dex-https must be valid for this host name.
    issuer: https://dex.default.svc.${CLUSTERDOMAIN}:5556
    storage:
      type: kubernetes   # state lives in dex's CRDs, accessed with the pod's service-account token
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/cert.pem
      tlsKey: /etc/dex/tls/key.pem
    expiry:
      # signingKeys: 1m
      idTokens: 1h
    connectors:
    - type: ldap
      id: ldap
      name: ldap
      config:
        insecureNoSSL: false   # LDAPS on 636, as the NetworkPolicy egress rule expects
        # true disables validation of the LDAP server certificate, so anyone
        # who can intercept the connection can answer binds and capture the
        # bind password. In production set it to false and point rootCA at
        # the directory's CA bundle.
        insecureSkipVerify: true
        host: "HOST"
        bindDN: "DN"
        # A ConfigMap is not a Secret: anyone who can read ConfigMaps in the
        # namespace can read this value. Keep the real password in a Secret.
        bindPW: "SECRET"
        userSearch:
          baseDN: "dc=dbc,dc=dk"
          emailAttr: "mail"
          filter: "(objectClass=person)"   # AND-ed with (uid=<login>) at search time
          idAttr: "DN"
          nameAttr: "cn"
          username: "uid"
        groupSearch:
          baseDN: "dc=dbc,dc=dk"
          filter: "(objectClass=group)"    # AND-ed with (member=<user DN>)
          groupAttr: "member"
          nameAttr: "name"
          userAttr: "DN"
    oauth2:
      skipApprovalScreen: true
    staticClients:
    - id: kube-login
      secret: SECRET   # replace with a long random value; it authenticates the client at the token endpoint
      name: 'kube-login'
      # Plain-HTTP callbacks carry the authorization code in clear text across
      # the cluster network; serve both clients over https where possible.
      redirectURIs:
      - 'http://kube-login.default.svc.${CLUSTERDOMAIN}:5555/callback'
      - 'http://oauth2-proxy.default.svc.${CLUSTERDOMAIN}:4180/oauth2/callback'
---
apiVersion: v1
kind: Service
metadata:
  name: dex
spec:
  type: ClusterIP
  ports:
  - name: dex
    port: 5556
    protocol: TCP
  selector:
    app: dex
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dex
rules:
- apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  # To manage its own resources, the identity must be able to create
  # customresourcedefinitions. This grant is cluster-wide; it exists so dex
  # can register its CRDs on first start and should not be widened beyond create.
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
subjects:
- kind: ServiceAccount
  name: dex # Service account assigned to the dex pod.
  namespace: default # The namespace dex is running in.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dex   # created in whichever namespace kubectl applies to; the binding above assumes default
---
apiVersion: networking.k8s.io/v1   # extensions/v1beta1 NetworkPolicy was removed in Kubernetes 1.16
kind: NetworkPolicy
metadata:
  name: dex
spec:
  podSelector:
    matchLabels:
      app: dex
  policyTypes:
  - Ingress
  # Only Ingress is enforced. Because Egress is absent from policyTypes, the
  # egress block below is accepted by the API server but never applied, so the
  # pods' outbound traffic is unrestricted. Enforcing it needs Egress listed
  # here plus rules for DNS (53 UDP and TCP) and for the kube-apiserver, which
  # the kubernetes storage backend talks to; LDAPS alone would break dex.
  ingress:
  - ports:   # no "from": every peer may reach 5556
    - port: 5556
      protocol: TCP
  egress:
  - ports:
    - port: 636
      protocol: TCP
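The userSearch and groupSearch blocks only make sense once you know how the connector combines them with the value typed at login. As an added illustration (my own code, not dex's), the functions below mirror the connector's documented behaviour: the configured filter is AND-ed with (<username attribute>=<login>) for the user lookup and with (<groupAttr>=<the user's userAttr value>) for the group lookup, and the untrusted value is escaped per RFC 4515 so it cannot change the structure of the filter. Escaping non-ASCII bytes as hex is an assumption that matches go-ldap's EscapeFilter; USER_SEARCH and GROUP_SEARCH are constructed to match the config above, and the unescaped variant is included only to show what LDAP injection looks like.

```python
"""How the LDAP connector settings above turn a login into directory searches.

Added example, not dex's code: a minimal implementation of the documented
behaviour (configured filter AND-ed with the attribute assertion, value escaped
per RFC 4515). Hex-escaping of non-ASCII bytes is an assumption matching go-ldap.
"""

# Constructed to match the userSearch / groupSearch blocks in the ConfigMap above.
USER_SEARCH = {"baseDN": "dc=dbc,dc=dk", "filter": "(objectClass=person)",
               "username": "uid", "idAttr": "DN", "nameAttr": "cn", "emailAttr": "mail"}
GROUP_SEARCH = {"baseDN": "dc=dbc,dc=dk", "filter": "(objectClass=group)",
                "groupAttr": "member", "userAttr": "DN", "nameAttr": "name"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: backslash, *, (, ), NUL and every non-ASCII byte become \\XX."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b >= 0x80:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def _and_with(base_filter: str, assertion: str) -> str:
    """Wrap the configured filter and the assertion in an AND; no filter means the assertion alone."""
    return f"(&{base_filter}{assertion})" if base_filter else assertion


def user_search_filter(user_search: dict, login: str) -> str:
    """Filter for the entry whose <username> attribute equals the typed login."""
    return _and_with(user_search.get("filter", ""),
                     f"({user_search['username']}={escape_filter_value(login)})")


def group_search_filter(group_search: dict, user_value: str) -> str:
    """Filter for groups whose <groupAttr> contains the user's <userAttr> value
    (with userAttr: DN that value is the user entry's distinguished name)."""
    return _and_with(group_search.get("filter", ""),
                     f"({group_search['groupAttr']}={escape_filter_value(user_value)})")


def unescaped_user_search_filter(user_search: dict, login: str) -> str:
    """The same user filter without escaping: the shape LDAP injection exploits."""
    return _and_with(user_search.get("filter", ""), f"({user_search['username']}={login})")


if __name__ == "__main__":
    hostile = "*)(uid=*"  # constructed hostile login value
    print(user_search_filter(USER_SEARCH, "jdoe"))
    print(user_search_filter(USER_SEARCH, hostile))            # a literal uid value, matches nothing
    print(unescaped_user_search_filter(USER_SEARCH, hostile))  # (uid=*)(uid=*): matches every person
    print(group_search_filter(GROUP_SEARCH, "uid=jdoe,ou=people,dc=dbc,dc=dk"))
```

With escaping, the hostile login becomes a uid of eight literal characters; without it, the same string rewrites the filter so that the search no longer identifies one person. Commas in a DN are not filter metacharacters, so the group lookup passes the DN through unchanged.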
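Most of the weak spots in this manifest are the kind a static check can catch before kubectl apply. The script below is an added example, not code from the gist or from dex: it represents the manifest as the Python structures yaml.safe_load_all() produces (constructed inline so it runs offline, with ${CLUSTERDOMAIN} rendered as cluster.local and the dex config supplied already parsed), and it flags the disabled LDAP certificate check, the bind password sitting in a ConfigMap, the plain-HTTP redirect URIs, the placeholder client secret, the egress rules that are never enforced, and the TLS secret mounted over /var/run/secrets. The 32-character floor on client secrets is a heuristic of mine, not a dex requirement.

```python
"""Offline checks for the weak settings visible in the dex manifests above.
Added example, not code from the gist or from dex: the objects mirror what
yaml.safe_load_all() yields for the manifest (constructed here, with
${CLUSTERDOMAIN} rendered as cluster.local); the dex config is given parsed.
"""
from urllib.parse import urlsplit

DEPLOYMENT = {
    "apiVersion": "extensions/v1beta1", "kind": "Deployment", "metadata": {"name": "dex"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "dex", "image": "quay.io/dexidp/dex:v2.12.0",
        "volumeMounts": [{"name": "config", "mountPath": "/etc/dex/cfg"},
                         {"name": "https", "mountPath": "/var/run/secrets"}]}]}}},
}
NETWORK_POLICY = {
    "apiVersion": "extensions/v1beta1", "kind": "NetworkPolicy", "metadata": {"name": "dex"},
    "spec": {"podSelector": {"matchLabels": {"app": "dex"}}, "policyTypes": ["Ingress"],
             "ingress": [{"ports": [{"port": 5556, "protocol": "TCP"}]}],
             "egress": [{"ports": [{"port": 636, "protocol": "TCP"}]}]},
}
DEX_CONFIG = {  # parsed data["config.yaml"] of the ConfigMap
    "issuer": "https://dex.default.svc.cluster.local:5556",
    "connectors": [{"type": "ldap", "id": "ldap", "config": {
        "insecureNoSSL": False, "insecureSkipVerify": True,
        "host": "HOST", "bindDN": "DN", "bindPW": "SECRET"}}],
    "staticClients": [{"id": "kube-login", "secret": "SECRET", "redirectURIs": [
        "http://kube-login.default.svc.cluster.local:5555/callback",
        "http://oauth2-proxy.default.svc.cluster.local:4180/oauth2/callback"]}],
}


def lint_dex_config(cfg, source="ConfigMap"):
    """Findings as (severity, where, message) for a parsed dex config.yaml."""
    out = []
    if urlsplit(cfg.get("issuer", "")).scheme != "https":
        out.append(("high", "issuer", "issuer is not an https URL"))
    for c in cfg.get("connectors", []):
        if c.get("type") != "ldap":
            continue
        lc, who = c.get("config", {}), f"connector/{c.get('id')}"
        if lc.get("insecureNoSSL"):
            out.append(("high", who, "insecureNoSSL sends binds, bind password included, in clear text"))
        if lc.get("insecureSkipVerify"):
            out.append(("high", who, "insecureSkipVerify disables LDAP server certificate validation; use rootCA"))
        if lc.get("bindPW") and source == "ConfigMap":
            out.append(("medium", who, "bindPW is stored in a ConfigMap rather than a Secret"))
    for sc in cfg.get("staticClients", []):
        who = f"staticClient/{sc.get('id')}"
        if len(sc.get("secret", "")) < 32:  # heuristic floor, not a dex rule
            out.append(("medium", who, "client secret is shorter than 32 characters"))
        for uri in sc.get("redirectURIs", []):
            u = urlsplit(uri)
            if u.scheme != "https" and u.hostname not in ("localhost", "127.0.0.1"):
                out.append(("high", who, f"non-https redirect URI {uri}: the code travels in clear text"))
    return out


def lint_network_policy(np):
    """Catch egress rules that are declared but not enforced, and over-broad rules."""
    out, spec = [], np.get("spec", {})
    who, types = f"NetworkPolicy/{np['metadata']['name']}", set(spec.get("policyTypes", []))
    if spec.get("egress") and "Egress" not in types:
        out.append(("medium", who, "egress rules present but Egress is not in policyTypes: never enforced"))
    if "Egress" in types:
        ports = {p.get("port") for r in spec.get("egress", []) for p in r.get("ports", [])}
        if 53 not in ports:
            out.append(("high", who, "Egress enforced without a DNS (53) rule; the LDAP host will not resolve"))
    for rule in spec.get("ingress", []):
        if "from" not in rule:
            out.append(("low", who, "ingress rule has no from selector: any peer may reach the listed ports"))
    return out


def lint_deployment(dep):
    """Removed API version and a mount that shadows the service-account token path."""
    out, who = [], f"Deployment/{dep['metadata']['name']}"
    if dep.get("apiVersion") != "apps/v1":
        out.append(("low", who, f"{dep.get('apiVersion')} is a removed API version; use apps/v1"))
    for c in dep["spec"]["template"]["spec"].get("containers", []):
        for vm in c.get("volumeMounts", []):
            if vm.get("mountPath", "").rstrip("/") == "/var/run/secrets":
                out.append(("medium", f"{who}/{c['name']}",
                            "volume mounted at /var/run/secrets, parent of the service-account token mount"))
    return out


def lint_all(objects, dex_config):
    """Run every check over the manifest documents plus the parsed dex config."""
    findings = []
    for obj in objects:
        if obj.get("kind") == "Deployment":
            findings += lint_deployment(obj)
        elif obj.get("kind") == "NetworkPolicy":
            findings += lint_network_policy(obj)
    return findings + lint_dex_config(dex_config)


if __name__ == "__main__":
    for sev, where, msg in lint_all([DEPLOYMENT, NETWORK_POLICY], DEX_CONFIG):
        print(f"[{sev}] {where}: {msg}")
```

Run as a file it prints one line per finding. Against a real manifest you would replace the three constants with `list(yaml.safe_load_all(open(path)))` and `yaml.safe_load(configmap["data"]["config.yaml"])`, and the DNS check only fires once Egress is actually enforced, which is the moment the LDAPS-only rule would otherwise take dex down.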