--- apiVersion: v1 kind: Namespace metadata: name: dex --- apiVersion: apps/v1 kind: Deployment metadata: labels: app: dex name: dex namespace: dex spec: replicas: 3 selector: matchLabels: app: dex template: metadata: labels: app: dex spec: serviceAccountName: dex # This is created below containers: - image: dexidp/dex:v2.27.0 #or quay.io/dexidp/dex:v2.26.0 name: dex command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"] ports: - name: https containerPort: 5556 volumeMounts: - name: config mountPath: /etc/dex/cfg - name: tls mountPath: /etc/dex/tls env: - name: GITHUB_CLIENT_ID valueFrom: secretKeyRef: name: github-client key: client-id - name: GITHUB_CLIENT_SECRET valueFrom: secretKeyRef: name: github-client key: client-secret readinessProbe: httpGet: path: /healthz port: 5556 scheme: HTTPS volumes: - name: config configMap: name: dex items: - key: config.yaml path: config.yaml - name: tls secret: secretName: dex.example.com.tls --- kind: ConfigMap apiVersion: v1 metadata: name: dex namespace: dex data: config.yaml: | issuer: https://dex.example.com:32000 storage: type: kubernetes config: inCluster: true web: https: 0.0.0.0:5556 tlsCert: /etc/dex/tls/tls.crt tlsKey: /etc/dex/tls/tls.key connectors: - type: github id: github name: GitHub config: clientID: $GITHUB_CLIENT_ID clientSecret: $GITHUB_CLIENT_SECRET redirectURI: https://dex.example.com:32000/callback org: kubernetes oauth2: skipApprovalScreen: true staticClients: - id: example-app redirectURIs: - 'http://127.0.0.1:5555/callback' name: 'Example App' secret: ZXhhbXBsZS1hcHAtc2VjcmV0 enablePasswordDB: true staticPasswords: - email: "admin@example.com" # echo password | htpasswd -BinC 10 admin | cut -d: -f2 hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" username: "admin" userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" --- apiVersion: v1 kind: Service metadata: name: dex namespace: dex spec: type: NodePort ports: - name: dex port: 5556 protocol: TCP targetPort: 5556 nodePort: 32000 selector: app: dex --- apiVersion: v1 kind: ServiceAccount metadata: labels: app: dex name: dex namespace: dex --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: dex rules: - apiGroups: ["dex.coreos.com"] # API group created by dex resources: ["*"] verbs: ["*"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dex roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: dex subjects: - kind: ServiceAccount name: dex # Service account assigned to the dex pod, created above namespace: dex # The namespace dex is running in