An example configuration is available here
Name | Required | Context | Description |
---|---|---|---|
name | yes | cluster | Internal id of cluster |
short_description | yes | cluster | Short description of cluster |
description | yes | cluster | Extended description of cluster |
client_secret | yes | cluster | OAuth2 client-secret (shared between dex-k8s-auth and dex) |
client_id | yes | cluster | OAuth2 client-id public identifier (shared between dex-k8s-auth and dex) |
scopes | no | cluster | OAuth2 scopes to use (default: 'openid,profile,email,offline_access,groups', and 'openid' is required). |
issuer | yes | cluster | Dex issuer url |
redirect_uri | yes | cluster | Redirect uri called by dex (defines a callback on dex-k8s-auth) |
k8s_master_uri | no | cluster | Kubernetes api-server endpoint (used in kubeconfig) |
k8s_ca_uri | no | cluster | A url pointing to the CA for generating 'certificate-authority' option in kubeconfig |
k8s_ca_pem | no | cluster | The CA for your k8s server (used in generating instructions) |
tls_cert | no | root | Path to TLS cert if SSL enabled |
tls_key | no | root | Path to TLS key if SSL enabled |
idp_ca_uri | no | root | A url pointing to the CA for generating 'idp-certificate-authority' in the kubeconfig |
idp_ca_pem | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig |
idp_ca_pem_file | no | root | The CA for generating 'idp-certificate-authority' in the kubeconfig - load from file |
trusted_root_ca | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime |
trusted_root_ca_file | no | root | A list of trusted-root CA's to be loaded by dex-k8s-auth at runtime - load from file |
listen | yes | root | The listen address/port |
web_path_prefix | no | root | A path-prefix to serve dex-k8s-auth at (defaults to '/') |
kubectl_version | no | root | A kubectl-version string that is used to provided a download path |
logo_uri | no | root | A url pointing to a logo image that is displayed in the header |
debug | no | root | Enable more debug by setting to true |
Environment variables can be included in the configuration. This enables you to pass in dynamic variables or secrets without having to hardcode them.
clusters:
- name: example-cluster
short_description: "Example Cluster"
description: "Example Cluster Long Description..."
client_secret: ${CLIENT_SECRET_EXAMPLE_CLUSTER}
In this example, ${CLIENT_SECRET_EXAMPLE_CLUSTER}
is substituted at runtime. Must be enclosed by ${...}
A common practise is configure dex-k8s-authenticator
to serve requests under a specific path prefix, such as https://mycompany.example.com/dex-auth
You can achieve this by configuring the web_path_prefix
. In most cases you will need to adjust the Ingress path
setting to match.
In addition to this, you need to update the redirect_uri
value.
clusters:
- name: example-cluster
short_description: "Example Cluster"
description: "Example Cluster Long Description..."
redirect_uri: http://127.0.0.1:5555/dex-auth/callback/example-cluster
client_secret: ...
client_id: example-cluster-client-id
issuer: http://127.0.0.1:5556
k8s_master_uri: https://your-k8s-master.cluster
# A path-prefix from which to serve requests and assets
web_path_prefix: /dex-auth
Don't forget to update the Dex staticClients.redirectURIs
value to include the prefix as well.
The dex-k8s-authenticator
helm charts support this via the dexK8sAuthenticator.web_path_prefix
and ingress.path
options. You typically set these to the same value.
Note that the health-checks are configured automatically.