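---
apiVersion: v1
kind: Namespace
metadata:
  name: dex
  # Pod Security Admission labels (Kubernetes >= 1.23; silently ignored by
  # older API servers). `warn`/`audit` rather than `enforce` so a pod that
  # does not meet the `restricted` profile is flagged, not rejected; switch to
  # `enforce` once the dex pod spec is confirmed to pass it.
  labels:
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted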
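---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: dex
  name: dex
  namespace: dex
spec:
  replicas: 3
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
    spec:
      serviceAccountName: dex # This is created below
      # Pod-level hardening. Dex listens on 5556 (an unprivileged port) and
      # with the kubernetes storage backend keeps no state on local disk, so
      # running without root, extra capabilities or a writable rootfs is
      # expected to be safe. NOTE(review): the upstream image is expected to
      # declare a non-root user; if the pod fails with
      # CreateContainerConfigError, set runAsUser explicitly.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      # NOTE(review): for production pin the image by digest
      # (ghcr.io/dexidp/dex@sha256:...) so the tag cannot be re-pointed.
      - image: ghcr.io/dexidp/dex:v2.30.0
        name: dex
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]

        ports:
        - name: https
          containerPort: 5556

        # Config and TLS material are read-only inputs; a compromised process
        # should not be able to rewrite them in place.
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
          readOnly: true
        - name: tls
          mountPath: /etc/dex/tls
          readOnly: true

        # GitHub OAuth credentials come from the `github-client` Secret, which
        # this manifest does not create; dex reads them as $GITHUB_CLIENT_ID /
        # $GITHUB_CLIENT_SECRET from the ConfigMap config (see below).
        env:
        - name: GITHUB_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: github-client
              key: client-id
        - name: GITHUB_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: github-client
              key: client-secret

        readinessProbe:
          httpGet:
            path: /healthz
            port: 5556
            scheme: HTTPS
      volumes:
      - name: config
        configMap:
          name: dex
          items:
          - key: config.yaml
            path: config.yaml
      # TLS secret (tls.crt / tls.key) is created out of band, e.g. by cert-manager.
      - name: tls
        secret:
          secretName: dex.example.com.tls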
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: dex
  namespace: dex
data:
  # Dex expands $VAR references in this file from the container environment;
  # that is how the GitHub credentials arrive from the `github-client` Secret
  # instead of being written into the ConfigMap.
  config.yaml: |
    # Must match the URL clients actually use to reach dex (the NodePort
    # below); issued tokens carry this value as `iss`.
    issuer: https://dex.example.com:32000
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: 0.0.0.0:5556
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
    connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: $GITHUB_CLIENT_ID
        clientSecret: $GITHUB_CLIENT_SECRET
        redirectURI: https://dex.example.com:32000/callback
        # Only members of this GitHub org may log in; replace with your own org.
        org: kubernetes
    oauth2:
      # Skips the consent page that would otherwise show the user which client
      # is requesting which scopes.
      skipApprovalScreen: true

    # WARNING: example client. The secret below is published in the dex
    # repository (it is the literal string, which base64-decodes to
    # "example-app-secret"); generate a fresh value before any non-local use.
    # The loopback redirect URI is only appropriate for a client running on the
    # same host as the browser.
    staticClients:
    - id: example-app
      redirectURIs:
      - 'http://127.0.0.1:5555/callback'
      name: 'Example App'
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0

    # WARNING: the built-in password DB with a well-known password ("password")
    # is a demo login, not an admin account to ship. Set
    # `enablePasswordDB: false` or replace the hash before exposing dex.
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@example.com"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
---
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: dex
spec:
  # NodePort opens 32000 on every node's address. The port must agree with the
  # `issuer` and connector `redirectURI` in the ConfigMap. Dex terminates TLS
  # itself on 5556, so no plaintext hop is introduced by this Service.
  type: NodePort
  ports:
  - name: dex
    port: 5556
    protocol: TCP
    targetPort: 5556
    nodePort: 32000
  selector:
    app: dex
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: dex
  name: dex
  namespace: dex
# The dex pod authenticates to the API server with this account's token for
# its in-cluster kubernetes storage backend, so token automount must stay
# enabled here. Its permissions are granted by the ClusterRole below.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dex
# Dex's kubernetes storage backend keeps its state as custom resources in the
# dex.coreos.com API group; this role is what the pod's service account uses
# to create, read and update them.
rules:
- apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
  # NOTE(review): dex creates these objects in its own namespace, so for least
  # privilege this rule could be a Role/RoleBinding scoped to `dex`, leaving
  # only the CRD rule below cluster-wide. Bound through a ClusterRoleBinding it
  # grants full access to dex resources in every namespace.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"] # To manage its own resources, dex must be able to create customresourcedefinitions
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex
# Grants the ClusterRole above to the pod's service account. A cluster-scoped
# binding is required at least for the CRD `create` rule, since
# CustomResourceDefinitions are not namespaced.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: dex
subjects:
- kind: ServiceAccount
  name: dex # Service account assigned to the dex pod, created above
  namespace: dex # The namespace dex is running in
|
|
|