helm-charts's People

Contributors

ammmze, bendikp, bshifter, darkchaos, donovanmuller, eddycharly, ehooi, emiran-orange, hensur, jkroepke, mhoyer, muzuke, nabokihms, sagikazarmark, sergeyshevch, sgmccullough, simonhargos, teddyandrieux, thib-mary, yann-soubeyrand


helm-charts's Issues

Cannot Define Secret Environment Variables

The helm chart allows the environment to be configured, but `env:` does not complete the `env:` section.

https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables

The `env:` section should work the same way as `envFrom:`. The range logic assumes the end user only ever wants to use `value:`, but Kubernetes allows more than `value:`. Please update the helm chart to replace the range with `with .Values.env` and an nindent. Then the user can define the environment according to what Kubernetes allows.

            {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: {{ $value | quote }}
            {{- end }}
          {{- with .Values.envFrom }}
          envFrom:
            {{- toYaml . | nindent 12 }}
          {{- end }}
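As an added illustration (not code from the chart or from the issue author), this is what the proposed change looks like: the `range` over `.Values.env` replaced by a `with`/`toYaml` block that accepts any valid Kubernetes `EnvVar`, followed by a values fragment that uses it to pull a connector secret from a pre-created Kubernetes Secret instead of a literal. The Secret name `dex-github-connector`, its key and the env var names are assumptions; the `nindent 12` matches the indentation of the chart excerpt in the issue.

```yaml
# templates/deployment.yaml (container spec excerpt): pass the env list through
# unchanged so any EnvVar shape is accepted (value, valueFrom.secretKeyRef,
# valueFrom.configMapKeyRef, valueFrom.fieldRef), not only `value:`.
          {{- with .Values.env }}
          env:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.envFrom }}
          envFrom:
            {{- toYaml . | nindent 12 }}
          {{- end }}
---
# values.yaml: `env` becomes a list of EnvVar objects. The client secret is
# resolved by the kubelet at container start, so it never appears in
# values.yaml, in `helm get values`, or in the rendered Deployment manifest.
env:
  - name: GITHUB_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: dex-github-connector   # assumed, pre-created Secret
        key: clientSecret            # assumed key
  - name: DEX_LOG_LEVEL
    value: info                      # plain literals still work
```

Note that this changes the type of `env` from a map (`KEY: value`) to a list, so existing values files that use the map form have to be converted; a chart would bump its major version for that.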

Add support to define `strategy` for Dex deployment

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I cannot override the default strategy for the Dex deployment (for example I may want to change the default maxSurge and maxUnavailable)

Proposed Solution

Add a `strategy` field to the Helm values (and to the deployment template).

Alternatives Considered

No response

Additional Information

No response

Clarify the versioning policy in the contributing guide

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

The contributing guide includes a section about bumping chart versions, but it doesn't offer any guidance on how.

Proposed Solution

Let's add a versioning policy to the contributing guide, something along these lines:

  • patch version: very small changes, but mostly bug fixes only
  • minor version: new features
  • major version: breaking changes, discuss with the maintainers first

Alternatives Considered

No response

Additional Information

No response

add commonLabels and commonAnnotations

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

There is no way to define labels and annotations for the resources in the chart.

Proposed Solution

Best practice for Helm chart development is to add the following metadata definitions to each template:

  labels:
    app.kubernetes.io/name: {{ template "dex.name" . }}
    helm.sh/chart: {{ template "dex.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.commonAnnotations }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
    {{- end }}

and the following block in the templates:

{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
    {{- if typeIs "string" .value }}
        {{- tpl .value .context }}
    {{- else }}
        {{- tpl (.value | toYaml) .context }}
    {{- end }}
{{- end -}}

(or integrate common helm chart from bitnami as dependency: https://artifacthub.io/packages/helm/bitnami/common)

Alternatives Considered

No response

Additional Information

No response

Path type is missing from the dex chart readme

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Chart

dex

Version

0.6.3

Expected Behavior

The documentation should contain valid examples

Actual Behavior

pathType: ImplementationSpecific is missing from the example here: https://github.com/dexidp/helm-charts/tree/master/charts/dex#minimal-tls-configuration

Steps To Reproduce

No response

Additional Information

No response

Values

No response

podAnnotations are not working

I am trying to deploy this chart using the HashiCorp Vault operator, which requires the use of annotations. However, no matter which values I set, I get the following error. Setting this map in a values file and on the CLI both trigger the exact same error. Even setting something like podAnnotations.a=b throws the same error.

Helm version 3.5.2

helm template dex/dex --set podAnnotations.vault.security.banzaicloud.io/vault-addr="https://vault.vault:8200"

Error: template: dex/templates/deployment.yaml:19:28: executing "dex/templates/deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: dex/templates/secret.yaml:4:11: executing "dex/templates/secret.yaml" at <include "dex.componentname" (list . "config")>: error calling include: template: dex/templates/_helpers.tpl:74:20: executing "dex.componentname" at <include "dex.fullname" $global>: error calling include: template: dex/templates/_helpers.tpl:14:14: executing "dex.fullname" at <.Values.fullnameOverride>: nil pointer evaluating interface {}.fullnameOverride

helm template dex/dex --set podAnnotations.a=b

Error: template: dex/templates/deployment.yaml:19:28: executing "dex/templates/deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: dex/templates/secret.yaml:4:11: executing "dex/templates/secret.yaml" at <include "dex.componentname" (list . "config")>: error calling include: template: dex/templates/_helpers.tpl:74:20: executing "dex.componentname" at <include "dex.fullname" $global>: error calling include: template: dex/templates/_helpers.tpl:14:14: executing "dex.fullname" at <.Values.fullnameOverride>: nil pointer evaluating interface {}.fullnameOverride

add service.loadBalancerIP

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

This Helm chart supports setting "service.type", but if you set service.type to LoadBalancer the chart does not have an option to set "service.loadBalancerIP", which is required to give the dex service an external IP for direct remote access.

Proposed Solution

This would be a simple change. The following three lines would be required in templates/service.yaml.

spec:
  type: {{ .Values.service.type }}
  {{- with .Values.service.clusterIP }}
  clusterIP: {{ . }}
  {{- end }}
  {{- with .Values.service.loadBalancerIP }}    <--
  loadBalancerIP: {{ . }}                       <--
  {{- end }}                                    <--
  ports:

Alternatives Considered

Modify helm chart or use another helm chart. By way of comparison, some other dex helm charts do support loadBalancerIP.

Additional Information

No response

missing HTTPS service port in values.yaml

The HTTPS service port is missing from the values.yaml file. It's referenced in the templates but not defined in the values file.

service:
  annotations: {}
  type: ClusterIP
  ports:
    http:
      # -- HTTP service port
      port: 5556
      # -- (int) HTTP node port (when applicable)
      nodePort: 32080
    https: # <<< THIS!
      # -- HTTPS service port
      port: 5554
      # -- (int) HTTPS node port (when applicable)
      nodePort: 32443
    grpc:
      # -- gRPC service port
      port: 5557
      # -- (int) gRPC node port (when applicable)
      nodePort:

Add ServiceMonitor

Add a ServiceMonitor template for fetching metrics from the telemetry endpoint of Dex.
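An added example of the requested object (not a template from the chart): a Prometheus Operator ServiceMonitor that scrapes Dex's telemetry listener, which the logs later on this page show on 0.0.0.0:5558. The Service port name `telemetry`, the `release` label the Operator selects on, the namespace and the release name are assumptions; the chart's Service would have to expose the telemetry port under that name for the selector to match.

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: dex
  namespace: dex                       # assumed namespace
  labels:
    release: prometheus                # assumed: label your Prometheus instance selects on
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: dex
      app.kubernetes.io/instance: dex  # assumed release name
  namespaceSelector:
    matchNames:
      - dex
  endpoints:
    - port: telemetry                  # assumed Service port name fronting container port 5558
      path: /metrics
      interval: 30s
```

The telemetry listener is unauthenticated, so keep it on the internal ClusterIP Service only and do not expose it through the public Service or the ingress.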

Support Secrets Store CSI Driver

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I'd like to keep my dex config in Vault rather than in a Kubernetes secret. Now that the Secrets Store CSI Driver is stable I'd like to use this mechanism to mount my secret in.

This all works without issue but it's not compatible with the current chart.

Proposed Solution

I'd like to be able to specify a CSI volume to load the secret from.

It might be a good idea (initially?) to enforce this as a secrets-store.csi.k8s.io type volume so other CSI drivers are not used. I assume the reason that dex only supports secrets for mounting the config is for security reasons, so allowing any CSI driver could potentially allow people to inadvertently store their config on, say, a public store of some kind.

I'm not too fussed personally, but I could understand if that requirement was enforced.

I made a few changes to the deployment and was able to get this working:

--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -111,8 +111,13 @@ spec:
           {{- end }}
       volumes:
         - name: config
+          {{- if .Values.configSecret.csi.enabled }}
+          csi:
+            {{- toYaml .Values.configSecret.csi.tpl | nindent 12 }}
+          {{- else }}
           secret:
             secretName: {{ include "dex.configSecretName" . }}
+          {{- end }}
       {{- with .Values.volumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
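Review bot: the `csi:` branch in the `volumes` hunk does not constrain the driver, although the issue text above proposes restricting it to `secrets-store.csi.k8s.io`; a guard such as `{{- if ne .Values.configSecret.csi.tpl.driver "secrets-store.csi.k8s.io" }}{{ fail "configSecret.csi.tpl.driver must be secrets-store.csi.k8s.io" }}{{- end }}` before `csi:` would enforce it. Also, the value is named `tpl` but is only passed through `toYaml`, so it is never rendered as a template; either pipe it through `tpl` or rename it to avoid the implication.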
--- a/oss/dex/values.yaml
+++ b/oss/dex/values.yaml
@@ -47,6 +47,19 @@ configSecret:
   # Must point to secret that contains at least a `config.yaml` key.
   name: ""

+  # -- Enable use of a CSI driver to mount the secret instead of using a kubernetes secret
+  # If configSecret.csi.enable is true, this will be used instead of the normal
+  # kubernetes secret. The provider must contain a `config.yaml` file.
+  csi:
+    enabled: false
+    tpl: {}
+    # tpl:
+    #   driver: secrets-store.csi.k8s.io
+    #   readOnly: true
+    #   volumeAttributes:
+    #     secretProviderClass: "dex-config"
+
+
 # -- Application configuration.
 # See the [official documentation](https://dexidp.io/docs/).
 config: {}
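Review bot: the comment says `configSecret.csi.enable` while the key introduced below is `enabled`; fix the comment so readers copy the right key. The two trailing empty `+` lines add whitespace only and should be dropped. The comment should also state what happens to the create-secret / `configSecret.name` options when `csi.enabled` is true, since the issue author flags that interaction as the confusing part.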

Alternatives Considered

I could use regular secrets but for policy reasons (and ease of edit/backup) I'd like to keep my secrets in vault (this also would allow anyone to use GCP or AWS secrets engines too).

Additional Information

I have a working version of this with a few minor changes but would be looking for guidance on how this can work with the existing secret mounts. It's a bit awkward globbed on as there would be 3 conditions:

  • create secret
  • mount existing secret
  • mount csi volume

This is a bit strange/confusing to deal with, and to explain that the create-secret option is only valid if the CSI volume is not used.

error: deployment "dex" exceeded its progress deadline

I used the steps below to install dex in a Kubernetes cluster:
helm repo add dex https://charts.dexidp.io
helm search repo dex
helm install dex dex/dex

but the pods did not get created because there was a problem launching the ReplicaSet.

Below is the error information. Please let me know how to fix this.

[screenshots of the error output were attached to the issue and are not reproduced here]

Option to create a secret when using the Google connector.

When using the Google connector you have to set the serviceAccountFilePath in the config. When installing inside the cluster, this file has to exist in a secret that we can mount. It would be great if there were an option in the helm chart for this instead of having to create it before using the helm chart.

Does this seem like a reasonable request? If so I could probably send in a PR for it.

Write contribution guide

This repo requires users to run certain commands and change certain files. We should document that and call that out in the PR template (eg. in the form of TODOs)

Split configuration between many ConfigMap / Secret

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Configuring all aspects of Dex via a single config: key in a single values.yaml is not so easy.
Having the ability to pass pieces of configuration via ConfigMap / Secret would offer more flexibility.

For example, I wish to publish a Dex with preconfigured connectors, but I want to delay or dynamically load the configuration related to staticClients or staticPasswords.

  1. I deploy Dex
  2. I deploy the clients with their own configuration parts for Dex

Proposed Solution

Perhaps with a Helm key like:

staticClientsSecrets:
- myFirstClient
- mySecondClient

These Secrets are mounted in /etc/dex/clients.d and an initContainer is responsible for assembling the config: part and these parts.

PS: it is probably simpler if this configuration-splitting feature is directly supported by Dex.

Alternatives Considered

No response

Additional Information

No response

Use Role instead of ClusterRole for dex custom resources access rights

This is a minor isolation issue.

Custom resources from the API group dex.coreos.com are namespaced by nature. A Dex instance in a Kubernetes cluster only needs to react to resources in its own namespace.

So it is better to use a Role to give dex its rights, as below:

- apiGroups: ["dex.coreos.com"]
  resources: ["*"]
  verbs: ["*"]
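Spelled out as an added example (not the chart's RBAC template): the namespaced Role and RoleBinding that grant the rule above to Dex's ServiceAccount. The namespace `dex` and ServiceAccount name `dex` are assumptions; they match the `system:serviceaccount:dex:dex` identity that appears in the logs of the CRD issue further down this page.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dex
  namespace: dex            # assumed namespace; the Role is confined to it
rules:
  # Dex's storage objects (authcodes, refreshtokens, oauth2clients, ...) are
  # namespaced, so a Role is enough for the kubernetes storage backend.
  # The wildcard verbs are the ones from the issue; tighten them once you have
  # checked which verbs your Dex version actually issues.
  - apiGroups: ["dex.coreos.com"]
    resources: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dex
  namespace: dex
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dex
subjects:
  - kind: ServiceAccount
    name: dex               # assumed ServiceAccount name
    namespace: dex
```

This covers the custom resources, not their CustomResourceDefinitions: the CRD kind is cluster-scoped, and Dex attempts to create any CRD it cannot find at startup, which is exactly the `customresourcedefinitions.apiextensions.k8s.io is forbidden` failure reported further down. Either install the CRDs ahead of time as a cluster admin, or grant `create` on `customresourcedefinitions` through a separate, narrowly scoped ClusterRole rather than widening this Role into a ClusterRole.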

Changelog

Hi,

It would be nice if there was a Changelog.
@sagikazarmark could you perhaps keep a Changelog? You're already writing into the chart the latest changes. But since the chart only displays the changes for the latest release, you have to dig through git history to see all the changes if you haven't upgraded in a few releases.

Add HTTPS support

Add support for the builtin HTTPS server.

A couple of changes need to be made:

  • add another service for "public" (i.e. LoadBalancer type) access (the current service should not be published like that). See #16
  • make http/https endpoint configurable in ingress See #15

Add Kubernetes 1.22

Add Kubernetes 1.22 to the test matrix once there is a kind version that supports it.

Add support for extravolumes and extravolumemounts

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

There are no extravolumes and extravolumemounts

Proposed Solution

Add support for extravolumes and extravolumemounts

Alternatives Considered

No response

Additional Information

No response

"customresourcedefinitions.apiextensions.k8s.io is forbidden"

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Chart

dex

Version

0.8.1

Expected Behavior

Using cluster scoped resources with rbac.createClusterScoped: true, Dex starts successfully with logs looking as follows:

time="2022-04-06T06:54:43Z" level=info msg="Dex Version: v2.31.1-dirty, Go Version: go1.17.8, Go OS/ARCH: linux amd64"
time="2022-04-06T06:54:43Z" level=info msg="config using log level: debug"
time="2022-04-06T06:54:43Z" level=info msg="config issuer: https://xxx/dex"
time="2022-04-06T06:54:43Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2022-04-06T06:54:43Z" level=info msg="creating custom Kubernetes resources"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource authcodes.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource authrequests.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource authrequests.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource oauth2clients.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource oauth2clients.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource signingkeies.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource signingkeies.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource refreshtokens.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource refreshtokens.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource passwords.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource passwords.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource offlinesessionses.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource offlinesessionses.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource connectors.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource connectors.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource devicerequests.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource devicerequests.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource devicetokens.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource devicetokens.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="config storage: kubernetes"
time="2022-04-06T06:54:43Z" level=info msg="config static client: grafana"
time="2022-04-06T06:54:43Z" level=info msg="config connector: corp"
time="2022-04-06T06:54:43Z" level=info msg="config skipping approval screen"
time="2022-04-06T06:54:43Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-04-06T06:54:43Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2022-04-06T06:54:43Z" level=info msg="listening (http) on 0.0.0.0:5556"

Actual Behavior

The Dex ServiceAccount cannot list or create CRDs and Dex fails to start with:

time="2022-04-06T06:41:41Z" level=info msg="Dex Version: v2.31.1-dirty, Go Version: go1.17.8, Go OS/ARCH: linux amd64"
time="2022-04-06T06:41:41Z" level=info msg="config using log level: debug"
time="2022-04-06T06:41:41Z" level=info msg="config issuer: https://xxx/dex"
time="2022-04-06T06:41:41Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2022-04-06T06:41:41Z" level=info msg="creating custom Kubernetes resources"
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authcodes.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authcodes.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authrequests.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authrequests.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authrequests.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource oauth2clients.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource oauth2clients.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource oauth2clients.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource signingkeies.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource signingkeies.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource signingkeies.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource refreshtokens.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource refreshtokens.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource refreshtokens.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource passwords.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource passwords.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource passwords.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource offlinesessionses.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource offlinesessionses.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource offlinesessionses.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource connectors.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource connectors.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource connectors.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource devicerequests.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource devicerequests.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource devicerequests.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource devicetokens.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource devicetokens.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource devicetokens.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="config storage: kubernetes"
time="2022-04-06T06:41:41Z" level=info msg="config static client: grafana"
time="2022-04-06T06:41:41Z" level=info msg="config connector: corp"
time="2022-04-06T06:41:41Z" level=info msg="config skipping approval screen"
time="2022-04-06T06:41:41Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authcodes.dex.coreos.com, attempting to create: not found"
failed to initialize server: server: failed to list connector objects from storage: failed to list connectors: not found

Steps To Reproduce

  1. Install helm Chart version 0.8.1
  2. Note the Dex Pod in CrashLoopBackOff
  3. Logs show permission errors around listing and creating resources:
creating custom resource oauth2clients.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""

Additional Information

  • As a result of changes in #72
  • EKS cluster with Kubernetes 1.22

Values

image:
  repository: docker.io/dexidp/dex

rbac:
  createClusterScoped: true

config:
  issuer: ""

  storage:
    type: kubernetes
    config:
      inCluster: true

  web:
    http: 0.0.0.0:5556
  telemetry:
    http: 0.0.0.0:5558

  logger:
    level: debug
    format: text

  oauth2:
    skipApprovalScreen: true

  enablePasswordDB: false

  issuer: "https://xxx/dex"

  staticClients:
...

connectors:
...

ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: cluster-vault-issuer
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80, "HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'

  hosts:
    - host: xxx
      paths:
        - path: /
          pathType: Prefix

  tls:
    - secretName: dex-tls
      hosts:
        - xxx

resources:
  requests:
    memory: 20Mi
  limits:
    memory: 20Mi

helm search repo dex gives No results found

Hi, I tried the two commands given in the readme doc, the results I got are:
helm repo add dex https://charts.dexidp.io
"dex" has been added to your repositories

helm search repo dex
No results found

What could I be doing wrong? Or is this repo not ready yet?

Document how to specify bindPW with $ sign for ldap connector

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I tried to install dex via the helm chart on my k8s cluster. I need to use it to connect to my ldap setup.
In the dex ldap docs I can see

    # Please note that if the bind password contains a `$`, it has to be saved in an
    # environment variable which should be given as the value to `bindPW`.
    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
    bindPW: password

My bindPW actually contains $ and I cannot change the password from my side.
So I'd appreciate it if somebody figured out and documented how exactly to specify a bindPW value which contains $ in the case of the Helm Chart.

At this moment I have tried several ideas, like using --set-string for helm upgrade, specifying an env variable in the env section of values, etc. Nothing works so far.

Proposed Solution

I don't have the solution.

Alternatives Considered

No response

Additional Information

No response
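One way to keep a "$" out of the rendered config entirely, as an added values.yaml example that is not from this issue or the chart: supply the password through an environment variable and let Dex expand the reference. It assumes the chart's envFrom value, a separately created Secret named ldap-bind with key LDAP_BIND_PW (both constructed names), and Dex's $VAR expansion of its config file, which the ldap docs note quoted above relies on.

```yaml
# Added example (not from the issue or the chart). Constructed names:
# Secret "ldap-bind" with key LDAP_BIND_PW, created out of band, e.g.
#   kubectl create secret generic ldap-bind --from-literal=LDAP_BIND_PW='pa$$word'
# (single quotes keep the shell from expanding "$").
envFrom:
  - secretRef:
      name: ldap-bind

config:
  issuer: https://dex.example.com/dex   # placeholder issuer
  storage:
    type: kubernetes
    config:
      inCluster: true
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.example.com:636        # placeholder host
        bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
        # Literal "$LDAP_BIND_PW" in the config; Dex resolves it from the
        # container environment at startup, so neither Helm nor the shell
        # ever has to quote the real password and the Secret holding the
        # config never contains it.
        bindPW: $LDAP_BIND_PW
        userSearch:
          baseDN: cn=users,dc=example,dc=com
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: name
```

The rendered config then contains only the variable name; `kubectl get secret` on the chart's config secret can be used to confirm no password value leaked into it.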

Web UI is unavailable

We are installing Dex from helm chart v0.13.0 in k8s 1.24.
After installation there are no errors in the pod logs; they also contain:

{"level":"info","msg":"listening (telemetry) on 0.0.0.0:5558","time":"2023-03-20T12:03:05Z"}
{"level":"info","msg":"listening (http) on 0.0.0.0:5556","time":"2023-03-20T12:03:05Z"}

But when we try to reach Dex from the browser via the ingress, we get 404. We get the same error code when we run
wget http://127.0.0.1:5556 inside the pod.

bug: Inconsistent image tagging in Helm chart appVersion

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Chart

dex

Version

v2.37.0

Expected Behavior

Consistent tagging between appVersion and image tag between Chart.yaml and values.yaml.

Actual Behavior

Currently, releases contain Helm charts which have Chart.yaml appVersion: "X.YY.Z". But the values.yaml tag references a different format (vX.YY.Z), also instructing users that if you don't specify anything, the appVersion is used.

We are automatically updating upstream charts with PRs which are automatically opened in our internal repos; this behavior impedes us.

Please help. Thank you.

Steps To Reproduce

No response

Additional Information

No response

Values

No response

Publish helm chart also as an OCI package (e.g. on GHCR registry)

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

No problem, just an enhancement of the chart publish workflow

Proposed Solution

The helm chart is published using the classic approach with a static webserver and an index.yaml (GitHub pages).

helm repo add dex https://charts.dexidp.io
helm install --generate-name --wait dex/dex

However, in helm 3.8+ the OCI method went GA.

I'd like to push the packaged helm charts also to ghcr.io (right beside the already existing container images) so we can pull/install the helm chart like this:

helm install dex oci://ghcr.io/dexidp/helm-charts/dex --version x.y.z

Alternatives Considered

Still using the classic approach with GitHub pages and the index.yaml

Additional Information

none

Add the option to store the config as ConfigMap

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I want to be able to use a ConfigMap instead of a Secret for storing the config. Dex makes it possible to not need actual secrets in the config. We can use env vars for that as seen in the Dex GitHub example.

This makes it easier (at least for me) to integrate this chart into e.g. external-secrets, jenkins x, hashicorp vault and similar.

Proposed Solution

Add a field configType with secret set as default - so no breaking change - and configMap as an option. Handling of the ConfigMap analogous to the Secret handling.

Alternatives Considered

Subcharting this Chart. Since there is no option to not reference the secret in the volumes section of the deployment this is not possible.

Additional Information

No response

Add feature for supplementalGroups

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Some enterprises have strict policies on pod and container level. For example I have a case where Dex is used in an organization where at the same time they use Kyverno and enforce a policy to use supplementalGroups between ranges 100-200 and 500-600. The Dex chart as of writing has no support for it.

Proposed Solution

Add a supplementalGroups list/array to values.yaml under the podSecurityContext values.

podSecurityContext: {}
##fsGroup: 2000
##supplementalGroups: [] <--

Alternatives Considered

No response

Additional Information

No response

Add an extraObjects array

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

It would be great if we could add extraObjects directly in the values.

Proposed Solution

There is an example of how to set it:

## templates/extra-manifests.yaml

{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
    {{- tpl . $ }}
{{- else }}
    {{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}

Alternatives Considered

No response

Additional Information

No response

Allow Override to .Capabilities

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

When using kustomize or helm template to render the chart .Capabilities isn't available. This results in the wrong behavior in the ingress object despite supporting the new API version.

Proposed Solution

Allow for a value that overrides the k8s version coming from the .Capabilities function. This allows easy support for rendering via helm template or kustomize.

Alternatives Considered

No response

Additional Information

https://github.com/dexidp/helm-charts/blob/master/charts/dex/templates/ingress.yaml#L4-L8 example
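An added template fragment illustrating the override described above; it is not the chart's own ingress.yaml. The value name kubeVersionOverride is a hypothetical choice for this example; .Capabilities, default and semverCompare are built-in Helm template functions.

```yaml
# Added example (not the chart's ingress.yaml). When rendered with
# "helm template" or kustomize, .Capabilities.KubeVersion reflects the local
# Helm client, not the target cluster, so an optional override is consulted
# first. kubeVersionOverride is a hypothetical value name.
{{- $kubeVersion := .Values.kubeVersionOverride | default .Capabilities.KubeVersion.Version }}
{{- if semverCompare ">=1.19-0" $kubeVersion }}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" $kubeVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ include "dex.fullname" . }}
```

With the override set, `helm template dex/dex --set kubeVersionOverride=1.24.0` renders networking.k8s.io/v1 regardless of the local client; Helm's own `helm template --kube-version 1.24.0` flag achieves the same without a chart change.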

Add Namespaces to Chart

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

The objects generated by Helm do not carry a Namespace. There is no way to specify one, as Helm's namespace argument is pretty inconsistent.

Proposed Solution

Add Namespace properties to all objects' yaml wrapped in a condition. This would give the opportunity to set the namespace using Values and would otherwise have no effect at all.

Alternatives Considered

Export objects with helm template and specify -n on kubectl. Does not really go with most GitOps flows.

Additional Information

No response

Add support for the custom annotations on the deployment

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

I can't add custom annotations to deployment

Proposed Solution

Add a .Values.deploymentAnnotations value which allows users to add custom annotations to the deployment

Alternatives Considered

Adding annotations to the pod; however, the annotations I need to add must be added to the deployment because they require the use of rolling updates

Additional Information

No response

ipv6 support

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Below is the deployment part where listen addresses are hardcoded and IPv4 only. With an IPv6-only kubernetes cluster dex fails to work properly.

          args:
            - dex
            - serve
            - --web-http-addr
            - 0.0.0.0:5556
            {{- if .Values.https.enabled }}
            - --web-https-addr
            - 0.0.0.0:5554
            {{- end }}
            {{- if .Values.grpc.enabled }}
            - --grpc-addr
            - 0.0.0.0:5557
            {{- end }}
            - --telemetry-addr
            - 0.0.0.0:5558

Proposed Solution

Add multiple addresses if possible:

  • 0.0.0.0
  • [::]

Or add chart value for listen address.

Alternatives Considered

No response

Additional Information

No response

Sidecar containers support

Description

I propose to consider adding the containers section. This section will allow users to inject additional containers, e.g., a reverse proxy, GRPC API adapter, or even a database.

values.yaml

# containers:
# - name: proxy
#   image: nginx:1.19.6
#   resources:
#     requests:
#       cpu: 10m
#       memory: 32Mi

Additional info

Adding the initContainers section can also be useful for preparing config, certificates, or other assets.
