dexidp / helm-charts
Dex Helm chart repository
License: Apache License 2.0
The Helm chart allows the environment to be configured, but env: does not complete the env: section.
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
The env: section should work the same way as envFrom: is defined.
The range logic assumes the end user only ever wants to use value:, but Kubernetes allows more things than value:.
Please update the Helm chart to replace the range with `with .Values.env` and an nindent. Then the user can define the environment according to what Kubernetes allows.
          {{- range $key, $value := .Values.env }}
            - name: {{ $key }}
              value: {{ $value | quote }}
          {{- end }}
          {{- with .Values.envFrom }}
          envFrom:
            {{- toYaml . | nindent 12 }}
          {{- end }}
I cannot override the default strategy for the Dex deployment (for example I may want to change the default maxSurge and maxUnavailable).
Add a strategy field from a helm value (and in the deployment template).
The contributing guide includes a section about bumping chart versions, but it doesn't offer any guidance on how.
Let's add a versioning policy to the contributing guide, something along these lines:
Since envFrom is not being consumed, the environment isn't populated by it.
There is no possibility to define labels and annotations for resources in the chart.
Best practice for Helm chart development is to add the following metadata definitions on each template:
  labels:
    app.kubernetes.io/name: {{ template "dex.name" . }}
    helm.sh/chart: {{ template "dex.chart" . }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.commonAnnotations }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
    {{- end }}
and the following block in the templates:
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
    {{- if typeIs "string" .value }}
        {{- tpl .value .context }}
    {{- else }}
        {{- tpl (.value | toYaml) .context }}
    {{- end }}
{{- end -}}
(or integrate common helm chart from bitnami as dependency: https://artifacthub.io/packages/helm/bitnami/common)
Fixes dexidp/dex#1709
Blocked by:
Potential blockers / nice to haves:
We should probably sort dexidp/dex#1893 out as well before releasing a chart to avoid breaks later.
dex 0.6.3
The documentation should contain valid examples.
pathType: ImplementationSpecific is missing from the example here: https://github.com/dexidp/helm-charts/tree/master/charts/dex#minimal-tls-configuration
When we do not create the Dex secret using the Helm chart (configSecret.create = false), we want to be able to override the checksum/config annotation so that it matches the content of the secret we use.
In some cases, we may want to specify an IP for the ClusterIP service, but today it's not supported in the Helm chart.
I am trying to deploy this chart using the Hashicorp vault operator which requires the use of annotations. However, no matter which values I set I get the following error. Setting this map in a values file and CLI both trigger the exact same error. Even setting with something like podAnnotations.a=b throws the same error.
Helm version 3.5.2
helm template dex/dex --set podAnnotations.vault.security.banzaicloud.io/vault-addr="https://vault.vault:8200"
Error: template: dex/templates/deployment.yaml:19:28: executing "dex/templates/deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: dex/templates/secret.yaml:4:11: executing "dex/templates/secret.yaml" at <include "dex.componentname" (list . "config")>: error calling include: template: dex/templates/_helpers.tpl:74:20: executing "dex.componentname" at <include "dex.fullname" $global>: error calling include: template: dex/templates/_helpers.tpl:14:14: executing "dex.fullname" at <.Values.fullnameOverride>: nil pointer evaluating interface {}.fullnameOverride
helm template dex/dex --set podAnnotations.a=b
Error: template: dex/templates/deployment.yaml:19:28: executing "dex/templates/deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: dex/templates/secret.yaml:4:11: executing "dex/templates/secret.yaml" at <include "dex.componentname" (list . "config")>: error calling include: template: dex/templates/_helpers.tpl:74:20: executing "dex.componentname" at <include "dex.fullname" $global>: error calling include: template: dex/templates/_helpers.tpl:14:14: executing "dex.fullname" at <.Values.fullnameOverride>: nil pointer evaluating interface {}.fullnameOverride
This helm chart supports setting "service.type" but if you define the service.type to LoadBalancer the helm chart does not have the option to set "service.loadBalancerIP" which is required to define a dex service external IP for direct remote access.
This would be a simple change. The following three lines would be required in templates/service.yaml.
spec:
  type: {{ .Values.service.type }}
  {{- with .Values.service.clusterIP }}
  clusterIP: {{ . }}
  {{- end }}
  {{- with .Values.service.loadBalancerIP }}   <--
  loadBalancerIP: {{ . }}                      <--
  {{- end }}                                   <--
  ports:
Modify helm chart or use another helm chart. By way of comparison, some other dex helm charts do support loadBalancerIP.
The HTTPS service port is missing from the values.yaml file. It is referenced in the templates but not defined in the values file.
service:
  annotations: {}
  type: ClusterIP
  ports:
    http:
      # -- HTTP service port
      port: 5556
      # -- (int) HTTP node port (when applicable)
      nodePort: 32080
    https: # <<< THIS!
      # -- HTTPS service port
      port: 5554
      # -- (int) HTTPS node port (when applicable)
      nodePort: 32443
    grpc:
      # -- gRPC service port
      port: 5557
      # -- (int) gRPC node port (when applicable)
      nodePort:
Add a ServiceMonitor template for fetching metrics from the telemetry endpoint of Dex.
I'd like to keep my dex config in Vault rather than in a Kubernetes secret. Now that the Secrets Store CSI Driver is stable I'd like to use this mechanism to mount my secret in.
This all works without issue but it's not compatible with the current chart.
I'd like to be able to specify a CSI volume to load the secret from.
It might be a good idea (initially?) to enforce this as a secrets-store.csi.k8s.io type volume so other CSI drivers are not used. I assume the reason that dex only supports secrets for mounting the config is for security reasons, so allowing any CSI driver could potentially allow people to inadvertently store their config on, say, a public store of some kind.
I'm not too fussed personally, but I could understand if that requirement was enforced.
I made a few changes to the deployment and was able to get this working:
--- a/templates/deployment.yaml
+++ b/templates/deployment.yaml
@@ -111,8 +111,13 @@ spec:
{{- end }}
volumes:
- name: config
+ {{- if .Values.configSecret.csi.enabled }}
+ csi:
+ {{- toYaml .Values.configSecret.csi.tpl | nindent 12 }}
+ {{- else }}
secret:
secretName: {{ include "dex.configSecretName" . }}
+ {{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
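Review bot: the csi branch renders `.Values.configSecret.csi.tpl` verbatim with no validation, so with the default `tpl: {}` the volume comes out as an empty `csi:` block that only fails once the API server validates the pod, not at render time; guard it with `required "configSecret.csi.tpl must set driver and volumeAttributes" .Values.configSecret.csi.tpl` (or `fail` when `.driver` is empty). If the restriction discussed in this issue is wanted, this is also the place to check `eq .Values.configSecret.csi.tpl.driver "secrets-store.csi.k8s.io"` so that only the secrets-store driver can back the config volume.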
--- a/oss/dex/values.yaml
+++ b/oss/dex/values.yaml
@@ -47,6 +47,19 @@ configSecret:
# Must point to secret that contains at least a `config.yaml` key.
name: ""
+ # -- Enable use of a CSI driver to mount the secret instead of using a kubernetes secret
+ # If configSecret.csi.enable is true, this will be used instead of the normal
+ # kubernetes secret. The provider must contain a `config.yaml` file.
+ csi:
+ enabled: false
+ tpl: {}
+ # tpl:
+ # driver: secrets-store.csi.k8s.io
+ # readOnly: true
+ # volumeAttributes:
+ # secretProviderClass: "dex-config"
+
+
# -- Application configuration.
# See the [official documentation](https://dexidp.io/docs/).
config: {}
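Review bot: the comment above the new `csi:` block says `configSecret.csi.enable` while the key defined beneath it is `enabled`; align the name so the generated docs and users agree. The comment should also state that `configSecret.create` and `configSecret.name` are ignored when `csi.enabled` is true, since the text below this patch says that interaction is confusing to explain, and the two trailing empty `+` lines add blank lines to values.yaml for no reason.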
I could use regular secrets but for policy reasons (and ease of edit/backup) I'd like to keep my secrets in vault (this also would allow anyone to use GCP or AWS secrets engines too).
I have a working version of this with a few minor changes but would be looking for guidance on how this can work with the existing secret mounts. It's a bit awkward globbed on as there would be 3 conditions:
This is a bit strange/confusing to deal with and explain that the create secret option is only valid if the csi volume is not used.
Users might want to use the HTTPS service endpoint in Ingress. By default it uses the HTTP endpoint.
Add a test to make sure that ingress works properly.
See #27
I used the steps below to install dex in a Kubernetes cluster:
helm repo add dex https://charts.dexidp.io
helm search repo dex
helm install dex dex/dex
but the pods did not get installed because there was some problem launching the replicaset.
Below is the error information. Please let me know how to fix this.
Currently the image used is "master" which is problematic and last tagged version of dex doesn't work with this chart. Is it possible to use a tag that works with the helm chart and is not master? Or make an official release of dex with support for this chart?
Relevant code: https://github.com/dexidp/helm-charts/blob/master/charts/dex/values.yaml#L13-L15
When using the Google connector you have to set the serviceAccountFilePath in the config. When installing inside the cluster this will have to exist in a secret that we can mount. It would be great if there were an option in the Helm chart for this instead of having to create it before using the Helm chart.
Does this seem like a reasonable request? If so I could probably send in a PR for it.
This repo requires users to run certain commands and change certain files. We should document that and call it out in the PR template (e.g. in the form of TODOs).
Configuring all aspects of Dex via a single config: key in a single values.yaml is not so easy.
Having the ability to pass pieces of configuration via ConfigMap / Secret would offer more flexibility.
For example, I wish to publish a Dex with preconfigured connectors but I want to delay or dynamically load configuration related to staticClients or staticPasswords.
Perhaps with a Helm key like:
staticClientsSecrets:
  - myFirstClient
  - mySecondClient
These Secrets are mounted in /etc/dex/clients.d and an initContainer is responsible for assembling the config: part and these parts.
PS: it is probably simpler if this feature of splitting configuration is directly supported by Dex.
This is a minor isolation issue.
Custom resources from the API group dex.coreos.com are namespaced by nature. A Dex instance in a Kubernetes cluster only needs to react to resources from its own namespace.
So it is better to use a Role to give Dex rights as below:
- apiGroups: ["dex.coreos.com"]
  resources: ["*"]
  verbs: ["*"]
Hi,
It would be nice if there was a Changelog.
@sagikazarmark could you perhaps keep a Changelog? You're already writing into the chart the latest changes. But since the chart only displays the changes for the latest release, you have to dig through git history to see all the changes if you haven't upgraded in a few releases.
Add Kubernetes 1.22 to the test matrix once there is a kind version that supports it.
There are no extravolumes and extravolumemounts
Add support for extravolumes and extravolumemounts
dex 0.8.1
Using cluster scoped resources with rbac.createClusterScoped: true, Dex starts successfully with logs looking as follows:
time="2022-04-06T06:54:43Z" level=info msg="Dex Version: v2.31.1-dirty, Go Version: go1.17.8, Go OS/ARCH: linux amd64"
time="2022-04-06T06:54:43Z" level=info msg="config using log level: debug"
time="2022-04-06T06:54:43Z" level=info msg="config issuer: https://xxx/dex"
time="2022-04-06T06:54:43Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2022-04-06T06:54:43Z" level=info msg="creating custom Kubernetes resources"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource authcodes.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource authrequests.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource authrequests.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource oauth2clients.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource oauth2clients.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource signingkeies.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource signingkeies.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource refreshtokens.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource refreshtokens.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource passwords.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource passwords.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource offlinesessionses.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource offlinesessionses.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource connectors.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource connectors.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource devicerequests.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource devicerequests.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="checking if custom resource devicetokens.dex.coreos.com has already been created..."
time="2022-04-06T06:54:43Z" level=info msg="The custom resource devicetokens.dex.coreos.com already available, skipping create"
time="2022-04-06T06:54:43Z" level=info msg="config storage: kubernetes"
time="2022-04-06T06:54:43Z" level=info msg="config static client: grafana"
time="2022-04-06T06:54:43Z" level=info msg="config connector: corp"
time="2022-04-06T06:54:43Z" level=info msg="config skipping approval screen"
time="2022-04-06T06:54:43Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-04-06T06:54:43Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2022-04-06T06:54:43Z" level=info msg="listening (http) on 0.0.0.0:5556"
Otherwise the Dex ServiceAccount cannot list or create CRDs and Dex fails to start with:
time="2022-04-06T06:41:41Z" level=info msg="Dex Version: v2.31.1-dirty, Go Version: go1.17.8, Go OS/ARCH: linux amd64"
time="2022-04-06T06:41:41Z" level=info msg="config using log level: debug"
time="2022-04-06T06:41:41Z" level=info msg="config issuer: https://xxx/dex"
time="2022-04-06T06:41:41Z" level=info msg="kubernetes client apiVersion = dex.coreos.com/v1"
time="2022-04-06T06:41:41Z" level=info msg="creating custom Kubernetes resources"
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authcodes.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authcodes.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authrequests.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authrequests.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authrequests.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource oauth2clients.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource oauth2clients.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource oauth2clients.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource signingkeies.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource signingkeies.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource signingkeies.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource refreshtokens.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource refreshtokens.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource refreshtokens.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource passwords.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource passwords.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource passwords.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource offlinesessionses.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource offlinesessionses.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource offlinesessionses.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource connectors.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource connectors.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource connectors.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource devicerequests.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource devicerequests.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource devicerequests.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource devicetokens.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource devicetokens.dex.coreos.com, attempting to create: not found"
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource devicetokens.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=info msg="config storage: kubernetes"
time="2022-04-06T06:41:41Z" level=info msg="config static client: grafana"
time="2022-04-06T06:41:41Z" level=info msg="config connector: corp"
time="2022-04-06T06:41:41Z" level=info msg="config skipping approval screen"
time="2022-04-06T06:41:41Z" level=info msg="config refresh tokens rotation enabled: true"
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=info msg="failed to list custom resource authcodes.dex.coreos.com, attempting to create: not found"
failed to initialize server: server: failed to list connector objects from storage: failed to list connectors: not found
0.8.1
CrashLoopBackoff
creating custom resource oauth2clients.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
image:
  repository: docker.io/dexidp/dex
rbac:
  createClusterScoped: true
config:
  issuer: ""
  storage:
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556
  telemetry:
    http: 0.0.0.0:5558
  logger:
    level: debug
    format: text
  oauth2:
    skipApprovalScreen: true
  enablePasswordDB: false
  issuer: "https://xxx/dex"
  staticClients:
    ...
  connectors:
    ...
ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: cluster-vault-issuer
    kubernetes.io/ingress.class: "alb"
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80, "HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
  hosts:
    - host: xxx
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: dex-tls
      hosts:
        - xxx
resources:
  requests:
    memory: 20Mi
  limits:
    memory: 20Mi
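The 403 responses in the failing log above are Kubernetes RBAC denials that Dex echoes verbatim inside its own error messages, which makes them awkward to read but easy to mine. The following Python script is an added example, not code from this issue or from the chart: it extracts the subject, verb, resource, API group and scope from such lines and folds the repeats into the distinct PolicyRule entries a ClusterRole or Role would need, which is the least-privilege way to answer the log. The two error lines in the sample are copied from the report above; the third line is constructed to show the namespaced form of the same Kubernetes message, which the parser also handles.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Sample input: the first two error lines are copied from the Dex log in the
# report above; the last line is a constructed example of the namespaced form
# of the Kubernetes RBAC message (a Role, not a ClusterRole, would cover it).
SAMPLE_LOG = r'''
time="2022-04-06T06:41:41Z" level=info msg="checking if custom resource authcodes.dex.coreos.com has already been created..."
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authcodes.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=error msg="creating custom resource authrequests.dex.coreos.com: POST https://[172.20.0.1]:443/apis/apiextensions.k8s.io/v1/customresourcedefinitions Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"customresourcedefinitions.apiextensions.k8s.io is forbidden: User \\\"system:serviceaccount:dex:dex\\\" cannot create resource \\\"customresourcedefinitions\\\" in API group \\\"apiextensions.k8s.io\\\" at the cluster scope\",\"reason\":\"Forbidden\",\"details\":{\"group\":\"apiextensions.k8s.io\",\"kind\":\"customresourcedefinitions\"},\"code\":403}\""
time="2022-04-06T06:41:41Z" level=error msg="listing connectors: connectors.dex.coreos.com is forbidden: User \"system:serviceaccount:dex:dex\" cannot list resource \"connectors\" in API group \"dex.coreos.com\" in the namespace \"dex\""
'''

# The denial text is nested inside quoted strings, so every quote in it is
# preceded by one or more escaping backslashes (\" or \\\"); _Q tolerates any run.
_Q = r'\\*"'
DENIAL_RE = re.compile(
    r'User ' + _Q + r'(?P<user>[^"\\]+)' + _Q
    + r' cannot (?P<verb>\w+) resource ' + _Q + r'(?P<resource>[^"\\]+)' + _Q
    + r' in API group ' + _Q + r'(?P<group>[^"\\]*)' + _Q
    + r' (?:at the (?P<cluster>cluster) scope'
    + r'|in the namespace ' + _Q + r'(?P<namespace>[^"\\]+)' + _Q + r')'
)
TIME_RE = re.compile(r'\btime="(?P<time>[^"]+)"')
LEVEL_RE = re.compile(r'\blevel=(?P<level>\w+)')


@dataclass(frozen=True)
class RbacDenial:
    time: str
    level: str
    user: str
    verb: str
    resource: str
    group: str
    scope: str  # "cluster", or the namespace the denied request was scoped to


def parse_denial(line: str) -> Optional[RbacDenial]:
    """Return the RBAC denial embedded in one log line, or None if there is none."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    t = TIME_RE.search(line)
    lv = LEVEL_RE.search(line)
    return RbacDenial(
        time=t.group("time") if t else "",
        level=lv.group("level") if lv else "",
        user=m.group("user"),
        verb=m.group("verb"),
        resource=m.group("resource"),
        group=m.group("group"),
        scope=m.group("cluster") or m.group("namespace"),
    )


def collect_denials(lines: Iterable[str]) -> List[RbacDenial]:
    return [d for d in map(parse_denial, lines) if d is not None]


def subjects(denials: Iterable[RbacDenial]) -> List[str]:
    return sorted({d.user for d in denials})


def rules_by_scope(denials: Iterable[RbacDenial]) -> Dict[str, List[dict]]:
    """Fold repeated denials into the distinct PolicyRule entries needed per scope.

    Key "cluster" means a ClusterRole (+ ClusterRoleBinding); any other key is a
    namespace that needs a Role (+ RoleBinding) there. Each rule grants exactly
    the verb/resource/group that was denied and nothing wider.
    """
    seen: Dict[str, set] = {}
    for d in denials:
        seen.setdefault(d.scope, set()).add((d.verb, d.resource, d.group))
    return {
        scope: [
            {"apiGroups": [group], "resources": [resource], "verbs": [verb]}
            for verb, resource, group in sorted(rules)
        ]
        for scope, rules in seen.items()
    }


if __name__ == "__main__":
    found = collect_denials(SAMPLE_LOG.splitlines())
    print(f"{len(found)} denial(s) for {subjects(found)}")
    for scope, rules in rules_by_scope(found).items():
        kind = "ClusterRole" if scope == "cluster" else f"Role in namespace {scope!r}"
        print(f"{kind}: {rules}")
```

Run against the sample it reports one cluster-scoped rule (create customresourcedefinitions in apiextensions.k8s.io, the permission rbac.createClusterScoped provides) and one namespaced rule. The same question can be put to the API server before redeploying with kubectl auth can-i create customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:dex:dex.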
Hi, I tried the two commands given in the readme doc, the results I got are:
helm repo add dex https://charts.dexidp.io
"dex" has been added to your repositories
helm search repo dex
No results found
What could I be doing wrong? Or is this repo not ready yet?
I tried to install dex via the Helm chart on my k8s cluster. I need to use it to connect to my LDAP setup.
In the Dex LDAP docs I can see
# Please note that if the bind password contains a `$`, it has to be saved in an
# environment variable which should be given as the value to `bindPW`.
bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
bindPW: password
My bindPW actually contains $ and I cannot change the password from my side.
So I'd appreciate it if somebody figured out and documented how exactly to specify a bindPW value which contains $ in the case of the Helm chart.
At this moment I have tried several ideas, like using --set-string for helm upgrade, specifying an env variable in the env section of values, etc. Nothing works so far.
I don't have the solution.
We are installing Dex from Helm chart v0.13.0 in k8s 1.24.
After installation there are no errors in the pod logs, and they contain:
{"level":"info","msg":"listening (telemetry) on 0.0.0.0:5558","time":"2023-03-20T12:03:05Z"}
{"level":"info","msg":"listening (http) on 0.0.0.0:5556","time":"2023-03-20T12:03:05Z"}
But when we try to reach Dex from the browser via the ingress, we get a 404. We get the same error code when we run wget http://127.0.0.1:5556 inside the pod.
This is not documented
Either document it or revert to
dex v2.37.0
Consistent tagging between appVersion and image tag between Chart.yaml and values.yaml.
Currently, releases contain Helm charts which have Chart.yaml appVersion: "X.YY.Z". But the values.yaml tag references a different format (vX.YY.Z), while also instructing users that if you don't specify anything, the appVersion is used.
We are automatically updating upstream charts with PRs which are automatically opened in our internal repos; this behavior impedes us.
Please help. Thank you.
Allow configuring PodDisruptionBudget resource to avoid terminating all instances at once.
No problem, just an enhancement of the chart publish workflow
The helm chart is published using the classic approach with a static webserver and an index.yaml (GitHub pages).
helm repo add dex https://charts.dexidp.io
helm install --generate-name --wait dex/dex
However in helm 3.8+ the OCI method went GA:
I'd like to push the packaged helm charts also on ghcr.io (right besides the already existing container images) so we can pull/install the helm chart like this:
helm install dex oci://ghcr.io/dexidp/helm-charts/dex --version x.y.z
Still using the classic approach with GitHub pages and the index.yaml
https://github.com/dexidp/dex/releases/tag/v2.30.0
Running on Kubernetes 1.21 should be easier, because of dexidp/dex#2082.
I want to be able to use a ConfigMap instead of a Secret for storing the config. Dex makes it possible to not need actual secrets in the config. We can use env vars for that as seen in the Dex GitHub example.
This makes it easier (at least for me) to integrate this chart into e.g. external-secrets, jenkins x, hashicorp vault and similar.
Add a field configType with secret set as default (so no breaking change) and configMap as an option. Handling of the ConfigMap analogous to the Secret handling.
Subcharting this Chart. Since there is no option to not reference the secret in the volumes section of the deployment this is not possible.
Some enterprises have strict policies at the pod and container level. For example I have a case where Dex is used in an organization where at the same time they use Kyverno and enforce a policy to use supplementalGroups between the ranges 100-200 and 500-600. The Dex chart as of writing has no support for it.
Add a supplementalGroups list/array to values.yaml under the podSecurityContext values.
podSecurityContext: {}
  ##fsGroup: 2000
  ##supplementalGroups: []   <--
It would be great if we could add extraObjects directly in the values.
Here is an example of how to set it:
## templates/extra-manifests.yaml
{{ range .Values.extraObjects }}
---
{{ if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}
When using kustomize or helm template to render the chart .Capabilities isn't available. This results in the wrong behavior in the ingress object despite supporting the new API version.
Allow for a value that overrides the k8s version coming from the .Capabilities function. Allows for easy support for rendering via helm template or kustomize.
https://github.com/dexidp/helm-charts/blob/master/charts/dex/templates/ingress.yaml#L4-L8 example
The objects generated by Helm do not carry a Namespace. There is no way to specify one, as Helm's namespace argument is pretty inconsistent.
Add Namespace properties to all objects' yaml wrapped in a condition. This would give the opportunity to set the namespace using Values and would otherwise not affect anything at all.
Export objects with helm template and specify -n on kubectl. Does not really go with most GitOps flows.
I can't add custom annotations to the deployment.
Add a .Values.deploymentAnnotations value which allows users to add custom annotations to the deployment.
Adding annotations to the pod; however, the annotation I need to add must be added to the deployment because they require the use of rolling updates.
Below is the deployment part where the listen addresses are hardcoded and IPv4 only. With an IPv6-only Kubernetes cluster Dex fails to work properly.
args:
  - dex
  - serve
  - --web-http-addr
  - 0.0.0.0:5556
  {{- if .Values.https.enabled }}
  - --web-https-addr
  - 0.0.0.0:5554
  {{- end }}
  {{- if .Values.grpc.enabled }}
  - --grpc-addr
  - 0.0.0.0:5557
  {{- end }}
  - --telemetry-addr
  - 0.0.0.0:5558
Add multiple addresses if possible:
Or add a chart value for the listen address.
I propose to consider adding the containers section. This section will allow users to inject additional containers, e.g., a reverse proxy, a GRPC API adapter, or even a database.
values.yaml
# containers:
#   - name: proxy
#     image: nginx:1.19.6
#     resources:
#       requests:
#         cpu: 10m
#         memory: 32Mi
Adding the initContainers section can also be useful for preparing config, certificates, or other assets.