github.com/kubernetes-incubator/kube-aws@v0.16.4/contrib/dex/README.md

## Configure Dex as a custom provider in cluster.yaml

Example:
```
oidc:
  enabled: true
  issuerUrl: "https://dex.example.com"
  clientId: "example-app"
  usernameClaim: "email"
  groupsClaim: "groups"
```

## Deploy Dex

1. Edit the configMap `contrib/dex/dex.cm.yaml` according to your setup. By default only the GitHub provider and static clients are enabled.
   If you have a different setup, please check [Dex's documentation](https://github.com/coreos/dex/tree/master/Documentation).

2. Create a secret containing your [GitHub OAuth2 client credentials](https://github.com/settings/applications/new):
```
kubectl create secret \
  generic github-client \
  --from-literal=client-id=$GITHUB_CLIENT_ID \
  --from-literal=client-secret=$GITHUB_CLIENT_SECRET
```
3. Deploy Dex: `kubectl apply -f contrib/dex/dex.de.yaml`

**Deploy Dex using Helm**

For those who prefer deploying it using Helm, Samsung-CNCT has a [chart](https://github.com/samsung-cnct/chart-dex) available.

## Exposing Dex
After Dex is deployed, you have to expose it using an ELB or an Ingress.

**Note:**
Always use HTTPS with trusted SSL/TLS certificates.

1. ELB

   The recommended method is to use an ELB with certificates provided by AWS Certificate Manager.
   SSL/TLS certificates provisioned through AWS Certificate Manager are free; you pay only for the AWS resources you create to run your application.

   Examples are provided in the `contrib/dex/elb` directory.

2. Ingress

   An example that works with [nginx-ingress](https://github.com/nginxinc/kubernetes-ingress/tree/master/cmd/nginx-ingress) + [kube-lego](https://github.com/jetstack/kube-lego) is provided in `contrib/dex/ingress`.
## Configure `kubectl` for token authentication

* `kubectl` config using command line example:

```
kubectl config set-credentials admin@example.com \
  --auth-provider=oidc \
  --auth-provider-arg=idp-issuer-url=https://dex.example.com \
  --auth-provider-arg=client-id=example-app \
  --auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
  --auth-provider-arg=refresh-token=refresh_token \
  --auth-provider-arg=idp-certificate-authority=/etc/kubernetes/ssl/ca.pem \
  --auth-provider-arg=id-token=id_token \
  --auth-provider-arg=extra-scopes=groups
```

* `kubectl` config file example:

```
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ca.pem_base64_encoded
    server: https://kubeapi.example.com
  name: your_cluster_name
contexts:
- context:
    cluster: your_cluster_name
    user: admin@example.com
  name: your_cluster_name
current-context: your_cluster_name
kind: Config
preferences: {}
users:
- name: admin@example.com
  user:
    auth-provider:
      config:
        access-token: id_token
        client-id: example-app
        client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0
        extra-scopes: groups
        id-token: id_token
        idp-issuer-url: https://dex.example.com
        refresh-token: refresh_token
      name: oidc
```
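The `oidc:` block in cluster.yaml and the `id-token` that `kubectl` presents are two halves of one check: the API server validates the token's signature, `iss` (must equal `issuerUrl`), `aud` (must contain `clientId`) and `exp`, then reads the `usernameClaim` and `groupsClaim` fields to build the identity that RBAC sees. The following script is an added example, not code from kube-aws or Dex, that walks through those same checks offline so you can see why a token is accepted or rejected under a given configuration. It assumes an HS256-signed token with a constructed shared key purely so it runs without a network; a real API server verifies RS256 signatures against the keys published at the issuer's discovery endpoint, and all token values below are constructed test data.

```python
"""Added example (not part of kube-aws or Dex): replay the checks the
kube-apiserver OIDC authenticator applies to an ID token and show the
username/groups it derives from the cluster.yaml `oidc:` settings.

Assumption (not from the README): tokens are HS256 with a shared key so the
script runs offline. Real deployments use RS256 keys fetched from
<issuerUrl>/.well-known/openid-configuration; the claim checks are the same.
"""
import base64
import hashlib
import hmac
import json
import time

# The `oidc:` block from cluster.yaml, as a dict.
OIDC_CONFIG = {
    "issuerUrl": "https://dex.example.com",
    "clientId": "example-app",
    "usernameClaim": "email",
    "groupsClaim": "groups",
}

DEMO_KEY = b"constructed-demo-key"  # constructed; offline demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWS from `claims` (constructed test data)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, config: dict = OIDC_CONFIG,
                 key: bytes = DEMO_KEY, now: float = None):
    """Return (username, groups) for an acceptable token, else raise ValueError.

    Order mirrors the API server: signature first, then iss/aud/exp, then the
    claim-to-identity mapping configured by usernameClaim/groupsClaim.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # demo accepts only the demo algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    # Exact string match: a token from any other issuer is rejected outright.
    if claims.get("iss") != config["issuerUrl"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if config["clientId"] not in aud:
        raise ValueError(f"audience {aud!r} does not include {config['clientId']!r}")
    # A missing exp counts as expired rather than as "never expires".
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(config["usernameClaim"])
    if not username:
        raise ValueError(f"missing username claim {config['usernameClaim']!r}")
    groups = claims.get(config["groupsClaim"], [])
    if isinstance(groups, str):
        groups = [groups]
    return username, list(groups)


def rejection_reason(token: str, **kwargs):
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        authenticate(token, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tok = make_token({"iss": "https://dex.example.com", "aud": "example-app",
                      "exp": time.time() + 3600, "email": "admin@example.com",
                      "groups": ["admins"]})
    print(authenticate(tok))
```

Run it and try variations: change `iss`, drop the `groups` claim, or sign with a different key. Dropping `groups` is the case worth noticing, since it yields a valid identity with an empty group list, which is exactly what happens when `extra-scopes=groups` is left out of the `kubectl` configuration and Dex omits the claim.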