github.com/kubernetes-incubator/kube-aws@v0.16.4/contrib/dex/README.md

## Configure Dex as a custom provider in cluster.yaml

Example:
```yaml
oidc:
  enabled: true
  issuerUrl: "https://dex.example.com"
  clientId: "example-app"
  usernameClaim: "email"
  groupsClaim: "groups"
```

## Deploy Dex

1. Edit the ConfigMap `contrib/dex/dex.cm.yaml` according to your setup. By default only the GitHub provider and static clients are enabled.
   If you have a different setup, please check [Dex's documentation](https://github.com/coreos/dex/tree/master/Documentation).

2. Create a secret containing your [GitHub OAuth2 client credentials](https://github.com/settings/applications/new):
   ```bash
   kubectl create secret \
       generic github-client \
       --from-literal=client-id=$GITHUB_CLIENT_ID \
       --from-literal=client-secret=$GITHUB_CLIENT_SECRET
   ```
3. Deploy Dex: `kubectl apply -f contrib/dex/dex.de.yaml`

**Deploy Dex using Helm**

For those who prefer deploying it using Helm, Samsung-CNCT has a [chart](https://github.com/samsung-cnct/chart-dex) available.

## Exposing Dex
After Dex is deployed, you have to expose it using an ELB or an Ingress.

**Note:**
Always use HTTPS with trusted SSL/TLS certificates.

1. ELB
The recommended method is to use an ELB with certificates provided by AWS Certificate Manager.
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

Examples are provided in the `contrib/dex/elb` directory.

2. Ingress

An example that works with [nginx-ingress](https://github.com/nginxinc/kubernetes-ingress/tree/master/cmd/nginx-ingress) + [kube-lego](https://github.com/jetstack/kube-lego) is provided in `contrib/dex/ingress`.

## Configure `kubectl` for token authentication

The resulting kubeconfig holds the client secret and a long-lived refresh token, so protect the file like any other credential.

* `kubectl` config using command line example:

```bash
kubectl config set-credentials admin@example.com \
    --auth-provider=oidc \
    --auth-provider-arg=idp-issuer-url=https://dex.example.com \
    --auth-provider-arg=client-id=example-app \
    --auth-provider-arg=client-secret=ZXhhbXBsZS1hcHAtc2VjcmV0 \
    --auth-provider-arg=refresh-token=refresh_token \
    --auth-provider-arg=idp-certificate-authority=/etc/kubernetes/ssl/ca.pem \
    --auth-provider-arg=id-token=id_token \
    --auth-provider-arg=extra-scopes=groups
```

* `kubectl` config file example:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ca.pem_base64_encoded
    server: https://kubeapi.example.com
  name: your_cluster_name
contexts:
- context:
    cluster: your_cluster_name
    user: admin@example.com
  name: your_cluster_name
current-context: your_cluster_name
kind: Config
preferences: {}
users:
- name: admin@example.com
  user:
    auth-provider:
      config:
        access-token: id_token
        client-id: example-app
        client-secret: ZXhhbXBsZS1hcHAtc2VjcmV0
        extra-scopes: groups
        id-token: id_token
        idp-issuer-url: https://dex.example.com
        refresh-token: refresh_token
      name: oidc
```
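As an added example (not part of kube-aws or this README), the script below checks that the claims in an ID token obtained from Dex, the `id_token` you place in the kubeconfig above, line up with the `oidc:` block from cluster.yaml: issuer, audience, expiry, and the username and groups claims the apiserver will read. The token fixture is constructed and unsigned; signature verification against Dex's keys is left to the apiserver.

```python
"""Pre-flight check of a Dex ID token against the oidc: settings in cluster.yaml.
Added example, not kube-aws code. It inspects claim content only: the fixture
below is constructed and unsigned; signature verification is the apiserver's job."""
import base64
import json
import time

# Mirrors the oidc: block from cluster.yaml above.
OIDC_CONFIG = {"issuerUrl": "https://dex.example.com", "clientId": "example-app",
               "usernameClaim": "email", "groupsClaim": "groups"}

def _b64url(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_id_token(id_token, cfg, now=None):
    """Return the reasons the apiserver would reject the token under cfg ([] = OK)."""
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["not a three-segment JWT"]
    claims = json.loads(_b64url(parts[1]))
    problems = []
    if claims.get("iss") != cfg["issuerUrl"]:
        problems.append("iss does not match issuerUrl")
    aud = claims.get("aud")
    if cfg["clientId"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain clientId")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get(cfg["usernameClaim"]):
        problems.append("usernameClaim %r missing" % cfg["usernameClaim"])
    # With usernameClaim: email the apiserver refuses a token carrying email_verified: false.
    if cfg["usernameClaim"] == "email" and claims.get("email_verified") is False:
        problems.append("email_verified is false")
    if not isinstance(claims.get(cfg["groupsClaim"]), list):
        problems.append("groupsClaim %r missing or not a list" % cfg["groupsClaim"])
    return problems

def make_unsigned_token(claims):
    """Constructed fixture (header.payload. with empty signature); a real Dex token is RS256-signed."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

# Constructed claims like those Dex issues for a GitHub user when scope "groups" is requested.
GOOD_CLAIMS = {"iss": "https://dex.example.com", "aud": "example-app", "exp": 4102444800,
               "email": "admin@example.com", "email_verified": True, "groups": ["admins"]}
```

A non-empty result means `kubectl` will be turned away with an authentication error, and the entries tell you whether the Dex client, the requested scopes, or the cluster.yaml settings need to change.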