github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/dex/README.md.gotmpl (about)

{{ template "chart.baseHead" . }}

## Getting started

### Minimal configuration

Dex requires a minimal configuration in order to work.
You can pass configuration to Dex using Helm values:

```yaml
config:
  # Set it to a valid URL
  issuer: http://my-issuer-url.com

  # See https://dexidp.io/docs/storage/ for more options
  storage:
    type: memory

  # Enable at least one connector
  # See https://dexidp.io/docs/connectors/ for more options
  enablePasswordDB: true
```

The above configuration won't make Dex automatically available on the configured URL.
One (and probably the easiest) way to achieve that is configuring ingress:

```yaml
ingress:
  enabled: true

  hosts:
    - host: my-issuer-url.com
      paths:
        - path: /
```

### Minimal TLS configuration

HTTPS is basically mandatory these days, especially for authentication and authorization services.
There are several solutions for protecting services with TLS in Kubernetes,
but by far the most popular and portable is undoubtedly [Cert Manager](https://cert-manager.io).

Cert Manager can be [installed](https://cert-manager.io/docs/installation/kubernetes) with a few steps:

```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --set installCRDs=true
```

The next step is setting up an [issuer](https://cert-manager.io/docs/concepts/issuer/) (e.g. [Let's Encrypt](https://letsencrypt.org/)):

```shell
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme
spec:
  acme:
    email: YOUR@EMAIL_ADDRESS
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme-account-key
    solvers:
    - http01:
       ingress:
         class: YOUR_INGRESS_CLASS
EOF
```

Finally, change the ingress config to use TLS:

```yaml
ingress:
  enabled: true

  annotations:
    cert-manager.io/cluster-issuer: acme

  hosts:
    - host: my-issuer-url.com
      paths:
        - path: /

  tls:
    - hosts:
        - my-issuer-url.com
      secretName: dex-cert
```
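
The minimal configuration sets `config.issuer` to an `http://` URL, and the TLS ingress values do not change it, so the issuer has to be switched to `https://` separately. The following check is an added example, not part of the chart or of Dex: it takes the chart values as an already parsed mapping and reports where the issuer, the ingress hosts and the TLS entries disagree. The function name, the finding codes and the sample mapping are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def check_dex_values(values):
    """Return finding codes for parsed Dex chart values (empty list = consistent)."""
    config = values.get("config") or {}
    ingress = values.get("ingress") or {}
    issuer = urlsplit(config.get("issuer") or "")
    findings = []

    # Clients reach Dex's discovery and token endpoints under the issuer URL,
    # so a plain-http issuer leaves that traffic unprotected.
    if issuer.scheme != "https":
        findings.append("issuer-not-https")
    if not ingress.get("enabled"):
        return findings  # Dex is exposed some other way; nothing more to compare

    # The issuer host must be routed by the ingress ...
    routed = {h.get("host") for h in ingress.get("hosts") or []}
    if issuer.hostname not in routed:
        findings.append("issuer-host-not-routed")

    # ... and listed in a tls entry that names the secret holding the certificate.
    covered = {
        host
        for entry in ingress.get("tls") or []
        if entry.get("secretName")
        for host in entry.get("hosts") or []
    }
    if issuer.hostname not in covered:
        findings.append("issuer-host-without-tls")

    # Assumption: cert-manager issues the certificate, as in this README;
    # without one of its annotations nothing populates the TLS secret.
    annotations = ingress.get("annotations") or {}
    if not any(k in annotations for k in
               ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")):
        findings.append("no-cert-manager-annotation")
    return findings

# Constructed sample: the README's minimal config combined with its TLS ingress values.
README_VALUES = {
    "config": {"issuer": "http://my-issuer-url.com",
               "storage": {"type": "memory"}, "enablePasswordDB": True},
    "ingress": {
        "enabled": True,
        "annotations": {"cert-manager.io/cluster-issuer": "acme"},
        "hosts": [{"host": "my-issuer-url.com", "paths": [{"path": "/"}]}],
        "tls": [{"hosts": ["my-issuer-url.com"], "secretName": "dex-cert"}],
    },
}

if __name__ == "__main__":
    print(check_dex_values(README_VALUES))  # ['issuer-not-https']
```

Changing the sample's issuer to `https://my-issuer-url.com` clears the only finding.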

{{ template "chart.valuesSection" . }}

## Migrating from stable/dex (or banzaicloud-stable/dex) chart

This chart is not backwards compatible with the `stable/dex` (or `banzaicloud-stable/dex`) chart.

However, Dex itself remains backwards compatible, so you can easily install the new chart in place of the old one
and continue using Dex with minimal downtime.