deployKF / website

the website for deployKF
https://www.deploykf.org/
Apache License 2.0

Documentation on how to specify dex connectors for oidc #46

Closed EPNSED closed 1 year ago

EPNSED commented 1 year ago

Could you please provide an example of how to provide a dex connector for OIDC? For example, the code has the following comments:

      ## dex connectors
      ##  - dex connectors which allow bridging trust to external identity providers
      ##    https://dexidp.io/docs/connectors/
      ##  - not all connector types support refresh tokens, notably "SAML 2.0" and "OAUTH 2.0" do not
      ##    however, most providers support "OpenID Connect" which does support refresh tokens
      ##    without refresh tokens, users will be forced to re-authenticate every `expiry.idToken` period
      ##  - each element is a map with keys `type`, `id`, `name`, and `config` (which are the same as upstream dex)
      ##    additionally, `configExistingSecret` and `configExistingSecretKey` allow you to set `config`
      ##    from a YAML-formatted string in a kubernetes secret
      ##  - in most cases `config.redirectURI` will be set to "https://{DEPLOYKF_HOST}/dex/callback" (if port is 443)
      ##
      connectors: []

I'm trying to use the example provided in https://dexidp.io/docs/connectors/oidc/

    connectors:
        type : "oidc"
        id : "google"
        name : "Google"
        config:
           issuer : "https://accounts.google.com"
           clientID : "kubeflow"
           clientSecret : "XXXXXXXXXXXXXXXXXXXXXXXXX"
           redirectURI : "https://XXXXXXXX/dex/callback"
        existingSecret: "generated--oauth2--secret"
        existingSecretKey: "client_secret"
        generateSecret: true

However, I'm getting an error:

rpc error: code = Unknown desc = `helm template . --name-template dkf-core--deploykf-auth --namespace deploykf-auth --kube-version 1.26 --api-versions acme.cert-manager.io/v1 --api-versions acme.cert-manager.io/v1/Challenge --api-versions acme.cert-manager.io/v1/Order --api-versions admissionregistration.k8s.io/v1 --api-versions admissionregistration.k8s.io/v1/MutatingWebhookConfiguration --api-versions admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration --api-versions apiextensions.k8s.io/v1 --api-versions apiextensions.k8s.io/v1/CustomResourceDefinition --api-versions apiregistration.k8s.io/v1 --api-versions apiregistration.k8s.io/v1/APIService --api-versions apps/v1 --api-versions apps/v1/ControllerRevision --api-versions apps/v1/DaemonSet --api-versions apps/v1/Deployment --api-versions apps/v1/ReplicaSet --api-versions apps/v1/StatefulSet --api-versions argoproj.io/v1alpha1 --api-versions argoproj.io/v1alpha1/AppProject --api-versions argoproj.io/v1alpha1/Application --api-versions argoproj.io/v1alpha1/ApplicationSet --api-versions autoscaling/v1 --api-versions autoscaling/v1/HorizontalPodAutoscaler --api-versions autoscaling/v2 --api-versions autoscaling/v2/HorizontalPodAutoscaler --api-versions batch/v1 --api-versions batch/v1/CronJob --api-versions batch/v1/Job --api-versions cert-manager.io/v1 --api-versions cert-manager.io/v1/Certificate --api-versions cert-manager.io/v1/CertificateRequest --api-versions cert-manager.io/v1/ClusterIssuer --api-versions cert-manager.io/v1/Issuer --api-versions certificates.k8s.io/v1 --api-versions certificates.k8s.io/v1/CertificateSigningRequest --api-versions coordination.k8s.io/v1 --api-versions coordination.k8s.io/v1/Lease --api-versions crd.projectcalico.org/v1 --api-versions crd.projectcalico.org/v1/BGPConfiguration --api-versions crd.projectcalico.org/v1/BGPPeer --api-versions crd.projectcalico.org/v1/BlockAffinity --api-versions crd.projectcalico.org/v1/CalicoNodeStatus --api-versions 
crd.projectcalico.org/v1/ClusterInformation --api-versions crd.projectcalico.org/v1/FelixConfiguration --api-versions crd.projectcalico.org/v1/GlobalNetworkPolicy --api-versions crd.projectcalico.org/v1/GlobalNetworkSet --api-versions crd.projectcalico.org/v1/HostEndpoint --api-versions crd.projectcalico.org/v1/IPAMBlock --api-versions crd.projectcalico.org/v1/IPAMConfig --api-versions crd.projectcalico.org/v1/IPAMHandle --api-versions crd.projectcalico.org/v1/IPPool --api-versions crd.projectcalico.org/v1/IPReservation --api-versions crd.projectcalico.org/v1/KubeControllersConfiguration --api-versions crd.projectcalico.org/v1/NetworkPolicy --api-versions crd.projectcalico.org/v1/NetworkSet --api-versions dex.coreos.com/v1 --api-versions dex.coreos.com/v1/AuthCode --api-versions dex.coreos.com/v1/AuthRequest --api-versions dex.coreos.com/v1/Connector --api-versions dex.coreos.com/v1/DeviceRequest --api-versions dex.coreos.com/v1/DeviceToken --api-versions dex.coreos.com/v1/OAuth2Client --api-versions dex.coreos.com/v1/OfflineSessions --api-versions dex.coreos.com/v1/Password --api-versions dex.coreos.com/v1/RefreshToken --api-versions dex.coreos.com/v1/SigningKey --api-versions discovery.k8s.io/v1 --api-versions discovery.k8s.io/v1/EndpointSlice --api-versions events.k8s.io/v1 --api-versions events.k8s.io/v1/Event --api-versions extensions.istio.io/v1alpha1 --api-versions extensions.istio.io/v1alpha1/WasmPlugin --api-versions flowcontrol.apiserver.k8s.io/v1beta2 --api-versions flowcontrol.apiserver.k8s.io/v1beta2/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta2/PriorityLevelConfiguration --api-versions flowcontrol.apiserver.k8s.io/v1beta3 --api-versions flowcontrol.apiserver.k8s.io/v1beta3/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta3/PriorityLevelConfiguration --api-versions install.istio.io/v1alpha1 --api-versions install.istio.io/v1alpha1/IstioOperator --api-versions kyverno.io/v1 --api-versions kyverno.io/v1/ClusterPolicy 
--api-versions kyverno.io/v1/Policy --api-versions kyverno.io/v1alpha2 --api-versions kyverno.io/v1alpha2/AdmissionReport --api-versions kyverno.io/v1alpha2/BackgroundScanReport --api-versions kyverno.io/v1alpha2/ClusterAdmissionReport --api-versions kyverno.io/v1alpha2/ClusterBackgroundScanReport --api-versions kyverno.io/v1beta1 --api-versions kyverno.io/v1beta1/UpdateRequest --api-versions kyverno.io/v2alpha1 --api-versions kyverno.io/v2alpha1/CleanupPolicy --api-versions kyverno.io/v2alpha1/ClusterCleanupPolicy --api-versions kyverno.io/v2alpha1/PolicyException --api-versions kyverno.io/v2beta1 --api-versions kyverno.io/v2beta1/ClusterPolicy --api-versions kyverno.io/v2beta1/Policy --api-versions metallb.io/v1alpha1 --api-versions metallb.io/v1alpha1/AddressPool --api-versions metallb.io/v1beta1 --api-versions metallb.io/v1beta1/AddressPool --api-versions metallb.io/v1beta1/BFDProfile --api-versions metallb.io/v1beta1/BGPAdvertisement --api-versions metallb.io/v1beta1/BGPPeer --api-versions metallb.io/v1beta1/Community --api-versions metallb.io/v1beta1/IPAddressPool --api-versions metallb.io/v1beta1/L2Advertisement --api-versions metallb.io/v1beta2 --api-versions metallb.io/v1beta2/BGPPeer --api-versions networking.istio.io/v1alpha3 --api-versions networking.istio.io/v1alpha3/DestinationRule --api-versions networking.istio.io/v1alpha3/EnvoyFilter --api-versions networking.istio.io/v1alpha3/Gateway --api-versions networking.istio.io/v1alpha3/ServiceEntry --api-versions networking.istio.io/v1alpha3/Sidecar --api-versions networking.istio.io/v1alpha3/VirtualService --api-versions networking.istio.io/v1alpha3/WorkloadEntry --api-versions networking.istio.io/v1alpha3/WorkloadGroup --api-versions networking.istio.io/v1beta1 --api-versions networking.istio.io/v1beta1/DestinationRule --api-versions networking.istio.io/v1beta1/Gateway --api-versions networking.istio.io/v1beta1/ProxyConfig --api-versions networking.istio.io/v1beta1/ServiceEntry --api-versions 
networking.istio.io/v1beta1/Sidecar --api-versions networking.istio.io/v1beta1/VirtualService --api-versions networking.istio.io/v1beta1/WorkloadEntry --api-versions networking.istio.io/v1beta1/WorkloadGroup --api-versions networking.k8s.io/v1 --api-versions networking.k8s.io/v1/Ingress --api-versions networking.k8s.io/v1/IngressClass --api-versions networking.k8s.io/v1/NetworkPolicy --api-versions node.k8s.io/v1 --api-versions node.k8s.io/v1/RuntimeClass --api-versions operator.tigera.io/v1 --api-versions operator.tigera.io/v1/APIServer --api-versions operator.tigera.io/v1/ImageSet --api-versions operator.tigera.io/v1/Installation --api-versions operator.tigera.io/v1/TigeraStatus --api-versions policy/v1 --api-versions policy/v1/PodDisruptionBudget --api-versions projectcalico.org/v3 --api-versions projectcalico.org/v3/BGPConfiguration --api-versions projectcalico.org/v3/BGPPeer --api-versions projectcalico.org/v3/BlockAffinity --api-versions projectcalico.org/v3/CalicoNodeStatus --api-versions projectcalico.org/v3/ClusterInformation --api-versions projectcalico.org/v3/FelixConfiguration --api-versions projectcalico.org/v3/GlobalNetworkPolicy --api-versions projectcalico.org/v3/GlobalNetworkSet --api-versions projectcalico.org/v3/HostEndpoint --api-versions projectcalico.org/v3/IPAMConfiguration --api-versions projectcalico.org/v3/IPPool --api-versions projectcalico.org/v3/IPReservation --api-versions projectcalico.org/v3/KubeControllersConfiguration --api-versions projectcalico.org/v3/NetworkPolicy --api-versions projectcalico.org/v3/NetworkSet --api-versions projectcalico.org/v3/Profile --api-versions rbac.authorization.k8s.io/v1 --api-versions rbac.authorization.k8s.io/v1/ClusterRole --api-versions rbac.authorization.k8s.io/v1/ClusterRoleBinding --api-versions rbac.authorization.k8s.io/v1/Role --api-versions rbac.authorization.k8s.io/v1/RoleBinding --api-versions scheduling.k8s.io/v1 --api-versions scheduling.k8s.io/v1/PriorityClass --api-versions 
security.istio.io/v1 --api-versions security.istio.io/v1/AuthorizationPolicy --api-versions security.istio.io/v1/RequestAuthentication --api-versions security.istio.io/v1beta1 --api-versions security.istio.io/v1beta1/AuthorizationPolicy --api-versions security.istio.io/v1beta1/PeerAuthentication --api-versions security.istio.io/v1beta1/RequestAuthentication --api-versions storage.k8s.io/v1 --api-versions storage.k8s.io/v1/CSIDriver --api-versions storage.k8s.io/v1/CSINode --api-versions storage.k8s.io/v1/CSIStorageCapacity --api-versions storage.k8s.io/v1/StorageClass --api-versions storage.k8s.io/v1/VolumeAttachment --api-versions storage.k8s.io/v1beta1 --api-versions storage.k8s.io/v1beta1/CSIStorageCapacity --api-versions telemetry.istio.io/v1alpha1 --api-versions telemetry.istio.io/v1alpha1/Telemetry --api-versions trust.cert-manager.io/v1alpha1 --api-versions trust.cert-manager.io/v1alpha1/Bundle --api-versions v1 --api-versions v1/ConfigMap --api-versions v1/Endpoints --api-versions v1/Event --api-versions v1/LimitRange --api-versions v1/Namespace --api-versions v1/Node --api-versions v1/PersistentVolume --api-versions v1/PersistentVolumeClaim --api-versions v1/Pod --api-versions v1/PodTemplate --api-versions v1/ReplicationController --api-versions v1/ResourceQuota --api-versions v1/Secret --api-versions v1/Service --api-versions v1/ServiceAccount --api-versions wgpolicyk8s.io/v1alpha2 --api-versions wgpolicyk8s.io/v1alpha2/ClusterPolicyReport --api-versions wgpolicyk8s.io/v1alpha2/PolicyReport --include-crds` failed exit status 1: Error: template: deploykf-auth/templates/oauth2-proxy/Deployment.yaml:22:32: executing "deploykf-auth/templates/oauth2-proxy/Deployment.yaml" at <include (print $.Template.BasePath "/dex/Secret-config.yaml") .>: error calling include: template: deploykf-auth/templates/dex/Secret-config.yaml:191:18: executing "deploykf-auth/templates/dex/Secret-config.yaml" at <include "deploykf-auth.dex.config.yaml" .>: error calling include: 
template: deploykf-auth/templates/dex/Secret-config.yaml:124:23: executing "deploykf-auth.dex.config.yaml" at <$connector.configExistingSecret>: can't evaluate field configExistingSecret in type interface {} Use --debug flag to render out invalid YAML

What does "can't evaluate field configExistingSecret in type interface {}" mean here?

thesuperzapper commented 1 year ago

@EPNSED it just means you missed the - in the YAML which makes the deploykf_core.deploykf_auth.dex.connectors value a LIST rather than a MAP (aka an "interface").

For example, your Google example would be like this:

deploykf_core:
  deploykf_auth:
    dex:
      connectors:

        ## NOTE: this element is formatted the same as described in https://dexidp.io/docs/connectors/google/
        ##       but with the additional fields: `configExistingSecret` and `configExistingSecretKey`
        - type: google
          id: google
          name: Google

          ## NOTE: you can only set `config` from ONE place, specifically either:
          ##       `config` (to set in this yaml) OR
          ##       `configExistingSecret` (to set the config from a kubernetes secret)
          config:
            clientID: "kubeflow"
            clientSecret: "XXXXXXXXXXXXXXXXXXXXXXXXX"
            redirectURI: "https://XXXXXXXX/dex/callback"

          #configExistingSecret: "my-dex-connector-secret"

          ## NOTE: the `configExistingSecretKey` is a key in the secret which contains a string of
          ##       the `config` yaml, formatted the same as above
          #configExistingSecretKey: "google-config"
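
The shape error explained in this answer can be caught before `helm template` ever runs. The following pre-flight check is an added example, not deployKF's own code: it takes the already-parsed `connectors` value (what a YAML loader would return, so no extra dependency), flags the map-instead-of-list mistake from the question, and enforces the rules stated in the values-file comments (required keys, `config` from exactly one place, the `/dex/callback` redirect, the refresh-token caveat). The host name and client secret in the sample are constructed placeholders; the dex type ids `saml` and `oauth` for "SAML 2.0" and "OAUTH 2.0" are taken from upstream dex.

```python
# Added example (not deployKF's own code): pre-flight check of the
# `deploykf_core.deploykf_auth.dex.connectors` value before `helm template`.
# Input is already-parsed YAML (what yaml.safe_load would return), so no
# third-party dependency is needed. Key names follow the values-file comments.
from typing import Any, List

REQUIRED_KEYS = {"type", "id", "name"}
ALLOWED_KEYS = REQUIRED_KEYS | {"config", "configExistingSecret", "configExistingSecretKey"}
NO_REFRESH_TOKENS = {"saml", "oauth"}  # upstream dex type ids for "SAML 2.0" and "OAUTH 2.0"

# Constructed inputs: the issue's shape (no leading "-") and the corrected one.
CONNECTOR = {"type": "oidc", "id": "google", "name": "Google",
             "config": {"issuer": "https://accounts.google.com", "clientID": "kubeflow",
                        "clientSecret": "PLACEHOLDER", "redirectURI": "https://dkf.example.test/dex/callback"}}
WRONG_SHAPE = dict(CONNECTOR)   # a single map: what YAML without "- " produces
RIGHT_SHAPE = [CONNECTOR]       # a list with one connector map


def validate_connectors(connectors: Any) -> List[str]:
    """Return a list of problems; an empty list means the value is well-formed."""
    if isinstance(connectors, dict):
        # The mistake from the issue: without "- " the connector's own keys become
        # keys of `connectors`, so helm's `range` yields string values and
        # `$connector.configExistingSecret` cannot be evaluated on them.
        return ["connectors must be a LIST of connector maps (missing leading '-')"]
    if not isinstance(connectors, list):
        return [f"connectors must be a list, got {type(connectors).__name__}"]
    problems: List[str] = []
    for i, c in enumerate(connectors):
        where = f"connectors[{i}]"
        if not isinstance(c, dict):
            problems.append(f"{where}: element must be a map")
            continue
        if missing := REQUIRED_KEYS - c.keys():
            problems.append(f"{where}: missing keys {sorted(missing)}")
        if unknown := c.keys() - ALLOWED_KEYS:
            problems.append(f"{where}: unknown keys {sorted(unknown)}")
        has_inline, has_secret = "config" in c, "configExistingSecret" in c
        if has_inline == has_secret:  # config must come from exactly ONE place
            problems.append(f"{where}: set exactly one of `config` or `configExistingSecret`")
        if has_secret and "configExistingSecretKey" not in c:
            problems.append(f"{where}: `configExistingSecret` requires `configExistingSecretKey`")
        if has_inline and isinstance(c["config"], dict):
            if not str(c["config"].get("redirectURI", "")).endswith("/dex/callback"):
                problems.append(f"{where}: redirectURI should be https://{{DEPLOYKF_HOST}}/dex/callback")
        if c.get("type") in NO_REFRESH_TOKENS:
            problems.append(f"{where}: type {c['type']!r} lacks refresh tokens; "
                            "users re-authenticate every `expiry.idToken`")
    return problems
```

Running it on the question's YAML (which also carried the stray `existingSecret`, `existingSecretKey` and `generateSecret` keys) reports both the list/map problem and, once the `-` is added, the keys that do not belong to a connector.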

EPNSED commented 1 year ago

Thanks, @thesuperzapper. It seems to fix the error I was getting. Now everything seems to be working fine. argocd is healthy. I can log in with the credentials hard coded in the values.yml file. Login with email and password works. Every other component in the deployment seems to be working as well.

However, I still could not figure out how to direct authentication from deployKF to OIDC. When I try to access deployKF it provides me two options, either log in with email or log in with kubeflow. If I log in with email, it works, but only with hardcoded accounts in the values.yml file. Even if I add the email to the user list, it does not seem to work without a hardcoded password. It seems it is not using OIDC. Is there a way to dynamically provision users once they authenticate by OIDC? Honestly, at the moment, I'm struggling to send the request to OIDC as well.

I found this post and I think I need to use Keycloak Gatekeeper as I'm trying to use our internal Keycloak instance. I would appreciate it if you could give some insight into what actions deployKF performs when we set the connector values in the above section. If I want to use Keycloak Gatekeeper, what should I do?

thesuperzapper commented 1 year ago

@EPNSED when you configure a dex connector, the login screen should show multiple options (in your case, it should be "google" and "email").

If you are not seeing this, check the logs for the dex Pod in the deploykf-auth namespace, and see if something is wrong.

Once you can see the "google" login option, users will be able to "log in" but they won't have any access by default. To give access, you will need to assign the user (via their email) to one or more profiles, which can be done with the deploykf_core.deploykf_profiles_generator.* values.

thesuperzapper commented 1 year ago

@EPNSED thanks for your patience. There is now an official guide on User Authentication and External Identity Providers; check it out and tell me if it does not answer your question.