dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

Kubernetes authentication through dex has some unclear moments #1132

Open mpashka opened 6 years ago

mpashka commented 6 years ago

I'm trying to integrate dex with Kubernetes and to use LDAP for user authentication. First I tried the 'Kubernetes authentication through dex' instructions. Everything was clear except almost the last step: Logging into the cluster ... Once the example app is running, choose the GitHub option and grant access to dex to view your profile.

I can't understand how I can choose the GitHub option there. After starting example-app and opening the http://127.0.0.1:5555 URL in my browser I see the following form (screenshot: dexexampleapp_small2).

But I can't understand what I should put into those input fields. I tried to put my GitHub login, and admin and admin@example.com, as 'Authenticate for' and the 'openid' string as 'Extra scopes'. But I got the same error every time: invalid_scope: Client can't request scope(s) ["audience:server:client_id:admin"]

So can you please give more details there.

mpashka commented 6 years ago

I found there is no need to enter anything special into login form - instead you can use default empty values. But I suppose it is better to document that moment.

RaphaelHerd commented 6 years ago

I tried the same. I got dex working in k8s but I'm not able to configure the crappy sample app so that I can receive a token for authentication. I tried multiple parameters while configuring the sample-app. I always get some errors. The documentation is not complete, because for example you also have to configure dex with the redirect URL to your sample app. If dex is running within Kubernetes (not on the local machine), your sample-app cannot run locally. This is because you have to configure a redirect URL in dex and if it runs locally, you do not have a public internet-facing endpoint.

So that relates to the fact that the sample app is completely useless to me. I also cannot find any docs or scripts on the internet that demonstrate the usage of GitHub and dex in a structured way.

So I decided to use https://github.com/heptio/authenticator instead of dex because I'm on AWS. It's a great pity for dex that the how-tos are so incomplete.

mpashka commented 6 years ago

Actually to add groups support in kubernetes authentication (which is very useful) you have to put groups into "Extra scopes" field (second one). My proposal is to make sample application part of dex. I can provide PR for that.
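The two form fields discussed in this thread ("Extra scopes" and "Authenticate for") are just inputs to the OAuth2 `scope` parameter of the example app's authorization request, and the invalid_scope error above comes from dex's cross-client trust rule: client A may request `audience:server:client_id:B` only if B is a configured client whose trustedPeers lists A. The script below is an added illustration, not dex's or the example app's code; it reimplements that rule from dex's documented behaviour, with constructed client IDs and trustedPeers, and reproduces the error string from the issue.

```python
"""Added example (not dex's own code): what the example app's two form fields
turn into, and why typing "admin" into 'Authenticate for' fails with
invalid_scope while leaving both fields empty works.

Assumptions (constructed for this example): the client IDs "example-app" and
"kubernetes", their trustedPeers, and the set of recognised scopes, which
mirrors the scopes dex documents (openid, email, profile, groups,
offline_access). The error strings follow the ones dex returns.
"""
import json
from typing import Dict, List, Optional

BASE_SCOPES = ["openid", "profile", "email"]          # example app's fixed scopes
CROSS_CLIENT_PREFIX = "audience:server:client_id:"    # dex cross-client scope
KNOWN_SCOPES = {"openid", "email", "profile", "groups", "offline_access"}

# Constructed stand-in for dex's staticClients config: "kubernetes" trusts
# "example-app", so example-app may mint tokens with kubernetes in the audience.
CLIENTS: Dict[str, dict] = {
    "example-app": {"trustedPeers": []},
    "kubernetes": {"trustedPeers": ["example-app"]},
}


def build_scopes(extra_scopes: str = "", authenticate_for: str = "") -> List[str]:
    """Mirror the example app's form: both fields are space-separated lists.
    'Extra scopes' are appended verbatim; each 'Authenticate for' client ID
    becomes an audience:server:client_id:<id> scope."""
    scopes = list(BASE_SCOPES) + extra_scopes.split()
    scopes += [CROSS_CLIENT_PREFIX + cid for cid in authenticate_for.split()]
    deduped: List[str] = []
    for scope in scopes:           # keep first occurrence, preserve order
        if scope not in deduped:
            deduped.append(scope)
    return deduped


def validate_scopes(client_id: str, scopes: List[str],
                    clients: Dict[str, dict] = CLIENTS) -> Optional[str]:
    """Return None if dex would accept the request, else the invalid_scope error."""
    unrecognized = [s for s in scopes
                    if not s.startswith(CROSS_CLIENT_PREFIX) and s not in KNOWN_SCOPES]
    if unrecognized:
        return "invalid_scope: Unrecognized scope(s) " + json.dumps(unrecognized)

    untrusted = []
    for scope in scopes:
        if not scope.startswith(CROSS_CLIENT_PREFIX):
            continue               # openid, groups, ... are not cross-client scopes
        peer_id = scope[len(CROSS_CLIENT_PREFIX):]
        if peer_id == client_id:
            continue               # a client may always request its own audience
        peer = clients.get(peer_id)
        if peer is None or client_id not in peer.get("trustedPeers", []):
            untrusted.append(scope)   # unknown peer, or peer does not trust us
    if untrusted:
        return "invalid_scope: Client can't request scope(s) " + json.dumps(untrusted)
    return None


if __name__ == "__main__":
    # Empty form, as found in the thread: accepted.
    print(validate_scopes("example-app", build_scopes()))
    # "admin" in 'Authenticate for': no such client, so the error from the issue.
    print(validate_scopes("example-app", build_scopes("openid", "admin")))
    # groups + a trusted cross-client audience for the API server: accepted.
    print(validate_scopes("example-app", build_scopes("groups", "kubernetes")))
```

The practical consequence for the Kubernetes case: if you want the token the example app obtains to be accepted by an API server whose --oidc-client-id is "kubernetes", put "kubernetes" in 'Authenticate for' and add "example-app" to that client's trustedPeers in the dex config; "groups" in 'Extra scopes' is what makes the groups claim appear in the ID token.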

nabadger commented 6 years ago

We're using dex with kubernetes (backed by ldap) at the moment. I've written a web-based dex-client authenticator service based on the example app. It lets you configure multiple clusters that you want to auth against (you select 1 during the login process) and handles the redirect, then provides you with a complete kubeconfig. I'll opensource this shortly if anyone is interested.

SEJeff commented 6 years ago

@nabadger that would be great! I was just in the process of starting to write my own.

whereisaaron commented 6 years ago

@nabadger if you can share that it would be fantastic.

I just read a bunch of issues like above where people are struggling to configure dex even for a basic k8s/LDAP configuration, giving up and using something else. I can't find a single properly explained example for using dex. Any references for writing examples would be appreciated.

whereisaaron commented 6 years ago

This might be @nabadger's work here:

https://github.com/mintel/dex-k8s-authenticator

nabadger commented 6 years ago

Apologies, I missed notifications on this thread. The repo that @whereisaaron mentions is the right one. I think it meets our needs internally (at work), but it's not under heavy usage yet. I expect we'll see more issues/pr's from our internal users as we ramp up our experiments with k8s (in the next few months).

Feel free to contribute to it and raise issues/pr's. The helm charts that @whereisaaron has added should provide a really easy way to get started with Dex :+1:

whereisaaron commented 6 years ago

Thanks @nabadger. The helm charts aim to make it dead simple to deploy both dex and, optionally, the excellent dex-k8s-authenticator as well. So you don't have to repeat the pain we went through 😄

The dex chart instructions include a somewhat better example configuration file for dex with links to where to configure OpenID at the various services like Google, Microsoft and GitHub. The chart also handles OpenID secrets for you, even if you e.g. need two different Microsoft configurations. And the dex-k8s-authenticator makes it trivial to authenticate and then configure kubectl.

https://github.com/mintel/dex-k8s-authenticator/tree/master/charts

I created #1192 here to try and get the charts linked from the dex project.

Installing dex with web UI for configuring 'kubectl'

git clone git@github.com:mintel/dex-k8s-authenticator.git
helm inspect values charts/dex > dex.yaml
helm inspect values charts/dex-k8s-authenticator > dex-k8s-authenticator.yaml

Edit the values files for your environment and requirements (dex.yaml and dex-k8s-authenticator.yaml).

Create the DNS names for your dex (e.g. 'dex.example.com') and dex-k8s-authenticator (e.g. 'login.example.com') pointed at the ingress controller you are using. Be sure to enable HTTPS. You can install cert-manager to automatically issue Lets Encrypt certificates.

You also need to configure each Kubernetes cluster to use dex at e.g. 'dex.example.com' by setting the OIDC parameters for the Kubernetes API server.

helm install --namespace dex --values dex.yaml charts/dex
helm install --namespace dex --values dex-k8s-authenticator.yaml charts/dex-k8s-authenticator

Navigate to https://login.example.com and follow the instructions to authenticate using dex and configure kubectl.
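The step "configure each Kubernetes cluster to use dex by setting the OIDC parameters for the Kubernetes API server" is where most of the confusion in this thread ends up, because the flags decide which claims of the dex-issued ID token become the Kubernetes user and groups. The following is an added example, not code from dex, Kubernetes or dex-k8s-authenticator: it reproduces the API server's checks on an ID token in plain Python so the mapping can be inspected offline. The issuer URL, client ID and prefixes are placeholders for the --oidc-* flag values, and the token is constructed here and signed with an HMAC test key standing in for the RS256/JWKS verification the real API server performs against dex's keys endpoint.

```python
"""Added example (not dex's or Kubernetes' code): how a kube-apiserver configured
with --oidc-issuer-url, --oidc-client-id, --oidc-username-claim/-prefix and
--oidc-groups-claim/-prefix turns a dex ID token into an RBAC subject.

Assumptions, all constructed for this example: the flag values below, the
HS256 test key (the real API server verifies RS256 signatures against dex's
JWKS endpoint), and the sample claims minted in main.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://dex.example.com"                    # --oidc-issuer-url
CLIENT_ID = "kubernetes"                              # --oidc-client-id
USERNAME_CLAIM, USERNAME_PREFIX = "email", "oidc:"    # --oidc-username-claim / -prefix
GROUPS_CLAIM, GROUPS_PREFIX = "groups", "oidc:"       # --oidc-groups-claim / -prefix
TEST_KEY = b"constructed-test-key-not-a-real-dex-key"  # stand-in for dex's JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = TEST_KEY) -> str:
    """Mint a constructed JWT (HS256 here; dex itself signs with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authenticate(token: str, key: bytes = TEST_KEY, now: Optional[float] = None) -> dict:
    """Validate the token the way the API server's OIDC authenticator does and
    return {"username": ..., "groups": [...]}; raise ValueError on rejection."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]           # dex emits a list when cross-client audiences are used
    if CLIENT_ID not in (aud or []):
        raise ValueError("token not issued for this cluster's client ID")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    if USERNAME_CLAIM == "email" and not claims.get("email_verified", False):
        raise ValueError("email not verified")   # API server insists on this for email
    groups = claims.get(GROUPS_CLAIM) or []       # absent unless the groups scope was requested
    return {"username": USERNAME_PREFIX + username,
            "groups": [GROUPS_PREFIX + g for g in groups]}


def rejection_reason(token: str, key: bytes = TEST_KEY, now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        authenticate(token, key, now)
        return None
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    now = time.time()
    good = make_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 3600,
                       "email": "alice@example.com", "email_verified": True,
                       "groups": ["admins"]})
    print(authenticate(good))            # {'username': 'oidc:alice@example.com', 'groups': ['oidc:admins']}
    wrong_aud = make_token({"iss": ISSUER, "aud": "example-app", "exp": now + 3600,
                            "email": "alice@example.com", "email_verified": True})
    print(rejection_reason(wrong_aud))   # token not issued for this cluster's client ID
```

Two things worth noticing: the audience check is why a token obtained by another client (the example app, dex-k8s-authenticator) only works if the API server's client ID is in its aud, which is what the audience:server:client_id scope and trustedPeers arrange; and the username prefix keeps LDAP identities from colliding with built-in subjects such as system:admin in RBAC bindings.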

totahuanocotl commented 6 years ago

We also just made osprey public. It is a login tool for Kubernetes using dex and (currently) an LDAP connector. It has a CLI that logs you into one or multiple clusters based.

sagikazarmark commented 5 years ago

We recently published a post on our blog about the topic. Check it out, maybe it helps you: https://banzaicloud.com/blog/k8s-rbac/