Comments (4)
Hi @nikolajbrinch,
- Yes example.com is an example, you will need to configure your /etc/hosts (and minikube's one) to resolve the name. You can also try nip.io (used by minishift for setting up routes).
- You can get the CA file from letsencrypt website. I think this CA is for production certs. You can also use a custom pki, and generate your own certs. I'll add a full example with a custom CA.
- Which commands are you talking about? Commands used to deploy the helm chart or commands for the kubernetes manifests?
Regards,
from k8s-ldap.
- I figured it out :-) I just created a domain-name and used that including some CNAMEs for subdomains (dex, loginapp etc.), and used cert-manager for Letsencrypt. Everything works out fine - but it took a couple of days and a lot of searching around. I used the standard Dex chart and the example-app from dex to get initial bootstrapping done. I can't get minikube to boot using oidc configuration for the API server (latest version), so I dropped Minikube, and used acs-engine on Azure (that is what my company uses).
- I never found a way to get trust into K8s, Dex & loginapp for letsencrypt staging certificates (or self signed ones) - maybe there is a way. Getting it up and running with pure HTTP to begin with might be an option.
- The kubectl commands.
Is the CRD still necessary for the authcodes? I can see that Dex itself creates a lot of CRDs when it starts.
Somewhere in one of the charts, I find that the Dex service account is given cluster-admin role, is this really a good idea or even necessary?
Thank you for your time and a great product!
> I can't get minikube to boot using oidc configuration for the API server (latest version)

Did you use the following options for minikube?

```
[...]
--extra-config=apiserver.Authorization.Mode=RBAC \
--extra-config=apiserver.Authentication.OIDC.IssuerURL=https://dex.example.com:5554/dex \
--extra-config=apiserver.Authentication.OIDC.UsernameClaim=email \
--extra-config=apiserver.Authentication.OIDC.ClientID="minikube" \
--extra-config=apiserver.Authentication.OIDC.GroupsClaim=groups \
--extra-config=apiserver.Authentication.OIDC.CAFile="/minikube-host/ssl/ca.pem" \
[...]
```

> Getting it up and running with pure HTTP to begin with might be an option.

Kubernetes will refuse to configure a non-https oidc issuer (or maybe there is an insecure option I did not see!)
- I will add more doc + an example to easily setup the chart with minikube

> Is the CRD still necessary for the authcodes? I can see that Dex itself creates a lot of CRDs when it starts.

I think yes, one of the CRDs created is used for authcodes.

> Somewhere in one of the charts, I find that the Dex service account is given cluster-admin role, is this really a good idea or even necessary?

...where?
Dex gets its own ClusterRole with the following access rules:
```yaml
rules:
- apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
```
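As an added example (not code from the k8s-ldap project or from either commenter), the minikube options above folded into a small POSIX shell helper: it refuses a non-https issuer before `minikube start` is ever run, since the API server rejects a plain-http OIDC issuer, checks that the host-side CA file is a PEM certificate, and prints the `--extra-config` flags. The flag names, claim names and the in-VM path `/minikube-host/ssl/ca.pem` are taken from the comment; the function name and the host-path/VM-path split are assumptions.

```shell
#!/bin/sh
# Added example, not code from the k8s-ldap project: assemble the minikube
# --extra-config flags for OIDC authentication against Dex.
#
# The API server rejects a plain-http OIDC issuer, so the issuer scheme is
# checked here before minikube is started. The CA file is checked on the host
# (it must be a PEM certificate) but referenced by its path inside the
# minikube VM, because that is where the API server reads it from.
#
# Usage: minikube_oidc_args ISSUER_URL CLIENT_ID HOST_CA_FILE [VM_CA_PATH]
#   ISSUER_URL   e.g. https://dex.example.com:5554/dex
#   CLIENT_ID    the OIDC client id registered in Dex, e.g. minikube
#   HOST_CA_FILE path on the host to the CA that signed Dex's certificate
#   VM_CA_PATH   the same file as seen from inside minikube (assumed to be
#                mounted under /minikube-host), default /minikube-host/ssl/ca.pem
minikube_oidc_args() {
    issuer="$1"
    client_id="$2"
    host_ca="$3"
    vm_ca="${4:-/minikube-host/ssl/ca.pem}"

    # Refuse a non-https issuer up front instead of letting the API server fail.
    case "$issuer" in
        https://*) ;;
        *)
            echo "error: OIDC issuer must be an https URL, got: $issuer" >&2
            return 1
            ;;
    esac

    # The CA must exist on the host and look like a PEM certificate.
    if [ ! -r "$host_ca" ] || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$host_ca"; then
        echo "error: $host_ca is not a readable PEM certificate" >&2
        return 1
    fi

    printf '%s\n' \
        "--extra-config=apiserver.Authorization.Mode=RBAC" \
        "--extra-config=apiserver.Authentication.OIDC.IssuerURL=$issuer" \
        "--extra-config=apiserver.Authentication.OIDC.UsernameClaim=email" \
        "--extra-config=apiserver.Authentication.OIDC.ClientID=$client_id" \
        "--extra-config=apiserver.Authentication.OIDC.GroupsClaim=groups" \
        "--extra-config=apiserver.Authentication.OIDC.CAFile=$vm_ca"
}

# Example invocation: only start minikube if the checks passed, so a failed
# check never silently produces a cluster without OIDC auth.
#   args=$(minikube_oidc_args https://dex.example.com:5554/dex minikube ./ssl/ca.pem) \
#     && minikube start $args
```

Because the function returns non-zero on a bad issuer or CA file, chaining it with `&&` as in the comment above means `minikube start` is not launched with an empty flag list. With `Authorization.Mode=RBAC` in place, the ClusterRole shown in the reply above (full access to the `dex.coreos.com` group plus `create` on CRDs) is the scope Dex runs with; a `cluster-admin` binding for its service account is not part of that.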
Closing this issue because of inactivity.
Re-open if you have more questions.