DexAuthenticator
Scope: Namespaced
After a DexAuthenticator object appears in the namespace, the following objects are created:
- a Deployment containing the oauth2-proxy and redis containers;
- a Service pointing to the Deployment with oauth2-proxy;
- an Ingress configured to receive requests on https://<applicationDomain>/dex-authenticator and forward them to that Service;
- Secrets needed to access dex.
NOTE! After a pod with oauth2-proxy restarts, the current access token and id token are requested again (using the refresh token) and stored in redis memory.
- spec (object)
Required value
- spec.allowedGroups (array of strings)
Groups the user must belong to in order to authenticate successfully.
Additionally, this parameter limits the list of groups put into the OIDC token (the token carries the intersection of the specified groups and the user's actual groups).
Default:
All groups are allowed.
- spec.applicationDomain (string)
Required value
Public domain that points to your application. Must be specified without the HTTP scheme.
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
Example:
applicationDomain: my-app.domain.com
- spec.applicationIngressCertificateSecretName (string)
Name of the TLS certificate Secret referenced by your application's Ingress object; it is added to the dex authenticator Ingress object for HTTPS access. The Secret must be located in the same namespace as the DexAuthenticator object.
Pattern:
^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$
Example:
applicationIngressCertificateSecretName: ingress-tls
- spec.applicationIngressClassName (string)
Required value
Ingress class that serves your application's Ingress resource.
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
Example:
applicationIngressClassName: nginx
- spec.keepUsersLoggedInFor (string)
The user session is kept for the specified amount of time even if the user does not log in again.
Specified with an s, m or h suffix.
Default:
"168h"
Example:
keepUsersLoggedInFor: 24h
- spec.nodeSelector (object)
If specified, the nodeSelector of the dex-authenticator pods. If the parameter is omitted or false, it is determined automatically.
Pattern: the same as the pods' spec.nodeSelector parameter in Kubernetes.
- <field name missing from the source> (boolean)
When set to true, requests to the application are sent with an "Authorization: Bearer" header.
- spec.signOutURL (string)
URL from which requests are proxied to the dex authenticator sign-out URL.
- spec.tolerations (array of objects)
If specified, the tolerations of the dex-authenticator pods. The dex-authenticator pod this toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator. If the parameter is omitted or false, it is determined automatically.
Pattern: standard toleration object. Pods inherit this object AS IS.
- spec.tolerations.effect (string)
Effect indicates the taint effect to match. Empty means match all taint effects.
Allowed values:
NoSchedule, PreferNoSchedule, NoExecute
- spec.tolerations.key (string)
Key is the taint key that the toleration applies to. Empty means match all taint keys.
If the key is empty, operator must be Exists; this combination matches all values and all keys.
- spec.tolerations.operator (string)
Operator represents a key's relationship to the value.
Exists is equivalent to a wildcard for value, so that a pod can tolerate all taints of a particular category.
Default:
"Equal"
Allowed values:
Exists, Equal
- spec.tolerations.tolerationSeconds (integer)
TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint.
By default it is not set, which means tolerate the taint forever (do not evict). Zero and negative values are treated as 0 (evict immediately) by the system.
- spec.tolerations.value (string)
Value is the taint value the toleration matches.
If the operator is Exists, the value should be empty; otherwise it is a regular string.
- spec.whitelistSourceRanges (array of strings)
CIDRs that are allowed to authenticate. If not specified, authentication is allowed without IP address restrictions. The element pattern below admits IPv4 CIDRs only.
Example:
whitelistSourceRanges:
- 192.168.42.0/24
- Element of the array (string)
Pattern:
^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$
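The manifest below is an added example, not a manifest from the project's documentation; the apiVersion, namespace, group names, domain, Secret name, CIDRs and scheduling labels are assumptions. It combines the fields documented above: sign-in restricted to two groups (which also trims the groups claim to those two), the application's own TLS Secret reused on the authenticator Ingress, a shortened session lifetime, and authentication limited to two internal networks.

```yaml
# Added example, not from the project's docs. All names, groups, the domain,
# the CIDRs and the scheduling labels are assumptions.
apiVersion: deckhouse.io/v1          # assumed API version
kind: DexAuthenticator
metadata:
  name: my-app
  namespace: my-app-ns               # same namespace as the app Ingress and its TLS Secret
spec:
  # Public host of the application, without scheme. The authenticator Ingress
  # will answer on https://my-app.domain.com/dex-authenticator
  applicationDomain: my-app.domain.com
  applicationIngressClassName: nginx
  # TLS Secret already referenced by the application's own Ingress
  applicationIngressCertificateSecretName: ingress-tls
  # Only members of these groups may authenticate; the groups claim handed to
  # the application is the intersection with this list, so other memberships
  # never reach the app.
  allowedGroups:
    - platform-admins
    - my-app-users
  # Session lifetime without re-login. The default is 168h (7 days); shorten it
  # for sensitive applications. Only s, m and h suffixes are accepted.
  keepUsersLoggedInFor: 24h
  # IPv4 CIDRs allowed to authenticate (the schema pattern is IPv4-only).
  # Omit the field to allow any source address.
  whitelistSourceRanges:
    - 192.168.42.0/24
    - 10.20.0.0/16
  # Scheduling of the oauth2-proxy/redis pods; inherited as-is.
  nodeSelector:
    node-role/system: ""              # placeholder label
  tolerations:
    - key: dedicated                  # placeholder taint
      operator: Equal
      value: system
      effect: NoSchedule
```

After applying it, confirm that the Deployment, Service, Ingress and Secrets listed above exist in my-app-ns and that the Ingress host is my-app.domain.com with path /dex-authenticator. Note that whitelistSourceRanges only restricts what the ingress controller sees as the client address: behind a load balancer that does not pass the real client IP (proxy protocol or forwarded-for headers), every request appears to come from the balancer and the allowlist either blocks everyone or nobody.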
DexClient
Scope: Namespaced
Allows applications that support OIDC authentication to interact with dex.
After a DexClient object appears in the cluster:
- Dex registers a client with the clientID dex-client-<NAME>@<NAMESPACE>, where <NAME> and <NAMESPACE> are metadata.name and metadata.namespace of the DexClient object, respectively.
- A Secret named dex-client-<NAME> containing the client access password (clientSecret) is created in the corresponding namespace (where <NAME> is metadata.name of the DexClient object).
- spec (object)
Required value
- spec.allowedGroups (array of strings)
A list of groups whose members are allowed to connect to the client. By default, all groups can connect.
- spec.redirectURIs (array of strings)
Array of URLs that dex may redirect to after successful authentication.
- spec.trustedPeers (array of strings)
OAuth2 client IDs that are allowed cross-authentication with the current client.
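The DexClient below is an added example and not one of the project's manifests; the apiVersion, names, namespace, callback URL and group names are assumptions. It shows how metadata.name and metadata.namespace determine the clientID and Secret name described above, and how the three spec fields are used together.

```yaml
# Added example, not from the project's docs. apiVersion, names, URLs and
# groups are assumptions.
apiVersion: deckhouse.io/v1            # assumed API version
kind: DexClient
metadata:
  name: grafana                        # clientID becomes dex-client-grafana@monitoring
  namespace: monitoring                # Secret dex-client-grafana is created here
spec:
  # List the exact callback URL(s) of the application. OAuth2 redirect URIs are
  # matched exactly, so a typo here breaks login rather than weakening it;
  # never list a URL you do not control.
  redirectURIs:
    - https://grafana.example.com/login/generic_oauth
  # Only members of these groups can obtain tokens for this client.
  # Omit the field to allow all groups.
  allowedGroups:
    - monitoring-admins
    - monitoring-viewers
  # Other dex clients trusted for cross-client authentication with this one
  # (their clientIDs follow the same dex-client-<NAME>@<NAMESPACE> scheme).
  # Leave it out unless another client genuinely needs it.
  trustedPeers:
    - dex-client-api-gateway@monitoring
```

The application reads its client secret from the Secret dex-client-grafana in the monitoring namespace; treat that Secret like any other credential and limit who can read Secrets in the namespace with RBAC, since anyone who can read it can impersonate the client to dex.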
DexProvider
Scope: Cluster
Defines the configuration for connecting a third-party identity provider.
With it, you can flexibly configure the integration of the account directory with Kubernetes.
- spec (object)
Required value
- spec.bitbucketCloud (object)
Parameters of Bitbucket Cloud (intended for type: BitbucketCloud).
- spec.bitbucketCloud.clientID (string)
Required value
Team application ID (Key) from Bitbucket Cloud.
- spec.bitbucketCloud.clientSecret (string)
Required value
Team application secret key from Bitbucket Cloud.
- spec.bitbucketCloud.includeTeamGroups (boolean)
Optional parameter to include team groups.
If enabled, the groups claim of the dex id_token will look like this:
["my_team", "my_team/administrators", "my_team/members"]
Default:
false
- spec.bitbucketCloud.teams (array of strings)
A list of allowed Bitbucket Cloud teams (filter).
The user token will contain the intersection of the user's Bitbucket Cloud teams and the teams in this list. If the intersection is empty, authorization fails.
The user token carries the user's teams in the groups claim (similar to other providers).
- spec.crowd (object)
Parameters of Crowd (intended for type: Crowd).
- spec.crowd.baseURL (string)
Required value
Base part of the Atlassian Crowd URL.
Example:
baseURL: https://crowd.example.com/crowd
- spec.crowd.clientID (string)
Required value
Application ID from Atlassian Crowd (Application Name).
- spec.crowd.clientSecret (string)
Required value
Application secret key from Atlassian Crowd (Password).
- spec.crowd.enableBasicAuth (boolean)
Enables basic authentication for the Kubernetes API server.
The username and password of a user from the application created in Crowd are used as the basic-auth credentials (it can be enabled only if there is exactly one provider of the Crowd type). Works only if publishAPI is enabled.
Authorization and group data obtained from Crowd are cached for 10 seconds.
- spec.crowd.groups (array of strings)
A list of allowed Crowd groups (filter).
The user token will contain the intersection of the user's Crowd groups and the groups in this list. If the intersection is empty, authorization fails.
The user token will contain all Crowd groups if the parameter is not set.
- spec.crowd.usernamePrompt (string)
Prompt for the username field.
Default:
"Crowd username"
- spec.displayName (string)
Required value
The provider name shown on the authentication provider selection page. The selection page is not displayed if only one provider is configured.
- spec.github (object)
Parameters of the GitHub provider (intended for the type: Github case only).
- spec.github.clientID (string)
Required value
Organization application ID from GitHub.
- spec.github.clientSecret (string)
Required value
Organization application secret key from GitHub.
- spec.github.orgs (array of objects)
Filter for user organizations. The ID token will contain only organizations from this list. If the user is not in any organization from this list, authorization fails.
By default, all organizations are allowed.
- spec.github.orgs.name (string)
Required value
Name of the organization.
- spec.github.orgs.teams (array of strings)
A list of allowed GitHub teams (filter).
The user token will contain the intersection of the user's GitHub teams and the teams in this list. If the intersection is empty, authorization fails.
The user token will contain all GitHub teams if the parameter is not set.
- spec.github.teamNameField (string)
Selects which team identifier is placed in the groups claim. As an example, group claims for a member of 'Site Reliability Engineers' in the Acme organization would yield:
- ['acme:Site Reliability Engineers'] for Name
- ['acme:site-reliability-engineers'] for Slug
- ['acme:Site Reliability Engineers', 'acme:site-reliability-engineers'] for Both
Name is used by default.
Default:
"Name"
Allowed values:
Name, Slug, Both
(The source renders this enum in two casings, Name/Slug/Both and name/slug/both; use the casing accepted by the CRD schema of the API version you apply. Group-based authorization rules must match the exact string the selected field produces, so changing this field changes which rules match.)
- spec.github.useLoginAsID (boolean)
Flag that switches from using the internal GitHub id to the user's handle (@mention) as the user id. It is possible for a user to change their own user name, but it is very rare for them to do so. Because a handle can be renamed and later taken by another account, authorization bindings keyed on it can transfer to someone else; prefer the stable internal id unless the handle is required.
Defaults to false.
- spec.gitlab (object)
Parameters of the GitLab provider (intended for the type: Gitlab case only).
- spec.gitlab.baseURL (string)
Base part of the GitLab URL.
Example:
baseURL: https://gitlab.example.com
- spec.gitlab.clientID (string)
Required value
Application ID from GitLab.
- spec.gitlab.clientSecret (string)
Required value
Application secret key from GitLab.
- spec.gitlab.groups (array of strings)
A list (filter) of allowed GitLab groups (group paths, not names).
The user token will contain the intersection of the user's GitLab groups and the groups in this list. If the intersection is empty, authorization fails.
The user token will contain all GitLab groups if the parameter is not set.
- spec.gitlab.useLoginAsID (boolean)
Flag that switches from using the internal GitLab id to the user's handle (@mention) as the user id. It is possible for a user to change their own user name, but it is very rare for them to do so. As with GitHub, a renamed handle can later be taken by another account, so bindings keyed on it can transfer; prefer the stable internal id unless the handle is required.
Defaults to false.
- spec.ldap (object)
Parameters of the LDAP provider (intended for type: LDAP).
- spec.ldap.bindDN (string)
The DN of an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server allows anonymous access.
Example:
bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
- spec.ldap.bindPW (string)
Password for the read-only service account. Note that if the bind password contains a $, it has to be saved in an environment variable, whose name is then given as the value of bindPW.
Example:
bindPW: password
- spec.ldap.groupSearch (object)
Group search queries for the groups of a given user entry.
- spec.ldap.groupSearch.baseDN (string)
Required value
BaseDN to start the search from.
Example:
baseDN: cn=users,dc=example,dc=com
- spec.ldap.groupSearch.filter (string)
Optional filter to apply when searching the directory.
Example:
filter: "(objectClass=person)"
- spec.ldap.groupSearch.nameAttr (string)
Required value
Attribute that represents the group name.
Example:
nameAttr: name
- spec.ldap.groupSearch.userMatchers (array of objects)
Required value
A list of attribute pairs used to match a user to a group. Each pair adds a requirement to the filter that an attribute of the group must match the user's attribute value.
- spec.ldap.groupSearch.userMatchers.groupAttr (string)
Required value
The name of the group attribute that stores the member names.
Example:
groupAttr: member
- spec.ldap.groupSearch.userMatchers.userAttr (string)
Required value
The name of the user attribute that stores the user name.
Example:
userAttr: uid
- spec.ldap.host (string)
Required value
Host and optional port of the LDAP server in the form "host:port". If the port is not supplied, it is guessed from the insecureNoSSL and startTLS flags: 389 for insecure or StartTLS connections, 636 otherwise.
Example:
host: ldap.example.com:636
- spec.ldap.insecureNoSSL (boolean)
Required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as dex.
Default:
false
- spec.ldap.insecureSkipVerify (boolean)
If a custom certificate isn't provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn't be used outside of exploratory phases.
Default:
false
- spec.ldap.rootCAData (string)
A CA chain to validate the provider, in PEM format.
Example:
-----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
- spec.ldap.startTLS (boolean)
When connecting to the server, connect using the ldap:// protocol and then issue a StartTLS command. If unspecified, connections use the ldaps:// protocol.
Default:
false
- spec.ldap.userSearch (object)
Required value
User search maps a username and password entered by a user to an LDAP entry.
- spec.ldap.userSearch.baseDN (string)
Required value
BaseDN to start the search from.
Example:
baseDN: cn=users,dc=example,dc=com
- spec.ldap.userSearch.emailAttr (string)
Required value
LDAP attribute that is mapped to the dex user email. When an email address is not available, use another value unique to the user, such as uid.
Example:
emailAttr: mail
- spec.ldap.userSearch.filter (string)
Optional filter to apply when searching the directory.
Example:
filter: "(objectClass=person)"
- spec.ldap.userSearch.idAttr (string)
Required value
LDAP attribute that is mapped to the dex user id.
Example:
idAttr: uid
- spec.ldap.userSearch.nameAttr (string)
LDAP attribute that is mapped to the dex user name. No default value is provided.
Example:
nameAttr: name
- spec.ldap.userSearch.username (string)
Required value
Username attribute used for comparing user entries. This is translated and combined with the other filter as "(<attr>=<username>)".
Example:
username: uid
- spec.ldap.usernamePrompt (string)
Label displayed for the username field in the login prompt. If unset, "LDAP username" is displayed.
Default:
"LDAP username"
Example:
usernamePrompt: SSO Username
- spec.oidc (object)
Parameters of the OIDC provider (intended for type: OIDC).
- spec.oidc.basicAuthUnsupported (boolean)
Use POST requests to interact with the provider instead of sending the client credentials in the Basic Authorization header. Generally, dex determines the request type automatically, but in some cases enabling this parameter helps.
Default:
false
- spec.oidc.claimMapping (object)
Some providers return non-standard claims (e.g. mail). Claim mappings are hints for dex on how to map such claims to the standard OIDC claims.
Dex can only map a non-standard claim to a standard one if the standard claim is not already included in the id_token returned by the OIDC provider.
- spec.oidc.claimMapping.email (string)
The claim to use as the user email.
Default:
"email"
- spec.oidc.claimMapping.groups (string)
The claim to use as the user groups.
Default:
"groups"
- spec.oidc.claimMapping.preferred_username (string)
The claim to use as the user's preferred username.
Default:
"preferred_username"
- spec.oidc.clientID (string)
Required value
OIDC issuer application ID.
- spec.oidc.clientSecret (string)
Required value
OIDC issuer application secret key.
- spec.oidc.getUserInfo (boolean)
Request additional information about the authenticated user from the provider's userinfo endpoint.
Default:
false
- spec.oidc.insecureSkipEmailVerified (boolean)
Allow authentication for users without a verified email address.
Default:
false
- spec.oidc.insecureSkipVerify (boolean)
If a custom certificate isn't provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn't be used outside of exploratory phases.
Default:
false
- spec.oidc.issuer (string)
Required value
Canonical URL of the provider, also used for configuration discovery. This value MUST match the issuer value returned in the provider's discovery document.
Example:
issuer: https://accounts.google.com
- spec.oidc.promptType (string)
Determines whether the issuer should ask for confirmation and provide hints during the authentication process.
By default, confirmation is requested on the first authentication. Possible values vary depending on the issuer.
Default:
"consent"
- spec.oidc.rootCAData (string)
A CA chain to validate the provider, in PEM format.
Example:
-----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
- spec.oidc.scopes (array of strings)
List of additional scopes to request in the token response.
Default:
["openid","profile","email","groups","offline_access"]
- spec.oidc.userIDKey (string)
The claim to use as the user id.
Default:
"sub"
- spec.oidc.userNameKey (string)
The claim to use as the user name.
Default:
"name"
- spec.type (string)
Required value
Type of authentication provider.
Allowed values:
Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP
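The two DexProvider objects below are an added example covering the spec.ldap and spec.oidc sections above; they are not manifests from the project. The apiVersion, hosts, DNs, attribute names, client IDs, issuer URL and group names are assumptions, and the secrets are placeholders. The LDAP object shows the hardened transport settings (ldaps with a pinned CA, both insecure flags left off) next to comments on what the weak settings would do; the OIDC object shows claim mapping, the default scope set and the email-verification and TLS flags kept in their safe state.

```yaml
# Added example, not from the project's docs. Hosts, DNs, attributes, client
# IDs, issuer URL and group names are assumptions; secrets are placeholders.
---
apiVersion: deckhouse.io/v1             # assumed API version
kind: DexProvider
metadata:
  name: corp-ldap
spec:
  type: LDAP
  displayName: Corporate LDAP
  ldap:
    # ldaps:// on 636 is the default transport when startTLS is false.
    # insecureNoSSL: true would send every bind password in clear text.
    host: ldap.example.com:636
    startTLS: false
    insecureNoSSL: false
    # Pin the directory's CA instead of disabling verification;
    # insecureSkipVerify: true is for exploration only.
    insecureSkipVerify: false
    rootCAData: |
      -----BEGIN CERTIFICATE-----
      # paste the directory CA chain here (placeholder)
      -----END CERTIFICATE-----
    # Read-only service account used only to search users and groups.
    bindDN: uid=dex,cn=users,dc=example,dc=com
    bindPW: CHANGE_ME                    # placeholder
    usernamePrompt: Corporate login
    userSearch:
      baseDN: cn=users,dc=example,dc=com
      filter: "(objectClass=person)"     # narrow it further to exclude service entries
      username: uid                      # combined as (uid=<entered username>)
      idAttr: uid                        # stable identifier, not an address that can be reassigned
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: cn=groups,dc=example,dc=com
      filter: "(objectClass=posixGroup)"
      nameAttr: cn
      # A user belongs to a group when the group's memberUid attribute equals
      # the user's uid attribute.
      userMatchers:
        - userAttr: uid
          groupAttr: memberUid
---
apiVersion: deckhouse.io/v1             # assumed API version
kind: DexProvider
metadata:
  name: corp-sso
spec:
  type: OIDC
  displayName: Corporate SSO
  oidc:
    # Must equal the issuer published in <issuer>/.well-known/openid-configuration
    issuer: https://sso.example.com/realms/corp
    clientID: kubernetes-dex
    clientSecret: CHANGE_ME              # placeholder
    # Keep certificate checks on; use rootCAData for a private CA instead.
    insecureSkipVerify: false
    # Reject accounts whose address is unverified, otherwise an unverified
    # account could present another user's email.
    insecureSkipEmailVerified: false
    # Default scope set; offline_access lets dex obtain a refresh token.
    scopes: ["openid", "profile", "email", "groups", "offline_access"]
    # Fetch extra claims from the userinfo endpoint when the id_token is minimal.
    getUserInfo: true
    # Map provider-specific claims onto the standard ones; a mapping applies
    # only when the standard claim is absent from the id_token.
    claimMapping:
      groups: roles
      email: mail
    userIDKey: sub                       # stable subject, never the email
    userNameKey: name
    promptType: consent
```

The bind password and client secret live in the cluster-scoped DexProvider object itself, so read access to DexProvider resources should be restricted as tightly as access to Secrets. For an LDAP server that only offers port 389, use startTLS: true rather than insecureNoSSL: true; the latter is the only setting that moves credentials in clear text.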
Defines the configuration for connecting a third-party provider.
With it, you can flexibly configure the integration of the account directory with Kubernetes.
- specobject
Required value
- spec.bitbucketCloudobject
Parameters of the Bitbucket Cloud (intended for the
type: BitbucketCloud
).- spec.bitbucketCloud.clientIDstring
Required value
Team application ID from BitbucketCloud (Key).
- spec.bitbucketCloud.clientSecretstring
Required value
Team application secret key from BitbucketCloud.
- spec.bitbucketCloud.includeTeamGroupsboolean
Optional parameter to include team groups.
If enabled, the groups claim of dex id_token will looks like this:
["my_team", "my_team/administrators", "my_team/members"]
Default:
false
- spec.bitbucketCloud.teamsarray of strings
A list of allowed Bitbucket Cloud teams (filter).
The user token will contain a set intersection of Bitbucket Cloud teams and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
The user token will contain the user teams in the
groups
claim (similar to other providers).
- spec.bitbucketCloud.clientIDstring
- spec.crowdobject
Parameters of the Crowd (intended for the
type: Crowd
).- spec.crowd.baseURLstring
Required value
Base part of Attlassian Crowd URL.
Example:
baseURL: https://crowd.example.com/crowd
- spec.crowd.clientIDstring
Required value
Application ID from Atlassian Crowd (Application Name).
- spec.crowd.clientSecretstring
Required value
Application secret key from Atlassian Crowd (Password).
- spec.crowd.enableBasicAuthboolean
Enables basic authorization for the Kubernetes API server.
The username and password of the user from the application created in Crowd are used as credentials for basic authorization (you can enable it only if there is just one provider of the Crowd type). Works only if the
publishAPI
is enabled.Authorization and group data obtained from Crowd are stored in the cache for 10 seconds.
- spec.crowd.groupsarray of strings
A list of allowed Crowd groups (filter).
The user token will contain a set intersection of Crowd groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
The user token will contain all Crowd groups if the parameter is not set.
- spec.crowd.usernamePromptstring
Prompt for username field.
Default:
"Crowd username"
- spec.crowd.baseURLstring
- spec.displayNamestring
Required value
The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.
- spec.githubobject
Parameters of the GitHub provider (intended for the
type: Github
case only).- spec.github.clientIDstring
Required value
Organization application ID from GitHub.
- spec.github.clientSecretstring
Required value
Organization application secret key from GitHub.
- spec.github.orgsarray of objects
Filter for user organizations. ID token will contain only organizations from this list. If the user is not in any organization from this list, an authorization will fail.
By default, all organizations allowed.
- spec.github.orgs.namestring
Required value
Name of organization.
- spec.github.orgs.teamsarray of strings
A list of allowed GitHub teams (filter).
The user token will contain a set intersection of teams from GitHub and teams from this list. If the set is empty, the authorization will be considered unsuccessful.
The user token will contain all GitHub teams if the parameter is not set.
- spec.github.orgs.namestring
- spec.github.teamNameFieldstring
As an example, group claims for member of ‘Site Reliability Engineers’ in Acme organization would yield:
- [‘acme:Site Reliability Engineers’] for ‘name’
- [‘acme:site-reliability-engineers’] for ‘slug’
- [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘both’
‘name’ will be used by default.
Default:
"name"
Allowed values:
name
,slug
,both
- spec.github.useLoginAsIDboolean
Flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
Equals to false by default.
- spec.github.clientIDstring
- spec.gitlabobject
Parameters of the GitLab provider (intended for the
type: Gitlab
case only).- spec.gitlab.baseURLstring
Base part of GitLab URL.
Example:
baseURL: https://gitlab.example.com
- spec.gitlab.clientIDstring
Required value
Application ID from GitLab.
- spec.gitlab.clientSecretstring
Required value
Application secret key from GitLab.
- spec.gitlab.groupsarray of strings
A list (filter) of allowed GitLab groups (group paths and not names).
The user token will contain a set intersection of GitLab groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.
The user token will contain all GitLab groups if the parameter is not set;
- spec.gitlab.useLoginAsIDboolean
Flag to switch from using the internal GitLab id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
Equals to false by default.
- spec.gitlab.baseURLstring
- spec.ldapobject
Parameters of the LDAP.
- spec.ldap.bindDNstring
The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.
Example:
bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
- spec.ldap.bindPWstring
Password for read-only service account. Please note that if the bind password contains a
$
, it has to be saved in an environment variable which should be given as the value tobindPW
.Example:
bindPW: password
- spec.ldap.groupSearchobject
Group search queries for groups given a user entry. Details
- spec.ldap.groupSearch.baseDNstring
Required value
BaseDN to start the search from.
Example:
baseDN: cn=users,dc=example,dc=com
- spec.ldap.groupSearch.filterstring
Optional filter to apply when searching the directory.
Example:
filter: "(objectClass=person)"
- spec.ldap.groupSearch.nameAttrstring
Required value
Represents group name.
Example:
nameAttr: name
- spec.ldap.groupSearch.userMatchersarray of objects
Required value
Following list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user’s attribute value.
- spec.ldap.groupSearch.userMatchers.groupAttrstring
Required value
The name of the attribute that stores the group member names.
Example:
groupAttr: member
- spec.ldap.groupSearch.userMatchers.userAttrstring
Required value
The name of the attribute that stores the user name.
Example:
userAttr: uid
- spec.ldap.groupSearch.userMatchers.groupAttrstring
- spec.ldap.groupSearch.baseDNstring
- spec.ldap.hoststring
Required value
Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it will be guessed based on “insecureNoSSL”, and “startTLS” flags. 389 for insecure or StartTLS connections, 636 otherwise.
Example:
host: ldap.example.com:636
- spec.ldap.insecureNoSSLboolean
Following field is required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as dex. Equals to false by default.
Default:
false
- spec.ldap.insecureSkipVerifyboolean
If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
Default:
false
- spec.ldap.rootCADatastring
A CA chain to validate the provider in PEM format.
Example:
-----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
- spec.ldap.startTLSboolean
When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol
Default:
false
- spec.ldap.userSearchobject
Required value
User search maps a username and password entered by a user to a LDAP entry. Details…
- spec.ldap.userSearch.baseDNstring
Required value
BaseDN to start the search from.
Example:
baseDN: cn=users,dc=example,dc=com
- spec.ldap.userSearch.emailAttrstring
Required value
LDAP attribute that will be matched to dex user email entry. When an email address is not available, use another value unique to the user, like uid.
Example:
emailAttr: mail
- spec.ldap.userSearch.filterstring
Optional filter to apply when searching the directory.
Example:
filter: "(objectClass=person)"
- spec.ldap.userSearch.idAttrstring
Required value
LDAP attribute that will be matched to dex user id entry.
Example:
idAttr: uid
- spec.ldap.userSearch.nameAttrstring
LDAP attribute that will be matched to dex user name entry. No default value provided.
Example:
nameAttr: name
- spec.ldap.userSearch.usernamestring
Required value
Username attribute used for comparing user entries. This will be translated and combined with the other filter as “(
= )". Example:
username: uid
- spec.ldap.userSearch.baseDNstring
- spec.ldap.usernamePromptstring
The attribute to display in the provided password prompt. If unset, will display “LDAP Username”.
Default:
"LDAP username"
Example:
usernamePrompt: SSO Username
- spec.ldap.bindDNstring
- spec.oidc (object)
Parameters of the OIDC provider (intended for type: OIDC).
- spec.oidc.basicAuthUnsupported (boolean)
Use POST requests to interact with the provider instead of including the token in the Basic Authorization header. Generally, dex automatically determines the type of request to make, but in some cases enabling this parameter can help.
Default:
false
- spec.oidc.claimMapping (object)
Some providers return non-standard claims (e.g. mail). Claim mappings are hints for Dex on how to map such claims to standard OIDC claims.
Dex can only map a non-standard claim to a standard one if the standard claim is not already included in the id_token returned by the OIDC provider.
- spec.oidc.claimMapping.email (string)
The claim to use as the user email.
Default:
"email"
- spec.oidc.claimMapping.groups (string)
The claim to use as the user groups.
Default:
"groups"
- spec.oidc.claimMapping.preferred_username (string)
The claim to use as the user preferred username.
Default:
"preferred_username"
- spec.oidc.clientID (string)
Required value
OIDC issuer application ID.
- spec.oidc.clientSecret (string)
Required value
OIDC issuer application secret key.
- spec.oidc.getUserInfo (boolean)
Request additional info about the authenticated user.
Learn more here…
Default:
false
- spec.oidc.insecureSkipEmailVerified (boolean)
Allow authentication for clients without a verified email address.
Default:
false
- spec.oidc.insecureSkipVerify (boolean)
If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
Default:
false
- spec.oidc.issuer (string)
Required value
Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.
Example:
issuer: https://accounts.google.com
- spec.oidc.promptType (string)
Determines if the Issuer should ask for confirmation and provide hints during the authentication process.
By default, the confirmation will be requested on the first authentication. Possible values may vary depending on the Issuer.
Default:
"consent"
- spec.oidc.rootCAData (string)
A CA chain to validate the provider, in PEM format.
Example:
-----BEGIN CERTIFICATE----- MIIFaDC... -----END CERTIFICATE-----
- spec.oidc.scopes (array of strings)
List of additional scopes to request in the token response.
Default:
["openid","profile","email","groups","offline_access"]
- spec.oidc.userIDKey (string)
The claim to use as the user id.
Default:
"sub"
- spec.oidc.userNameKey (string)
The claim to use as the user name.
Default:
"name"
- spec.type (string)
Required value
Type of authentication provider.
Allowed values:
Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP
Group
Scope: Cluster
Version: v1alpha1
Contains information about a user group.
- spec (object)
Required value
- spec.members (array of objects)
Required value
List of group members.
- spec.members.kind (string)
Required value
Type of a group member.
Allowed values:
User, Group
- spec.members.name (string)
Required value
User or group name.
- spec.name (string)
Required value
Unique group name.
- spec.status (object)
- spec.status.errors (array of objects)
- spec.status.errors.message (string)
- spec.status.errors.objectRef (object)
- spec.status.errors.objectRef.kind (string)
Allowed values:
User, Group
- spec.status.errors.objectRef.name (string)
User
Scope: Cluster
Contains information about the static user.
- spec (object)
Required value
- spec.email (string)
Required value
User e-mail.
Caution! Note that if used together with the user-authz module, you must specify an email as the user name in the ClusterAuthorizationRule CR to grant rights to the specific user.
Example:
email: user@domain.com
- spec.groups (array of strings) Deprecated
Static user groups.
Deprecated. Use the Group resource.
- spec.password (string)
Required value
Hashed user password.
You can use the following command to hash the user password:
echo "$password" | htpasswd -inBC 10 "" | tr -d ':\n' | sed 's/$2y/$2a/'
Also, you can use the online service.
Pattern:
^\$2[ayb]\$.{56}$
Example:
password: "$2a$10$F9ey7zW.sVliT224RFxpWeMsgzO.D9YRG54a8T36/K2MCiT41nzmC"
- spec.ttl (string)
Static user TTL.
- It is specified as a string containing the time unit in hours and minutes: 30m, 1h, 2h30m, 24h.
- You can only set the TTL once. The expireAt date will not be updated if you change it again.
Pattern:
^([0-9]+h([0-9]+m)?|[0-9]+m)$
Example:
ttl: 24h
- spec.userID (string)
Unique issuer user ID. Equals .metadata.name by default.
Example:
userID: '08a8684b-db88-4b73-90a9-3cd1661f5466'
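As an added example (not part of this reference and not the module's own code), the following Python reproduces what the documented htpasswd pipeline does after hashing (drops the leading colon and newline, rewrites the $2y$ prefix to $2a$), checks the result against the spec.password pattern, and parses spec.ttl with the documented pattern to compute the expireAt date. The function names and the lint rules are my own; the sample hash is the one shown in the spec.password example above.

```python
import re
from datetime import datetime, timedelta

# Patterns copied from the spec.password and spec.ttl descriptions above.
PASSWORD_PATTERN = re.compile(r"^\$2[ayb]\$.{56}$")
TTL_PATTERN = re.compile(r"^([0-9]+h([0-9]+m)?|[0-9]+m)$")


def normalize_password_hash(raw: str) -> str:
    """Mirror `tr -d ':\\n' | sed 's/$2y/$2a/'` from the documented command:
    htpasswd -n with an empty user prints ':<hash>\\n' with a $2y$ prefix."""
    hashed = raw.strip().lstrip(":")
    if hashed.startswith("$2y$"):
        hashed = "$2a$" + hashed[4:]
    if not PASSWORD_PATTERN.match(hashed):
        raise ValueError("not a bcrypt hash of the shape the User CR accepts")
    return hashed


def bcrypt_cost(hashed: str) -> int:
    """The cost factor sits between the second and third '$' ($2a$10$...)."""
    return int(hashed.split("$")[2])


def parse_ttl(ttl: str) -> timedelta:
    """Turn 30m / 1h / 2h30m / 24h into a timedelta; anything else is rejected."""
    if not TTL_PATTERN.match(ttl):
        raise ValueError(f"ttl {ttl!r} does not match the documented pattern")
    hours, minutes = re.fullmatch(r"(?:(\d+)h)?(?:(\d+)m)?", ttl).groups()
    return timedelta(hours=int(hours or 0), minutes=int(minutes or 0))


def expire_at(created_iso: str, ttl: str) -> str:
    """expireAt is fixed when the TTL is first set; later ttl edits do not move it."""
    return (datetime.fromisoformat(created_iso) + parse_ttl(ttl)).isoformat()


def lint_user_spec(spec: dict) -> list:
    """Hypothetical checks for a User .spec: hash shape, bcrypt cost, ttl syntax."""
    findings = []
    pw = spec.get("password", "")
    if not PASSWORD_PATTERN.match(pw):
        findings.append("password: not a $2a$/$2b$/$2y$ bcrypt hash of 60 characters")
    elif bcrypt_cost(pw) < 10:
        findings.append(f"password: bcrypt cost {bcrypt_cost(pw)} is below the 10 the documented command uses")
    ttl = spec.get("ttl")
    if ttl is not None and not TTL_PATTERN.match(ttl):
        findings.append(f"ttl: {ttl!r} is not of the form 30m, 1h, 2h30m or 24h")
    return findings
```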