DexAuthenticator

Scope: Namespaced

Once a DexAuthenticator object is created in a namespace, the following objects are created:

  • Deployment containing OAuth2-Proxy and Redis containers;
  • Service, pointing to OAuth2-Proxy;
  • Ingress resource, configured to receive requests at https://<applicationDomain>/dex-authenticator and forward them to the Service;
  • Secrets, needed to access Dex.

Warning. After an OAuth2-Proxy pod restarts, the current Access Token and ID Token are re-requested with the refresh token and stored in Redis memory.

Example:

apiVersion: deckhouse.io/v1
kind: DexAuthenticator
metadata:
  name: app-name
  namespace: app-namespace
spec:
  applicationDomain: app-name.kube.my-domain.com
  sendAuthorizationHeader: false
  applicationIngressCertificateSecretName: ingress-tls
  applicationIngressClassName: nginx
  keepUsersLoggedInFor: 720h
  allowedGroups:
  - everyone
  - admins
  whitelistSourceRanges:
  - 1.1.1.1/32
  - 192.168.0.0/24
  additionalApplications:
  - domain: additional-app-name.kube.my-domain.com
    ingressSecretName: ingress-tls
    ingressClassName: nginx
    signOutURL: "/logout"
    whitelistSourceRanges:
    - 2.2.2.2/32
  • spec
    object

    Required value

    • spec.additionalApplications
      array of objects

      A list of additional applications for which user authentication is required.

      • spec.additionalApplications.domain
        string

        Required value

        An application domain from which the user request will be redirected for authentication in Dex.

        Warning. Must be specified without a scheme (no http:// or https:// prefix).

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      • spec.additionalApplications.ingressClassName
        string

        Required value

        The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      • spec.additionalApplications.ingressSecretName
        string

        The name of the Secret containing the TLS certificate for the domain, used in the application's Ingress resource. The Secret must be in the same namespace as the DexAuthenticator.

        Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$

      • spec.additionalApplications.signOutURL
        string

        The application URL whose requests are redirected to the dex-authenticator sign-out URL.

        Point the application's logout link at this URL. A separate Ingress resource is created for it, and requests to it are redirected to dex-authenticator.

      • spec.additionalApplications.whitelistSourceRanges
        array of strings

        CIDRs from which users are allowed to authenticate. If not specified, authentication is allowed from any IP address.

        • Element of the array
          string

          Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

    • spec.allowedGroups
      array of strings

      A list of groups whose members are allowed to sign in to the client.

      If not specified, members of any group can sign in.

      Default: All groups are allowed.

    • spec.applicationDomain
      string

      Required value

      The application address (the DNS domain of its Ingress resource) from which user requests are redirected to Dex for authentication.

      Warning. Must be specified without a scheme (no http:// or https:// prefix).

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:

      applicationDomain: my-app.domain.com
      
    • spec.applicationIngressCertificateSecretName
      string

      The name of the Secret containing the TLS certificate for the application domain, used in the Ingress resource. The Secret must be in the same namespace as the DexAuthenticator.

      Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$

      Example:

      applicationIngressCertificateSecretName: ingress-tls
      
    • spec.applicationIngressClassName
      string

      Required value

      The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example:

      applicationIngressClassName: nginx
      
    • spec.highAvailability
      boolean

      Enables high availability mode for dex-authenticator.

      When this mode is enabled, multiple pod replicas will be deployed to ensure fault tolerance.

      Default: false

    • spec.keepUsersLoggedInFor
      string

      How long a user session stays valid without the user logging in again. Specified as a number with an s, m or h suffix. Longer values are more convenient but keep a stolen session cookie usable for longer.

      Default: "168h"

      Example:

      keepUsersLoggedInFor: 24h
      
    • spec.nodeSelector
      object

      nodeSelector for the dex-authenticator pods.

      Format: the standard Kubernetes nodeSelector map. The pods inherit this field as is.

    • spec.sendAuthorizationHeader
      boolean

      When true, requests forwarded to the application carry an Authorization: Bearer <token> header.

    • spec.signOutURL
      string

      The application URL whose requests are redirected to the dex-authenticator sign-out URL.

      Point the application's logout link at this URL. A separate Ingress resource is created for it, and requests to it are redirected to dex-authenticator.

    • spec.tolerations
      array of objects

      Tolerations for the dex-authenticator pods.

      Format: the standard Kubernetes toleration list. The pods inherit this field as is.

      • spec.tolerations.effect
        string

        Defines the taint’s effect this toleration is associated with (it matches any effect if empty).

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string

        Defines the taint’s key this toleration is associated with (it matches any key if empty).

        If the key is omitted (empty), operator must be set to Exists (which then matches any key and any value).

      • spec.tolerations.operator
        string

        Defines how the key relates to the value: Equal requires the taint’s value to equal the toleration’s value, while Exists accepts any value.

        With Exists the toleration matches every taint with the given key, whatever its value.

        Default: "Equal"

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer

        Specifies the period (in seconds) that the scheduler waits before evicting a Pod from a node if the toleration no longer matches the taint (only applicable to the NoExecute effect, otherwise ignored).

        If the parameter is not set, the Pod will not be evicted from the node if the toleration no longer matches the taint. If the parameter is set to zero (or negative), the Pod will be evicted immediately if the toleration no longer matches the taint.

        The default is: not set.

      • spec.tolerations.value
        string

        The value that the toleration must match.

        Must be empty if the operator parameter is set to Exists.

    • spec.whitelistSourceRanges
      array of strings

      CIDRs from which users are allowed to authenticate. If not specified, authentication is allowed from any IP address. The check uses the client address as seen by the ingress controller, so it is only meaningful when the controller receives the real client IP (for example via the PROXY protocol or a trusted X-Forwarded-For header) rather than the address of a load balancer in front of it.

      Example:

      whitelistSourceRanges:
      - 192.168.42.0/24
      
      • Element of the array
        string

        Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

  • spec
    object

    Required value

    • spec.allowedGroups
      array of strings

      A list of groups whose members are allowed to connect to the client.

      By default, all groups can connect.

      Default: All groups are allowed.

    • spec.applications
      array of objects

      Required value

      A list of applications for which user authentication is required.

      • spec.applications.domain
        string

        Required value

        An application domain (for Ingress resources) from which the user request will be redirected for authentication in Dex.

        Warning. Must be specified without a scheme (no http:// or https:// prefix).

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      • spec.applications.ingressClassName
        string

        Required value

        The name of the Ingress class to be used in the Ingress resource (it must match the Ingress class name for the application domain).

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      • spec.applications.ingressSecretName
        string

        The name of the Secret containing the TLS certificate for the application domain, used in the Ingress resource. The Secret must be in the same namespace as the DexAuthenticator.

        Pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)$

      • spec.applications.signOutURL
        string

        The application URL whose requests are redirected to the dex-authenticator sign-out URL.

        Point the application's logout link at this URL. A separate Ingress resource is created for it, and requests to it are redirected to dex-authenticator.

      • spec.applications.whitelistSourceRanges
        array of strings

        CIDRs from which users are allowed to authenticate. If not specified, authentication is allowed from any IP address. The check uses the client address as seen by the ingress controller, so it is only meaningful when the controller receives the real client IP (for example via the PROXY protocol or a trusted X-Forwarded-For header) rather than the address of a load balancer in front of it.

        • Element of the array
          string

          Pattern: ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$

    • spec.highAvailability
      boolean

      Enables high availability mode for dex-authenticator.

      When this mode is enabled, multiple pod replicas will be deployed to ensure fault tolerance.

      Default: false

    • spec.keepUsersLoggedInFor
      string

      How long a user session stays valid without the user logging in again.

      Specified as a number with an s, m or h suffix.

      Default: "168h"

    • spec.nodeSelector
      object

      nodeSelector for the dex-authenticator pods.

      Format: the standard Kubernetes nodeSelector map. The pods inherit this field as is.

    • spec.sendAuthorizationHeader
      boolean

      When true, requests forwarded to the application carry an Authorization: Bearer <token> header.

    • spec.tolerations
      array of objects

      Tolerations for the dex-authenticator pods.

      Format: the standard Kubernetes toleration list. The pods inherit this field as is.

      • spec.tolerations.effect
        string

        Defines the taint’s effect this toleration is associated with (it matches any effect if empty).

        Allowed values: NoSchedule, PreferNoSchedule, NoExecute

      • spec.tolerations.key
        string

        Defines the taint’s key this toleration is associated with (it matches any key if empty).

        If the key is omitted (empty), operator must be set to Exists (which then matches any key and any value).

      • spec.tolerations.operator
        string

        Defines how the key relates to the value: Equal requires the taint’s value to equal the toleration’s value, while Exists accepts any value.

        With Exists the toleration matches every taint with the given key, whatever its value.

        Default: "Equal"

        Allowed values: Exists, Equal

      • spec.tolerations.tolerationSeconds
        integer

        Specifies the period (in seconds) that the scheduler waits before evicting a Pod from a node if the toleration no longer matches the taint (only applicable to the NoExecute effect, otherwise ignored).

        If the parameter is not set, the Pod will not be evicted from the node if the toleration no longer matches the taint. If the parameter is set to zero (or negative), the Pod will be evicted immediately if the toleration no longer matches the taint.

        The default is: not set.

      • spec.tolerations.value
        string

        The value that the toleration must match.

        Must be empty if the operator parameter is set to Exists.

Deprecated resource. The first spec listing above, the one using applicationDomain and additionalApplications (as in the example manifest with apiVersion deckhouse.io/v1), is deprecated in favour of the listing that uses applications. Support for the deprecated form might be removed in a later release.
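The two spec listings above express most of their constraints as regex patterns, and a few fields (whitelistSourceRanges, keepUsersLoggedInFor, allowedGroups) have weak settings the patterns cannot catch: the CIDR pattern accepts 999.1.1.1/40, and 0.0.0.0/0 is a syntactically valid way to switch the source-IP restriction off. The linter below is an added example written for this page, not Deckhouse code. It validates a spec in either form (applicationDomain with additionalApplications, or applications) offline, before kubectl apply. The sample specs are constructed here: the first mirrors the page's example manifest, the second is a deliberately flawed spec in the applications form. The duration grammar, which also accepts chained units such as 1h30m, is an assumption; the page only says "s, m or h suffix".

```python
"""Lint a DexAuthenticator spec against the constraints on this page (added example,
not Deckhouse code). It re-applies the CRD regex patterns and adds what they cannot
express: the CIDR regex accepts octets above 255 and prefixes above 32."""
import ipaddress
import re

# Patterns copied from the spec reference above.
DNS_NAME = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
CIDR = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}$")
# Assumption: the page only says "s, m or h suffix"; chained units like "1h30m" are accepted here.
DURATION = re.compile(r"^([0-9]+[smh])+$")

def check_name(value, field, required):
    """Domain, Ingress class and Secret name fields all use the DNS-label pattern."""
    if value in (None, ""):
        return [f"{field}: required value is missing"] if required else []
    if not isinstance(value, str):
        return [f"{field}: must be a string, got {type(value).__name__}"]
    if re.match(r"^[a-z]+://", value):
        return [f"{field}: must be specified without a scheme: {value!r}"]
    if not DNS_NAME.match(value):
        return [f"{field}: does not match the CRD pattern: {value!r}"]
    return []

def check_cidrs(values, field):
    """Unset means no source-IP restriction; when set, every entry must be a real network."""
    if values is None:
        return []
    if not isinstance(values, list):
        return [f"{field}: must be a list of CIDRs, got {type(values).__name__}"]
    problems = []
    for entry in values:
        if not isinstance(entry, str) or not CIDR.match(entry):
            problems.append(f"{field}: {entry!r} does not match the CRD pattern")
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:  # e.g. 999.1.1.1/40: the regex is satisfied, the address is not real
            problems.append(f"{field}: {entry!r} passes the regex but is not a valid IPv4 network")
            continue
        if ipaddress.IPv4Address(entry.split("/")[0]) != net.network_address:
            problems.append(f"{field}: {entry!r} has host bits set (did you mean {net}?)")
        elif net.prefixlen == 0:
            problems.append(f"{field}: {entry!r} allows every source address, same as leaving the field unset")
    return problems

def check_duration(value, field="spec.keepUsersLoggedInFor"):
    """Unset falls back to the page default of 168h; otherwise a number with s, m or h suffix."""
    if value is not None and (not isinstance(value, str) or not DURATION.match(value)):
        return [f"{field}: expected a number with s, m or h suffix, got {value!r}"]
    return []

def check_application(app, prefix):
    """One entry of spec.applications or spec.additionalApplications."""
    return (check_name(app.get("domain"), f"{prefix}.domain", required=True)
            + check_name(app.get("ingressClassName"), f"{prefix}.ingressClassName", required=True)
            + check_name(app.get("ingressSecretName"), f"{prefix}.ingressSecretName", required=False)
            + check_cidrs(app.get("whitelistSourceRanges"), f"{prefix}.whitelistSourceRanges"))

def lint(spec):
    """Findings for a spec in either form (applications, or applicationDomain + additionalApplications)."""
    problems = []
    if "applications" in spec:
        apps = spec["applications"]
        if not isinstance(apps, list) or not apps:
            problems.append("spec.applications: required value, must be a non-empty list")
        for i, app in enumerate(apps if isinstance(apps, list) else []):
            problems += check_application(app, f"spec.applications[{i}]")
    else:
        problems += check_name(spec.get("applicationDomain"), "spec.applicationDomain", required=True)
        problems += check_name(spec.get("applicationIngressClassName"), "spec.applicationIngressClassName", required=True)
        problems += check_name(spec.get("applicationIngressCertificateSecretName"),
                               "spec.applicationIngressCertificateSecretName", required=False)
        problems += check_cidrs(spec.get("whitelistSourceRanges"), "spec.whitelistSourceRanges")
        for i, app in enumerate(spec.get("additionalApplications") or []):
            problems += check_application(app, f"spec.additionalApplications[{i}]")
    problems += check_duration(spec.get("keepUsersLoggedInFor"))
    if not spec.get("allowedGroups"):  # page default: all groups are allowed
        problems.append("spec.allowedGroups: unset, so members of every group may sign in")
    return problems

# Constructed sample 1: the page's example manifest, as YAML would load it.
PAGE_EXAMPLE = {
    "applicationDomain": "app-name.kube.my-domain.com", "sendAuthorizationHeader": False,
    "applicationIngressCertificateSecretName": "ingress-tls", "applicationIngressClassName": "nginx",
    "keepUsersLoggedInFor": "720h", "allowedGroups": ["everyone", "admins"],
    "whitelistSourceRanges": ["1.1.1.1/32", "192.168.0.0/24"],
    "additionalApplications": [{"domain": "additional-app-name.kube.my-domain.com",
                                "ingressSecretName": "ingress-tls", "ingressClassName": "nginx",
                                "signOutURL": "/logout", "whitelistSourceRanges": ["2.2.2.2/32"]}],
}

# Constructed sample 2: the spec.applications form with typical mistakes.
BROKEN = {
    "applications": [{"domain": "https://app-name.kube.my-domain.com",  # scheme included
                      "ingressClassName": "nginx",
                      "whitelistSourceRanges": ["999.1.1.1/40", "192.168.0.1/24", "0.0.0.0/0"]}],
    "keepUsersLoggedInFor": 720,  # unquoted YAML integer, suffix missing
}

if __name__ == "__main__":
    for name, spec in (("page example", PAGE_EXAMPLE), ("broken", BROKEN)):
        findings = lint(spec) or ["no findings"]
        print(f"{name}:", *findings, sep="\n  ")
```

Run as a script it prints no findings for the page's example and six for the broken spec. The cases worth noting are 999.1.1.1/40 and 192.168.0.1/24, which the CRD regex accepts as written, and 0.0.0.0/0, which is valid syntax but equivalent to no restriction at all; the allowedGroups finding is informational, since leaving it unset is the documented default.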
