Custom resource DexProvider

Deprecated resource. Support for the resource might be removed in a later release.

Defines the configuration for connecting a third-party provider.

With it, you can flexibly configure the integration of the account directory with Kubernetes.

Usage example…

• spec

  object

  Required value

  • spec.bitbucketCloud

    object

    Parameters of the Bitbucket Cloud (intended for the type: BitbucketCloud).

    • spec.bitbucketCloud.clientID

      string

      Required value

      Team application ID from BitbucketCloud (Key).

    • spec.bitbucketCloud.clientSecret

      string

      Required value

      Team application secret key from BitbucketCloud.

    • spec.bitbucketCloud.includeTeamGroups

      boolean

      Optional parameter to include team groups.

      If enabled, the groups claim of Dex id_token will looks like this:

      ["my_team", "my_team/administrators", "my_team/members"]
      

      Default: false

    • spec.bitbucketCloud.teams

      array of strings

      A list of allowed Bitbucket Cloud teams (filter).

      The user token will contain a set intersection of Bitbucket Cloud teams and teams from this list. If the set is empty, the authorization will be considered unsuccessful.

      The user token will contain the user teams in the groups claim (similar to other providers).

  • spec.crowd

    object

    Parameters of the Crowd (intended for the type: Crowd).

    • spec.crowd.baseURL

      string

      Required value

      Base part of Attlassian Crowd URL.

      Example:

      baseURL: https://crowd.example.com/crowd
      

    • spec.crowd.clientID

      string

      Required value

      Application ID from Atlassian Crowd (Application Name).

    • spec.crowd.clientSecret

      string

      Required value

      Application secret key from Atlassian Crowd (Password).

    • spec.crowd.enableBasicAuth

      boolean

      Enables basic authorization for the Kubernetes API server.

      The username and password of the user from the application created in Crowd are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI is enabled.

      Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.

    • spec.crowd.groups

      array of strings

      A list of allowed Crowd groups (filter).

      The user token will contain a set intersection of Crowd groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.

      The user token will contain all Crowd groups if the parameter is not set.

    • spec.crowd.usernamePrompt

      string

      Prompt for username field.

      Default: "Crowd username"

  • spec.displayName

    string

    Required value

    The provider name to show on the authentication provider selection page. The selection page will not be displayed if there is only one provider configured.

  • spec.github

    object

    Parameters of the GitHub provider (intended for the type: Github case only).

    • spec.github.clientID

      string

      Required value

      Organization application ID from GitHub.

    • spec.github.clientSecret

      string

      Required value

      Organization application secret key from GitHub.

    • spec.github.orgs

      array of objects

      Filter for user organizations. ID token will contain only organizations from this list. If the user is not in any organization from this list, an authorization will fail.

      By default, all organizations allowed.

      • spec.github.orgs.name

        string

        Required value

        Name of organization.

      • spec.github.orgs.teams

        array of strings

        A list of allowed GitHub teams (filter).

        The user token will contain a set intersection of teams from GitHub and teams from this list. If the set is empty, the authorization will be considered unsuccessful.

        The user token will contain all GitHub teams if the parameter is not set.

    • spec.github.teamNameField

      string

      As an example, group claims for member of ‘Site Reliability Engineers’ in Acme organization would yield:

      • [‘acme:Site Reliability Engineers’] for ‘name’
      • [‘acme:site-reliability-engineers’] for ‘slug’
      • [‘acme:Site Reliability Engineers’, ‘acme:site-reliability-engineers’] for ‘both’

      ‘name’ will be used by default.

      Default: "name"

      Allowed values: name, slug, both

    • spec.github.useLoginAsID

      boolean

      Flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.

      Equals to false by default.

  • spec.gitlab

    object

    Parameters of the GitLab provider (intended for the type: Gitlab case only).

    • spec.gitlab.baseURL

      string

      Base part of GitLab URL.

      Example:

      baseURL: https://gitlab.example.com
      

    • spec.gitlab.clientID

      string

      Required value

      Application ID from GitLab.

    • spec.gitlab.clientSecret

      string

      Required value

      Application secret key from GitLab.

    • spec.gitlab.groups

      array of strings

      A list (filter) of allowed GitLab groups (group paths and not names).

      The user token will contain a set intersection of GitLab groups and groups from this list. If the set is empty, the authorization will be considered unsuccessful.

      The user token will contain all GitLab groups if the parameter is not set;

    • spec.gitlab.useLoginAsID

      boolean

      Flag to switch from using the internal GitLab id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.

      Equals to false by default.

  • spec.ldap

    object

    Parameters of the LDAP.

    • spec.ldap.bindDN

      string

      The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous auth.

      Example:

      bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
      

    • spec.ldap.bindPW

      string

      Password for read-only service account. Please note that if the bind password contains a $, it has to be saved in an environment variable which should be given as the value to bindPW.

      Example:

      bindPW: password
      

    • spec.ldap.groupSearch

      object

      Group search queries for groups given a user entry. Details

      • spec.ldap.groupSearch.baseDN

        string

        Required value

        BaseDN to start the search from.

        Example:

        baseDN: cn=users,dc=example,dc=com
        

      • spec.ldap.groupSearch.filter

        string

        Optional filter to apply when searching the directory.

        Example:

        filter: "(objectClass=person)"
        

      • spec.ldap.groupSearch.nameAttr

        string

        Required value

        Represents group name.

        Example:

        nameAttr: name
        

      • spec.ldap.groupSearch.userMatchers

        array of objects

        Required value

        Following list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user’s attribute value.

        • spec.ldap.groupSearch.userMatchers.groupAttr

          string

          Required value

          The name of the attribute that stores the group member names.

          Example:

          groupAttr: member
          

        • spec.ldap.groupSearch.userMatchers.userAttr

          string

          Required value

          The name of the attribute that stores the user name.

          Example:

          userAttr: uid
          

    • spec.ldap.host

      string

      Required value

      Host and optional port of the LDAP server in the form “host:port”. If the port is not supplied, it will be guessed based on “insecureNoSSL”, and “startTLS” flags. 389 for insecure or StartTLS connections, 636 otherwise.

      Example:

      host: ldap.example.com:636
      

    • spec.ldap.insecureNoSSL

      boolean

      Following field is required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network as Dex. Equals to false by default.

      Default: false

    • spec.ldap.insecureSkipVerify

      boolean

      If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.

      Default: false

    • spec.ldap.rootCAData

      string

      A CA chain to validate the provider in PEM format.

      Example:

      rootCAData: |
        -----BEGIN CERTIFICATE-----
        MIIFaDC...
        -----END CERTIFICATE-----
      

    • spec.ldap.startTLS

      boolean

      When connecting to the server, connect using the ldap:// protocol then issue a StartTLS command. If unspecified, connections will use the ldaps:// protocol

      Default: false

    • spec.ldap.userSearch

      object

      Required value

      User search maps a username and password entered by a user to a LDAP entry. Details…

      • spec.ldap.userSearch.baseDN

        string

        Required value

        BaseDN to start the search from.

        Example:

        baseDN: cn=users,dc=example,dc=com
        

      • spec.ldap.userSearch.emailAttr

        string

        Required value

        LDAP attribute that will be matched to Dex user email entry. When an email address is not available, use another value unique to the user, like uid.

        Example:

        emailAttr: mail
        

      • spec.ldap.userSearch.filter

        string

        Optional filter to apply when searching the directory.

        Example:

        filter: "(objectClass=person)"
        

      • spec.ldap.userSearch.idAttr

        string

        Required value

        LDAP attribute that will be matched to Dex user id entry.

        Example:

        idAttr: uid
        

      • spec.ldap.userSearch.nameAttr

        string

        LDAP attribute that will be matched to Dex user name entry. No default value provided.

        Example:

        nameAttr: name
        

      • spec.ldap.userSearch.username

        string

        Required value

        Username attribute used for comparing user entries. This will be translated and combined with the other filter as “(=)".

        Example:

        username: uid
        

    • spec.ldap.usernamePrompt

      string

      The attribute to display in the provided password prompt. If unset, will display “LDAP Username”.

      Default: "LDAP username"

      Example:

      usernamePrompt: SSO Username
      

  • spec.oidc

    object

    Parameters of the OIDC (intended for the type: OIDC).

    • spec.oidc.basicAuthUnsupported

      boolean

      Use POST requests to interact with the provider instead of including the token in the Basic Authorization header. Generally, Dex automatically determines the type of request to make, while in some cases enabling this parameter can help.

      Default: false

    • spec.oidc.claimMapping

      object

      Some providers return non-standard claims (eg. mail). Claim mappings are hints for Dex how to map claims to standard OIDC claims.

      Dex can only map a non-standard claim to a standard one if it’s not included in the id_token returned by OIDC provider.

      • spec.oidc.claimMapping.email

        string

        The claim to use as the user email.

        Default: "email"

      • spec.oidc.claimMapping.groups

        string

        The claim to use as the user groups.

        Default: "groups"

      • spec.oidc.claimMapping.preferred_username

        string

        The claim to use as the user preferred username.

        Default: "preferred_username"

    • spec.oidc.claimMappingOverride

      boolean

      If enabled, the claim mapping will override the standard OIDC claims.

      By default, the claim mapping will be used only if the standard OIDC claims are not present, e.g., if there is no email claim in the id_token, the claimMapping.email will be used.

      Default: false

    • spec.oidc.clientID

      string

      Required value

      OIDC issuer application ID.

    • spec.oidc.clientSecret

      string

      Required value

      OIDC issuer application secret key.

    • spec.oidc.enableBasicAuth

      boolean

      Enables basic authorization for the Kubernetes API server.

      The username and password of the user from the application created in OIDC are used as credentials for basic authorization (you can enable it only if there is just one provider of the OIDC/Crowd type). Works only if the publishAPI parameter is enabled.

      Authorization and group data obtained from an IdP are stored in the cache for 10 seconds.

    • spec.oidc.getUserInfo

      boolean

      Request additional info about the authenticated user.

      Learn more here…

      Default: false

    • spec.oidc.insecureSkipEmailVerified

      boolean

      Allow authentication for clients without verified email address.

      Default: false

    • spec.oidc.insecureSkipVerify

      boolean

      If a custom certificate isn’t provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.

      Default: false

    • spec.oidc.issuer

      string

      Required value

      Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.

      Example:

      issuer: https://accounts.google.com
      

    • spec.oidc.promptType

      string

      Determines if the Issuer should ask for confirmation and provide hints during the authentication process.

      By default, the confirmation will be requested on the first authentication. Possible values may vary depending on the Issuer.

      Default: "consent"

    • spec.oidc.rootCAData

      string

      A CA chain to validate the provider in PEM format.

      Example:

      rootCAData: |
        -----BEGIN CERTIFICATE-----
        MIIFaDC...
        -----END CERTIFICATE-----
      

    • spec.oidc.scopes

      array of strings

      List of additional scopes to request in token response.

      Default: ["openid","profile","email","groups","offline_access"]

    • spec.oidc.userIDKey

      string

      The claim to use as the user id.

      Default: "sub"

    • spec.oidc.userNameKey

      string

      The claim to use as the user name.

      Default: "name"

  • spec.type

    string

    Required value

    Type of authentication provider.

    Allowed values: Github, Gitlab, BitbucketCloud, Crowd, OIDC, LDAP