├── .gitignore
├── .helmignore
├── Chart.yaml
├── LICENSE
├── README.md
├── examples
├── SAML.md
└── cross-client.md
├── templates
├── NOTES.txt
├── _helpers.tpl
├── ca-cm.yaml
├── dex-cm.yaml
├── dex-cr.yaml
├── dex-crb.yaml
├── dex-crd.yaml
├── dex-deployment.yaml
├── dex-ingress.yaml
├── dex-sa.yaml
├── dex-service.yaml
├── keycloak-proxy-cm.yaml
├── keycloak-proxy-deployment.yaml
├── keycloak-proxy-ingress.yaml
├── keycloak-proxy-service.yaml
├── loginapp-cm.yaml
├── loginapp-deployment.yaml
├── loginapp-ingress.yaml
└── loginapp-service.yaml
└── values.yaml
/.gitignore:
--------------------------------------------------------------------------------
1 | override.yaml
2 |
--------------------------------------------------------------------------------
/.helmignore:
--------------------------------------------------------------------------------
1 | # Patterns to ignore when building packages.
2 | # This supports shell glob matching, relative path matching, and
3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store
5 | # Common VCS dirs
6 | .git/
7 | .gitignore
8 | .bzr/
9 | .bzrignore
10 | .hg/
11 | .hgignore
12 | .svn/
13 | # Common backup files
14 | *.swp
15 | *.bak
16 | *.tmp
17 | *~
18 | # Various IDEs
19 | .project
20 | .idea/
21 | *.tmproj
22 | override.yaml
23 | examples/
24 | LICENSE
25 |
--------------------------------------------------------------------------------
/Chart.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | description: Helm chart to deploy OIDC stack for Kubernetes auth
3 | name: kube-oidc
4 | version: 1.2.0
5 | maintainers:
6 | - email: flav.hardy@gmail.com
7 | name: fydrah
8 | keywords:
9 | - kubernetes
10 | - oidc
11 | - openid
12 | - keycloak
13 | - loginapp
14 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "[]"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright [yyyy] [name of copyright owner]
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # kube-oidc
2 |
3 | This chart deploys:
4 | * [dex](https://github.com/dexidp/dex): identity provider supporting multiple connectors (SAML, LDAP...)
5 | * [loginapp](https://github.com/fydrah/loginapp): web application for Kubernetes cli configuration with OIDC
6 | * [keycloak proxy](https://github.com/keycloak/keycloak-gatekeeper): OpenID / Keycloak proxy service (used for OIDC dashboard auth)
7 |
8 | ## Install
9 |
10 | * From chart repository:
11 |
12 | ```
13 | helm repo add fhardy-stable https://registry.fhardy.fr/chartrepo/stable
14 | helm repo update
15 | ```
16 |
17 | Override [default configuration](./values.yaml) with an `override.yaml` file.
18 |
19 | ```
20 | helm install fhardy-stable/kube-oidc -f override.yaml
21 | ```
22 |
23 | * From GitHub:
24 |
25 | ```
26 | git clone https://github.com/ObjectifLibre/kube-oidc
27 | ```
28 |
29 | Override [default configuration](./values.yaml) with an `override.yaml` file.
30 |
31 | ```
32 | cd kube-oidc/
33 | helm install . -f override.yaml
34 | ```
35 |
36 | ## Configure
37 |
38 | See [values.yaml](./values.yaml).
39 |
40 | ## Changes on Kubernetes
41 |
42 | See [kube-apiserver oidc](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)
43 |
44 | ## Examples
45 |
46 | * [SAML configuration](./examples/SAML.md)
47 | * [Cross client configuration for k8s](./examples/cross-client.md)
48 |
--------------------------------------------------------------------------------
/examples/SAML.md:
--------------------------------------------------------------------------------
1 | # Example SAML config
2 |
3 | Since dex is a backend app that can support multiple [connectors](https://github.com/dexidp/dex/tree/master/Documentation/connectors), we can configure the chart to use SAML as the connector without modifying the chart itself.
4 |
5 | ## SAML configuration
6 | In most SAML Identity Providers (IdP) we need to create a metadata file, which registers our application in the IdP. This file can be created manually or through a UI; either way the result should look similar to this:
7 |
8 | ```xml
9 |
10 |
11 |
12 |
13 |
14 | dex.k8s.example.org
15 |
16 | IDENTITY_CERT
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 | ```
25 |
26 | ## Dex configuration
27 | We only need to modify the connectors part of the configuration in order to change our backend:
28 |
29 | ```yaml
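dex:
  config:
    connectors:
    - type: saml
      # Required field for connector id.
      id: APP_ID
      # Required field for connector name.
      name: APP_NAME
      config:
        # entityId taken from the metadata
        entityIssuer: dex.k8s.example.org
        # URL to the POST endpoint of the SSO provider
        ssoURL: YOUR_SSO_POST_ENDPOINT
        # Base64 of the same cert we used in the metadata
        caData: BASE64_IDENTITY_CERT
        # POST endpoint of DEX
        redirectURI: https://dex.k8s.example.org/dex/callback
        # Parameter mapping, similar to LDAP
        usernameAttr: name
        emailAttr: email
        groupsAttr: groups
        groupsDelim: ", "
        # Keep signature validation on. With it disabled dex accepts SAML
        # responses that are unsigned or not signed by the certificate in
        # caData, so a tampered assertion would log a user in. Only set this
        # to true while debugging a metadata/certificate mismatch.
        insecureSkipSignatureValidation: false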
53 | ```
54 |
--------------------------------------------------------------------------------
/examples/cross-client.md:
--------------------------------------------------------------------------------
1 | ### Cross client configuration for k8s
2 |
3 | A Kubernetes cluster currently allows only one IdP to be configured.
4 |
5 | You will have to configure cross-client trust for loginapp and the keycloak proxy.
6 |
7 | A full explanation of cross-client trust can be found [here](https://github.com/coreos/dex/blob/master/Documentation/custom-scopes-claims-clients.md#cross-client-trust-and-authorized-party)
8 |
9 | The configuration begins on Dex:
10 | ```
staticClients:
# Client used by loginapp. The secrets below are example values: generate
# real ones and keep them out of version control.
- id: cli
  name: 'Login Application'
  secret: SeCrEtKeyCLI
  redirectURIs:
  - 'https://logincli.example.org/callback/cli'
# Client used by the dashboard proxy.
- id: login
  name: 'Dashboard Application'
  secret: SeCrEtKeyDashboard
  redirectURIs:
  - 'https://dashboard.example.org/oauth/callback'
  # Cross-client trust (see the dex link above): the peer listed here is
  # the client loginapp authenticates as, matching its cross_clients entry.
  trustedPeers:
  - cli
24 | ```
25 |
26 | Then you must configure Loginapp to use cross-client:
27 | ```
name: "Kubernetes Auth"
listen: "0.0.0.0:8080"
oidc:
  client:
    # Must match the dex staticClient above, secret included.
    id: "cli"
    secret: SeCrEtKeyCLI
    redirect_url: "https://logincli.example.org/callback"
  issuer:
    url: "https://dex.example.org/dex"
    # CA bundle used to verify the issuer's TLS certificate.
    root_ca: "/etc/ssl/ca.pem"
  extra_scopes:
  - groups
  offline_as_scope: true
  # The extra audience to request; it is the client that lists `cli` in
  # its trustedPeers on the dex side.
  cross_clients:
  - login
tls:
  # Plain HTTP listener: only acceptable when TLS terminates in front of
  # the pod (e.g. at the Ingress).
  enabled: false
log:
  level: Info
  format: json
48 | ```
49 |
50 | *cross_clients: [login]* is the important field.
51 |
--------------------------------------------------------------------------------
/templates/NOTES.txt:
--------------------------------------------------------------------------------
{{- /* Post-install note: prints one loginapp URL per ingress host, https when ingress.tls is set. */ -}}
{{- if .Values.loginapp.ingress.enabled }}
Login application URL accessible at :
{{- range .Values.loginapp.ingress.hosts }}
{{ if $.Values.loginapp.ingress.tls }}https{{ else }}http{{ end }}://{{ . }}
{{- end -}}
{{- end -}}
7 |
--------------------------------------------------------------------------------
/templates/_helpers.tpl:
--------------------------------------------------------------------------------
1 | {{/* vim: set filetype=mustache: */}}
{{/*
Chart name, replaced by .Values.nameOverride when set, clipped to the
63-character limit Kubernetes imposes on names and label values.
Note: the helper prefix is "k8s-ldap" although Chart.yaml names the chart
"kube-oidc"; every template references the prefix, so it is kept as is.
*/}}
{{- define "k8s-ldap.name" -}}
{{- .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
8 |
{{/*
Fully qualified app name: "<release>-<name>", or .Values.fullNameOverride
when it is set. Both forms are clipped to 63 chars (DNS label limit).
NOTE(review): the key is spelled fullNameOverride here, while the common
Helm convention is fullnameOverride — confirm against values.yaml.
*/}}
{{- define "k8s-ldap.fullname" -}}
{{- $base := printf "%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) | trunc 63 | trimSuffix "-" -}}
{{- .Values.fullNameOverride | default $base | trunc 63 | trimSuffix "-" -}}
{{- end -}}
19 |
{{/*
Value of the "chart" label: "<chart name>-<chart version>". A "+" from
semver build metadata is not a legal label character, so it becomes "_".
*/}}
{{- define "k8s-ldap.chart" -}}
{{- .Chart.Version | printf "%s-%s" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
26 |
{{/*
Name shared by all dex resources: "<release>-<chart name>-<dex.name>".
Unlike "k8s-ldap.fullname" it does not honour .Values.fullNameOverride.
*/}}
{{- define "k8s-ldap.dex.fullname" -}}
{{- printf "%s-%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) .Values.dex.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
34 |
{{/*
Name shared by all loginapp resources: "<release>-<chart name>-<loginapp.name>".
Unlike "k8s-ldap.fullname" it does not honour .Values.fullNameOverride.
*/}}
{{- define "k8s-ldap.loginapp.fullname" -}}
{{- printf "%s-%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) .Values.loginapp.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
42 |
{{/*
Name shared by all keycloak proxy resources:
"<release>-<chart name>-<keycloakProxy.name>".
Unlike "k8s-ldap.fullname" it does not honour .Values.fullNameOverride.
*/}}
{{- define "k8s-ldap.keycloakProxy.fullname" -}}
{{- printf "%s-%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) .Values.keycloakProxy.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
50 |
--------------------------------------------------------------------------------
/templates/ca-cm.yaml:
--------------------------------------------------------------------------------
kind: ConfigMap
apiVersion: v1
metadata:
  # Referenced literally as "<release>-ca" by keycloak-proxy-deployment.yaml,
  # so this name is not routed through the fullname helper.
  name: {{ .Release.Name }}-ca
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.loginapp.name }}
data:
  # CA bundle from loginapp.issuerCA, mounted as /etc/ssl/ca.pem by the
  # keycloak proxy (and presumably used by loginapp as its issuer root_ca).
  # It only holds public certificates, so a ConfigMap is fine here.
  ca.pem: |
{{ .Values.loginapp.issuerCA | indent 4 }}
14 |
--------------------------------------------------------------------------------
/templates/dex-cm.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "k8s-ldap.dex.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
data:
  # dex.config is rendered verbatim, including any staticClient secrets and
  # connector credentials it carries (see examples/). A ConfigMap is readable
  # by anyone with get on configmaps in the namespace, so restrict that verb
  # or consider moving this to a Secret.
  config.yaml: |
{{ toYaml .Values.dex.config | indent 4 }}
{{- end -}}
16 |
--------------------------------------------------------------------------------
/templates/dex-cr.yaml:
--------------------------------------------------------------------------------
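{{- if .Values.dex.enabled -}}
{{- if .Values.dex.rbac.create }}
# rbac.authorization.k8s.io/v1 exists on every cluster that has apps/v1
# (used by dex-deployment.yaml); v1beta1 was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
  name: {{ template "k8s-ldap.dex.fullname" . }}
rules:
# Full control over dex's own API group, cluster-wide (dex-crb.yaml binds
# this with a ClusterRoleBinding). Use a Role/RoleBinding in the release
# namespace instead if dex should not touch other namespaces.
- apiGroups: ["dex.coreos.com"] # API group created by dex
  resources: ["*"]
  verbs: ["*"]
# dex-crd.yaml only ships the authcodes CRD; dex creates the others itself,
# hence "create" (and only create) on customresourcedefinitions.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions.
{{- end -}}
{{- end -}}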
22 |
--------------------------------------------------------------------------------
/templates/dex-crb.yaml:
--------------------------------------------------------------------------------
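{{- if .Values.dex.enabled -}}
{{- if .Values.dex.rbac.create }}
# rbac.authorization.k8s.io/v1 exists on every cluster that has apps/v1
# (used by dex-deployment.yaml); v1beta1 was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
  name: {{ template "k8s-ldap.dex.fullname" . }}
# Grants the dex ClusterRole (dex-cr.yaml) cluster-wide to the ServiceAccount
# from dex-sa.yaml; the pod in dex-deployment.yaml runs as that account.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "k8s-ldap.dex.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ template "k8s-ldap.dex.fullname" . }}
  namespace: {{ .Release.Namespace }}
{{- end -}}
{{- end -}}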
23 |
--------------------------------------------------------------------------------
/templates/dex-crd.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled }}
# Only the authcodes CRD ships with the chart; dex creates its remaining
# storage types itself, which is why dex-cr.yaml grants CRD create.
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# the v1 API additionally requires a structural schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: authcodes.dex.coreos.com
spec:
  group: dex.coreos.com
  version: v1
  scope: Namespaced
  names:
    kind: AuthCode
    listKind: AuthCodeList
    plural: authcodes
    singular: authcode
{{- end -}}
16 |
--------------------------------------------------------------------------------
/templates/dex-deployment.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "k8s-ldap.dex.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
spec:
  replicas: {{ .Values.dex.replicas }}
  selector:
    matchLabels:
      app: {{ include "k8s-ldap.name" . }}
      component: {{ .Values.dex.name }}
  template:
    metadata:
      annotations:
        # Hash of the rendered dex-cm.yaml: a config change alters the pod
        # template, so the Deployment rolls the pods onto the new config.
        checksum/config: {{ include (print $.Template.BasePath "/dex-cm.yaml") . | sha256sum }}
{{- if .Values.dex.podAnnotations }}
{{ toYaml .Values.dex.podAnnotations | indent 8 }}
{{- end }}
      labels:
        app: {{ include "k8s-ldap.name" . }}
        component: {{ .Values.dex.name }}
    spec:
      # With rbac.create the chart-managed account from dex-sa.yaml is used;
      # otherwise the operator supplies one that already carries dex's RBAC.
      serviceAccountName: {{ if .Values.dex.rbac.create }}{{ include "k8s-ldap.dex.fullname" . }}{{ else }}"{{ .Values.dex.serviceAccountName }}"{{ end }}
      containers:
      - name: {{ include "k8s-ldap.name" . }}-{{ .Values.dex.name }}
        image: {{ .Values.dex.image.repository }}:{{ .Values.dex.image.tag }}
        imagePullPolicy: {{ .Values.dex.image.pullPolicy }}
        command: ["dex", "serve", "/etc/dex/cfg/config.yaml"]
        ports:
        - name: http
          containerPort: {{ .Values.dex.port }}
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
{{- if .Values.dex.resources }}
        resources:
{{ toYaml .Values.dex.resources | indent 10 }}
{{- end }}
        # Both probes use dex's own /healthz on the HTTP port. No securityContext
        # is set, so the container runs with whatever the image defaults to.
        readinessProbe:
          httpGet:
            path: /healthz
            port: {{ .Values.dex.port }}
          timeoutSeconds: 5
          periodSeconds: 5
          failureThreshold: 5
        livenessProbe:
          httpGet:
            path: /healthz
            port: {{ .Values.dex.port }}
          initialDelaySeconds: 30
          periodSeconds: 5
      volumes:
      - name: config
        configMap:
          name: {{ include "k8s-ldap.dex.fullname" . }}
          items:
          - key: config.yaml
            path: config.yaml
{{- if .Values.dex.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.dex.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.dex.tolerations }}
      tolerations:
{{ toYaml .Values.dex.tolerations | indent 8 }}
{{- end }}
{{- if .Values.dex.affinity }}
      affinity:
{{ toYaml .Values.dex.affinity | indent 8 }}
{{- end -}}
{{- end -}}
78 |
--------------------------------------------------------------------------------
/templates/dex-ingress.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled -}}
{{- if .Values.dex.ingress.enabled -}}
{{- $serviceName := include "k8s-ldap.dex.fullname" . }}
{{- $servicePort := .Values.dex.servicePort -}}
# NOTE(review): extensions/v1beta1 Ingress was removed in Kubernetes 1.22;
# move to networking.k8s.io/v1 once older clusters need not be supported.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: {{ include "k8s-ldap.dex.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
{{- if .Values.dex.ingress.annotations }}
  annotations:
{{ toYaml .Values.dex.ingress.annotations | indent 4 }}
{{- end }}
spec:
  rules:
{{- range .Values.dex.ingress.hosts }}
  # One catch-all rule per host, all pointing at the dex Service.
  # dex.servicePort must agree with dex.port, which dex-service.yaml exposes.
  - host: {{ . }}
    http:
      paths:
      - backend:
          serviceName: {{ $serviceName }}
          servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.dex.ingress.tls }}
  # Without this block the issuer is served over plain HTTP, and OIDC clients
  # then send tokens in the clear.
  tls:
{{ toYaml .Values.dex.ingress.tls | indent 4 }}
{{- end -}}
{{- end -}}
{{- end -}}
35 |
--------------------------------------------------------------------------------
/templates/dex-sa.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled -}}
{{- if .Values.dex.rbac.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  # Bound cluster-wide to the dex ClusterRole by dex-crb.yaml and used as the
  # pod's serviceAccountName in dex-deployment.yaml when rbac.create is set.
  name: {{ include "k8s-ldap.dex.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
{{- end -}}
{{- end -}}
15 |
--------------------------------------------------------------------------------
/templates/dex-service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.dex.enabled }}
apiVersion: v1
kind: Service
metadata:
  name: {{ include "k8s-ldap.dex.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.dex.name }}
spec:
  selector:
    app: {{ include "k8s-ldap.name" . }}
    component: {{ .Values.dex.name }}
  ports:
  # Named "http": nothing in this chart terminates TLS on the pod, so the
  # Ingress (dex-ingress.yaml) is where TLS should be configured.
  - name: http
    protocol: TCP
    port: {{ .Values.dex.port }}
    targetPort: {{ .Values.dex.port }}
{{- end -}}
22 |
--------------------------------------------------------------------------------
/templates/keycloak-proxy-cm.yaml:
--------------------------------------------------------------------------------
{{- if .Values.keycloakProxy.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "k8s-ldap.keycloakProxy.fullname" . }}
  labels:
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.keycloakProxy.name }}
data:
  # keycloakProxy.config is rendered verbatim. A gatekeeper config normally
  # holds the OIDC client secret and cookie encryption key; a ConfigMap is
  # readable by anyone with get on configmaps in the namespace, so restrict
  # that verb or consider moving this to a Secret.
  config.yaml: |
{{ toYaml .Values.keycloakProxy.config | indent 4 }}
{{- end -}}
16 |
--------------------------------------------------------------------------------
/templates/keycloak-proxy-deployment.yaml:
--------------------------------------------------------------------------------
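{{- if .Values.keycloakProxy.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.keycloakProxy.name }}
  name: {{ template "k8s-ldap.keycloakProxy.fullname" . }}
spec:
  replicas: {{ .Values.keycloakProxy.replicas }}
  selector:
    matchLabels:
      app: {{ template "k8s-ldap.name" . }}
      component: {{ .Values.keycloakProxy.name }}
  template:
    metadata:
      annotations:
        # Hash of the rendered keycloak-proxy-cm.yaml: a config change alters
        # the pod template, so the Deployment rolls the pods.
        checksum/config: {{ include (print $.Template.BasePath "/keycloak-proxy-cm.yaml") . | sha256sum }}
{{- if .Values.keycloakProxy.podAnnotations }}
{{ toYaml .Values.keycloakProxy.podAnnotations | indent 8 }}
{{- end }}
      labels:
        app: {{ template "k8s-ldap.name" . }}
        component: {{ .Values.keycloakProxy.name }}
    spec:
      containers:
      - image: {{ .Values.keycloakProxy.image.repository }}:{{ .Values.keycloakProxy.image.tag }}
        imagePullPolicy: {{ .Values.keycloakProxy.image.pullPolicy }}
        name: {{ template "k8s-ldap.name" . }}-{{ .Values.keycloakProxy.name }}
        args:
        - "--config=/app/config.yaml"
        # Unconditionally disables certificate verification towards the OIDC
        # issuer, even though a CA bundle is mounted below; the proxy cannot
        # tell dex from an impostor while this is on. Remove it once the issuer
        # certificate chains to ca.pem (or a public CA).
        - "--skip-openid-provider-tls-verify"
        ports:
        - name: http
          containerPort: {{ .Values.keycloakProxy.port }}
        volumeMounts:
        - name: config
          mountPath: /app/
        # Mounted as a single file. Mounting the volume over /etc/ssl/ would
        # hide everything the image keeps there (typically the system CA
        # bundle), which may be why verification above had to be skipped.
        # A subPath mount does not pick up later ConfigMap updates; the
        # checksum annotation rolls the pods instead.
        - name: ca
          mountPath: /etc/ssl/ca.pem
          subPath: ca.pem
{{- if .Values.keycloakProxy.resources }}
        resources:
{{ toYaml .Values.keycloakProxy.resources | indent 10 }}
{{- end }}
        # Probes are commented out, so the pod is Ready as soon as it starts and
        # receives traffic even if the proxy failed to load its config.
        #readinessProbe:
        #  httpGet:
        #    path: /keycloakProxy/healthz
        #    port: {{ .Values.keycloakProxy.port }}
        #  timeoutSeconds: 5
        #  periodSeconds: 5
        #  failureThreshold: 5
        #livenessProbe:
        #  httpGet:
        #    path: /keycloakProxy/healthz
        #    port: {{ .Values.keycloakProxy.port }}
        #  initialDelaySeconds: 30
        #  periodSeconds: 5
      volumes:
      - name: config
        configMap:
          name: {{ template "k8s-ldap.keycloakProxy.fullname" . }}
          items:
          - key: config.yaml
            path: config.yaml
      - name: ca
        configMap:
          # Literal name set by ca-cm.yaml.
          name: {{ .Release.Name }}-ca
          items:
          - key: ca.pem
            path: ca.pem
{{- if .Values.keycloakProxy.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.keycloakProxy.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.keycloakProxy.tolerations }}
      tolerations:
{{ toYaml .Values.keycloakProxy.tolerations | indent 8 }}
{{- end }}
{{- if .Values.keycloakProxy.affinity }}
      affinity:
{{ toYaml .Values.keycloakProxy.affinity | indent 8 }}
{{- end -}}
{{- end -}}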
87 |
--------------------------------------------------------------------------------
/templates/keycloak-proxy-ingress.yaml:
--------------------------------------------------------------------------------
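{{- if .Values.keycloakProxy.enabled -}}
{{- if .Values.keycloakProxy.ingress.enabled -}}
{{- $serviceName := include "k8s-ldap.keycloakProxy.fullname" . }}
{{- $servicePort := .Values.keycloakProxy.servicePort -}}
{{- /* networking.k8s.io/v1 Ingress exists from Kubernetes 1.19 and
       extensions/v1beta1 is gone from 1.22, so the API version is picked
       from the target cluster instead of being hard-coded. */ -}}
{{- $ingressV1 := semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: {{ if $ingressV1 }}networking.k8s.io/v1{{ else }}extensions/v1beta1{{ end }}
kind: Ingress
metadata:
  name: {{ template "k8s-ldap.keycloakProxy.fullname" . }}
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.keycloakProxy.name }}
  {{- if .Values.keycloakProxy.ingress.annotations }}
  annotations:
{{ toYaml .Values.keycloakProxy.ingress.annotations | indent 4 }}
  {{- end }}
spec:
  rules:
  {{- range .Values.keycloakProxy.ingress.hosts }}
  - host: {{ . }}
    http:
      paths:
      {{- if $ingressV1 }}
      - path: /
        pathType: Prefix
        backend:
          service:
            name: {{ $serviceName }}
            port:
              {{- if kindIs "string" $servicePort }}
              name: {{ $servicePort }}
              {{- else }}
              number: {{ $servicePort }}
              {{- end }}
      {{- else }}
      - backend:
          serviceName: {{ $serviceName }}
          servicePort: {{ $servicePort }}
      {{- end }}
  {{- end -}}
  {{- /* Without a tls entry the proxy, its session cookie and the OAuth
         callback it serves are reachable over plain HTTP. */ -}}
  {{- if .Values.keycloakProxy.ingress.tls }}
  tls:
{{ toYaml .Values.keycloakProxy.ingress.tls | indent 4 }}
  {{- end -}}
{{- end -}}
{{- end -}}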
35 |
--------------------------------------------------------------------------------
/templates/keycloak-proxy-service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.keycloakProxy.enabled }}
# ClusterIP Service (no `type` given, so the API default applies) exposing the
# keycloak-proxy pods on servicePort, targeting the container's `port`.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "k8s-ldap.keycloakProxy.fullname" . }}
  labels:
    component: {{ .Values.keycloakProxy.name }}
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  selector:
    component: {{ .Values.keycloakProxy.name }}
    app: {{ include "k8s-ldap.name" . }}
  ports:
  - name: http
    protocol: TCP
    port: {{ .Values.keycloakProxy.servicePort }}
    targetPort: {{ .Values.keycloakProxy.port }}
{{- end -}}
22 |
--------------------------------------------------------------------------------
/templates/loginapp-cm.yaml:
--------------------------------------------------------------------------------
{{- if .Values.loginapp.enabled }}
# Rendered loginapp configuration. NOTE(review): .Values.loginapp.config carries
# the OIDC client secret, so that secret lands in this ConfigMap (readable by
# anyone allowed to get configmaps in the namespace) rather than in a Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "k8s-ldap.loginapp.fullname" . }}
  labels:
    component: {{ .Values.loginapp.name }}
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  config.yaml: |
{{ toYaml .Values.loginapp.config | indent 4 }}
{{- end -}}
16 |
--------------------------------------------------------------------------------
/templates/loginapp-deployment.yaml:
--------------------------------------------------------------------------------
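{{- if .Values.loginapp.enabled }}
# loginapp: the web UI users authenticate to (through dex) to obtain an ID
# token / kubeconfig. Its OIDC settings come from .Values.loginapp.config.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ template "k8s-ldap.loginapp.fullname" . }}
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.loginapp.name }}
spec:
  replicas: {{ .Values.loginapp.replicas }}
  selector:
    matchLabels:
      app: {{ template "k8s-ldap.name" . }}
      component: {{ .Values.loginapp.name }}
  template:
    metadata:
      annotations:
        # Rolls the pods whenever the rendered loginapp config changes.
        checksum/config: {{ include (print $.Template.BasePath "/loginapp-cm.yaml") . | sha256sum }}
        {{- if .Values.loginapp.podAnnotations }}
{{ toYaml .Values.loginapp.podAnnotations | indent 8 }}
        {{- end }}
      labels:
        app: {{ template "k8s-ldap.name" . }}
        component: {{ .Values.loginapp.name }}
    spec:
      # No serviceAccountName is set in this template, so without this line the
      # pod would be handed the namespace's default service-account token.
      # loginapp only talks to dex (OIDC) and needs no Kubernetes API access.
      automountServiceAccountToken: false
      containers:
      - name: {{ template "k8s-ldap.name" . }}-{{ .Values.loginapp.name }}
        image: {{ .Values.loginapp.image.repository }}:{{ .Values.loginapp.image.tag }}
        imagePullPolicy: {{ .Values.loginapp.image.pullPolicy }}
        # A YAML mapping cannot carry the same key twice; the container
        # previously declared `command` both as "serve /app/config.yaml" and as
        # "serve -c /app/config.yaml", which strict parsers reject. The `-c`
        # form is kept — confirm it against the CLI of the loginapp image.tag.
        command: ["/loginapp"]
        args: ["serve", "-c", "/app/config.yaml"]
        ports:
        - name: http
          containerPort: {{ .Values.loginapp.port }}
        # Baseline hardening that does not depend on the image's user: loginapp
        # binds a non-privileged port and needs no capabilities.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: config
          mountPath: /app/
          readOnly: true
        # Mounted as a single file at the path loginapp's root_ca setting uses.
        # A directory mount at /etc/ssl/ would hide the image's own trust store
        # (/etc/ssl/certs on most images) behind a directory holding only ca.pem.
        - name: ca
          mountPath: /etc/ssl/ca.pem
          subPath: ca.pem
          readOnly: true
        {{- if .Values.loginapp.resources }}
        resources:
{{ toYaml .Values.loginapp.resources | indent 10 }}
        {{- end }}
        # Probes and containerPort all use loginapp.port; the address the app
        # actually binds comes from loginapp.config.listen and must agree.
        readinessProbe:
          httpGet:
            path: /healthz
            port: {{ .Values.loginapp.port }}
          timeoutSeconds: 5
          periodSeconds: 5
          failureThreshold: 5
        livenessProbe:
          httpGet:
            path: /healthz
            port: {{ .Values.loginapp.port }}
          initialDelaySeconds: 30
          periodSeconds: 5
      volumes:
      - name: config
        configMap:
          name: {{ template "k8s-ldap.loginapp.fullname" . }}
          items:
          - key: config.yaml
            path: config.yaml
      - name: ca
        configMap:
          name: {{ .Release.Name }}-ca
          items:
          - key: ca.pem
            path: ca.pem
      {{- if .Values.loginapp.nodeSelector }}
      nodeSelector:
{{ toYaml .Values.loginapp.nodeSelector | indent 8 }}
      {{- end }}
      {{- if .Values.loginapp.tolerations }}
      tolerations:
{{ toYaml .Values.loginapp.tolerations | indent 8 }}
      {{- end }}
      {{- if .Values.loginapp.affinity }}
      affinity:
{{ toYaml .Values.loginapp.affinity | indent 8 }}
      {{- end -}}
{{- end -}}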
90 |
--------------------------------------------------------------------------------
/templates/loginapp-ingress.yaml:
--------------------------------------------------------------------------------
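{{- if .Values.loginapp.enabled -}}
{{- if .Values.loginapp.ingress.enabled -}}
{{- $serviceName := include "k8s-ldap.loginapp.fullname" . }}
{{- $servicePort := .Values.loginapp.servicePort -}}
{{- /* networking.k8s.io/v1 Ingress exists from Kubernetes 1.19 and
       extensions/v1beta1 is gone from 1.22, so the API version is picked
       from the target cluster instead of being hard-coded. */ -}}
{{- $ingressV1 := semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: {{ if $ingressV1 }}networking.k8s.io/v1{{ else }}extensions/v1beta1{{ end }}
kind: Ingress
metadata:
  name: {{ template "k8s-ldap.loginapp.fullname" . }}
  labels:
    app: {{ template "k8s-ldap.name" . }}
    chart: {{ template "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
    component: {{ .Values.loginapp.name }}
  {{- if .Values.loginapp.ingress.annotations }}
  annotations:
{{ toYaml .Values.loginapp.ingress.annotations | indent 4 }}
  {{- end }}
spec:
  rules:
  {{- range .Values.loginapp.ingress.hosts }}
  - host: {{ . }}
    http:
      paths:
      {{- if $ingressV1 }}
      - path: /
        pathType: Prefix
        backend:
          service:
            name: {{ $serviceName }}
            port:
              {{- if kindIs "string" $servicePort }}
              name: {{ $servicePort }}
              {{- else }}
              number: {{ $servicePort }}
              {{- end }}
      {{- else }}
      - backend:
          serviceName: {{ $serviceName }}
          servicePort: {{ $servicePort }}
      {{- end }}
  {{- end -}}
  {{- /* Without a tls entry the login page and the OIDC redirect_url that
         receives the authorization code are served over plain HTTP. */ -}}
  {{- if .Values.loginapp.ingress.tls }}
  tls:
{{ toYaml .Values.loginapp.ingress.tls | indent 4 }}
  {{- end -}}
{{- end -}}
{{- end -}}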
35 |
--------------------------------------------------------------------------------
/templates/loginapp-service.yaml:
--------------------------------------------------------------------------------
{{- if .Values.loginapp.enabled }}
# ClusterIP Service (no `type` given, so the API default applies) exposing the
# loginapp pods on servicePort, targeting the container's `port`.
apiVersion: v1
kind: Service
metadata:
  name: {{ include "k8s-ldap.loginapp.fullname" . }}
  labels:
    component: {{ .Values.loginapp.name }}
    app: {{ include "k8s-ldap.name" . }}
    chart: {{ include "k8s-ldap.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  selector:
    component: {{ .Values.loginapp.name }}
    app: {{ include "k8s-ldap.name" . }}
  ports:
  - name: http
    protocol: TCP
    port: {{ .Values.loginapp.servicePort }}
    targetPort: {{ .Values.loginapp.port }}
{{- end -}}
22 |
--------------------------------------------------------------------------------
/values.yaml:
--------------------------------------------------------------------------------
1 | ##############
2 | ### Common ###
3 | ##############
4 | # fullnameOverride:
5 | # nameOverride:
6 |
7 | ###########
8 | ### Dex ###
9 | ###########
dex:
  # dex is off by default; enable it to run the OIDC issuer in-cluster.
  enabled: false
  name: dex

  # Image. The tag is mutable; for a production install prefer pinning the
  # image by digest so a re-tagged image cannot silently change what runs.
  image:
    repository: quay.io/dexidp/dex
    tag: v2.25.0
    pullPolicy: IfNotPresent

  # Deployment settings
  replicas: 1
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # Container port; must match the port in config.web.http below.
  port: 8080
  servicePort: 8080

  # Ingress. dex mints the ID tokens the API server trusts, so an enabled
  # Ingress should carry TLS: with `tls: []` the issuer is served over plain
  # HTTP and authorization codes / tokens cross the network in clear.
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    hosts:
      - dex.example.local
    tls: []
    #  - secretName: dex-example-tls
    #    hosts:
    #      - dex.example.local

  # RBAC. dex keeps its state in the CRDs listed under storage below and needs
  # a ServiceAccount allowed to manage them.
  rbac:
    create: true
    # Uncomment if rbac.create is false
    # serviceAccountName:

  # Dex configuration
  # See https://github.com/coreos/dex/tree/master/Documentation
  # NOTE(review): this tree is presumably rendered verbatim into a ConfigMap
  # (dex-cm.yaml), the way loginapp's and keycloak-proxy's config trees are.
  # Everything below — bindPW and the static client secrets included — is then
  # stored in clear and readable by anyone who can read ConfigMaps in the
  # namespace. Keep real credentials out of committed values files.
  config:
    # Must be the exact URL clients use for discovery (scheme, host, path):
    # loginapp.config.oidc.issuer.url and keycloakProxy.config.discovery-url
    # are validated against it. The shipped placeholders (dex.k8s.example.org,
    # dex.example.local, dex.example.org) do not agree with each other.
    issuer: https://dex.k8s.example.org/dex
    storage:
      # Kubernetes storage by default, Dex will create CRD on first launch:
      # * authcodes.dex.coreos.com
      # * authrequests.dex.coreos.com
      # * connectors.dex.coreos.com
      # * oauth2clients.dex.coreos.com
      # * offlinesessionses.dex.coreos.com
      # * passwords.dex.coreos.com
      # * refreshtokens.dex.coreos.com
      # * signingkeies.dex.coreos.com
      type: kubernetes
      config:
        inCluster: true
    web:
      # Plain HTTP listener inside the cluster; TLS is expected to be
      # terminated at the Ingress. Be careful: this must equal dex.port.
      http: 0.0.0.0:8080
    logger:
      # "debug" is verbose and may log request details you do not want kept;
      # consider "info" once the setup works.
      level: "debug"
      format: json

    connectors:
    - type: ldap
      # Required field for connector id.
      id: ldap
      # Required field for connector name.
      name: LDAP
      config:
        # Host and optional port of the LDAP server in the form "host:port".
        # If the port is not supplied, it will be guessed based on "insecureNoSSL",
        # and "startTLS" flags. 389 for insecure or StartTLS connections, 636
        # otherwise.
        host: ldap.k8s.example.org:1389

        # THE SHIPPED DEFAULT IS INSECURE. insecureNoSSL makes dex speak plain
        # ldap://, so the bind password and every user's password cross the
        # network in clear. Set it to false (ldaps://) or use startTLS for
        # anything beyond a throwaway lab. Upstream warns the option may be
        # removed without warning in a future release.
        insecureNoSSL: true
        # Turns OFF verification of the LDAP server's TLS certificate. With it
        # set, TLS gives no protection against an impersonated directory; it is
        # only acceptable in exploratory phases. Provide the server's CA through
        # rootCA / rootCAData instead.
        insecureSkipVerify: true
        # When connecting to the server, connect using the ldap:// protocol then issue
        # a StartTLS command. If unspecified, connections will use the ldaps:// protocol
        #
        # startTLS: true
        # Path to a trusted root certificate file. Default: use the host's root CA.
        #rootCA: /etc/dex/ldap.ca
        # A raw certificate file can also be provided inline.
        #rootCAData:
        # The DN and password for an application service account. The connector uses
        # these credentials to search for users and groups. Not required if the LDAP
        # server provides access for anonymous auth.
        # Use a read-only directory account here, never an administrative one:
        # the password is stored in clear by this chart (see the note on config).
        # Please note that if the bind password contains a `$`, it has to be saved in an
        # environment variable which should be given as the value to `bindPW`.
        bindDN: cn=admin,dc=example,dc=org
        # Placeholder — replace at install time, not in a committed values file.
        bindPW: admin

        # User search maps a username and password entered by a user to a LDAP entry.
        userSearch:
          # BaseDN to start the search from. It will translate to the query
          # "(&(objectClass=person)(uid=<username>))".
          baseDN: ou=People,dc=example,dc=org
          # Optional filter to apply when searching the directory.
          filter: "(objectClass=posixAccount)"
          # Username attribute used for comparing user entries. This will be translated
          # and combined with the other filter as "(<attr>=<username>)".
          username: mail
          # The following three fields are direct mappings of attributes on the user entry.
          # String representation of the user.
          idAttr: uid
          # Required. Attribute to map to Email.
          emailAttr: mail
          # Maps to display name of users. No default value.
          nameAttr: uid

        # Group search queries for groups given a user entry.
        groupSearch:
          # BaseDN to start the search from. It will translate to the query
          # "(&(objectClass=group)(member=<user attr>))".
          baseDN: ou=Groups,dc=example,dc=org
          # Optional filter to apply when searching the directory.
          filter: "(objectClass=posixGroup)"
          # Following two fields are used to match a user to a group. It adds an additional
          # requirement to the filter that an attribute in the group must match the user's
          # attribute value.
          userAttr: uid
          groupAttr: memberUid
          # Represents group name.
          nameAttr: cn
    oauth2:
      # Users are not asked to approve the client's scope request; fine for
      # first-party clients such as loginapp and the dashboard proxy.
      skipApprovalScreen: true

    # Configure static clients.
    # Warning: the id of the client that issues tokens for kubectl must equal
    # the client-id in your Kubernetes API server configuration (its
    # --oidc-client-id). Additional applications whose tokens should also be
    # accepted by the API server are listed as trustedPeers of that client
    # rather than given their own id.
    # The loginapp client (loginapp.config.oidc.client) must use the same id
    # and secret as one of these entries — the shipped defaults do not match
    # on id ("cli" here, "loginapp" there).
    staticClients:
    - id: cli
      redirectURIs:
      - 'https://loginapp.example.local/callback'
      name: 'Login Application'
      # Placeholder from the upstream dex examples (base64 of
      # "example-app-secret"); it is public and must be replaced per install.
      secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    # If keycloak is enabled, uncomment and complete
    # following lines (replace the example secret):
    #- id: login
    #  redirectURIs:
    #  - 'https://dashboard.example.local/oauth/callback'
    #  name: 'Dashboard Application'
    #  secret: iCeiqu5phogh3Eesh5iPu3gaph9eexo6
    #  trustedPeers:
    #  - cli
173 |
174 | ################
175 | ### Loginapp ###
176 | ################
loginapp:
  # loginapp is off by default; enable it to offer the browser login page that
  # hands users an ID token / kubeconfig.
  enabled: false
  name: loginapp

  # Image. The tag is mutable; for a production install prefer pinning the
  # image by digest so a re-tagged image cannot silently change what runs.
  image:
    repository: quay.io/fydrah/loginapp
    tag: v3.1.0
    pullPolicy: IfNotPresent

  # Deployment settings
  replicas: 1
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # containerPort, probes and the Service targetPort all use this value.
  # NOTE(review): config.listen below binds 5555, not 8080, so one of the two
  # looks wrong — align them or the probes will never succeed.
  port: 8080
  servicePort: 8080

  # Ingress. With `tls: []` the login page and the OIDC redirect_url that
  # receives the authorization code are served over plain HTTP.
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    hosts:
      - loginapp.example.local
    tls: []
    #  - secretName: loginapp-example-tls
    #    hosts:
    #      - loginapp.example.local

  # Loginapp configuration
  # see: https://github.com/fydrah/loginapp#configuration
  # Rendered verbatim into a ConfigMap by loginapp-cm.yaml, so the client
  # secret below is stored in clear; override it at install time rather than
  # committing a real value here.
  config:
    name: "Login Application"
    # Address the app binds; must agree with loginapp.port (see note there).
    listen: "0.0.0.0:5555"
    oidc:
      # Must match an entry in dex.config.staticClients (id and secret). The
      # shipped defaults share the secret but not the id ("loginapp" vs "cli").
      client:
        id: "loginapp"
        # Placeholder from the upstream dex examples (base64 of
        # "example-app-secret"); public, replace per install.
        secret: ZXhhbXBsZS1hcHAtc2VjcmV0
        # Must be listed verbatim in the dex client's redirectURIs.
        redirect_url: "https://loginapp.example.local/callback"
      issuer:
        # CA used to verify dex's certificate; the file is the ca.pem mounted
        # by loginapp-deployment.yaml from the "<release>-ca" ConfigMap, which
        # presumably is built from issuerCA below.
        root_ca: "/etc/ssl/ca.pem"
        # Must equal dex.config.issuer exactly (the placeholders differ).
        url: "https://dex.example.local"

  # Issuer certificate authority (PEM) that loginapp should trust for the dex
  # issuer URL. Leave empty when dex presents a publicly trusted certificate.
  issuerCA: ""
  #
  # Example: Letsencrypt CA
  # NOTE(review): the certificate below is DST Root CA X3 (notAfter
  # 2021-09-30), which has expired and no longer anchors Let's Encrypt chains
  # (ISRG Root X1 does). It is kept only as a format example — do not copy it.
  # issuerCA: |
  #   -----BEGIN CERTIFICATE-----
  #   MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
  #   MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
  #   DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  #   PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
  #   Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  #   AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
  #   rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
  #   OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
  #   xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
  #   7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
  #   aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
  #   HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
  #   SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
  #   ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
  #   AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
  #   R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
  #   JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
  #   Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
  #   -----END CERTIFICATE-----
255 |
256 | ######################
257 | ### Keycloak Proxy ###
258 | ######################
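keycloakProxy:
  # keycloak-gatekeeper in front of the Kubernetes dashboard; off by default.
  enabled: false
  name: keycloak-proxy

  # Image. The tag is mutable; for a production install prefer pinning the
  # image by digest. NOTE(review): check the upstream status of
  # keycloak-gatekeeper before relying on it — the project has been announced
  # as discontinued, so security fixes may no longer be published.
  image:
    repository: keycloak/keycloak-gatekeeper
    tag: 7.0.0
    pullPolicy: IfNotPresent

  # Deployment settings
  replicas: 1
  # Kubernetes compute resources for the proxy container (unrelated to
  # config.resources below, which are gatekeeper URL-protection rules).
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # Container port; must agree with config.listen below.
  port: 8080
  servicePort: 8080

  # Opt-in for passing --skip-openid-provider-tls-verify to the proxy
  # container, i.e. NOT verifying the TLS certificate of dex's discovery and
  # token endpoints. Leave it false: with verification off, anyone on the
  # network path to dex can impersonate the issuer and obtain a proxy session
  # for any identity. If dex uses a private CA, make that CA trusted by the
  # proxy instead (see issuerCA below). Earlier chart versions always passed
  # the flag; installs that depended on that must now set this explicitly.
  skipOpenIDProviderTLSVerify: false

  # Ingress. With `tls: []` the proxy, its session cookie and the OAuth
  # callback it serves are reachable over plain HTTP.
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    hosts:
      - dashboard.example.local
    tls: []
    #  - secretName: dashboard-example-tls
    #    hosts:
    #      - dashboard.example.local

  # Keycloak-proxy configuration
  # See https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration
  # Rendered verbatim into a ConfigMap by keycloak-proxy-cm.yaml, so
  # client-secret and encryption-key are stored in clear and readable by
  # anyone who can read ConfigMaps in the namespace. Override them at install
  # time and consider moving them to a Secret.
  config:
    # OIDC client as registered in dex.config.staticClients (id and secret must
    # match; the placeholders below match nothing).
    client-id: CLIENT_ID
    client-secret: CLIENT_SECRET
    # Must agree with keycloakProxy.port.
    listen: ":8080"
    enable-refresh-tokens: true
    # Must be derived from dex.config.issuer (issuer + /.well-known/...); the
    # shipped placeholders use different hostnames.
    discovery-url: https://dex.example.org/dex/.well-known/openid-configuration
    # REPLACE THIS. Presumably the key the proxy uses to encrypt its session
    # cookie (and the refresh token kept in it when enable-refresh-tokens is
    # on). The value below ships with the chart, so every install that keeps
    # it shares one key and can forge each other's sessions. Generate a fresh
    # random value per install; check the gatekeeper docs for the key length
    # it requires.
    encryption-key: 0626a8d4c2544b141e629a9abf6c5db378b0e353
    # By default, insecure communication between
    # keycloak proxy and k8s dashboard (in-cluster communication).
    # Anything in the cluster that can reach this Service directly bypasses
    # the proxy entirely; a NetworkPolicy restricting the dashboard to the
    # proxy pods is advisable.
    upstream-url: http://kubernetes-dashboard.kube-system:80
    scopes: []
    # Gatekeeper URL-protection rules. NOTE(review): confirm what an empty
    # list means for the gatekeeper version in use; if it does not protect
    # every upstream path, add a rule such as `- uri=/*`.
    resources: []

  # Issuer certificate authority (PEM) for the dex issuer. Note that
  # keycloak-proxy-deployment.yaml mounts the resulting ca.pem but passes the
  # proxy no argument pointing at it; confirm how gatekeeper is expected to
  # pick it up before relying on a private CA.
  issuerCA: ""
  #
  # Example: Letsencrypt CA
  # NOTE(review): the certificate below is DST Root CA X3 (notAfter
  # 2021-09-30), which has expired and no longer anchors Let's Encrypt chains
  # (ISRG Root X1 does). It is kept only as a format example — do not copy it.
  # issuerCA: |
  #   -----BEGIN CERTIFICATE-----
  #   MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
  #   MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
  #   DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  #   PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
  #   Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  #   AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
  #   rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
  #   OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
  #   xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
  #   7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
  #   aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
  #   HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
  #   SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
  #   ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
  #   AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
  #   R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
  #   JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
  #   Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
  #   -----END CERTIFICATE-----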
338 |
339 |
--------------------------------------------------------------------------------