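apiVersion: v1
kind: ConfigMap
metadata:
  name: dex
  # Namespace taken from the selfLink of the exported object
  # (/api/v1/namespaces/auth/configmaps/dex).
  namespace: auth
data:
  # Dex (OIDC identity provider) configuration, federating logins to an
  # Active Directory via the LDAP connector. Dex expands $VAR references
  # from the container environment when it reads this file, which is how
  # the secrets below are kept out of the ConfigMap.
  config.yaml: |
    issuer: https://dex-k8s.example.org/dex
    storage:
      type: kubernetes
      config:
        inCluster: true
    web:
      https: '0.0.0.0:5556'
      tlsCert: /etc/dex/tls/tls.crt
      tlsKey: /etc/dex/tls/tls.key
    logger:
      # NOTE(review): debug output is verbose and may include directory
      # entries and query details; prefer "info" outside of troubleshooting.
      level: debug
      format: text
    connectors:
    - type: ldap
      # Required: connector id and display name.
      id: ldap
      name: LDAP
      config:
        # Host and port of the directory in the form "host:port". If the port
        # is omitted dex guesses it from the "insecureNoSSL" and "startTLS"
        # flags: 389 for plaintext/StartTLS, 636 otherwise. For an Active
        # Directory Global Catalog the plaintext port is 3268 and the LDAPS
        # port is 3269; this config uses the LDAPS one.
        host: ldap_server:3269
        # Never enable this: the bind password and every user's login
        # password would cross the network in clear text. Upstream warns the
        # option may be removed without notice.
        insecureNoSSL: false
        # Keep certificate verification on. Skipping it lets an on-path
        # attacker impersonate the directory and harvest credentials.
        insecureSkipVerify: false
        # When connecting, use ldap:// and issue StartTLS. Unset, dex uses
        # ldaps://, which is what port 3269 expects.
        # startTLS: true
        # Trusted CA for the directory's server certificate. Mount the CA
        # bundle into the dex pod at this path, or remove the key to fall
        # back to the host's root CAs. A raw PEM can be given inline instead
        # via rootCAData.
        rootCA: /etc/dex/ldap.ca
        # Read-only service account used for user and group searches. Not
        # needed if the directory allows anonymous search.
        # NOTE(review): "ks8-ro" looks like a typo for "k8s-ro" — confirm
        # against the directory before relying on it.
        bindDN: cn=ks8-ro,ou=k8s-users,dc=example,dc=org
        # Supplied from the environment rather than committed here. Inject
        # LDAP_BIND_PW into the dex container from a Secret
        # (env.valueFrom.secretKeyRef). A literal password containing "$"
        # would be mangled by dex's expansion, which is another reason to
        # use an environment variable.
        bindPW: $LDAP_BIND_PW
        # Maps a submitted username/password to a directory entry.
        userSearch:
          # NOTE(review): "user_grops" differs from the groupSearch baseDN
          # "user_groups" — confirm the OU name is intentional.
          baseDN: ou=user_grops,dc=example,dc=org
          # Dex ANDs this filter with "(<username>=<login>)"; the login value
          # is filter-escaped by dex before the search is issued.
          filter: "(objectCategory=person)(objectClass=user)"
          # Attribute compared against the submitted username.
          username: sAMAccountName
          # Direct attribute mappings for the resulting entry.
          idAttr: sAMAccountName
          # Required: attribute mapped to the email claim.
          emailAttr: mail
          # Display name; no default.
          nameAttr: sAMAccountName
        # Finds the groups of the user entry returned by userSearch.
        groupSearch:
          baseDN: ou=user_groups,dc=example,dc=org
          filter: "(objectCategory=Group)"
          # A group matches when its "member" attribute holds the user's
          # full DN ("DN" is dex's keyword for the entry's distinguished name).
          userAttr: DN
          groupAttr: member
          # Attribute used as the group name in the groups claim.
          nameAttr: name
    oauth2:
      # No consent screen: loginapp is a first-party client.
      skipApprovalScreen: true
    staticClients:
    - id: loginapp
      name: 'Login Application'
      # Redirect URIs are exact-match; dex rejects any other redirect_uri.
      # NOTE(review): "example-org" in the first URI looks like a typo for
      # "example.org" — a mistyped host silently breaks that callback.
      redirectURIs:
      - 'https://k8s-dashboard.example-org/oauth/callback'
      - 'https://login-k8s.example.org/callback'
      # Client secret also comes from the environment (same mechanism as
      # bindPW). The value previously committed in this file must be
      # rotated, since anyone with read access to the repo or ConfigMap
      # has it.
      secret: $LOGINAPP_CLIENT_SECRET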