This is a quick guide on how to deploy Dex, an open source, self-hosted identity provider (IdP), on the same underlying Kubernetes cluster that runs the Octelium Cluster, and use it as an OpenID Connect IdentityProvider (read more about IdentityProviders here) to log in to the Cluster.
In this guide we use Helm to install Dex. First, we need to create a values.yaml file for the Dex Helm chart (see the chart here) as follows:
```yaml
image:
  repository: ghcr.io/dexidp/dex

config:
  issuer: https://idp.<DOMAIN>/dex
  storage:
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556

  staticClients:
  - id: octelium
    redirectURIs:
    - "https://<DOMAIN>/callback"
    name: "My Demo App"
    secret: <CLIENT_SECRET>

  staticPasswords:
  - email: <YOUR_EMAIL>
    hash: <PASSWORD_BCRYPT_HASH>
    username: "admin"
    userID: <UUID_V4>

  enablePasswordDB: true
```
You can, for example, use Python to generate a bcrypt hash of a password for the hash field as follows:
```shell
python -c 'import bcrypt; print(bcrypt.hashpw("<YOUR_PASSWORD>".encode(), bcrypt.gensalt()).decode())'
```
You can also use Python to generate a UUIDv4 for the userID field as follows:
```shell
python -c 'import uuid; print(uuid.uuid4())'
```
Now deploy Dex on the Kubernetes cluster using the values.yaml file shown above as follows:
```shell
helm repo add dex https://charts.dexidp.io
helm repo update
# Release name octelium-dex in the octelium namespace; the chart is dex/dex from the repo added above
helm install octelium-dex dex/dex --namespace octelium -f </PATH/TO/VALUES.YAML>
```
Now create an Octelium Service with the Dex web server as an upstream as follows:
```yaml
kind: Service
metadata:
  name: idp
spec:
  mode: HTTP
  config:
    upstream:
      url: http://octelium-dex.octelium.svc:5556
    http:
      header:
        host:
          preserve: true
  isPublic: true
  isAnonymous: true
```
Now you can apply the creation of the Service via the octeliumctl apply command (read more here) as follows:
```shell
octeliumctl apply /PATH/TO/SERVICE.YAML
```
Notice that we created the Service with isAnonymous set, since users must reach Dex anonymously in order to log in to the Cluster. You can read more about anonymous Services here.
Now create a Secret for the application's client secret as follows:
```shell
octeliumctl create secret dex-client
```
Now create an OpenID Connect IdentityProvider using the application's client ID, the Secret holding the client secret, and the issuer URL as follows:
```yaml
kind: IdentityProvider
metadata:
  name: dex
spec:
  displayName: Main Login
  oidc:
    clientID: octelium
    clientSecret:
      fromSecret: dex-client
    issuerURL: https://idp.<DOMAIN>/dex
```
Now you can apply the creation of the IdentityProvider via the octeliumctl apply command as follows:
```shell
octeliumctl apply /PATH/TO/IDENTITY_PROVIDER.YAML
```
Now you can visit https://<DOMAIN> to log in to the Cluster through Dex with the <YOUR_EMAIL> and <YOUR_PASSWORD> set above in the values.yaml Helm file.
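The three objects above (the Dex values.yaml, the Octelium Service and the IdentityProvider) have to agree on the issuer URL, the client ID, the redirect URI and the upstream port, and the most common login failure is an issuer mismatch (for example a trailing slash) between what Dex advertises in its discovery document and the IdentityProvider's issuerURL. The following script is an added example, not part of the Octelium docs or the Dex project: it cross-checks those values offline. It substitutes example.com for <DOMAIN>, and the discovery document is a constructed sample of what Dex serves at <issuer>/.well-known/openid-configuration; against a live deployment you would fetch the real document from that URL and pass it in instead.

```python
"""Offline consistency check of the Dex / Octelium OIDC wiring from the guide.

Added example, not part of the Octelium docs or the Dex project. The values
mirror the guide's placeholders with "example.com" substituted for <DOMAIN>;
the discovery document is a constructed sample of what Dex serves at
<issuer>/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlsplit

DOMAIN = "example.com"  # stands in for <DOMAIN>

# config.* keys from the Dex values.yaml, as plain Python values
DEX_CONFIG = {
    "issuer": f"https://idp.{DOMAIN}/dex",
    "web_http": "0.0.0.0:5556",
    "staticClients": [
        {"id": "octelium", "redirectURIs": [f"https://{DOMAIN}/callback"]},
    ],
}

# The Octelium Service fronting Dex
SERVICE = {
    "name": "idp",
    "upstream_url": "http://octelium-dex.octelium.svc:5556",
    "isAnonymous": True,
}

# The Octelium IdentityProvider
IDP = {
    "clientID": "octelium",
    "issuerURL": f"https://idp.{DOMAIN}/dex",
}


def sample_discovery(issuer):
    """Constructed stand-in for Dex's OIDC discovery document for `issuer`."""
    base = issuer.rstrip("/")
    return json.dumps({
        "issuer": issuer,
        "authorization_endpoint": base + "/auth",
        "token_endpoint": base + "/token",
        "jwks_uri": base + "/keys",
        "userinfo_endpoint": base + "/userinfo",
        "response_types_supported": ["code"],
        "id_token_signing_alg_values_supported": ["RS256"],
    })


def check_wiring(dex_config, service, idp, discovery_json):
    """Return a list of problems; an empty list means the objects agree."""
    problems = []
    disc = json.loads(discovery_json)
    issuer = idp["issuerURL"]

    # 1. OIDC clients compare the issuer byte-for-byte, so even a trailing
    #    slash between Dex's issuer and the IdentityProvider's issuerURL fails.
    if disc["issuer"] != issuer:
        problems.append(f"discovery issuer {disc['issuer']!r} != issuerURL {issuer!r}")
    if dex_config["issuer"] != issuer:
        problems.append("Dex config.issuer differs from IdentityProvider issuerURL")

    # 2. The issuer must be the Service's hostname under the Cluster domain, over TLS.
    iss = urlsplit(issuer)
    if iss.scheme != "https":
        problems.append("issuerURL must use https")
    if iss.hostname != f"{service['name']}.{DOMAIN}":
        problems.append(f"issuer host {iss.hostname!r} is not Service {service['name']!r} under {DOMAIN}")

    # 3. Every advertised endpoint must sit under the issuer so it is reached
    #    through the same anonymous Service.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if not disc[key].startswith(issuer.rstrip("/") + "/"):
            problems.append(f"{key} {disc[key]!r} is not under the issuer")

    # 4. The browser login uses the authorization-code flow.
    if "code" not in disc.get("response_types_supported", []):
        problems.append("Dex does not advertise the 'code' response type")

    # 5. clientID must be a static client whose redirect URI is the Cluster's callback.
    client = next((c for c in dex_config["staticClients"] if c["id"] == idp["clientID"]), None)
    if client is None:
        problems.append(f"clientID {idp['clientID']!r} is not a Dex staticClient")
    elif f"https://{DOMAIN}/callback" not in client["redirectURIs"]:
        problems.append("static client lacks the https://<DOMAIN>/callback redirect URI")

    # 6. The Service upstream must target the port Dex listens on and be anonymous.
    up = urlsplit(service["upstream_url"])
    dex_port = int(dex_config["web_http"].rsplit(":", 1)[1])
    if up.port != dex_port:
        problems.append(f"upstream port {up.port} != Dex web.http port {dex_port}")
    if not service.get("isAnonymous"):
        problems.append("Service must be isAnonymous so the browser reaches Dex before login")

    return problems


if __name__ == "__main__":
    for line in check_wiring(DEX_CONFIG, SERVICE, IDP, sample_discovery(IDP["issuerURL"])) or ["ok"]:
        print(line)
```

Run it as-is and it prints `ok`; change any one of the mirrored values (issuer, port, client ID) and the corresponding problem is reported, which is the same set of mismatches you would otherwise discover only from a failed login redirect.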