Self-Hosting Dex as an Identity Provider

This is a quick guide on how to deploy Dex, an open source, self-hosted identity provider (IdP), on the same underlying Kubernetes cluster that runs the Octelium Cluster, and use it as an OpenID Connect IdentityProvider (read more about IdentityProviders here) in order to log in to the Cluster.

In this guide we use Helm to install Dex. First, create a values.yaml file for the Dex Helm chart (see the chart here) as follows. Two values have to line up with the rest of this guide: the issuer must be the exact URL under which Dex will be reachable through the Cluster (OpenID Connect discovery requires the configured issuer to match the issuer value that Dex advertises character for character, so a stray trailing slash or http:// breaks login), and the static client's redirect URI must be the Cluster's callback URL https://<DOMAIN>/callback:

```yaml
image:
  repository: ghcr.io/dexidp/dex
config:
  # Must match spec.oidc.issuerURL of the Octelium IdentityProvider below.
  issuer: https://idp.<DOMAIN>/dex
  storage:
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556
  staticClients:
    - id: octelium
      redirectURIs:
        # The Cluster's OIDC callback; Dex rejects any other redirect_uri.
        - "https://<DOMAIN>/callback"
      name: "My Demo App"
      # The same value goes into the Octelium Secret created below.
      secret: <CLIENT_SECRET>
  staticPasswords:
    - email: <YOUR_EMAIL>
      hash: <PASSWORD_BCRYPT_HASH>
      username: "admin"
      userID: <UUID_V4>
  enablePasswordDB: true
```

You can, for example, use Python to generate a bcrypt hash of a password for the hash field as follows (this needs the bcrypt package, installed with pip install bcrypt; Dex only accepts bcrypt hashes in this field):

python -c 'import bcrypt; print(bcrypt.hashpw("<YOUR_PASSWORD>".encode(), bcrypt.gensalt()).decode())'

Note that a password typed on the command line like this ends up in your shell history; read it with getpass.getpass() instead if that matters in your environment.

You can also use Python to generate a UUIDv4 for the userID field as follows:

python -c 'import uuid; print(uuid.uuid4())'

Now deploy Dex on the Kubernetes cluster using the values.yaml file shown above. The release is installed into the octelium namespace, which is where the Cluster itself runs and which the Service below reaches it in:

```shell
helm repo add dex https://charts.dexidp.io
helm repo update
helm install octelium-dex dex/dex --namespace octelium -f </PATH/TO/VALUES.YAML>
```

Now create an Octelium Service with the Dex web server as an upstream as follows. The upstream is plain HTTP inside the cluster; TLS is terminated by the Cluster at https://idp.<DOMAIN>:

```yaml
kind: Service
metadata:
  name: idp
spec:
  mode: HTTP
  config:
    upstream:
      # Service name of the Helm release above, in the octelium namespace.
      url: http://octelium-dex.octelium.svc:5556
    http:
      header:
        host:
          preserve: true
  isPublic: true
  isAnonymous: true
```

Now you can apply the creation of the Service via the octeliumctl apply command (read more here) as follows:

octeliumctl apply /PATH/TO/SERVICE.YAML
Note: the Service is created as isAnonymous because the browser has to reach Dex's login page and the Cluster has to fetch Dex's discovery document and keys before any user is authenticated. This exposes only Dex itself to anonymous callers; the Cluster's other Services are unaffected. You can read more about anonymous Services here.

Now create a Secret holding the application's client secret, i.e. the same value you set as <CLIENT_SECRET> in values.yaml, as follows:

octeliumctl create secret dex-client

Now create an OpenID Connect IdentityProvider using the application's client id, the client secret's Secret and the issuer URL as follows:

```yaml
kind: IdentityProvider
metadata:
  name: dex
spec:
  displayName: Main Login
  oidc:
    clientID: octelium
    clientSecret:
      fromSecret: dex-client
    issuerURL: https://idp.<DOMAIN>/dex
```

Now you can apply the creation of the IdentityProvider via the octeliumctl apply command as follows:

octeliumctl apply /PATH/TO/IDENTITY_PROVIDER.YAML

Now you can visit https://<DOMAIN> and log in to the Cluster through Dex with the <YOUR_EMAIL> and <YOUR_PASSWORD> you set in the values.yaml Helm file above.
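Most failed first logins with this setup come from the three pieces of configuration disagreeing with each other: the Dex issuer, the Octelium issuerURL and the static client's redirect URI. The following checker is an added example, not code from the Octelium or Dex projects; it models those settings as plain dictionaries (with example.com standing in for <DOMAIN> and a constructed copy of the discovery document Dex serves at <issuer>/.well-known/openid-configuration) and reports every mismatch that would make the IdentityProvider fail. In a real deployment you would feed it the discovery document fetched from the live issuer URL.

```python
"""Sanity-check the Dex <-> Octelium OIDC wiring before applying the IdentityProvider.

Added example, not part of the Octelium or Dex projects. DOMAIN, DEX_CONFIG,
OCTELIUM_OIDC and DISCOVERY_DOC are constructed stand-ins for the values in
the guide; check_wiring() is a hypothetical helper written for this page.
"""
import json
from urllib.parse import urlparse

DOMAIN = "example.com"  # assumption: stands in for <DOMAIN>

# Constructed stand-in for the `config:` section of the Dex values.yaml.
DEX_CONFIG = {
    "issuer": f"https://idp.{DOMAIN}/dex",
    "staticClients": [
        {
            "id": "octelium",
            "redirectURIs": [f"https://{DOMAIN}/callback"],
            "secret": "constructed-client-secret",
        }
    ],
}

# Constructed stand-in for spec.oidc of the Octelium IdentityProvider.
OCTELIUM_OIDC = {"clientID": "octelium", "issuerURL": f"https://idp.{DOMAIN}/dex"}

# Constructed discovery document, shaped the way Dex derives it from `issuer`.
DISCOVERY_DOC = json.dumps({
    "issuer": f"https://idp.{DOMAIN}/dex",
    "authorization_endpoint": f"https://idp.{DOMAIN}/dex/auth",
    "token_endpoint": f"https://idp.{DOMAIN}/dex/token",
    "jwks_uri": f"https://idp.{DOMAIN}/dex/keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_wiring(dex_config, octelium_oidc, discovery_json, domain):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    doc = json.loads(discovery_json)
    issuer = dex_config["issuer"]

    # OIDC discovery compares the issuer string exactly, so a trailing slash
    # or http:// vs https:// difference is enough to break login.
    if doc.get("issuer") != issuer:
        problems.append(f"discovery issuer {doc.get('issuer')!r} != dex issuer {issuer!r}")
    if octelium_oidc["issuerURL"] != issuer:
        problems.append(f"octelium issuerURL {octelium_oidc['issuerURL']!r} != dex issuer {issuer!r}")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must be https; the Cluster terminates TLS in front of Dex")

    # Every endpoint Dex advertises must sit under the issuer, i.e. behind the
    # anonymous idp Service, or the browser and the Cluster cannot reach it.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = doc.get(key, "")
        if not ep.startswith(issuer + "/"):
            problems.append(f"{key} {ep!r} is not under issuer {issuer!r}")

    # The static client must match the IdentityProvider's clientID and register
    # the Cluster's callback; Dex rejects any redirect_uri that is not listed.
    clients = {c["id"]: c for c in dex_config.get("staticClients", [])}
    client = clients.get(octelium_oidc["clientID"])
    if client is None:
        problems.append(f"no static client with id {octelium_oidc['clientID']!r}")
    else:
        expected_cb = f"https://{domain}/callback"
        if expected_cb not in client.get("redirectURIs", []):
            problems.append(f"redirectURIs {client.get('redirectURIs')} missing {expected_cb!r}")
        if not client.get("secret"):
            problems.append("static client has an empty secret")
    return problems


if __name__ == "__main__":
    for line in check_wiring(DEX_CONFIG, OCTELIUM_OIDC, DISCOVERY_DOC, DOMAIN) or ["OK"]:
        print(line)
```

The checks are deliberately strict string comparisons rather than URL normalisation, because that is how OIDC clients treat the issuer: a value that looks equivalent to a human but differs by one character is rejected at discovery time, before any password is ever entered.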