diff --git a/charts/dex-aio/templates/Deployment-dex.yaml b/charts/dex-aio/templates/Deployment-dex.yaml
index 394d3e2e..adbcca76 100644
--- a/charts/dex-aio/templates/Deployment-dex.yaml
+++ b/charts/dex-aio/templates/Deployment-dex.yaml
@@ -105,7 +105,8 @@ spec:
 - serve
 - /etc/dex/dex.yaml
 env:
- - name: LDAP_BINDPW
+ # - name: LDAP_BINDPW
+ - name: {{ .Values.params.ldap.config.bind_pw_env }}
 valueFrom:
 secretKeyRef:
 name: {{ template "helpers.labels.fullname" . }}
diff --git a/charts/dex-aio/values.yaml b/charts/dex-aio/values.yaml
index 79dfc2cc..01a16e23 100644
--- a/charts/dex-aio/values.yaml
+++ b/charts/dex-aio/values.yaml
@@ -5,7 +5,7 @@ images:
 applications:
 dex:
- tag: v2.20.0
+ tag: v2.28.1
 name: dexidp/dex
 repo: quay.io
 nginx:
@@ -47,7 +47,28 @@ params:
 client_id: my-cluster
 client_secret: pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok
 ldap:
- bind_password: super-secure
+ bind_password: "super-secure"
+ name: ITTESTSERVICES
+ config:
+ host: ldap.test.com
+ port: 636
+ bind_dn: uid@ldap.services.test.com
+ bind_pw_env: LDAP_BINDPW
+ username_prompt: SSO Username
+ user_search:
+ base_dn: dc=ldap,dc=services,dc=test,dc=com
+ filter: "(objectClass=person)"
+ username: cn
+ idAttr: cn
+ emailAttr: name
+ nameAttr: name
+ group_search:
+ base_dn: ou=groups,dc=ldap,dc=services,dc=test,dc=com
+ filter: "(objectClass=group)"
+ userMatchers:
+ userAttr: name
+ groupAttr: member
+ nameAttr: name
 over_rides:
 deployment:
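Review bot: The new env entry `- name: {{ .Values.params.ldap.config.bind_pw_env }}` is rendered unquoted, so an unset or empty `bind_pw_env` produces `name:` (null) and the container spec is rejected by the API server with no hint about which chart value is missing; prefer `- name: {{ required "params.ldap.config.bind_pw_env must be set" .Values.params.ldap.config.bind_pw_env | quote }}`. The commented-out `# - name: LDAP_BINDPW` kept above it is dead text that now disagrees with the parameterized name and should be dropped rather than left as a reminder. The `secretKeyRef.key` that pairs with this env name, and the rest of the container spec, lie outside the hunk.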
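Review bot: In the new `group_search` block, `nameAttr: name` is nested under `userMatchers`, but the connector template in the dex config hunk of this same commit reads `.Values.params.ldap.config.group_search.nameAttr`, so the rendered `groupSearch.nameAttr` comes out empty and Dex has no attribute to name groups by; move `nameAttr: name` up one level so it sits beside `base_dn` and `filter` (or change the template path to `group_search.userMatchers.nameAttr`, but not both). The `bind_password: "super-secure"` default is a committed, guessable credential that any install forgetting to override will bind to the directory with; an empty default (`bind_password: ""`) paired with a `required` check where the Secret is templated makes the omission fail at install time instead of at the LDAP server. The `client_secret` two lines above is pre-existing context but carries the same risk, presumably worth the same treatment.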
@@ -84,6 +105,48 @@ config:
 - token
 - id_token
 skipApprovalScreen: true
+ connectors:
+ - type: ldap
+ name: "{{ .Values.params.ldap.name }}"
+ id: ldap
+ config:
+ # LDAPS without certificate validation:
+ host: "{{ .Values.params.ldap.config.host }}:{{ .Values.params.ldap.config.port }}"
+ insecureNoSSL: false
+ insecureSkipVerify: true
+
+ bindDN: "{{ .Values.params.ldap.config.bind_dn }}"
+ bindPW: "${{ .Values.params.ldap.config.bind_pw_env }}"
+
+ # usernamePrompt: Email Address
+ usernamePrompt: "{{ .Values.params.ldap.config.username_prompt }}"
+
+ userSearch:
+ # The directory directly above the user entry.
+ baseDN: "{{ .Values.params.ldap.config.user_search.base_dn }}"
+ filter: "{{ .Values.params.ldap.config.user_search.filter }}"
+ # Expect user to enter "attuid" when logging in.
+ username: "{{ .Values.params.ldap.config.user_search.username }}"
+ idAttr: "{{ .Values.params.ldap.config.user_search.idAttr }}"
+ # When an email address is not available, use another value unique to the user, like name.
+ emailAttr: "{{ .Values.params.ldap.config.user_search.emailAttr }}"
+ nameAttr: "{{ .Values.params.ldap.config.user_search.nameAttr }}"
+
+ groupSearch:
+ # The directory directly above the group entry.
+ # baseDN: cn=groups,cn=compat,dc=example,dc=org
+ baseDN: "{{ .Values.params.ldap.config.group_search.base_dn }}"
+ filter: "{{ .Values.params.ldap.config.group_search.filter }}"
+
+ # The group search needs to match the "cn" attribute on
+ # the user with the "member" attribute on the group.
+ userMatchers:
+ - userAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.userAttr }}"
+ groupAttr: "{{ .Values.params.ldap.config.group_search.userMatchers.groupAttr }}"
+
+ # Unique name of the group.
+ nameAttr: "{{ .Values.params.ldap.config.group_search.nameAttr }}"
+
 staticClients:
 - id: "{{ .Values.params.oidc.client_id }}"
 name: "{{ .Values.params.site.name }}"
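Review bot: `insecureSkipVerify: true` is hard-coded while every neighbouring setting (host, port, bind DN, prompt) is parameterized, so every install of this chart skips certificate validation on the LDAPS session that carries the bind password and each user's login credentials, and the only way to turn validation back on is to fork the template; make it a value with a safe default, e.g. `insecureSkipVerify: {{ .Values.params.ldap.config.insecure_skip_verify | default false }}`, add the matching key to values.yaml, and consider exposing Dex's `rootCA` option for directories signed by a private CA. The sample lines `# usernamePrompt: Email Address` and `# baseDN: cn=groups,cn=compat,dc=example,dc=org` are leftovers from the upstream example that now contradict the templated values directly beneath them and should be removed. The enclosing `config:` mapping begins outside the hunk.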