This topic describes how to deploy Dex on a Tanzu Kubernetes Grid management cluster that is running in Amazon EC2.

This release of Tanzu Kubernetes Grid supports using Dex with OIDC in management clusters that you deploy to Amazon EC2. LDAP is not supported for Amazon EC2 deployments.



  1. Set the focus of kubectl to the context of your management cluster.

    For example, if your cluster is named my-management-cluster, run the following command.

    kubectl config use-context my-management-cluster-admin@my-management-cluster
  2. Create a namespace named tanzu-system-auth in your management cluster for the authentication service.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/01-namespace.yaml
  3. Create the Dex service

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/02-service.yaml
  4. Get the hostname of the load balancer of the Dex service.

    kubectl get svc dexsvc -n tanzu-system-auth -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'
  5. Open 03-certs-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/03-certs-selfsigned.yaml
  6. Replace <DEX_SVC_LB_HOSTNAME> with the hostname of the load balancer of the Dex service, from the previous step.
  7. Create the self-signed certificate.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/03-certs-selfsigned.yaml
  8. Open Dex configuration map file, 04-cm.yaml, in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml
  9. Update 04-cm.yaml with information about your load balancer and OIDC provider.

    • Replace <DEX_SVC_LB_HOSTNAME> with the hostname of the load balancer of the Dex service.
    • Replace <OIDC_IDP_URL> with the IP or DNS address of the your OIDC provider, for example an Okta server.
  10. Apply the configuration map to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/04-cm.yaml
  11. Configure Role-Based Access Control (RBAC).

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/05-rbac.yaml
  12. Create a secret file from the provided example.

    cp tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.example tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml
  13. Open the OIDC secret file in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml
  14. Replace <CLIENT_ID> and <CLIENT_SECRET> with Base64 values client_id and secret that you obtain from your OIDC provider.

    For example, if your provider is Okta, log in to Okta, create a Web application, and select the Client Credentials options in order to get a client_id and secret.

  15. Pass the secret to the cluster.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-0-secret.yaml
  16. Create the Dex deployment.

    kubectl apply -f tkg-extensions-v1.0.0/authentication/dex/aws/oidc/06-deployment.yaml
  17. Run kubectl get pods --namespace tanzu-system-auth to see the pod that is running the Dex service.

    The service is running in a pod with a name similar to dex-6849555c67-bqmpd.

What to Do Next

Deploy an Authentication-Enabled Cluster, that has an embedded OIDC endpoint that can connect to your OIDC provider.

check-circle-line exclamation-circle-line close-line
Scroll to top icon