The procedure in this topic describes how to deploy Dex on a Tanzu Kubernetes Grid management cluster that is running in vSphere, and connect it to an LDAP server.



  1. Navigate to the bundle of Tanzu Kubernetes Grid extension manifests and open the file tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/02-certs-selfsigned.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/02-certs-selfsigned.yaml
  2. Modify 02-certs-selfsigned.yaml with information about your management cluster.

    Replace <MGMT_CLUSTER_IP1> and <MGMT_CLUSTER_IP2> with the IP addresses of the control plane nodes for your management cluster. Remove the row for <MGMT_CLUSTER_IP2> if your management cluster has a single node control plane. Add more rows if your control plane has more than two nodes.

  3. Open the Dex configuration map file tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/03-cm.yaml in a text editor.

    For example, use vi to edit the file.

    vi tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/03-cm.yaml
  4. Modify 03-cm.yaml with information about your management cluster and LDAP server.

    • Replace <MGMT_CLUSTER_IP> with the IP address of one of the control plane nodes of your management cluster.
    • If the LDAP server is listening on the default port 636, which is the secured configuration, replace <LDAP_HOST> with the IP or DNS address of your LDAP server. If the LDAP server is listening on any other port, replace <LDAP_HOST> with the address and port of the LDAP server, for example or
    • If your LDAP server is configured to listen on an unsecured connection, uncomment insecureNoSSL: true. Note that such connections are not recommended as they send credentials in plain text over the network.
    • Update the userSearch and groupSearch parameters with your LDAP server configuration.
  5. Set the context of kubectl to the context of your management cluster.

    For example, if your cluster is named my-cluster, run the following command.

    kubectl config use-context my-cluster-admin@my-cluster
  6. Apply all of the YAML files in the tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap folder to your management cluster, in order.

    1. Create a namespace named tanzu-system-auth in your management cluster for the authentication service.
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/01-namespace.yaml
    2. Generate a self-signed certificate.
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/02-certs-selfsigned.yaml
    3. Deploy your LDAP configuration.
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/03-cm.yaml
    4. Configure Role-Based Access Control (RBAC):
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/04-rbac.yaml
    5. Deploy Dex.
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/05-deployment.yaml
    6. Create Dex NodePort service.
      kubectl apply -f tkg-extensions-v1.1.0/authentication/dex/vsphere/ldap/06-service.yaml
  7. Run kubectl get pods -A to list all of the pods running in the management cluster.

    You should see the Dex service running in a pod with a name similar to dex-6849555c67-bqmpd.

What to Do Next

Deploy an Authentication-Enabled Cluster, that has an embedded OIDC endpoint that can connect to your LDAP server.

check-circle-line exclamation-circle-line close-line
Scroll to top icon