This topic explains how to update Dex settings on a running management cluster.

Update Dex Settings

The Pinniped core package, or add-on, uses Dex for LDAP identity providers. For OIDC identity providers, Dex is not used. If you want to update a setting that starts with dex. in the values.yaml section of the Pinniped secret for the management cluster, you must perform the following steps:

  1. Identify the dex. setting or settings that you want to update. See the table in Update the values.yaml Section.
  2. Retrieve the Pinniped secret for the management cluster as described in Update the values.yaml Section.
  3. In the Pinniped secret, update the dex. setting or settings that you identified above and follow the steps below:

    1. Set the dex.dns.INFRASTRUCTURE-PROVIDER.ipAddresses and dex.config.dns.INFRASTRUCTURE-PROVIDER.dnsNames array configuration settings. These fields can be set to arrays with any single, non-empty entry, for example, 0.0.0.0, as they are updated automatically.
    2. Set the pinniped.upstream_oidc_issuer_url configuration setting to a non-empty string starting with https. For example, https://0.0.0.0. This field is updated automatically later.
    3. Set the dex.config.staticClients array configuration setting to have a single entry. This setting can be any map with at least the name, id, and secret keys, for example, {name: "example-name", id: "example-id", secret: "example-secret"}, as it is updated automatically.
    4. Add the following overlay to the Pinniped secret:

      #@ load("@ytt:overlay", "overlay")
      #@overlay/match by=overlay.subset({"metadata": {"name" : "upstream-oidc-identity-provider"}})
      ---
      metadata:
        annotations:
          #@overlay/remove
          kapp.k14s.io/update-strategy: always-replace
      
  4. Apply the Pinniped secret.

  5. Restart the tanzu-system-auth namespace in the management cluster after you apply the Pinniped secret. To restart the namespace, you can delete the Namespace and wait for the pinniped App to recreate it. You may need to restart the pinniped-post-deploy-job Job in the pinniped-supervisor Namespace after you apply the Pinniped secret. To do this, you can delete the Job and wait for the pinniped App to recreate it.