This topic explains how to update Dex settings on a running management cluster.
The Pinniped component uses Dex for LDAP identity providers. For OIDC identity providers, Dex is not used. If you want to update a setting that starts with dex. in the values.yaml section of the Pinniped secret for the management cluster, you must perform the following steps:

1. Identify the dex. setting or settings that you want to update. See the table in Update the values.yaml Section.
2. In the Pinniped secret, update the dex. setting or settings that you identified above and follow the steps below:
   a. Set the dex.dns.INFRASTRUCTURE-PROVIDER.ipAddresses and dex.config.dns.INFRASTRUCTURE-PROVIDER.dnsNames array configuration settings. These fields can be set to arrays with any single, non-empty entry, for example, 0.0.0.0, as they are updated automatically.
   b. Set the pinniped.upstream_oidc_issuer_url configuration setting to a non-empty string starting with https. For example, https://0.0.0.0. This field is updated automatically later.
   c. Set the dex.config.staticClients array configuration setting to have a single entry. This setting can be any map with at least the name, id, and secret keys, for example, {name: "example-name", id: "example-id", secret: "example-secret"}, as it is updated automatically.
   d. Add the following overlay to the Pinniped secret:

      #@ load("@ytt:overlay", "overlay")
      #@overlay/match by=overlay.subset({"metadata": {"name" : "upstream-oidc-identity-provider"}})
      ---
      metadata:
        annotations:
          #@overlay/remove
          kapp.k14s.io/update-strategy: always-replace

3. Apply the Pinniped secret.
4. Restart the tanzu-system-auth namespace in the management cluster after you apply the Pinniped secret. To restart the namespace, you can delete the Namespace and wait for the pinniped App to recreate it. You may need to restart the pinniped-post-deploy-job Job in the pinniped-supervisor Namespace after you apply the Pinniped secret. To do this, you can delete the Job and wait for the pinniped App to recreate it.
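
The placeholder rules described above can be checked before the Pinniped secret is applied. The following Python check is an added example, not part of the original documentation or of any Tanzu or Pinniped tooling. It assumes the values.yaml section has already been parsed into nested dicts and that each dotted setting name corresponds to nested map keys; the function names and the sample input are constructed for illustration.

```python
# Added example: pre-apply check for the placeholder values in the steps above.
# Assumption: the values.yaml section is already parsed into nested dicts and
# each dotted setting name on the page corresponds to nested map keys.

def lookup(values, dotted_path):
    """Walk nested dicts along a dotted path; return None if a key is missing."""
    node = values
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_dex_placeholders(values, provider):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    # Both DNS arrays must hold a single, non-empty entry.
    for path in (f"dex.dns.{provider}.ipAddresses",
                 f"dex.config.dns.{provider}.dnsNames"):
        entry = lookup(values, path)
        if not (isinstance(entry, list) and len(entry) == 1 and entry[0]):
            problems.append(f"{path}: need an array with one non-empty entry")
    # The issuer URL must be a non-empty string starting with https.
    url = lookup(values, "pinniped.upstream_oidc_issuer_url")
    if not (isinstance(url, str) and url.startswith("https")):
        problems.append("pinniped.upstream_oidc_issuer_url: must start with https")
    # staticClients must be one map with at least name, id and secret keys.
    clients = lookup(values, "dex.config.staticClients")
    if not (isinstance(clients, list) and len(clients) == 1
            and isinstance(clients[0], dict)
            and {"name", "id", "secret"}.issubset(clients[0])):
        problems.append("dex.config.staticClients: need one entry with name, id, secret")
    return problems

# Constructed sample input, using the placeholder values the page suggests.
P = "INFRASTRUCTURE-PROVIDER"  # placeholder from the page, not a real provider name
SAMPLE = {
    "dex": {
        "dns": {P: {"ipAddresses": ["0.0.0.0"]}},
        "config": {
            "dns": {P: {"dnsNames": ["0.0.0.0"]}},
            "staticClients": [{"name": "example-name", "id": "example-id",
                               "secret": "example-secret"}],
        },
    },
    "pinniped": {"upstream_oidc_issuer_url": "https://0.0.0.0"},
}

if __name__ == "__main__":
    print(check_dex_placeholders(SAMPLE, P) or "OK")
```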