
KKP 2.27+: Fix & Improve Dex Configuration Docu #1843

Open
@toschneck

Description

@toschneck

After the change to the upstream DEX charts, finding the correct DEX config got even harder than before. See the migration guide:

In addition to that, the docu is

Besides the wrong config, the above screenshotted docu part is very hard to read and hard to understand for newbies getting started with KKP. In general I would prefer:

  • We ship KKP with sane defaults, e.g. a directly preconfigured DEX with a static admin user / password.
  • The docu shows a working example configuration of the combination of values.yaml + KubermaticConfiguration object. The delivered example charts/ + the KKP-set defaults in the docs/zz_XXX files are somehow not really mentioned and could be included better.

Copy of a working example config of our demo environment:

values.yaml

# DEX Config
# ====== oauth via DEX ======
### Following https://docs.kubermatic.com/kubermatic/v2.27/installation/upgrading/upgrade-from-2.26-to-2.27/#migration-procedure
# Tell the KKP installer to install the new dex Chart into the
# "dex" namespace, instead of the old oauth Chart.
useNewDexChart: true
dex:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  ingress:
    hosts:
      # Required: host must be set; usually this is the same
      # host as is used for the KKP Dashboard, but it can be
      # any other name.
      - host: demo.kubermatic.io
        paths:
          - path: /dex
            pathType: ImplementationSpecific
    tls:
      - secretName: dex-tls
        hosts:
          # Required: must include at least the host chosen above.
          - demo.kubermatic.io
  config:
    issuer: https://demo.kubermatic.io/dex
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: xxxx-secret-from-github-xxxx
          clientSecret: xxxx-secret-from-github-xxxx
          redirectURI: https://demo.kubermatic.io/dex/callback
          orgs:
            - name: kubermatic
      - type: google
        id: google
        name: Google
        config:
          clientID: xxxx-secret-from-google-xxxx
          clientSecret: xxxx-secret-from-google-xxxx
          redirectURI: https://demo.kubermatic.io/dex/callback
          hostedDomains:
            - kubermatic.com
            - kubermatic.training
      - type: oidc
        id: keycloak
        name: E-Mail (external)
        config:
          issuer: https://kck.demo.kubermatic.io/realms/external
          clientID: xxxx-secret-from-keycloak-xxxx
          clientSecret: xxxx-secret-from-keycloak-xxxx
          redirectURI: https://demo.kubermatic.io/dex/callback
          scopes:
            - profile
            - email
            - groups
          insecureSkipEmailVerified: true
          insecureEnableGroups: true
          userIDKey: email
          userNameKey: email
    staticClients:
      - id: kubermatic
        name: Kubermatic
        secret: xxxx-kubermatic-generated-sec-xxxx
        RedirectURIs:
          - https://demo.kubermatic.io
          - https://demo.kubermatic.io/clusters
          - https://demo.kubermatic.io/projects
        #OIDC account
      - id: kubermaticIssuer
        name: KubermaticIssuer
        secret: xxxx-kubermatic-generated-sec-xxxx
        RedirectURIs:
          - https://demo.kubermatic.io/api/v1/kubeconfig
          - https://demo.kubermatic.io/api/v2/dashboard/login
          - https://demo.kubermatic.io/api/v2/kubeconfig/secret
      - id: grafana
        name: grafana
        secret: xxxx-generated-xxxx
        RedirectURIs:
          - https://grafana.demo.kubermatic.io/oauth/callback
      - id: prometheus
        name: prometheus
        secret: xxxx-generated-xxxx
        RedirectURIs:
          - https://prometheus.demo.kubermatic.io/oauth/callback
      - id: alertmanager
        name: alertmanager
        secret: xxxx-generated-xxxx
        RedirectURIs:
          - https://alertmanager.demo.kubermatic.io/oauth/callback
      # mla seed "dc-seed"
      - id: mla-grafana
        name: mla-grafana
        secret: xxxx-generated-xxxx
        RedirectURIs:
          - https://grafana.dc-seed.demo.kubermatic.io/oauth/callback
      - id: mla-alertmanager
        name: mla-alertmanager
        secret: xxxx-generated-xxxx
        RedirectURIs:
          - https://alertmanager.dc-seed.demo.kubermatic.io/oauth/callback

kubermatic-config.yaml

apiVersion: kubermatic.k8c.io/v1
kind: KubermaticConfiguration
metadata:
  name: kubermatic
  namespace: kubermatic
spec:
  auth:
    clientID: kubermatic
    issuerClientID: kubermaticIssuer
    issuerClientSecret: xxxx-kubermatic-generated-sec-xxxx  #same values as in dex
    issuerCookieKey: xxxx-generated-xxxx
    issuerRedirectURL: https://demo.kubermatic.io/api/v1/kubeconfig
    serviceAccountKey: xxxx-generated-xxxx
    tokenIssuer: https://demo.kubermatic.io/dex

  ingress:
    certificateIssuer:
      kind: ClusterIssuer
      name: letsencrypt-prod
    domain: demo.kubermatic.io
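The two files above only work together when the KubermaticConfiguration auth block matches the Dex static clients (same issuer, same client IDs, same issuer client secret, redirect URLs registered in Dex). The following checker is an added example, not part of this issue or of KKP; it assumes both files have already been parsed into dicts (e.g. with PyYAML) and uses constructed samples with placeholder secrets that mirror the structure shown above.

```python
"""Cross-check the 'dex' section of values.yaml against a KubermaticConfiguration."""

# Constructed samples mirroring the issue's configs (secrets are placeholders).
DEX = {
    "config": {
        "issuer": "https://demo.kubermatic.io/dex",
        "connectors": [{"type": "github", "id": "github",
                        "config": {"redirectURI": "https://demo.kubermatic.io/dex/callback"}}],
        "staticClients": [
            {"id": "kubermatic", "secret": "placeholder-dashboard-secret",
             "RedirectURIs": ["https://demo.kubermatic.io", "https://demo.kubermatic.io/projects"]},
            {"id": "kubermaticIssuer", "secret": "placeholder-issuer-secret",
             "RedirectURIs": ["https://demo.kubermatic.io/api/v1/kubeconfig"]},
        ],
    },
}
KKP = {"spec": {"auth": {"clientID": "kubermatic", "issuerClientID": "kubermaticIssuer",
                         "issuerClientSecret": "placeholder-issuer-secret",
                         "issuerRedirectURL": "https://demo.kubermatic.io/api/v1/kubeconfig",
                         "tokenIssuer": "https://demo.kubermatic.io/dex"},
                "ingress": {"domain": "demo.kubermatic.io"}}}


def redirect_uris(client):
    # Dex decodes YAML via JSON, so both 'redirectURIs' and 'RedirectURIs' spellings are seen in the wild.
    return client.get("redirectURIs") or client.get("RedirectURIs") or []


def check(dex, kkp):
    """Return a list of mismatches between the Dex chart values and the KKP auth block."""
    cfg, auth = dex["config"], kkp["spec"]["auth"]
    clients = {c["id"]: c for c in cfg.get("staticClients", [])}
    problems = []
    if auth["tokenIssuer"] != cfg["issuer"]:
        problems.append("tokenIssuer != dex issuer")
    if auth["clientID"] not in clients:
        problems.append(f"clientID {auth['clientID']} has no staticClient")
    elif f"https://{kkp['spec']['ingress']['domain']}" not in redirect_uris(clients[auth["clientID"]]):
        problems.append("dashboard URL missing from clientID RedirectURIs")
    issuer_client = clients.get(auth["issuerClientID"])
    if issuer_client is None:
        problems.append(f"issuerClientID {auth['issuerClientID']} has no staticClient")
    else:
        if issuer_client.get("secret") != auth["issuerClientSecret"]:
            problems.append("issuerClientSecret differs from staticClient secret")
        if auth["issuerRedirectURL"] not in redirect_uris(issuer_client):
            problems.append("issuerRedirectURL missing from issuer client RedirectURIs")
    for conn in cfg.get("connectors", []):  # every connector must call back into this Dex issuer
        if conn.get("config", {}).get("redirectURI") != cfg["issuer"] + "/callback":
            problems.append(f"connector {conn['id']} redirectURI != issuer/callback")
    return problems
```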
