{"id":13604500,"url":"https://github.com/gini/dexter","last_synced_at":"2025-04-04T07:06:37.474Z","repository":{"id":41081461,"uuid":"129801152","full_name":"gini/dexter","owner":"gini","description":"dexter is a Kubernetes OIDC helper with as much automation as possible","archived":false,"fork":false,"pushed_at":"2025-03-17T12:18:43.000Z","size":3707,"stargazers_count":165,"open_issues_count":12,"forks_count":28,"subscribers_count":8,"default_branch":"master","last_synced_at":"2025-03-28T06:07:25.468Z","etag":null,"topics":["go","golang","google","kubernetes","oauth2","oidc"],"latest_commit_sha":null,"homepage":"https://blog.gini.net/frictionless-kubernetes-openid-connect-integration-f1c356140937","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gini.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-16T20:25:57.000Z","updated_at":"2025-02-11T13:24:27.000Z","dependencies_parsed_at":"2024-01-16T23:28:51.731Z","dependency_job_id":"fb90a19b-fb1d-4e86-bf08-ffda3727a93d","html_url":"https://github.com/gini/dexter","commit_stats":{"total_commits":76,"total_committers":13,"mean_commits":5.846153846153846,"dds":0.5,"last_synced_commit":"61982e305668bfee5771f483c2c0e5f0ca2bbab5"},"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gini%2Fdexter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gini%2Fdexter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/gini%2Fdexter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gini%2Fdexter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gini","download_url":"https://codeload.github.com/gini/dexter/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247135144,"owners_count":20889421,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","google","kubernetes","oauth2","oidc"],"created_at":"2024-08-01T19:00:46.829Z","updated_at":"2025-04-04T07:06:37.447Z","avatar_url":"https://github.com/gini.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# dexter\n\n`dexter` is an OIDC (OpenID Connect) helper to create a hassle-free Kubernetes login experience powered by Google or Azure as the Identity Provider.\nAll you need is a properly configured Google or Azure client ID \u0026 secret.\n\n## Supported identity providers\n\n| Identity Provider  | State    |\n|--------------------|----------|\n|  Google            | complete |\n|  Microsoft Azure   | complete |\n\n## Authentication Flow\n\n`dexter` will open a new browser tab/window and redirect you to your configured IdP. 
The only interaction required is logging in at your provider; your k8s config is then updated automatically.\n\n![dexter flow](/assets/dexter_flow.png?raw=true \"dexter flow\")\n\n## See dexter in action\n\n![dexter in action](/assets/dexter.gif?raw=true \"dexter in action\")\n\n## OIDC Provider Configuration\n\nEach OpenID Connect provider requires some configuration. This basic\ndescription may not be all you have to do, but it worked at the time of\nwriting.\n\n### Google\n\n  - Open [console.developers.google.com](https://console.developers.google.com)\n  - Create new credentials\n    - OAuth Client ID\n    - Web Application\n    - Authorized redirect URIs: http://127.0.0.1:64464/callback\n\n### Microsoft Azure\n\n  - Open [portal.azure.com](https://portal.azure.com)\n  - Go to App registrations and create a new app\n    - Enter reply URI http://127.0.0.1:64464/callback\n    - Create secret key\n    - Collect the application ID (client ID)\n\n### Auto pilot configuration\n\n`dexter` also supports auto pilot mode. If your existing kubectl context uses one of the supported Identity Providers, `dexter` will try to extract the OIDC data from your kubeconfig.\n\n## Installation\n\nYou can download a prebuilt version from the [GitHub release section](https://github.com/gini/dexter/releases) or build it yourself.\nThe easiest way to get everything set up correctly (e.g. ldflags) is to use [goreleaser](https://goreleaser.com).\n\n```\n# cd DEXTER_SOURCE\n# goreleaser release --snapshot --clean\n• releasing...\n• loading config file       file=.goreleaser.yml\n• loading environment variables\n• getting and validating git state\n   • building...               commit=377677a03da17461acf7775519518fb3336e6753 latest tag=v0.4.1\n   • pipe skipped              error=disabled during snapshot mode\n• parsing tag\n• running before hooks\n   • running                   hook=go mod tidy\n• setting defaults\n• snapshotting\n   • building snapshot...      
version=0.4.2-next\n• checking distribution directory\n   • --rm-dist is set, cleaning it up\n• loading go mod information\n• build prerequisites\n• writing effective config file\n   • writing                   config=dist/config.yaml\n• building binaries\n   • building                  binary=dist/dexter_darwin_arm64/dexter\n   • building                  binary=dist/dexter_darwin_amd64/dexter\n   • building                  binary=dist/dexter_linux_amd64/dexter\n• universal binaries\n   • creating from 2 binaries  binary=dist/dexter_darwin_all/dexter\n• archives\n   • creating                  archive=dist/dexter_0.4.2-next_Linux_x86_64.tar.gz\n   • creating                  archive=dist/dexter_0.4.2-next_Darwin_all.tar.gz\n• calculating checksums\n• storing release metadata\n   • writing                   file=dist/artifacts.json\n   • writing                   file=dist/metadata.json\n• release succeeded after 8.18s\n```\n\nCheck `./dist` for the build that matches your platform.\n\n### Embed credentials and template\n\nYou can also customize the build and embed client credentials and a default kubectl config into the binary. Again, using `goreleaser` for the build is the easiest approach.\nClient credentials are embedded automatically when you set the following two environment variables.\n\n```\nCLIENT_ID=abc123.apps.googleusercontent.com\nCLIENT_SECRET=mySecret\n```\n\nYou can streamline your user experience even more by also specifying a default provider. 
`dexter auth` will then run the specified provider.\nValid choices are `google` and `azure`.\n\n```\nDEFAULT_PROVIDER=google\n```\n\nIf you want to change the default config template that is deployed when there is no config on the system, you have to replace the contents of `./tmpl/kube-config.yaml` with your valid kubectl configuration.\nThis can come in handy if you want to pre-populate clusters and certificates.\n\n```\napiVersion: v1\nclusters:\n- cluster:\n    certificate-authority-data: XXX\n    server: https://stage.cluster:6443\n  name: stage\n- cluster:\n    certificate-authority-data: YYY\n    server: https://production.cluster:6443\n  name: production\ncontexts:\n- context:\n    cluster: stage\n    user: {{ .User }}\n  name: stage\n- context:\n    cluster: production\n    user: {{ .User }}\n  name: production\ncurrent-context: stage\nkind: Config\npreferences: {}\n```\n\nPlease make sure that you have `{{ .User }}` in all contexts that you want to enrich with the OIDC account you are about to configure.\n\n## Run dexter\n\nRun `dexter` without a command to access the help screen/intro.\n\n```\n❯ ./dexter\n    .___               __\n  __| _/____ ___  ____/  |_  ___________\n / __ |/ __ \\\\  \\/  /\\   __\\/ __ \\_  __ \\\n/ /_/ \\  ___/ \u003e    \u003c  |  | \\  ___/|  | \\/\n\\____ |\\___  \u003e__/\\_ \\ |__|  \\___  \u003e__|\n     \\/    \\/      \\/           \\/\n\ndexter is a authentication helper for Kubernetes that does the heavy\nlifting for SSO (Single Sign On) for Kubernetes.\n\nUsage:\n  dexter [command]\n\nAvailable Commands:\n  auth        Authenticate with OIDC provider\n  help        Help about any command\n  version     Print the version number of dexter\n\nFlags:\n  -h, --help          help for dexter\n      --timeout int   Timeout for HTTP requests to OIDC providers (default 2)\n  -v, --verbose       verbose output\n\nUse \"dexter [command] --help\" for more information about a command.\n```\n\nRunning `dexter auth [Idp]` will 
start the authentication process.\n\n```\n ❯ ./dexter auth --help\nUse a provider sub-command to authenticate against your identity provider of choice.\nFor details go to: https://gini.net/en/blog/frictionless-kubernetes-openid-connect-integration/\n\nUsage:\n  dexter auth [flags]\n  dexter auth [command]\n\nAvailable Commands:\n  azure       Authenticate with the Microsoft Azure Identity Provider\n  google      Authenticate with the Google Identity Provider\n\nFlags:\n  -c, --callback string        Callback URL. The listen address is dreived from that. (default \"http://127.0.0.1:64464/callback\")\n  -i, --client-id string       Google clientID (default \"REDACTED\")\n  -s, --client-secret string   Google clientSecret (default \"REDACTED\")\n  -d, --dry-run                Toggle config overwrite\n  -h, --help                   help for auth\n  -k, --kube-config string     Overwrite the default location of kube config (default \"/Users/dkerwin/.kube/config\")\n  -t, --kube-template          Use the embedded template when there is no kubectl configuration (default true)\n  -u, --kube-username string   Username identifier in the kube config\n  -f, --write-email string     Write user email to the specified file for use with other tooling\n\nGlobal Flags:\n  -v, --verbose   verbose output\n\nUse \"dexter auth [command] --help\" for more information about a command.\n```\n\n## Contribution Guidelines\n\nIt's awesome that you consider contributing to `dexter` and it's really simple. 
Here's how it's done:\n\n  - fork the repository on GitHub\n  - create a topic/feature branch\n  - push your changes\n  - update documentation if necessary\n  - open a pull request\n\n## Authors \u0026 Contributors\n\nInitial code was written by [Daniel Kerwin](mailto:daniel@gini.net) \u0026 David González Ruiz\n\nContributors (in alphabetical order):\n-   https://github.com/andrewsav-bt\n-   https://github.com/cblims\n-   https://github.com/Lujeni\n-   https://github.com/pussinboots\n-   https://github.com/tillepille\n\nThank you so much!\n\n## Acknowledgements\n\n`dexter` was inspired by this [blog post series](https://thenewstack.io/tag/Kubernetes-SSO-series) by [Joel Speed](https://thenewstack.io/author/joel-speed/), [Micah Hausler's k8s-oidc-helper](https://github.com/micahhausler/k8s-oidc-helper) \u0026 [CoreOS dex](https://github.com/coreos/dex).\n\n## License\n\nMIT License. See [License](/LICENSE) for full text.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgini%2Fdexter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgini%2Fdexter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgini%2Fdexter/lists"}