Dex Provider: Installation & Configuration
Installation and Configuration
Installation
TypeScript/JavaScript
Install the provider using npm:
npm install @kotaicode/pulumi-dex
Go
Install the provider using go get (fetches the Go module at sdk/go; the package import path is .../sdk/go/dex):
go get github.com/kotaicode/pulumi-dex/sdk/go
Python
Install the provider using pip:
pip install pulumi-dex
Provider Binary
The provider binary is automatically downloaded by Pulumi when you use the provider. If you need to install it manually:
pulumi plugin install resource dex v0.1.0
Or download from GitHub Releases.
Configuration
The provider requires configuration to connect to your Dex gRPC API.
Required Configuration
host(string): Dex gRPC host and port (e.g.,dex.example.com:5557)
Optional Configuration
caCert(string, secret): PEM-encoded CA certificate for validating Dex’s TLS certificateclientCert(string, secret): PEM-encoded client certificate for mTLS authenticationclientKey(string, secret): PEM-encoded private key for the client certificateinsecureSkipVerify(boolean): Skip TLS verification (development only, default:false)timeoutSeconds(number): Per-RPC timeout in seconds (default:5)
Configuration Examples
TypeScript
import * as dex from "@kotaicode/pulumi-dex";
import * as fs from "fs";
// Production configuration with mTLS
const provider = new dex.Provider("dex", {
host: "dex.example.com:5557",
caCert: fs.readFileSync("certs/ca.crt", "utf-8"),
clientCert: fs.readFileSync("certs/client.crt", "utf-8"),
clientKey: fs.readFileSync("certs/client.key", "utf-8"),
timeoutSeconds: 10,
});
// Development configuration (insecure)
const devProvider = new dex.Provider("dex-dev", {
host: "localhost:5557",
insecureSkipVerify: true,
});
Go
import (
"github.com/kotaicode/pulumi-dex/sdk/go/dex"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"os"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
caCert, _ := os.ReadFile("certs/ca.crt")
clientCert, _ := os.ReadFile("certs/client.crt")
clientKey, _ := os.ReadFile("certs/client.key")
provider, err := dex.NewProvider(ctx, "dex", &dex.ProviderArgs{
Host: pulumi.String("dex.example.com:5557"),
CaCert: pulumi.String(string(caCert)),
ClientCert: pulumi.String(string(clientCert)),
ClientKey: pulumi.String(string(clientKey)),
TimeoutSeconds: pulumi.Int(10),
})
if err != nil {
return err
}
// Use provider...
return nil
})
}
Python
import pulumi_dex as dex
# Production configuration
provider = dex.Provider("dex",
host="dex.example.com:5557",
ca_cert=open("certs/ca.crt").read(),
client_cert=open("certs/client.crt").read(),
client_key=open("certs/client.key").read(),
timeout_seconds=10
)
# Development configuration
dev_provider = dex.Provider("dex-dev",
host="localhost:5557",
insecure_skip_verify=True
)
Environment Variables
You can also configure the provider using environment variables, though you’ll still need to create a provider instance in your Pulumi program:
export DEX_HOST="dex.example.com:5557"
export DEX_CA_CERT="$(cat certs/ca.crt)"
export DEX_CLIENT_CERT="$(cat certs/client.crt)"
export DEX_CLIENT_KEY="$(cat certs/client.key)"
export DEX_TIMEOUT_SECONDS="10"
Then reference them in your code:
const provider = new dex.Provider("dex", {
host: process.env.DEX_HOST!,
caCert: process.env.DEX_CA_CERT,
clientCert: process.env.DEX_CLIENT_CERT,
clientKey: process.env.DEX_CLIENT_KEY,
timeoutSeconds: parseInt(process.env.DEX_TIMEOUT_SECONDS || "5"),
});
Dex Setup Requirements
Enable gRPC API
Ensure your Dex instance has the gRPC API enabled. In your Dex configuration:
grpc:
addr: 0.0.0.0:5557
tlsCert: /etc/dex/tls/grpc-server.crt
tlsKey: /etc/dex/tls/grpc-server.key
tlsClientCA: /etc/dex/tls/grpc-client-ca.crt
Enable Connector CRUD (for connector management)
For managing connectors via the API, Dex must be started with:
DEX_API_CONNECTORS_CRUD=true dex serve config.yaml
Or in your deployment:
env:
- name: DEX_API_CONNECTORS_CRUD
value: "true"
Network Access
Ensure your Pulumi program can reach Dex’s gRPC endpoint:
- Default port:
5557 - Protocol: gRPC (HTTP/2)
- For production: Use TLS/mTLS
Local development and testing
To build, generate SDKs, and test against a local Dex instance:
Build the provider and generate schema/SDKs (from repo root):
make build make generate-schema # writes schema.json from the built binary (needs Pulumi CLI) make generate-sdks # generates TypeScript, Go, and Python SDKs from schema.jsonInstall the provider so Pulumi can find it:
make installOr manually:
pulumi plugin install resource dex v0.1.0 --file bin/pulumi-resource-dexStart local Dex (Docker required):
make dex-upRun the TypeScript example:
cd examples/typescript npm install pulumi stack init dev # or pulumi stack select dev pulumi preview pulumi up # confirm with yesSee
examples/typescript/TESTING.mdfor more detail and troubleshooting.Test the Go SDK (optional). In a separate Go project:
go mod init myapp go get github.com/kotaicode/pulumi-dex/sdk/goThen use
import "github.com/kotaicode/pulumi-dex/sdk/go/dex"in your Pulumi program. To test against the provider repo before publishing, use areplacein yourgo.mod:replace github.com/kotaicode/pulumi-dex/sdk/go => /path/to/pulumi-provider-dex/sdk/goStop Dex when done:
make dex-down(from repo root).
Security Best Practices
- Use TLS/mTLS in Production: Never use
insecureSkipVerify: truein production - Protect Secrets: Use Pulumi secrets for sensitive configuration:
const provider = new dex.Provider("dex", { host: "dex.example.com:5557", clientKey: pulumi.secret(fs.readFileSync("certs/client.key", "utf-8")), }); - Restrict Network Access: Limit access to Dex’s gRPC API to trusted networks/IPs
- Rotate Certificates: Regularly rotate mTLS certificates
- Monitor Access: Monitor Dex logs for unauthorized access attempts
Troubleshooting
Connection Errors
Error: failed to connect to Dex
- Verify Dex is running and gRPC API is enabled
- Check network connectivity to Dex host:port
- Verify firewall rules allow gRPC traffic
Error: certificate verify failed
- Ensure CA certificate matches Dex’s certificate chain
- Check certificate expiration dates
- For development, use
insecureSkipVerify: true(not recommended for production)
Authentication Errors
Error: authentication failed
- Verify client certificate and key are correct
- Ensure client certificate is signed by Dex’s trusted CA
- Check that mTLS is properly configured on both sides
Timeout Errors
Error: context deadline exceeded
- Increase
timeoutSecondsif operations are slow - Check network latency to Dex
- Verify Dex is not overloaded
Next Steps
- See Resource Documentation for available resources
- Check Examples for complete working examples
- Review Dex Documentation for Dex-specific configuration
