kubermatic · mohamed-rafraf · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025
diff --git a/hack/ci/run-api-e2e.sh b/hack/ci/run-api-e2e.sh
@@ -46,31 +46,31 @@ export KUBERMATIC_LDAP_LOGIN="[email protected]"
 export KUBERMATIC_LDAP_PASSWORD="foo"
 
 # Append Dex configuration with ldap connector
-cat << EOF >> hack/ci/testdata/oauth_values.yaml
-  connectors:
-  - type: ldap
-    name: OpenLDAP
-    id: ldap
-    config:
-      host: openldap.${LDAP_NAMESPACE}.svc.cluster.local:389
-      insecureNoSSL: true
-      bindDN: cn=admin,dc=example,dc=org
-      bindPW: admin
-      usernamePrompt: Email Address
-      userSearch:
-        baseDN: ou=People,dc=example,dc=org
-        filter: "(objectClass=person)"
-        username: mail
-        idAttr: DN
-        emailAttr: mail
-        nameAttr: cn
-      groupSearch:
-        baseDN: ou=Groups,dc=example,dc=org
-        filter: "(objectClass=groupOfNames)"
-        userMatchers:
-          - userAttr: DN
-            groupAttr: member
-        nameAttr: cn
+cat << EOF >> hack/ci/testdata/dex_values.yaml
+    connectors:
+    - type: ldap
+      name: OpenLDAP
+      id: ldap
+      config:
+        host: openldap.${LDAP_NAMESPACE}.svc.cluster.local:389
+        insecureNoSSL: true
+        bindDN: cn=admin,dc=example,dc=org
+        bindPW: admin
+        usernamePrompt: Email Address
+        userSearch:
+          baseDN: ou=People,dc=example,dc=org
+          filter: "(objectClass=person)"
+          username: mail
+          idAttr: DN
+          emailAttr: mail
+          nameAttr: cn
+        groupSearch:
+          baseDN: ou=Groups,dc=example,dc=org
+          filter: "(objectClass=groupOfNames)"
+          userMatchers:
+            - userAttr: DN
+              groupAttr: member
+          nameAttr: cn
 EOF
 
 retry 2 kubectl create ns ${LDAP_NAMESPACE}

diff --git a/hack/ci/setup-kubermatic-in-kind.sh b/hack/ci/setup-kubermatic-in-kind.sh
@@ -60,7 +60,7 @@ export KUBERMATIC_YAML="${KUBERMATIC_YAML:-hack/ci/testdata/kubermatic.yaml}"
 export KUBERMATIC_API_ENDPOINT="http://localhost:8080"
 
 # Tell the Go tests what dummy account we configure for the e2e tests.
-export KUBERMATIC_DEX_VALUES_FILE=$(realpath hack/ci/testdata/oauth_values.yaml)
+export KUBERMATIC_DEX_VALUES_FILE=$(realpath hack/ci/testdata/dex_values.yaml)
 export KUBERMATIC_OIDC_LOGIN="[email protected]"
 export KUBERMATIC_OIDC_PASSWORD="password"
 
@@ -147,7 +147,7 @@ telemetry:
 EOF
 
 # append custom Dex configuration
-cat hack/ci/testdata/oauth_values.yaml >> $HELM_VALUES_FILE
+cat hack/ci/testdata/dex_values.yaml >> $HELM_VALUES_FILE
 
 # to potentially make use of the EE images, we need to authenticate to quay.io first
 retry 5 docker login -u "$QUAY_IO_USERNAME" -p "$QUAY_IO_PASSWORD" quay.io

diff --git a/hack/ci/testdata/dex_values.yaml b/hack/ci/testdata/dex_values.yaml
@@ -0,0 +1,71 @@
+# Copyright 2025 The Kubermatic Kubernetes Platform contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file is not just a Helm values.yaml, but also used by the e2e test for constructing
+# a matching OIDC client for fetching an access token. The file is also used by the dashboard
+# when setting up Kubermatic, so the configuration must match.
+# NB: Our Go code does not load the default values.yaml, so especially for the ingress
+# config you cannot rely on defaults.
+
+dex:
+  replicaCount: 2
+  ingress:
+
+    enabled: true
+    className: "nginx"
+    hosts:
+      - host: "dex.dex"
+        paths:
+          - path: /dex
+            pathType: ImplementationSpecific
+    tls: []
+  config:
+    issuer: http://dex.dex:5556/dex
+    expiry:
+      signingKeys: "6h"
+      idTokens: "24h"
+    oauth2:
+      skipApprovalScreen: true
+      responseTypes:
+        - code
+        - token
+        - id_token
+    storage:
+      type: kubernetes
+      config:
+        inCluster: true
+    frontend:
+      issuer: dex
+      dir: /srv/dex/web
+      logoURL: theme/logo.svg
+      theme: light
+    enablePasswordDB: true
+    staticClients:
+    - id: kubermatic
+      name: Kubermatic
+      secret: BDZleMTgqON5kiJybIBZM4Si
+      RedirectURIs:
+      # used by Kubermatic's tests
+      - http://localhost:8000
+      # used by the dashboard
+      - http://localhost:8000/projects
+    staticPasswords:
+    - email: "[email protected]"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "roxy"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5468"
+    - email: "[email protected]"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "roxy-admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5469"
diff --git a/hack/ci/testdata/kubermatic.yaml b/hack/ci/testdata/kubermatic.yaml
@@ -44,6 +44,6 @@ spec:
     dockerTag: '__DASHBOARD_VERSION__'
   # Dex integration
   auth:
-    tokenIssuer: "http://dex.oauth:5556/dex"
+    tokenIssuer: "http://dex.dex:5556/dex"
     issuerRedirectURL: "http://localhost:8000"
     serviceAccountKey: "__SERVICE_ACCOUNT_KEY__"
diff --git a/hack/ci/testdata/oauth_values.yaml b/hack/ci/testdata/oauth_values.yaml
diff --git a/modules/api/pkg/test/e2e/utils/dex/helm.go b/modules/api/pkg/test/e2e/utils/dex/helm.go
@@ -39,7 +39,7 @@ type helmValues struct {
 	} `yaml:"dex"`
 }
 
-// NewClientFromHelmValues is a helper for e2e tests, reading the hack/ci/testdata/oauth_values.yaml
+// NewClientFromHelmValues is a helper for e2e tests, reading the hack/ci/testdata/dex_values.yaml
 // to provide a matching OIDC client. We use this instead of spreading the client ID etc.
 // in tons of shell scripts and env vars.
 func NewClientFromHelmValues(valuesFile string, clientID string, log *zap.SugaredLogger) (*Client, error) {

diff --git a/modules/web/hack/e2e/fixtures/dex_values.yaml b/modules/web/hack/e2e/fixtures/dex_values.yaml
@@ -0,0 +1,64 @@
+# Copyright 2025 The Kubermatic Kubernetes Platform contributors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dex:
+  replicaCount: 2
+  ingress:
+    enabled: true
+    className: "nginx"
+    hosts:
+      - host: "dex.dex"
+        paths:
+          - path: /dex
+            pathType: ImplementationSpecific
+    tls: []
+  config:
+    issuer: http://dex.dex:5556/dex
+    expiry:
+      signingKeys: "6h"
+      idTokens: "24h"
+    oauth2:
+      skipApprovalScreen: true
+      responseTypes:
+        - code
+        - token
+        - id_token
+    storage:
+      type: kubernetes
+      config:
+        inCluster: true
+    frontend:
+      issuer: dex
+      dir: /srv/dex/web
+      logoURL: theme/logo.svg
+      theme: light
+    enablePasswordDB: true
+    staticClients:
+    - id: kubermatic
+      name: Kubermatic
+      secret: BDZleMTgqON5kiJybIBZM4Si
+      RedirectURIs:
+      # used by Kubermatic's tests
+      - http://localhost:8000
+      # used by the dashboard
+      - http://localhost:8000/projects
+    staticPasswords:
+    - email: "[email protected]"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "roxy"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5468"
+    - email: "[email protected]"
+      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+      username: "roxy-admin"
+      userID: "08a8684b-db88-4b73-90a9-3cd1661f5469"
diff --git a/modules/web/hack/e2e/fixtures/kubermatic.yaml b/modules/web/hack/e2e/fixtures/kubermatic.yaml
@@ -31,6 +31,6 @@ spec:
     replicas: 0
   # Dex integration
   auth:
-    tokenIssuer: "http://dex.oauth:5556/dex"
+    tokenIssuer: "http://dex.dex:5556/dex"
     issuerRedirectURL: "http://localhost:8000"
     serviceAccountKey: "__SERVICE_ACCOUNT_KEY__"
diff --git a/modules/web/hack/e2e/fixtures/oauth_values.yaml b/modules/web/hack/e2e/fixtures/oauth_values.yaml
diff --git a/modules/web/hack/e2e/setup-kubermatic-in-kind.sh b/modules/web/hack/e2e/setup-kubermatic-in-kind.sh
@@ -82,7 +82,7 @@ kubermaticOperator:
 EOF
 
 # append custom Dex configuration
-cat $WEB_MODULE_ROOT/hack/e2e/fixtures/oauth_values.yaml >> $HELM_VALUES_FILE
+cat $WEB_MODULE_ROOT/hack/e2e/fixtures/dex_values.yaml >> $HELM_VALUES_FILE
 
 # prepare to run kubermatic-installer
 KUBERMATIC_CONFIG="$(mktemp)"
@@ -114,7 +114,7 @@ nginx:
 EOF
 
 # append custom Dex configuration
-cat $REPO_ROOT/hack/ci/testdata/oauth_values.yaml >> $HELM_VALUES_FILE
+cat $REPO_ROOT/hack/ci/testdata/dex_values.yaml >> $HELM_VALUES_FILE
 
 # The alias makes it easier to access the port-forwarded Dex inside the Kind cluster;
 # the token issuer cannot be localhost:5556, because pods inside the cluster would not
@@ -215,7 +215,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: dex-nodeport
-  namespace: oauth
+  namespace: dex
 spec:
   type: NodePort
   ports: