dex:
  config:
    issuer: https://dex.khuedoan.com
    storage:
      type: kubernetes
      config:
        inCluster: true
    oauth2:
      skipApprovalScreen: true
    connectors:
      - type: oidc
        id: kanidm
        name: Kanidm
        config:
          clientID: $KANIDM_CLIENT_ID
          clientSecret: $KANIDM_CLIENT_SECRET
          redirectURI: https://dex.khuedoan.com/callback
          issuer: https://auth.khuedoan.com/oauth2/openid/dex
          # TODO https://github.com/dexidp/dex/pull/3188
          # enablePKCE: true
          scopes:
            - openid
            - profile
            - email
            - groups
    staticClients:
      - id: grafana-sso
        name: Grafana
        redirectURIs:
          - 'https://grafana.khuedoan.com/login/generic_oauth'
        secretEnv: GRAFANA_SSO_CLIENT_SECRET
      - id: gitea
        name: Gitea
        redirectURIs:
          - 'https://git.khuedoan.com/user/oauth2/Dex/callback'
        secretEnv: GITEA_CLIENT_SECRET
  envFrom:
    - secretRef:
        name: dex-secrets
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: &host dex.khuedoan.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: dex-tls-certificate
        hosts:
          - *host