From a2188bebf1e609a6b47e6f4c6f245977684c096c Mon Sep 17 00:00:00 2001 From: Daniel Dao Date: Mon, 6 Nov 2017 14:40:25 +0000 Subject: [PATCH] add documentation for etcd storage This adds references to etcd storage, including: - only supports etcd v3 - list of options and their meanings when connecting to etcd cluster --- Documentation/storage.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/Documentation/storage.md b/Documentation/storage.md index 7c2abae8..91ae7eca 100644 --- a/Documentation/storage.md +++ b/Documentation/storage.md @@ -4,6 +4,38 @@ Dex requires persisting state to perform various tasks such as track refresh tok Storage breaches are serious as they can affect applications that rely on dex. Dex saves sensitive data in its backing storage, including signing keys and bcrypt'd passwords. As such, transport security and database ACLs should both be used, no matter which storage option is chosen. +## Etcd + +Dex supports persisting state to [etcd v3](https://github.com/coreos/etcd). + +An example etcd configuration is using these values: + +``` +storage: + type: etcd + config: + # list of etcd endpoints we should connect to + endpoints: + - http://localhost:2379 + namespace: my-etcd-namespace/ +``` + +Etcd storage can be customized further using the following options: + +* `endpoints`: list of etcd endpoints we should connect to +* `namespace`: etcd namespace to be set for the connection. All keys created by + etcd storage will be prefixed with the namespace. This is useful when you + share your etcd cluster amongst several applications. Another approach for + setting namespace is to use [etcd proxy](https://coreos.com/etcd/docs/latest/op-guide/grpc_proxy.html#namespacing) +* `username`: username for etcd authentication +* `password`: password for etcd authentication +* `ssl`: ssl setup for etcd connection + * `serverName`: ensures that the certificate matches the given hostname the + client is connecting to. + * `caFile`: path to the ca + * `keyFile`: path to the private key + * `certFile`: path to the certificate + ## Kubernetes custom resource definitions (CRDs) __NOTE:__ CRDs are only supported by Kubernetes version 1.7+.