From 80698e499a66ed0787fe64c8d41f94f140927fe7 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Thu, 19 Feb 2026 20:16:55 -0800
Subject: [PATCH] Switch Dex storage from Kubernetes CRD to sqlite3
The Kubernetes CRD storage backend crashes on k3s due to a Go URL parsing bug with the in-cluster API address. sqlite3 with emptyDir avoids the k8s API entirely and is sufficient for single-replica Dex. Also removes now-unnecessary RBAC resources (ServiceAccount, ClusterRole, ClusterRoleBinding).
Co-Authored-By: Claude Opus 4.6
---
 argocd/manifests/dex/clusterrole.yaml | 12 ------------
 argocd/manifests/dex/clusterrolebinding.yaml | 13 -------------
 argocd/manifests/dex/deployment.yaml | 5 ++++-
 argocd/manifests/dex/external-secret.yaml | 4 ++--
 argocd/manifests/dex/kustomization.yaml | 3 ---
 argocd/manifests/dex/serviceaccount.yaml | 6 ------
 6 files changed, 6 insertions(+), 37 deletions(-)
 delete mode 100644 argocd/manifests/dex/clusterrole.yaml
 delete mode 100644 argocd/manifests/dex/clusterrolebinding.yaml
 delete mode 100644 argocd/manifests/dex/serviceaccount.yaml
diff --git a/argocd/manifests/dex/clusterrole.yaml b/argocd/manifests/dex/clusterrole.yaml
deleted file mode 100644
index 76811df..0000000
--- a/argocd/manifests/dex/clusterrole.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: dex
-rules:
- - apiGroups: ["dex.coreos.com"]
- resources: ["*"]
- verbs: ["*"]
- - apiGroups: ["apiextensions.k8s.io"]
- resources: ["customresourcedefinitions"]
- verbs: ["create"]
diff --git a/argocd/manifests/dex/clusterrolebinding.yaml b/argocd/manifests/dex/clusterrolebinding.yaml
deleted file mode 100644
index 53ffefa..0000000
--- a/argocd/manifests/dex/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: dex
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: dex
-subjects:
- - kind: ServiceAccount
- name: dex
- namespace: dex
diff --git a/argocd/manifests/dex/deployment.yaml b/argocd/manifests/dex/deployment.yaml
index afddb09..ba02856 100644
--- a/argocd/manifests/dex/deployment.yaml
+++ b/argocd/manifests/dex/deployment.yaml
@@ -14,7 +14,6 @@ spec:
 labels:
 app: dex
 spec:
- serviceAccountName: dex
 containers:
 - name: dex
 image: registry.ops.eblu.me/blumeops/dex:v1.0.0-nix
@@ -25,6 +24,8 @@ spec:
 - name: config
 mountPath: /etc/dex/cfg
 readOnly: true
+ - name: data
+ mountPath: /var/dex
 livenessProbe:
 httpGet:
 path: /healthz
@@ -48,3 +49,5 @@ spec:
 - name: config
 secret:
 secretName: dex-config
+ - name: data
+ emptyDir: {}
diff --git a/argocd/manifests/dex/external-secret.yaml b/argocd/manifests/dex/external-secret.yaml
index e654e77..3b9e685 100644
--- a/argocd/manifests/dex/external-secret.yaml
+++ b/argocd/manifests/dex/external-secret.yaml
@@ -17,9 +17,9 @@ spec:
 config.yaml: |
 issuer: https://dex.ops.eblu.me
 storage:
- type: kubernetes
+ type: sqlite3
 config:
- inCluster: true
+ file: /var/dex/dex.db
 web:
 http: 0.0.0.0:5556
 oauth2:
diff --git a/argocd/manifests/dex/kustomization.yaml b/argocd/manifests/dex/kustomization.yaml
index fea126f..cffcba8 100644
--- a/argocd/manifests/dex/kustomization.yaml
+++ b/argocd/manifests/dex/kustomization.yaml
@@ -3,9 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: dex
 resources:
- - serviceaccount.yaml
- - clusterrole.yaml
- - clusterrolebinding.yaml
 - external-secret.yaml
 - deployment.yaml
 - service.yaml
diff --git a/argocd/manifests/dex/serviceaccount.yaml b/argocd/manifests/dex/serviceaccount.yaml
deleted file mode 100644
index 70fc335..0000000
--- a/argocd/manifests/dex/serviceaccount.yaml
+++ /dev/null
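Review bot: With `serviceAccountName: dex` removed in the first deployment.yaml hunk, the pod falls back to the namespace's `default` ServiceAccount and, unless disabled elsewhere, still gets an API token mounted, even though the commit message says Dex no longer uses the Kubernetes API. Adding `automountServiceAccountToken: false` at the same level as `containers:` would leave a compromised Dex container with no cluster credential at all. The pod spec starts and continues outside this hunk, so check that the field is not already set there.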
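Review bot: The `data` volume added in the last deployment.yaml hunk is an unbounded `emptyDir: {}`, and it now backs the sqlite3 file that holds all of Dex's state, which in Dex's storage model includes signing keys and refresh tokens. That state is discarded whenever the pod is replaced, so keys are regenerated and existing sessions stop working; a rolling update would also briefly run two pods with separate databases. I would bound the volume with `emptyDir: {sizeLimit: 64Mi}` (value constructed for illustration) and add a comment such as `# Dex state is ephemeral: keys and tokens are lost on pod restart; keep replicas at 1`. The Deployment's replica count and update strategy are outside the hunk.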
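Review bot: The new `file: /var/dex/dex.db` in external-secret.yaml only works because deployment.yaml mounts a writable volume at `/var/dex`, and nothing in this file records that coupling. A comment next to the storage block, for example `# /var/dex is the emptyDir "data" volume from deployment.yaml; contents do not survive pod restarts`, would keep the two files in step. Dex's sqlite3 backend also needs a cgo-enabled build, so it is worth confirming that the custom `dex:v1.0.0-nix` image was built that way; the image build is not visible here.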
@@ -1,6 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: dex
- namespace: dex