diff --git a/charts/dex.yaml b/charts/dex.yaml
new file mode 100644
index 0000000000..5f49f2f6ab
--- /dev/null
+++ b/charts/dex.yaml
@@ -0,0 +1,102 @@
+image: '{%- endraw -%}{{ build_image_name(\"dex\", False) }}{%- raw -%}'
+
+nodeSelector:
+ node-role.kubernetes.io/master: ''
+
+tolerations:
+ - key: "node-role.kubernetes.io/bootstrap"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/infra"
+ operator: "Exists"
+ effect: "NoSchedule"
+
+replicas: 2
+
+# grpc support
+grpc: false
+
+# https termination by dex itself
+https: false
+
+ports:
+ web:
+ containerPort: 5556
+ servicePort: 32000
+ # grpc:
+ # containerPort: 5000
+ # servicePort: 35000
+
+service:
+ type: ClusterIP
+
+ingress:
+ enabled: true
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: '/$2'
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ kubernetes.io/ingress.class: "nginx-control-plane"
+ path: /dex(/|$)(.*)
+ hosts:
+ - null
+ tls: []
+ # - secretName: dex-example-tls
+ # hosts:
+ # - dex.example.com
+
+certs:
+ web:
+ create: false
+ grpc:
+ create: false
+
+rbac:
+ create: false
+
+serviceAccount:
+ create: true
+ name:
+
+# ensure dex pods are running only on master nodes
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+
+config:
+ issuer: http://127.0.0.1:5556/dex
+ storage:
+ type: kubernetes
+ config:
+ inCluster: true
+ logger:
+ level: debug
+ web:
+ # port is taken from ports section above
+ address: 0.0.0.0
+ # tlsCert: /etc/dex/tls/https/server/tls.crt
+ # tlsKey: /etc/dex/tls/https/server/tls.key
+ connectors: {}
+
+ oauth2:
+ alwaysShowLoginScreen: false
+ skipApprovalScreen: true
+
+ expiry:
+ signingKeys: "6h"
+ idTokens: "24h"
+
+ enablePasswordDB: true
+ staticPasswords:
+ - email: "oidc_admin@metalk8s.com"
+ # bcrypt hash of the string "password"
+ hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+ username: "oidc_admin"
+ userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
\ No newline at end of file
diff --git a/salt/metalk8s/addons/dex/deployed/chart.sls b/salt/metalk8s/addons/dex/deployed/chart.sls
new file mode 100644
index 0000000000..b9a492ae32
--- /dev/null
+++ b/salt/metalk8s/addons/dex/deployed/chart.sls
@@ -0,0 +1,117 @@ +#!jinja | kubernetes kubeconfig=/etc/kubernetes/admin.conf&context=kubernetes-admin@kubernetes +{%- from "metalk8s/repo/macro.sls" import build_image_name with context %} + +{% raw %} + +apiVersion: v1 +kind: Secret +metadata: + labels: {app.kubernetes.io/instance: dex, app.kubernetes.io/managed-by: salt, app.kubernetes.io/name: dex, + app.kubernetes.io/part-of: metalk8s, app.kubernetes.io/version: 2.19.0, helm.sh/chart: dex-2.4.0, + heritage: metalk8s} + name: dex + namespace: metalk8s-auth +stringData: {config.yaml: "issuer: http://127.0.0.1:5556/dex\nstorage:\n config:\n\ + \ inCluster: true\n type: kubernetes\n \nlogger:\n level: debug\n \nweb:\n\ + \ http: 0.0.0.0:5556\noauth2: \n alwaysShowLoginScreen: false\n skipApprovalScreen:\ + \ true\n \nenablePasswordDB: true\nstaticPasswords:\n- email: oidc_admin@metalk8s.com\n\ + \ hash: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W\n userID:\ + \ 08a8684b-db88-4b73-90a9-3cd1661f5466\n username: oidc_admin\n\nexpiry:\n idTokens:\ + \ 24h\n signingKeys: 6h\n "} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {app.kubernetes.io/instance: dex, app.kubernetes.io/managed-by: salt, app.kubernetes.io/name: dex, + app.kubernetes.io/part-of: metalk8s, app.kubernetes.io/version: 2.19.0, helm.sh/chart: dex-2.4.0, + heritage: metalk8s} + name: dex + namespace: metalk8s-auth +--- +apiVersion: v1 +kind: Service +metadata: + labels: {app.kubernetes.io/instance: dex, app.kubernetes.io/managed-by: salt, app.kubernetes.io/name: dex, + app.kubernetes.io/part-of: metalk8s, app.kubernetes.io/version: 2.19.0, helm.sh/chart: dex-2.4.0, + heritage: metalk8s} + name: dex + namespace: metalk8s-auth +spec: + ports: + - {name: http, port: 32000, targetPort: http} + selector: {app.kubernetes.io/instance: dex, app.kubernetes.io/name: dex} + sessionAffinity: None + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: {app.kubernetes.io/component: dex, 
app.kubernetes.io/instance: dex, app.kubernetes.io/managed-by: salt, + app.kubernetes.io/name: dex, app.kubernetes.io/part-of: metalk8s, app.kubernetes.io/version: 2.19.0, + helm.sh/chart: dex-2.4.0, heritage: metalk8s} + name: dex + namespace: metalk8s-auth +spec: + replicas: 2 + selector: + matchLabels: {app.kubernetes.io/component: dex, app.kubernetes.io/instance: dex, + app.kubernetes.io/name: dex} + strategy: + rollingUpdate: {maxSurge: 0, maxUnavailable: 1} + type: RollingUpdate + template: + metadata: + annotations: {checksum/config: cc44f447f0852cf1fa2392514513413350ad3fc213ee16cc10481e0c0ae7bb29} + labels: {app.kubernetes.io/component: dex, app.kubernetes.io/instance: dex, + app.kubernetes.io/name: dex} + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - {key: node-role.kubernetes.io/master, operator: Exists} + containers: + - command: [/usr/local/bin/dex, serve, /etc/dex/cfg/config.yaml] + env: [] + image: '{%- endraw -%}{{ build_image_name("dex", False) }}{%- raw -%}:v2.19.0' + imagePullPolicy: IfNotPresent + name: main + ports: + - {containerPort: 5556, name: http, protocol: TCP} + resources: null + volumeMounts: + - {mountPath: /etc/dex/cfg, name: config} + nodeSelector: {node-role.kubernetes.io/master: ''} + serviceAccountName: dex + tolerations: + - {effect: NoSchedule, key: node-role.kubernetes.io/bootstrap, operator: Exists} + - {effect: NoSchedule, key: node-role.kubernetes.io/master, operator: Exists} + - {effect: NoSchedule, key: node-role.kubernetes.io/infra, operator: Exists} + volumes: + - name: config + secret: + defaultMode: 420 + items: + - {key: config.yaml, path: config.yaml} + secretName: dex +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: {kubernetes.io/ingress.class: nginx-control-plane, nginx.ingress.kubernetes.io/backend-protocol: HTTP, + nginx.ingress.kubernetes.io/rewrite-target: /$2, 
nginx.ingress.kubernetes.io/use-regex: 'true'} + labels: {app.kubernetes.io/instance: dex, app.kubernetes.io/managed-by: salt, app.kubernetes.io/name: dex, + app.kubernetes.io/part-of: metalk8s, app.kubernetes.io/version: 2.19.0, helm.sh/chart: dex-2.4.0, + heritage: metalk8s} + name: dex + namespace: metalk8s-auth +spec: + rules: + - host: null + http: + paths: + - backend: {serviceName: dex, servicePort: 32000} + path: /dex(/|$)(.*) + +{% endraw %} diff --git a/salt/metalk8s/addons/dex/deployed/init.sls b/salt/metalk8s/addons/dex/deployed/init.sls new file mode 100644 index 0000000000..ce1664144f --- /dev/null +++ b/salt/metalk8s/addons/dex/deployed/init.sls @@ -0,0 +1,3 @@ +include: +- .namespace +- .chart
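Review bot: The `checksum/config` annotation on the Deployment pod template is a fixed digest of the rendered Secret content, so any later hand edit to the `config.yaml` string in `stringData` (the credential hash, the issuer, the log level) leaves the digest stale and running pods are not rolled. This file is clearly rendered output (flow-style labels, `helm.sh/chart: dex-2.4.0`, the precomputed digest), so a header comment right after the `{% raw %}` line such as `# Rendered from the dex chart with charts/dex.yaml; do not edit by hand, re-render so checksum/config stays in sync` would prevent that drift. The Deployment also sets `resources: null`, so dex runs on master nodes with no CPU/memory requests or limits; presumably the chart exposes a `resources` value that could be set from `charts/dex.yaml`, worth confirming. The `host: null` rule on the Ingress matches every hostname, which may be intended for the control-plane ingress class but deserves a comment.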