sso-operator

command module
v1.0.9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 30, 2018 License: Apache-2.0 Imports: 13 Imported by: 0

README

sso-operator

Single Sign-On Kubernetes operator for dex, which can provision, expose and manage a SSO proxy for a Kubernetes service.

Prerequisites

The operator requires the dex identity provider and the cert-manager to be installed into the cluter. You can install them using this helm chart, which pre-configures the GitHub connector, and uses the cert-manager to issue certificates for dex gRPC API.

Before starting the installation, you have to create a GitHub OAuth App which has as callback https://DEX_DOMAIN/callback URL.

Now you can proceed with the installation as follows:

helm upgrade -i --namespace <NAMESAPCE> --wait --timeout 600 dex \
         --set domain="<DEX_DOMAIN>" \
         --set connectors.github.config.clientID="<CLIENT_ID>" \ 
         --set connectors.github.config.clientSecret="<CLIENT_SECRET>" \
         --set connectors.github.config.orgs={ORG1,ORG2} \
         .

The web endpoint of dex has to be publicly exposed and secured with TLS. You can do this pretty easy, if you have the Jenkins X installed into your cluster.

By executing the command:

jx upgrade ingress 

You can select TLS and provide your DEX_DOMAIN and email. This command will configure the ingress controller to fetch automatically the TLS certificate from a Let's Encrypt CA server.

Installation

Using Jenkins X

You can import this project into your Jenkins X platform:

jx import --url https://github.com/jenkins-x/sso-operator.git

At this stage, Jenkins X will deploy automatically the operator into your staging environment. After deployment, you can see the applications details with:

jx get apps
Skaffold and Helm

The operator can be also installed using skaffold and helm as follows:

export VERSION=latest
export DOCKER_REGISTRY=<YOUR DOCKER REGISTRY>
export KUBERNETES_NAMESPACE=<YOUR NAMESPACE>
make install-helm

Enable SSO

After installing the operator, you can enable Single Sign-On for any Kubernetes service by creating a SSO custom resource.

Let's start by creating a basic Go http service with Jenkins X:

jx create quickstart -l Go --name golang-http

Within a few minutes, the service should be running in your staging environment. You can view the Kubernetes service created for it with:

kubectl get svc -n jx-staging

NAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
golang-http    ClusterIP   10.15.250.117   <none>        80/TCP            1m
sso-operator   ClusterIP   10.15.244.220   <none>        80/TCP            6m

You can enable now the Single Sign-On for this service by creating a custom resource as follows:

cat <<EOF | kubectl create -f -
apiVersion: "jenkins.io/v1"
kind: "SSO"
metadata:
  name: "sso-golang-http"
  namespace: jx-staging
spec:
  oidcIssuerUrl: "https://dex.jx-staging.example.com"
  upstreamService: "golang-http"
  forwardToken: false
  domain: "example.com"
  certIssuerName: "letsencrypt-prod"
  cookieSpec:
    name: "sso-golang-http"
    expire: "168h"
    refresh: "60m"
    secure: true
    httpOnly: true
  proxyImage: "cosmincojocar/oauth2_proxy"
  proxyImageTag: "latest"
  proxyResources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 80m
      memory: 128Mi
EOF

Note: You will have to update oidcIssuerUrl and domain with your specific values.

A SSO proxy will be automatically created by the operator and publicly exposed under your domain with TLS enabled. You can see the proxy URL with:

kubectl get ingress -n jx-staging
NAME              HOSTS                                                             ADDRESS        PORTS     AGE
sso-golang-http   sso-golang-http.jx-staging.example.com                            104.155.7.81   80, 443   37m

You can open now the https://sso-golang-http.jx-staging.example.com URL in a browser and check if Single Sign-On works with your GitHub user.

Documentation

The Go Gopher

There is no documentation for this package.

Directories

Path Synopsis
pkg
apis/jenkins.io/v1
Package v1 is the v1 version of the API.
Package v1 is the v1 version of the API.
client/clientset/versioned
This package has the automatically generated clientset.
This package has the automatically generated clientset.
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
This package has the automatically generated fake clientset.
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/jenkins.io/v1
This package has the automatically generated typed clients.
This package has the automatically generated typed clients.
client/clientset/versioned/typed/jenkins.io/v1/fake
Package fake has the automatically generated clients.
Package fake has the automatically generated clients.
dex

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL