sso-operator
Single Sign-On Kubernetes operator for dex, which can provision, expose and manage a SSO proxy for a Kubernetes service.
Prerequisites
The operator requires the dex identity provider and the cert-manager to be installed into the cluter.
You can install them using this helm chart, which pre-configures the GitHub connector
, and uses the cert-manager
to issue certificates for dex gRPC API.
Before starting the installation, you have to create a GitHub OAuth App which has as callback
https://DEX_DOMAIN/callback URL.
Now you can proceed with the installation as follows:
helm upgrade -i --namespace <NAMESAPCE> --wait --timeout 600 dex \
--set domain="<DEX_DOMAIN>" \
--set connectors.github.config.clientID="<CLIENT_ID>" \
--set connectors.github.config.clientSecret="<CLIENT_SECRET>" \
--set connectors.github.config.orgs={ORG1,ORG2} \
.
The web endpoint of dex has to be publicly exposed and secured with TLS. You can do this pretty easy, if you have the Jenkins X installed into your cluster.
By executing the command:
jx upgrade ingress
You can select TLS and provide your DEX_DOMAIN
and email. This command will configure the ingress controller to fetch automatically the TLS certificate from a Let's Encrypt CA server.
Installation
Using Jenkins X
You can import this project into your Jenkins X platform:
jx import --url https://github.com/jenkins-x/sso-operator.git
At this stage, Jenkins X will deploy automatically the operator into your staging environment. After deployment, you can see the applications details with:
jx get apps
Skaffold and Helm
The operator can be also installed using skaffold and helm as follows:
export VERSION=latest
export DOCKER_REGISTRY=<YOUR DOCKER REGISTRY>
export KUBERNETES_NAMESPACE=<YOUR NAMESPACE>
make install-helm
Enable SSO
After installing the operator, you can enable Single Sign-On for any Kubernetes service by creating a SSO custom resource.
Let's start by creating a basic Go http service with Jenkins X:
jx create quickstart -l Go --name golang-http
Within a few minutes, the service should be running in your staging environment. You can view the Kubernetes service created for it with:
kubectl get svc -n jx-staging
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
golang-http ClusterIP 10.15.250.117 <none> 80/TCP 1m
sso-operator ClusterIP 10.15.244.220 <none> 80/TCP 6m
You can enable now the Single Sign-On for this service by creating a custom resource as follows:
cat <<EOF | kubectl create -f -
apiVersion: "jenkins.io/v1"
kind: "SSO"
metadata:
name: "sso-golang-http"
namespace: jx-staging
spec:
oidcIssuerUrl: "https://dex.jx-staging.example.com"
upstreamService: "golang-http"
forwardToken: false
domain: "example.com"
certIssuerName: "letsencrypt-prod"
cookieSpec:
name: "sso-golang-http"
expire: "168h"
refresh: "60m"
secure: true
httpOnly: true
proxyImage: "cosmincojocar/oauth2_proxy"
proxyImageTag: "latest"
proxyResources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 80m
memory: 128Mi
EOF
Note: You will have to update oidcIssuerUrl and domain with your specific values.
A SSO proxy will be automatically created by the operator and publicly exposed under your domain with TLS enabled. You can see the proxy URL with:
kubectl get ingress -n jx-staging
NAME HOSTS ADDRESS PORTS AGE
sso-golang-http sso-golang-http.jx-staging.example.com 104.155.7.81 80, 443 37m
You can open now the https://sso-golang-http.jx-staging.example.com
URL in a browser and check if Single Sign-On works with your GitHub user.