docs: reference sso helm chart in README
Is your feature request related to a problem? Please describe.
To make this easier to use, it would be great if there was a Helm Chart or a guide for getting this up and running on Kubernetes
Thanks,
Thank you for opening this issue @jwhitcraft. While we are definitely open to adding variations to our quick start, we don't have any experience with Helm in our organization, so we aren't in the best place to write about this in our quick start guide. I am going to leave this issue open for anyone who does and would like to contribute!
I can probably tackle this.
I got this up and running in k8s successfully today. I'm in the process of writing a post on how I did it. It should be finished tomorrow or the next day. It will include all the Kubernetes manifests that I made to make it happen.
@jwhitcraft I made a write up on this here - https://medium.com/@while1eq1/single-sign-on-for-internal-apps-in-kubernetes-using-google-oauth-sso-2386a34bc433
As well as provided example yamls here - https://github.com/buzzfeed/sso/pull/67
Now that there is a good example for K8S I'll start working on a helm chart. It will probably end up in the incubator on https://github.com/helm/charts
@jwhitcraft @while1eq1 I got a chart started. It could use some playing around with to cut the edges off.
I got it working :). I'm curious if I can remove the need for the SSO-Proxy if I use an NGINX ingress as shown in this tutorial using OAuthProxy.
@jwhitcraft @while1eq1 the one question I have is can we do this without the sso-proxy and instead leverage an nginx-ingress? It seems feasible to me from reading this tutorial using OAuth2_Proxy: https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth
This is actually pretty likely to work: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
@Freyert the nginx part only helps you to route unauthenticated users to the application (sso-proxy) that will handle oauth, it does not do oauth itself.
@krishofmans right, so it fulfills the same role as sso-proxy, but needs the sso-auth component to validate. The proxy can be replaced by anything that supports redirecting to sso-auth?
@Freyert and @while1eq1 - Thank you for the documentation and helm chart. I'm going to fork it and make an attempt to get it working in my dev cluster. If I can get it working I may steal some of the documentation from the @while1eq1 article and place it in a README.md.
I'm excited to use a double-oauth proxy. This will keep me from manually maintaining every endpoint callback URL in the google admin panel.
Initial pull request has been created on the official helm charts repo by Dario: https://github.com/helm/charts/pull/8157
Given that this is currently being developed in the helm repo, I've repurposed this issue to update our sso docs here to reference the availability of said helm chart, once it lands.
Thanks everyone!
@Freyert I think the main problem with using nginx-ingress is that you won't have the extra headers such as X-Forwarded-Groups and so on that sso-proxy provides.
So I suppose that if you need some of the features provided by nginx-ingress (for example the modsecurity firewall), then you need to use both proxies.