Comments (13)
@jwhitcraft I made a write up on this here - https://medium.com/@while1eq1/single-sign-on-for-internal-apps-in-kubernetes-using-google-oauth-sso-2386a34bc433
As well as provided example yamls here - #67
from sso.
Now that there is a good example for K8S I'll start working on a helm chart. It will probably end up in the incubator on https://github.com/helm/charts
from sso.
@jwhitcraft @while1eq1 I got a chart started. It could use some playing around with to cut the edges off.
I got it working :). I'm curious if I can remove the need for the SSO-Proxy if I use an NGINX ingress as shown in this tutorial using OAuthProxy.
from sso.
@jwhitcraft @while1eq1 the one question I have is can we do this without the `sso-proxy` and instead leverage an `nginx-ingress`? It seems feasible to me from reading this tutorial using OAuth2_Proxy: https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth
This is actually pretty likely to work: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
from sso.
Thank you for opening this issue @jwhitcraft. While we are definitely open to adding variations to our quick start, we don't have any experience with Helm in our organization, so we aren't in the best place to write about this in our quick start guide. I am going to leave this issue open for anyone who does and would like to contribute!
from sso.
I can probably tackle this.
from sso.
I got this up and running in k8s successfully today. I'm in the process of writing a post on how I did it. It should be finished tomorrow or the next day. It will include all the kubernetes manifests that I made to make it happen.
from sso.
@Freyert the nginx part only helps you to route unauthenticated users to the application (sso-proxy) that will handle oauth, it does not do oauth itself.
from sso.
@krishofmans right, so it fulfills the same role as `sso-proxy`, but needs the `sso-auth` component to validate. The proxy can be replaced by anything that supports redirecting to `sso-auth`?
from sso.
@Freyert and @while1eq1 - Thank you for the documentation and helm chart. I'm going to fork it and make an attempt to get it working in my dev cluster. If I can get it working I may steal some of the documentation from the @while1eq1 article and place it in a README.md.
I'm excited to use a double-oauth proxy. This will keep me from manually maintaining every endpoint callback URL in the google admin panel.
from sso.
Initial pull request has been created on the official helm charts repo by Dario: helm/charts#8157
from sso.
Given that this is currently being developed in the helm repo, I've repurposed this issue to update our sso docs here to reference the availability of said helm chart, once it lands.
Thanks everyone!
from sso.
@Freyert I think the main problem with using `nginx-ingress` is that you won't have the extra headers such as `X-Forwarded-Groups` and so on that `sso-proxy` provides.
So I suppose that if you need some of the features provided by `nginx-ingress` (for example the modsecurity firewall), then you need to use both proxies.
from sso.