docs: reference sso helm chart in README about sso HOT 13 OPEN

@jwhitcraft I made a write up on this here - https://medium.com/@while1eq1/single-sign-on-for-internal-apps-in-kubernetes-using-google-oauth-sso-2386a34bc433

As well as provided example yamls here - #67

from sso.

Now that there is a good example for K8S I'll start working on a helm chart. It will probably end up in the incubator on https://github.com/helm/charts

from sso.

@jwhitcraft @while1eq1 I got a chart started. It could use some playing around with to cut the edges off.

I got it working :). I'm curious if I can remove the need for the SSO-Proxy if I use an NGINX ingress as shown in this tutorial using OAuthProxy.

from sso.

@jwhitcraft @while1eq1 the one question I have is can we do this with out the sso-proxy and instead leverage an nginx-ingress? It seems feasible to me from reading this tutorial using OAuth2_Proxy: https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth

This is actually pretty likely to work: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/

from sso.

Thank you for opening this issue @jwhitcraft. While we are definitely open to adding variations to our quick start, we don't have any experience with Helm in our organization, so we aren't in the best place to write about this in our quick start guide. I am going to to leave this issue open for anyone who does and would like to contribute!

from sso.

I can probably tackle this.

from sso.

I got this up and running in k8s successfully today. Im in the process of writing a post on how I did it. It should be finished tomorrow or the next day. It will include all the kubernetes manifests that I made to make it happen.

from sso.

@Freyert the nginx part only helps you to route unauthenticated users to the application (sso-proxy) that will handle oauth, it does not do oauth itself.

from sso.

@krishofmans right, so it fulfills the same role as sso-proxy, but needs the sso-auth component to validate. The proxy can be replaced by anything that supports redirecting to sso-auth?

from sso.

@Freyert and @while1eq1 - Thank you for the documentation and helm chart. I'm going to fork it and make an attempt to get it working in my dev cluster. If I can get it working I may steal some of the documentation from the @while1eq1 article and place it in a README.md.

I'm excited to use a double-oauth proxy. This will keep me from manually maintaining every endpoint callback URL in the google admin panel.

from sso.

Initial pull request has been created on the official helm charts repo by Dario: helm/charts#8157

from sso.

Given that this is currently being developed in the helm repo, I've repurposed this issue to update our sso docs here to reference the availability of said helm chart, once it lands.

Thanks everyone!

from sso.

@Freyert I think the main problem with using nginx-ingress is that you won't have the extra headers such as X-Forwarded-Groups and so on that sso-proxy provides.

So I suppose that if you need some of the features provided by nginx-ingress (for example the modsecurity firewall), then you need to use both proxies.

from sso.