{"id":17168502,"url":"https://github.com/ccojocar/sso-operator","last_synced_at":"2025-08-12T17:42:45.120Z","repository":{"id":54791888,"uuid":"142002954","full_name":"ccojocar/sso-operator","owner":"ccojocar","description":"Single Sign-On Kubernetes operator for Dex identity provider","archived":false,"fork":false,"pushed_at":"2023-02-20T08:19:55.000Z","size":425,"stargazers_count":77,"open_issues_count":7,"forks_count":20,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-02T06:23:32.518Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ccojocar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-23T11:07:30.000Z","updated_at":"2025-01-03T21:47:19.000Z","dependencies_parsed_at":"2024-06-18T21:43:51.724Z","dependency_job_id":"13e00755-3c6f-4b31-bb7a-2d71f236de91","html_url":"https://github.com/ccojocar/sso-operator","commit_stats":{"total_commits":196,"total_committers":14,"mean_commits":14.0,"dds":"0.16326530612244894","last_synced_commit":"aae776ace592d516559b2f162961fc0c570d02de"},"previous_names":["jenkins-x/sso-operator"],"tags_count":113,"template":false,"template_full_name":null,"purl":"pkg:github/ccojocar/sso-operator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ccojocar%2Fsso-operator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ccojocar%2Fsso-operator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ccojocar%2Fsso-opera
tor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ccojocar%2Fsso-operator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ccojocar","download_url":"https://codeload.github.com/ccojocar/sso-operator/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ccojocar%2Fsso-operator/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270108536,"owners_count":24528763,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-12T02:00:09.011Z","response_time":80,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-14T23:12:04.584Z","updated_at":"2025-08-12T17:42:45.087Z","avatar_url":"https://github.com/ccojocar.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sso-operator\n\nSingle Sign-On Kubernetes [operator](https://coreos.com/operators/) for [dex](https://github.com/coreos/dex), which can provision, expose and manage a [SSO proxy](https://github.com/oauth2-proxy/oauth2-proxy) for a Kubernetes service. \n\n## Architecture\n\n![architecture](images/architecture.png?row=true)\n\n## Installation \n\n### Using Jenkins X\n\nYou can install the operator and its dependencies with [Jenkins X](https://jenkins-x.io/). 
The only requirement is to have already allocated a DNS domain for your ingress controller.\n\nYou can execute the command below and then follow the wizard steps:\n\n```\njx create addon sso \n```\n\n### Using Helm \n\n#### Prerequisites\n\nThe operator requires the [dex](https://github.com/dexidp/dex) identity provider and the [cert-manager](https://github.com/jetstack/cert-manager) version `v.0.6.0` to be installed into your cluster. \nYou can install `dex` using the following [helm chart](https://github.com/jenkins-x/dex/tree/master/charts/dex), which pre-configures the `GitHub connector` and uses the `cert-manager` service to retrieve \nthe TLS certificates for the dex gRPC API.\n\nBefore starting the installation, you have to create a [GitHub OAuth App](https://github.com/settings/applications/new) whose `callback` is the *https://DEX_DOMAIN/callback* URL.\n\nYou can install the `dex` chart as follows:\n```\nhelm upgrade -i --namespace \u003cNAMESPACE\u003e --wait --timeout 600 dex \\\n         --set domain=\"\u003cDEX_DOMAIN\u003e\" \\\n         --set connectors.github.config.clientID=\"\u003cCLIENT_ID\u003e\" \\\n         --set connectors.github.config.clientSecret=\"\u003cCLIENT_SECRET\u003e\" \\\n         --set connectors.github.config.orgs={ORG1,ORG2} \\\n         .\n```\n\nThe web endpoints provided by the `dex` IdP have to be publicly exposed and secured with TLS. You can do this easily if you have [Jenkins X](https://jenkins-x.io/) installed in your cluster.\n\nJust execute the command:\n\n```\njx upgrade ingress \n```\n\nYou can select TLS and provide your `DEX_DOMAIN` and email. 
This command will configure the ingress controller to automatically fetch the TLS certificate from the Let's Encrypt CA server.\n\n#### Install the operator\n\nFirst, you will need to add the jenkins-x chart repository to your helm repositories:\n```sh\nhelm repo add jenkins-x http://chartmuseum.jenkins-x.io\nhelm repo update\n```\n\nYou can now install the chart with:\n```\nhelm install --namespace \u003cNAMESPACE\u003e --set dex.grpcHost=dex.\u003cDEX_NAMESPACE\u003e --name sso-operator jenkins-x/sso-operator \n```\n\n## Enable Single Sign-On for a service \n\nAfter installing the operator, you can enable Single Sign-On for any Kubernetes service by creating an SSO custom resource. \n\nLet's start by creating a basic Go HTTP service with Jenkins X:\n\n```\njx create quickstart -l Go --name golang-http\n```\n\nWithin a few minutes, the service should be running in your staging environment. You can view the Kubernetes service created for it with:\n\n```\nkubectl get svc -n jx-staging\n\nNAME           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE\ngolang-http    ClusterIP   10.15.250.117   \u003cnone\u003e        80/TCP            1m\nsso-operator   ClusterIP   10.15.244.220   \u003cnone\u003e        80/TCP            6m\n```\n\nYou can now enable Single Sign-On for this service by creating a custom resource as follows:\n\n```yaml\ncat \u003c\u003cEOF | kubectl create -f -\napiVersion: \"jenkins.io/v1\"\nkind: \"SSO\"\nmetadata:\n  name: \"sso-golang-http\"\n  namespace: jx-staging\nspec:\n  oidcIssuerUrl: \"https://dex.jx-staging.example.com\"\n  upstreamService: \"golang-http\"\n  forwardToken: false\n  domain: \"example.com\"\n  certIssuerName: \"letsencrypt-prod\"\n  urlTemplate: \"{{.Service}}.{{.Namespace}}.{{.Domain}}\"\n  cookieSpec:\n    name: \"sso-golang-http\"\n    expire: \"168h\"\n    refresh: \"60m\"\n    secure: true\n    httpOnly: true\n  proxyImage: \"quay.io/pusher/oauth2_proxy\"\n  proxyImageTag: \"v3.2.0\"\n  proxyResources:\n  
  limits:\n      cpu: 100m\n      memory: 256Mi\n    requests:\n      cpu: 80m\n      memory: 128Mi\nEOF\n```\n\n__Note:__ You will have to update *oidcIssuerUrl* and *domain* with your specific values.\n\nAn SSO proxy will be automatically created by the operator and publicly exposed under your domain with TLS enabled. You can see the proxy URL with:\n\n```\nkubectl get ingress -n jx-staging\nNAME              HOSTS                                                             ADDRESS        PORTS     AGE\nsso-golang-http   sso-golang-http.jx-staging.example.com                            104.155.7.81   80, 443   37m\n```\n\nYou can now open the `https://sso-golang-http.jx-staging.example.com` URL in a browser and check whether Single Sign-On works with your GitHub user.\n\n## Extra configuration options\n\nYou may want to skip the exposecontroller step if you are creating the ingress rules for your application yourself. In that case, use the `skipExposeService` config.\n```yaml\ncat \u003c\u003cEOF | kubectl create -f -\napiVersion: \"jenkins.io/v1\"\nkind: \"SSO\"\nmetadata:\n  name: \"sso-golang-http\"\n  namespace: jx-staging\nspec:\n  skipExposeService: true\n\n  ...\n```\n\nIf you want to pull the proxyImage from a private registry, you can set the `proxyImagePullSecret` config.\n```yaml\ncat \u003c\u003cEOF | kubectl create -f -\napiVersion: \"jenkins.io/v1\"\nkind: \"SSO\"\nmetadata:\n  name: \"sso-golang-http\"\n  namespace: jx-staging\nspec:\n  proxyImagePullSecret: \"private-registry-secret\"\n\n  ...\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccojocar%2Fsso-operator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fccojocar%2Fsso-operator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fccojocar%2Fsso-operator/lists"}