Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ccojocar/sso-operator
Single Sign-On Kubernetes operator for Dex identity provider
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/ccojocar/sso-operator
- Owner: ccojocar
- License: apache-2.0
- Created: 2018-07-23T11:07:30.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2023-02-20T08:19:55.000Z (almost 2 years ago)
- Last Synced: 2024-10-15T23:12:03.983Z (3 months ago)
- Language: Go
- Homepage:
- Size: 415 KB
- Stars: 78
- Watchers: 10
- Forks: 20
- Open Issues: 7
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# sso-operator
Single Sign-On Kubernetes [operator](https://coreos.com/operators/) for [dex](https://github.com/coreos/dex), which can provision, expose and manage an [SSO proxy](https://github.com/oauth2-proxy/oauth2-proxy) for a Kubernetes service.
## Architecture
![architecture](images/architecture.png?row=true)
## Installation
### Using Jenkins X
You can install the operator and its dependencies with [Jenkins X](https://jenkins-x.io/). The only requirement is to have already allocated a DNS domain for your ingress controller.
You can execute the command below and then follow the wizard steps:
```
jx create addon sso
```
### Using Helm
#### Prerequisites
The operator requires the [dex](https://github.com/dexidp/dex) identity provider and the [cert-manager](https://github.com/jetstack/cert-manager) version `v.0.6.0` to be installed into your cluster.
You can install `dex` using the following [helm chart](https://github.com/jenkins-x/dex/tree/master/charts/dex), which pre-configures the `GitHub connector` and uses the `cert-manager` service to retrieve the TLS certificates for the dex gRPC API.
Before starting the installation, you have to create a [GitHub OAuth App](https://github.com/settings/applications/new) whose `callback` URL is *https://DEX_DOMAIN/callback*.
You can install the `dex` chart as follows:
```
helm upgrade -i --namespace --wait --timeout 600 dex \
--set domain="" \
--set connectors.github.config.clientID="" \
--set connectors.github.config.clientSecret="" \
--set connectors.github.config.orgs={ORG1,ORG2} \
.
```
The web endpoints provided by the `dex` IdP have to be publicly exposed and secured with TLS. This is easy to do if you have [Jenkins X](https://jenkins-x.io/) installed in your cluster.
Just execute the command:
```
jx upgrade ingress
```
You can select TLS and provide your `DEX_DOMAIN` and email. This command will configure the ingress controller to automatically fetch the TLS certificate from the Let's Encrypt CA server.
#### Install the operator
First, you will need to add the jenkins-x chart repository to your helm repositories:
```sh
helm repo add jenkins-x http://chartmuseum.jenkins-x.io
helm repo update
```
You can now install the chart with:
```
helm install --namespace --set dex.grpcHost=dex. --name sso-operator jenkins-x/sso-operator
```
## Enable Single Sign-On for a service
After installing the operator, you can enable Single Sign-On for any Kubernetes service by creating an SSO custom resource.
Let's start by creating a basic Go http service with Jenkins X:
```
jx create quickstart -l Go --name golang-http
```
Within a few minutes, the service should be running in your staging environment. You can view the Kubernetes service created for it with:
```
kubectl get svc -n jx-staging
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
golang-http ClusterIP 10.15.250.117 80/TCP 1m
sso-operator ClusterIP 10.15.244.220 80/TCP 6m
```
You can now enable Single Sign-On for this service by creating a custom resource as follows:
```yaml
cat <