-
Maarten de Waard authoredVerified7fcbfb4b
Helm chart
Single sign-on adds an Authentication server to your k8s cluster, that can be used by applications within your cluster and by external applications to log in your users.
This chart also includes a minimalistic user-panel, which can be used to create new users, assign roles to users and grant users access to applications.
Prerequisites
- Kubernetes 1.13+ with Beta APIs enabled
- helm 2.14.3+
- ORY helm chart repository installed
helm repo add ory https://k8s.ory.sh/helm/charts && helm repo update
Configuration
You can configure the chart by changing the default values in the ./values.yaml file.
The following table lists the configurable parameters of the single sign-on chart and their
default values. Values in bold letters need to be changed for Routing and TLS to work.
Please also replace all the variables that have the value YouReallyNeedToChangeThis to strong
passwords.
This table lists the variables you are most likely to change. Take a look at the
values.yaml file to see more configuration options available.
| Parameter | Description | Default |
|---|---|---|
consentProvider.image.repository |
Name of image repository to be used for consent provider | open.greenhost.net:4567/stackspin/single-sign-on/consent_provider |
consentProvider.image.tag |
Release version of consent provider image | main |
loginProvider.image.repository |
Name of image repository to be used for login provider | open.greenhost.net:4567/stackspin/single-sign-on/login_provider |
loginProvider.image.tag |
Release version of login provider image | main |
singleSignOnHost |
FQDN of the openID Connect / oAuth2 server | sso.stackspin.example.net |
userpanel.ingress.host |
FQDN of the userpanel | admin.stackspin.example.net |
userbackend.username |
Username of the admin user | admin |
userbackend.password |
Password of the admin user | YouReallyNeedToChangeThis |
userbackend.email |
Email address of the admin user | admin@example.net |
userbackend.postgres.password |
Root pw of the psql DB | postgres |
hydra.hydra.config.urls.self.issuer |
Base URI of the oAuth server | https://sso.stackspin.example.net |
hydra.hydra.config.urls.login |
URI that will be used for the login page | https://sso.stackspin.example.net/login |
hydra.hydra.config.urls.consent |
URI that will be used for permission checks | https://sso.stackspin.example.net/consent |
hydra.hydra.config.secrets.system |
Secret that is used to generate secure tokens | YouReallyNeedToChangeThis |
oAuthClients |
A list of clients that need to be registered after installation. See Registering clients for more info | user-panel configuration (Change the clientSecret!) |
Registering clients
To use OpenID Connect or oAuth you need to set up an oAuth Client for every
application that needs to authenticate it's users. Setting up a client happens
in two steps: registering the client with single-sign-on, and configuring the
client application.
The oAuthClients variable in values.yaml contains an array of client configurations. For
each of these configurations, a Job will be created during the helm installation that will
do the necessary Hydra API calls to create that client. Note, however, that you still need to
configure your application to be able to use SSO
to log in.
The oAuthClients variable is an array with objects. One object should be made for each
application that will use the SSO server. Each client will also be shown in the user-panel
application, so users know where to find them. This example configures the user-panel
application:
# The name of the oauth client that needs to be the same as the application name in your
# application configuration
clientName: user-panel
# The secret the client uses to authenticate
clientSecret: "YouReallyNeedToChangeThis"
# The url the browser will be redirected to by Hydra when the authentication process is
# completed
redirectUri: "https://admin.stackspin.example.net/callback"
# A list of scopes the client needs access to
scopes: "openid profile email stackspin_roles"
# A url that is displayed in the user-panel for the user to navigate to the application
clientUri: "https://admin.stackspin.example.net"
# Point to a logo for the application that will be displayed in the user-panel
clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
# Set the method that the oAUth client uses to authenticate agains the oAuth server i.e. to
# retrieve tokens or userinfo
tokenEndpointAuthMethod: "client_secret_basic"
# Resource types the client is allowed to use to perform authentication and userinfo requests
responseTypes:
- "token"
# Specifies the methods the client can use to retrieve access tokens from the oAuth server
grantTypes:
- "implicit"Installing and uninstalling the Chart
To install the chart with the realease name single-sign-on first clone the repository,
and then run helm install.
$ git clone https://open.greenhost.net/stackspin/single-sign-on
$ cd single-sign-on/helmchart/single-sign-on/
$ helm install -n single-sign-on .The last command will deploy the single sign-on components on your server and applies a default configuration. You should change the default configuration before running the command. The configuration section lists all configuration parameters.
In case you already ran the install command, you can uninstall the deployment by executing:
$ helm list # [OPTIONAL] - Lists all deployed releases
$ helm delete single-sign-on --purgeWARNING: Executing the
deletecommand with thepurgeflag will delete all data that is related to the applications. Don't run this command in a production environment if you are not absolutely sure that you have a restorable backup of your data.