Document OIDC settings for popular IDPs #346

Open
nitrocode opened this issue Jan 12, 2024 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@nitrocode
Member

nitrocode commented Jan 12, 2024

For instance, Okta.

I have this ingress group setup for the AWS Load Balancer Controller, which is handy for allowing OIDC authentication directly at the Atlantis load balancer.

One `Ingress` for the webhooks, part of a single `IngressGroup`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # only needed if using a group
    alb.ingress.kubernetes.io/group.name: atlantis
    alb.ingress.kubernetes.io/group.order: "1"
    # These are all needed
    alb.ingress.kubernetes.io/actions.github-ipv4-webhooks: '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}'
    alb.ingress.kubernetes.io/actions.github-ipv6-webhooks: '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}'
    alb.ingress.kubernetes.io/certificate-arn: <snip>
    alb.ingress.kubernetes.io/conditions.github-ipv4-webhooks: '[{"field":"source-ip","sourceIpConfig":{"values":["192.30.252.0/22","185.199.108.0/22","140.82.112.0/20","143.55.64.0/20"]}}]'
    alb.ingress.kubernetes.io/conditions.github-ipv6-webhooks: '[{"field":"source-ip","sourceIpConfig":{"values":["2a0a:a440::/29","2606:50c0::/32"]}}]'
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    external-dns.alpha.kubernetes.io/hostname: atlantis.org.com
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2024-01-12T18:06:03Z"
  finalizers:
  - group.ingress.k8s.aws/atlantis
  generation: 1
  name: atlantis-webhooks
  namespace: atlantis
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: github-ipv4-webhooks
            port:
              name: use-annotation
        pathType: ImplementationSpecific
  - http:
      paths:
      - backend:
          service:
            name: github-ipv6-webhooks
            port:
              name: use-annotation
        pathType: ImplementationSpecific
```
One `Ingress` for OIDC, part of a single `IngressGroup`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # only needed if using a group
    alb.ingress.kubernetes.io/group.name: atlantis
    alb.ingress.kubernetes.io/group.order: "2"
    # These are all needed
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"authorizationEndpoint":"https://org.okta.com/oauth2/v1/authorize","issuer":"https://org.okta.com","secretName":"atlantis-oidc","tokenEndpoint":"https://org.okta.com/oauth2/v1/token","userInfoEndpoint":"https://org.okta.com/oauth2/v1/userinfo"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-scope: openid profile
    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
    alb.ingress.kubernetes.io/auth-session-timeout: "86400"
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/certificate-arn: <snip>
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    external-dns.alpha.kubernetes.io/hostname: atlantis.org.com
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2024-01-12T18:11:42Z"
  finalizers:
  - group.ingress.k8s.aws/atlantis
  generation: 2
  name: atlantis-oidc
  namespace: default
spec:
  defaultBackend:
    service:
      name: atlantis
      port:
        number: 4141
```

Hope that helps someone in the future.
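The pattern above only stays safe if the webhook `Ingress` is ordered before the OIDC one and every custom `actions.*` annotation on it carries a matching `conditions.*` annotation restricted by `source-ip`; a forward action with no condition matches all traffic and never reaches the OIDC default action. The following is an added example, not code from the issue author or from the Atlantis or AWS Load Balancer Controller projects: a small offline audit that reads the annotations of the two ingresses (copied here as a constructed dict, certificate ARN left out) and reports the mistakes a reviewer would look for. The annotation keys and JSON shapes are the ones used in the comment above; the function names and finding texts are this example's own.

```python
"""Audit the IngressGroup + OIDC annotations shown in the thread (added example)."""
import ipaddress
import json
from urllib.parse import urlparse

PREFIX = "alb.ingress.kubernetes.io/"
ENDPOINT_KEYS = ("authorizationEndpoint", "tokenEndpoint", "userInfoEndpoint")

# Constructed sample input: the annotations of the two ingresses posted above.
WEBHOOK_INGRESS = {
    "name": "atlantis-webhooks",
    "annotations": {
        PREFIX + "group.name": "atlantis",
        PREFIX + "group.order": "1",
        PREFIX + "actions.github-ipv4-webhooks":
            '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}',
        PREFIX + "actions.github-ipv6-webhooks":
            '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}',
        PREFIX + "conditions.github-ipv4-webhooks":
            '[{"field":"source-ip","sourceIpConfig":{"values":["192.30.252.0/22","185.199.108.0/22","140.82.112.0/20","143.55.64.0/20"]}}]',
        PREFIX + "conditions.github-ipv6-webhooks":
            '[{"field":"source-ip","sourceIpConfig":{"values":["2a0a:a440::/29","2606:50c0::/32"]}}]',
    },
}
OIDC_INGRESS = {
    "name": "atlantis-oidc",
    "annotations": {
        PREFIX + "group.name": "atlantis",
        PREFIX + "group.order": "2",
        PREFIX + "auth-type": "oidc",
        PREFIX + "auth-on-unauthenticated-request": "authenticate",
        PREFIX + "auth-idp-oidc":
            '{"authorizationEndpoint":"https://org.okta.com/oauth2/v1/authorize","issuer":"https://org.okta.com","secretName":"atlantis-oidc","tokenEndpoint":"https://org.okta.com/oauth2/v1/token","userInfoEndpoint":"https://org.okta.com/oauth2/v1/userinfo"}',
    },
}


def check_oidc(ing):
    """Findings for an OIDC ingress: complete IdP config, https endpoints on the issuer host."""
    ann, findings = ing["annotations"], []
    if ann.get(PREFIX + "auth-type") != "oidc":
        return findings
    if ann.get(PREFIX + "auth-on-unauthenticated-request") != "authenticate":
        findings.append(f"{ing['name']}: unauthenticated requests are not forced to authenticate")
    try:
        idp = json.loads(ann.get(PREFIX + "auth-idp-oidc", ""))
    except ValueError:
        return findings + [f"{ing['name']}: auth-idp-oidc is missing or not valid JSON"]
    missing = {"issuer", "secretName", *ENDPOINT_KEYS} - idp.keys()
    if missing:
        return findings + [f"{ing['name']}: auth-idp-oidc lacks {sorted(missing)}"]
    issuer_host = urlparse(idp["issuer"]).hostname
    for key in ENDPOINT_KEYS:
        url = urlparse(idp[key])
        if url.scheme != "https" or url.hostname != issuer_host:
            findings.append(f"{ing['name']}: {key} is not an https URL on the issuer host")
    return findings


def check_webhook_conditions(ing):
    """Every custom forward action must be fenced by valid, non-catch-all source-ip conditions."""
    ann, findings = ing["annotations"], []
    for key in ann:
        if not key.startswith(PREFIX + "actions."):
            continue
        action = key[len(PREFIX + "actions."):]
        raw = ann.get(PREFIX + "conditions." + action)
        if raw is None:
            findings.append(f"{ing['name']}: action {action} has no conditions, so it forwards every request past OIDC")
            continue
        source_ip = [c for c in json.loads(raw) if c.get("field") == "source-ip"]
        if not source_ip:
            findings.append(f"{ing['name']}: action {action} is not restricted by source-ip")
        for cond in source_ip:
            for cidr in cond["sourceIpConfig"]["values"]:
                try:
                    net = ipaddress.ip_network(cidr)
                except ValueError:
                    findings.append(f"{ing['name']}: {action} has invalid CIDR {cidr}")
                    continue
                if net.prefixlen == 0:
                    findings.append(f"{ing['name']}: {action} allows all of {cidr}")
    return findings


def check_group_order(ingresses):
    """Lower group.order is evaluated first: the webhook bypass must precede the OIDC ingress."""
    def order(ing):
        return int(ing["annotations"].get(PREFIX + "group.order", "0"))
    oidc = [i for i in ingresses if i["annotations"].get(PREFIX + "auth-type") == "oidc"]
    bypass = [i for i in ingresses if any(k.startswith(PREFIX + "actions.") for k in i["annotations"])]
    return [f"{b['name']} (order {order(b)}) must come before {o['name']} (order {order(o)})"
            for b in bypass for o in oidc if order(b) >= order(o)]


def audit(ingresses):
    """All findings for a group; an empty list means the pattern is wired as intended."""
    findings = []
    for ing in ingresses:
        findings += check_oidc(ing) + check_webhook_conditions(ing)
    return findings + check_group_order(ingresses)


if __name__ == "__main__":
    for line in audit([WEBHOOK_INGRESS, OIDC_INGRESS]) or ["no findings"]:
        print(line)
```

Run it against the live objects by feeding `kubectl get ingress -o json` annotations into the same dict shape; the GitHub webhook CIDRs are not checked against a fixed list here because GitHub publishes and changes them, so compare them with the `hooks` entry of GitHub's meta API as a separate step.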

@GMartinez-Sisti GMartinez-Sisti added the documentation Improvements or additions to documentation label Mar 24, 2024
@ri-roee

ri-roee commented May 1, 2024

Great resource, thank you @nitrocode for putting this together.

One caveat: the service template today doesn't allow port names and will error on usage of a string (i.e. `use-annotation`). The Helm chart needs to be amended to allow this configuration before relevant documentation is added.

@nitrocode
Member Author

Good call @ri-roee. If you have a better working configuration, please post it because I have a feeling I may run into that same issue soon.

@ri-roee

ri-roee commented May 2, 2024

Not a great workaround, but I basically took your code and converted it into a `kubernetes_ingress_v1` TF object:

```hcl
resource "kubernetes_ingress_v1" "webhook_ingress" {
  metadata {
    name      = "atlantis-webhook"
    namespace = local.atlantis_ns
    annotations = {
      "alb.ingress.kubernetes.io/actions.github-ipv4-webhooks"    = "{\"forwardConfig\":{\"targetGroups\":[{\"serviceName\":\"atlantis\",\"servicePort\":\"80\",\"weight\":100}]},\"type\":\"forward\"}"
      "alb.ingress.kubernetes.io/actions.github-ipv6-webhooks"    = "{\"forwardConfig\":{\"targetGroups\":[{\"serviceName\":\"atlantis\",\"servicePort\":\"80\",\"weight\":100}]},\"type\":\"forward\"}"
      "alb.ingress.kubernetes.io/certificate-arn"                 = <cert-here>
      "alb.ingress.kubernetes.io/conditions.github-ipv4-webhooks" = "[{\"field\":\"source-ip\",\"sourceIpConfig\":{\"values\":[\"192.30.252.0/22\",\"185.199.108.0/22\",\"140.82.112.0/20\",\"143.55.64.0/20\"]}}]"
      "alb.ingress.kubernetes.io/conditions.github-ipv6-webhooks" = "[{\"field\":\"source-ip\",\"sourceIpConfig\":{\"values\":[\"2a0a:a440::/29\",\"2606:50c0::/32\"]}}]"
      "alb.ingress.kubernetes.io/group.name"                      = "atlantis"
      "alb.ingress.kubernetes.io/group.order"                     = "1"
      "alb.ingress.kubernetes.io/scheme"                          = "internet-facing"
      "alb.ingress.kubernetes.io/ssl-redirect"                    = "443"
      "alb.ingress.kubernetes.io/target-type"                     = "ip"
      "external-dns.alpha.kubernetes.io/hostname"                 = "<domain here>"
      "kubernetes.io/ingress.class"                               = "alb"
    }
  }

  spec {
    rule {
      http {
        path {
          backend {
            service {
              name = "github-ipv4-webhooks"
              port {
                name = "use-annotation"
              }
            }
          }
          path_type = "ImplementationSpecific"
        }

        path {
          backend {
            service {
              name = "github-ipv6-webhooks"
              port {
                name = "use-annotation"
              }
            }
          }
          path_type = "ImplementationSpecific"
        }
      }
    }
  }
}
```

@nitrocode nitrocode changed the title Document oidc settings for popular idps Document oidc settings for popular IDPs Jun 12, 2024
@nitrocode nitrocode changed the title Document oidc settings for popular IDPs Document OIDC settings for popular IDPs Jun 12, 2024