github.com/caos/orbos@v1.5.14-0.20221103111702-e6cd0cea7ad4/docs/boom/sso-examples.md

# Examples to use SSO

These YAML fragments are only examples; many additional configurations are possible, but they should cover the most common use cases.

First of all, every application needs a DNS record, which can be defined as follows, shown here for Grafana:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    network:
      domain: grafana.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
```

The same for Argo CD:

```yaml
  argocd:
    deploy: true
    network:
      domain: argocd.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
```
    31  
# Grafana

The IDP used for authentication needs a registered client with a clientID and a clientSecret, and also a registered redirectURI. This redirectURI should be *domain-for-grafana*/login/*id*, for example with Google: "https://grafana.example.caos.ch/login/google".

All configuration for SSO is under the "auth" attribute; the domain has to be set correctly so that the redirect works:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    auth:
```
    49  
## Google

When using Google as IDP, there is the possibility to limit the allowed hosted domains:

```yaml
      google:
        existingClientIDSecret:
          name: google-auth
          key: client_id
        existingClientSecretSecret:
          name: google-auth
          key: client_secret
        allowedDomains:
        - caos.ch
```
    65  
## Gitlab

When using GitLab as IDP, there is the possibility to limit the allowed groups:

```yaml
      gitlab:
        existingClientIDSecret:
          name: gitlab-auth
          key: client_id
        existingClientSecretSecret:
          name: gitlab-auth
          key: client_secret
        allowedGroups:
        - caos
```
    81  
## Github

When using GitHub as IDP, there is the possibility to limit the allowed organizations:

```yaml
      github:
        existingClientIDSecret:
          name: github-auth
          key: client_id
        existingClientSecretSecret:
          name: github-auth
          key: client_secret
        allowedOrganizations:
        - caos
```
    97  
## GenericOIDC

To use any generic OIDC provider as IDP:

```yaml
      genericOAuth:
        existingClientIDSecret:
          name: oidc-auth
          key: client_id
        existingClientSecretSecret:
          name: oidc-auth
          key: client_secret
        scopes:
          - openid
          - profile
          - email
        authURL:
        tokenURL:
        apiURL:
        allowedDomains:
          - mycompany.com
          - mycompany.org
```
   121  
# Argocd

The IDP used for authentication needs a registered client with a clientID and a clientSecret, and also a registered redirectURI. This redirectURI is the Dex callback under the Argo CD domain, for example with Google: "https://argocd.example.caos.ch/api/dex/callback".

All configuration for SSO is under the "auth" attribute:

```yaml
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  argocd:
    deploy: true
    auth:
```
   139  
## Google

When using Google as IDP, there is the possibility to limit the allowed hosted domains:

```yaml
      google:
        id: google
        name: google
        config:
          existingClientIDSecret:
            name: google-auth
            key: client_id
          existingClientSecretSecret:
            name: google-auth
            key: client_secret
          hostedDomains:
          - caos.ch
```
   158  
## Gitlab

When using GitLab as IDP, there is the possibility to limit the allowed groups:

```yaml
      gitlab:
        id: gitlab
        name: gitlab
        config:
          existingClientIDSecret:
            name: gitlab-auth
            key: client_id
          existingClientSecretSecret:
            name: gitlab-auth
            key: client_secret
          groups:
          - caos
```
   177  
## Github

When using GitHub as IDP, there is the possibility to limit the allowed organizations:

```yaml
      github:
        id: github
        name: github
        config:
          existingClientIDSecret:
            name: github-auth
            key: client_id
          existingClientSecretSecret:
            name: github-auth
            key: client_secret
          orgs:
          - name: caos
```
   196  
## OIDC

To use any generic OIDC provider as IDP:

```yaml
      oidc:
        Name: unique
        Issuer: test
        existingClientIDSecret:
          name: oidc-auth
          key: client_id
        existingClientSecretSecret:
          name: oidc-auth
          key: client_secret
        RequestedScopes:
          - openid
          - profile
          - email
        # optional
        RequestedIDTokenClaims:
          groups:
            essential: true
```
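The fragments in the Grafana and Argocd sections above are shown in isolation; the following is an added example (not from the orbos repository) that assembles them into one complete Toolset together with the Kubernetes Secret that `existingClientIDSecret` and `existingClientSecretSecret` point to, so the OAuth credentials never appear in the Toolset itself. The Secret name `google-auth`, its key names and the placeholder values are assumptions of this example, and both applications reuse the same Secret only for brevity.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: google-auth
  namespace: caos-system
stringData:                 # placeholder values, constructed for this example
  client_id: "<google-oauth-client-id>"
  client_secret: "<google-oauth-client-secret>"
---
apiVersion: boom.caos.ch/v1beta1
kind: Toolset
metadata:
  name: caos
  namespace: caos-system
spec:
  grafana:
    deploy: true
    network:                # redirect URI registered at Google: https://grafana.example.caos.ch/login/google
      domain: grafana.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
    auth:
      google:
        existingClientIDSecret: {name: google-auth, key: client_id}
        existingClientSecretSecret: {name: google-auth, key: client_secret}
        allowedDomains:     # only accounts of this hosted domain may log in
        - caos.ch
  argocd:
    deploy: true
    network:                # redirect URI registered at Google: https://argocd.example.caos.ch/api/dex/callback
      domain: argocd.example.caos.ch
      email: "hi@caos.ch"
      acmeAuthority: "https://acme-staging-v02.api.letsencrypt.org/directory"
    auth:
      google:               # Argo CD nests the IDP settings one level deeper, under config
        id: google
        name: google
        config:
          existingClientIDSecret: {name: google-auth, key: client_id}
          existingClientSecretSecret: {name: google-auth, key: client_secret}
          hostedDomains:
          - caos.ch
```

The `key:` values in the Toolset must match the key names in the Secret's `stringData` exactly, and each `domain` must be the same host that was registered as redirect URI at the IDP.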