The Kloudfuse platform supports Okta integration for customers who use Okta-based authorization within their organization. To enable it, follow these steps.

  • Set up the Okta account per https://oauth2-proxy.github.io/oauth2-proxy/docs7.3.x/configuration/oauth_provider/#okta

  • Create a ConfigMap in the kfuse namespace from the following specification, replacing the DNS host and Okta account ID placeholders (note the ConfigMap name, kfuse-auth-okta-config, which the Helm values refer to later):

    Code Block
    apiVersion: v1
    data:
      oauth2_proxy.cfg: |
        custom_templates_dir = "/data/custom-templates"
        display_htpasswd_form = "true"
        email_domains = [ "*" ]
        cookie_secure = "true"
        provider = "oidc"
        redirect_url = "https://<REPLACE_DNS_HOST>/oauth2/callback"
        oidc_issuer_url = "https://<REPLACE_OKTA_ACCOUNT_ID>.okta.com/oauth2/default"
    
    kind: ConfigMap
    metadata:
      annotations:
      labels:
        app.kubernetes.io/managed-by: Helm
      name: kfuse-auth-okta-config
  • Create a Secret called kfuse-auth-okta in the kfuse namespace, using the base64-encoded values of the client ID and client secret from the Okta application set up above. To generate a cookie secret (32 random ASCII characters, printed already base64-encoded for the Secret's data field), run:

    Code Block
    python3 -c 'import secrets,string,base64; print(base64.b64encode(bytes("".join(secrets.choice(string.ascii_letters + string.punctuation + string.digits) for i in range(32)), "utf-8")).decode())'
    Code Block
    apiVersion: v1
    data:
      client-secret: <base 64 encoded client secret>
      client-id: <base 64 encoded client id>
      cookie-secret: <base 64 encoded cookie secret>
    kind: Secret
    metadata:
      name: kfuse-auth-okta
    type: Opaque
  • Update the custom-values.yaml file to include the following, so that kfuse-auth refers to the ConfigMap and Secret created above:

    Code Block
    kfuse-auth:
      oauth2-proxy:
        config:
          existingSecret: "kfuse-auth-okta"
          existingConfig: "kfuse-auth-okta-config"
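The cookie-secret step above is the one that is easy to get subtly wrong: oauth2-proxy uses the decoded cookie secret as an AES key, so it must be exactly 16, 24 or 32 bytes, and the value placed in the Secret's data field must be the base64 encoding of that raw value. The following script is an added example (not Kloudfuse's or oauth2-proxy's own code) that generates the cookie secret with the same alphabet as the one-liner, validates the encoded length before anything is applied, and renders the kfuse-auth-okta Secret manifest; the client ID and client secret values in any call are placeholders for the ones from your Okta application.

```python
import base64
import secrets
import string

# oauth2-proxy uses the cookie secret as an AES key: decoded length must be 16, 24 or 32 bytes.
VALID_COOKIE_SECRET_LENGTHS = {16, 24, 32}
ALPHABET = string.ascii_letters + string.punctuation + string.digits


def generate_cookie_secret(length: int = 32) -> str:
    """Random ASCII cookie secret of `length` bytes, same alphabet as the page's one-liner."""
    if length not in VALID_COOKIE_SECRET_LENGTHS:
        raise ValueError(f"cookie secret must be 16, 24 or 32 bytes, got {length}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def b64(value: str) -> str:
    """Base64-encode a string the way a Kubernetes Secret 'data' field expects."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def check_encoded_cookie_secret(encoded: str) -> bool:
    """True if a base64 'data' value decodes to a length oauth2-proxy will accept."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False
    return len(raw) in VALID_COOKIE_SECRET_LENGTHS


def build_secret_manifest(client_id: str, client_secret: str, cookie_secret: str,
                          name: str = "kfuse-auth-okta") -> dict:
    """Kubernetes Secret (as a dict) with the three base64-encoded keys the page uses."""
    encoded_cookie = b64(cookie_secret)
    if not check_encoded_cookie_secret(encoded_cookie):
        raise ValueError("cookie secret has an invalid length for oauth2-proxy")
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name},
            "data": {"client-id": b64(client_id), "client-secret": b64(client_secret),
                     "cookie-secret": encoded_cookie}}


def render_yaml(manifest: dict) -> str:
    """Minimal YAML rendering (no PyYAML needed) suitable for `kubectl apply -n kfuse -f -`."""
    lines = [f"apiVersion: {manifest['apiVersion']}", "data:"]
    lines += [f"  {k}: {v}" for k, v in manifest["data"].items()]
    lines += [f"kind: {manifest['kind']}", "metadata:",
              f"  name: {manifest['metadata']['name']}", f"type: {manifest['type']}"]
    return "\n".join(lines) + "\n"
```

Pipe the output of `render_yaml(build_secret_manifest(<client id>, <client secret>, generate_cookie_secret()))` into `kubectl apply -n kfuse -f -`; a cookie secret of any other length is rejected before it reaches the cluster.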

...