Open
Labels: documentation (Improvements or additions to documentation)
Description
For instance, Okta.
I have this ingress group setup for the AWS Load Balancer Controller, which is handy to allow OIDC authentication directly to the Atlantis load balancer.
One `Ingress` for the webhooks, part of a single `IngressGroup`
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # only needed if using a group
    alb.ingress.kubernetes.io/group.name: atlantis
    alb.ingress.kubernetes.io/group.order: "1"
    # These are all needed
    alb.ingress.kubernetes.io/actions.github-ipv4-webhooks: '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}'
    alb.ingress.kubernetes.io/actions.github-ipv6-webhooks: '{"forwardConfig":{"targetGroups":[{"serviceName":"atlantis","servicePort":"4141","weight":100}]},"type":"forward"}'
    alb.ingress.kubernetes.io/certificate-arn: <snip>
    alb.ingress.kubernetes.io/conditions.github-ipv4-webhooks: '[{"field":"source-ip","sourceIpConfig":{"values":["192.30.252.0/22","185.199.108.0/22","140.82.112.0/20","143.55.64.0/20"]}}]'
    alb.ingress.kubernetes.io/conditions.github-ipv6-webhooks: '[{"field":"source-ip","sourceIpConfig":{"values":["2a0a:a440::/29","2606:50c0::/32"]}}]'
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    external-dns.alpha.kubernetes.io/hostname: atlantis.org.com
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2024-01-12T18:06:03Z"
  finalizers:
  - group.ingress.k8s.aws/atlantis
  generation: 1
  name: atlantis-webhooks
  namespace: atlantis
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: github-ipv4-webhooks
            port:
              name: use-annotation
        pathType: ImplementationSpecific
  - http:
      paths:
      - backend:
          service:
            name: github-ipv6-webhooks
            port:
              name: use-annotation
        pathType: ImplementationSpecific
```

One `Ingress` for oidc, part of a single `IngressGroup`
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # only needed if using a group
    alb.ingress.kubernetes.io/group.name: atlantis
    alb.ingress.kubernetes.io/group.order: "2"
    # These are all needed
    alb.ingress.kubernetes.io/auth-idp-oidc: '{"authorizationEndpoint":"https://org.okta.com/oauth2/v1/authorize","issuer":"https://org.okta.com","secretName":"atlantis-oidc","tokenEndpoint":"https://org.okta.com/oauth2/v1/token","userInfoEndpoint":"https://org.okta.com/oauth2/v1/userinfo"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
    alb.ingress.kubernetes.io/auth-scope: openid profile
    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
    alb.ingress.kubernetes.io/auth-session-timeout: "86400"
    alb.ingress.kubernetes.io/auth-type: oidc
    alb.ingress.kubernetes.io/certificate-arn: <snip>
    alb.ingress.kubernetes.io/inbound-cidrs: 0.0.0.0/0
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    external-dns.alpha.kubernetes.io/hostname: atlantis.org.com
    kubernetes.io/ingress.class: alb
  creationTimestamp: "2024-01-12T18:11:42Z"
  finalizers:
  - group.ingress.k8s.aws/atlantis
  generation: 2
  name: atlantis-oidc
  namespace: default
spec:
  defaultBackend:
    service:
      name: atlantis
      port:
        number: 4141
```

Hope that helps someone in the future
dev-robustintelligence
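A small audit model of the two-`Ingress` group above, added here as an example (not code from the issue author or the Atlantis project): it parses the `conditions.*` annotations and reports whether a client address is forwarded by a webhook rule without OIDC or falls through to the OIDC `Ingress`. The function names and the `oidc-authenticate` label are assumptions, and only `source-ip` conditions are modelled.

```python
import ipaddress
import json

# Annotation values copied from the atlantis-webhooks Ingress above.
PREFIX = "alb.ingress.kubernetes.io/conditions."
WEBHOOK_ANNOTATIONS = {
    PREFIX + "github-ipv4-webhooks": '[{"field":"source-ip","sourceIpConfig":{"values":["192.30.252.0/22","185.199.108.0/22","140.82.112.0/20","143.55.64.0/20"]}}]',
    PREFIX + "github-ipv6-webhooks": '[{"field":"source-ip","sourceIpConfig":{"values":["2a0a:a440::/29","2606:50c0::/32"]}}]',
}


def source_ip_rules(annotations):
    """Return {action name: [ip_network, ...]} from the conditions.* annotations."""
    rules = {}
    for key, raw in annotations.items():
        if not key.startswith(PREFIX):
            continue
        nets = []
        for cond in json.loads(raw):
            if cond.get("field") == "source-ip":
                nets += [ipaddress.ip_network(v) for v in cond["sourceIpConfig"]["values"]]
        rules[key[len(PREFIX):]] = nets
    return rules


def route(client_ip, rules):
    """Model the group: order "1" webhook rules first, then the order "2" OIDC default."""
    addr = ipaddress.ip_address(client_ip)
    for action, nets in rules.items():
        # No source-ip condition means the rule matches every client.
        # Membership across IP versions is simply False, so v4 and v6 rules coexist.
        if not nets or any(addr in net for net in nets):
            return action          # forwarded to atlantis:4141 without OIDC
    return "oidc-authenticate"     # falls through to the atlantis-oidc Ingress


def open_to_world(rules):
    """Audit check: actions with no source-ip restriction or with a /0 range."""
    return [a for a, nets in rules.items()
            if not nets or any(n.prefixlen == 0 for n in nets)]


if __name__ == "__main__":
    parsed = source_ip_rules(WEBHOOK_ANNOTATIONS)
    for ip in ("140.82.115.10", "2606:50c0:8000::153", "203.0.113.7"):  # constructed samples
        print(ip, "->", route(ip, parsed))
    print("unrestricted actions:", open_to_world(parsed))
```
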