SingleSignOn Config
SingleSignOnConfig defines the single sign-on (SSO) configuration of a Kalm cluster.
A typical SingleSignOnConfig for a Kalm-Cloud cluster looks as follows:
```yaml
apiVersion: core.kalm.dev/v1alpha1
kind: SingleSignOnConfig
metadata:
  name: sso
  namespace: kalm-system
spec:
  domain: foobar.kalm.dev
  idTokenExpirySeconds: 300
  issuer: https://kalm.dev/oidc
  issuerClientId: W67pe2..LQ01wf1p
  issuerClientSecret: -oR5lZmbgERGz9F2..YQYE0J561mRYQ
```
It points the cluster at an external OIDC provider by setting issuer to https://kalm.dev/oidc, and supplies the client ID and client secret registered with that provider in issuerClientId and issuerClientSecret; ID tokens are accepted for 300 seconds (idTokenExpirySeconds). Note that issuerClientSecret is stored in plain text inside the resource, so restrict read access to SingleSignOnConfig objects in kalm-system with RBAC just as you would for a Secret, and rotate the secret if the object is ever exposed.
SingleSignOnConfig
| Name | Type | Description | Required |
|---|---|---|---|
| issuer | string | Base path of Dex and the external name of the OpenID Connect service. | At least one of issuer and domain must be set. |
| jwksUri | string | JWKS endpoint used to verify JWT tokens. | False |
| domain | string | Domain of the Kalm Dex OIDC provider. | At least one of issuer and domain must be set. |
| useHttp | bool | The default scheme is https; set this flag to switch to http. Only suitable for local testing, since tokens and credentials then travel in the clear. | False |
| port | *int | Port of the Kalm Dex OIDC provider. | False |
| showApproveScreen | bool | Show the Dex approval (consent) screen after login. | False |
| alwaysShowLoginScreen | bool | Always show the Dex login screen, even when only one connector is configured. | False |
| connectors | DexConnector[] | Dex connector configs. | At least one of connectors and temporaryUser must be set. |
| temporaryUser | *TemporaryDexUser | Temporary Dex user, mainly used to bootstrap a Kalm installation before a connector is working. | At least one of connectors and temporaryUser must be set. |
| externalEnvoyExtAuthz | *ExtAuthzEndpoint | Create a ServiceEntry when the ext_authz service runs outside the Istio mesh. | False |
| idTokenExpirySeconds | *uint32 | Expiry of the ID token, in seconds. | False |
DexConnector
| Name | Type | Description | Required |
|---|---|---|---|
| type | string | Type of connector; currently supported: github and gitlab. | True |
| id | string | ID of the Dex connector. | True |
| name | string | Display name of the Dex connector. | True |
| config | *runtime.RawExtension | Config for the Dex connector, passed through as raw JSON/YAML. | True |
TemporaryDexUser
| Name | Type | Description | Required |
|---|---|---|---|
| username | string | Login name of the temporary user. | True |
| passowrdHash | string | bcrypt hash of the password. | True |
| userId | string | Unique ID of the temporary user. | True |
| | string | | True |
ExtAuthzEndpoint
| Name | Type | Description | Required |
|---|---|---|---|
| host | string | host of endpoint | True |
| port | int | port of endpoint | True |
| scheme | string | http or https | True |
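A complete self-hosted configuration that exercises all four tables above, added here as an illustration and not taken from the Kalm project. The domain, the GitHub OAuth values, the ext_authz endpoint, the bcrypt command and the assumption that `config` is handed to Dex unchanged in the schema of Dex's github connector are all mine:

```yaml
apiVersion: core.kalm.dev/v1alpha1
kind: SingleSignOnConfig
metadata:
  name: sso
  namespace: kalm-system
spec:
  # Self-hosted Dex: domain is set instead of issuer (at least one of the two is required).
  domain: sso.example.com        # assumption: a DNS name you control that resolves to the cluster ingress
  useHttp: false                 # keep https; http only belongs in a throwaway local setup
  idTokenExpirySeconds: 300
  alwaysShowLoginScreen: true    # show the login screen even though only one connector is configured
  showApproveScreen: false

  # A GitHub connector. `config` is a runtime.RawExtension, so it is assumed to reach Dex
  # as-is and therefore follows Dex's github connector schema.
  connectors:
    - type: github
      id: github
      name: GitHub
      config:
        clientID: 0123456789abcdef0123                    # constructed placeholder; your GitHub OAuth app's client ID
        clientSecret: 0123456789abcdef0123456789abcdef    # constructed placeholder; stored in plain text, so guard and rotate it
        redirectURI: https://sso.example.com/dex/callback # assumption: Dex is served under /dex on the domain
        orgs:
          - name: example-org                             # restrict logins to members of this org ...
            teams:
              - platform                                  # ... and, optionally, of these teams

  # Bootstrap account for the time before the connector works. Remove it once SSO logins succeed.
  # Keys are spelled as in the TemporaryDexUser table above; that table lists a fourth required
  # string field whose name is missing from this page, so supply it as well.
  temporaryUser:
    username: admin
    userId: 08a8684b-db88-4b73-90a9-3cd1661f5466          # constructed; any stable unique ID
    passowrdHash: "$2y$10$..."                            # bcrypt hash, e.g. from: htpasswd -BnC 10 admin | cut -d: -f2

  # Only needed when the ext_authz service runs outside the Istio mesh.
  externalEnvoyExtAuthz:
    host: ext-authz.example.internal                      # assumption
    port: 8443
    scheme: https
```

Before applying it, check the two "at least one of" constraints from the tables (issuer/domain, connectors/temporaryUser), and treat the object like a Secret: it carries the connector client secret and a password hash, so limit who can read SingleSignOnConfig in kalm-system.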