Document OIDC settings for popular IDPs #346
Comments
Great resource, thank you @nitrocode for putting this together. One caveat, the service template today doesn't allow for port names and will error on usage of a string (i.e

Good call @ri-roee. If you have a better working configuration, please post it because I have a feeling I may run into that same issue soon.
Not a great workaround but I basically took your code and converted it into a `kubernetes_ingress_v1` resource:

```hcl
resource "kubernetes_ingress_v1" "webhook_ingress" {
  metadata {
    name      = "atlantis-webhook"
    namespace = local.atlantis_ns
    annotations = {
      # Two named ALB actions, both forwarding to the atlantis Service on port 80
      "alb.ingress.kubernetes.io/actions.github-ipv4-webhooks" = "{\"forwardConfig\":{\"targetGroups\":[{\"serviceName\":\"atlantis\",\"servicePort\":\"80\",\"weight\":100}]},\"type\":\"forward\"}"
      "alb.ingress.kubernetes.io/actions.github-ipv6-webhooks" = "{\"forwardConfig\":{\"targetGroups\":[{\"serviceName\":\"atlantis\",\"servicePort\":\"80\",\"weight\":100}]},\"type\":\"forward\"}"
      "alb.ingress.kubernetes.io/certificate-arn"              = "<cert-here>"
      # Source-IP conditions: only GitHub's published webhook ranges reach these actions
      "alb.ingress.kubernetes.io/conditions.github-ipv4-webhooks" = "[{\"field\":\"source-ip\",\"sourceIpConfig\":{\"values\":[\"192.30.252.0/22\",\"185.199.108.0/22\",\"140.82.112.0/20\",\"143.55.64.0/20\"]}}]"
      "alb.ingress.kubernetes.io/conditions.github-ipv6-webhooks" = "[{\"field\":\"source-ip\",\"sourceIpConfig\":{\"values\":[\"2a0a:a440::/29\",\"2606:50c0::/32\"]}}]"
      "alb.ingress.kubernetes.io/group.name"                  = "atlantis"
      "alb.ingress.kubernetes.io/group.order"                 = "1"
      "alb.ingress.kubernetes.io/scheme"                      = "internet-facing"
      "alb.ingress.kubernetes.io/ssl-redirect"                = "443"
      "alb.ingress.kubernetes.io/target-type"                 = "ip"
      "external-dns.alpha.kubernetes.io/hostname"             = "<domain here>"
      "kubernetes.io/ingress.class"                           = "alb"
    }
  }

  spec {
    rule {
      http {
        # The backend service names refer to the annotation-defined actions above,
        # so the port must be the literal name "use-annotation"
        path {
          backend {
            service {
              name = "github-ipv4-webhooks"
              port {
                name = "use-annotation"
              }
            }
          }
          path_type = "ImplementationSpecific"
        }
        path {
          backend {
            service {
              name = "github-ipv6-webhooks"
              port {
                name = "use-annotation"
              }
            }
          }
          path_type = "ImplementationSpecific"
        }
      }
    }
  }
}
```
For instance, Okta.

I have this ingress group setup for the AWS Load Balancer Controller, which is handy to allow OIDC authentication directly to the Atlantis load balancer:

- One `Ingress` for the webhooks, part of a single `IngressGroup`
- One `Ingress` for OIDC, part of a single `IngressGroup`

Hope that helps someone in the future.
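The OIDC half of that two-Ingress group, as an added example in the same Terraform style (not code from the issue thread or from the project). The Okta URLs, certificate ARN, secret name and `var.*` inputs are placeholders and assumptions; `local.atlantis_ns` and the `atlantis` Service are taken from the webhook ingress posted above.

```hcl
# Client credentials live in a Secret the ALB controller reads by name;
# it expects the keys clientID and clientSecret (assumption: controller v2.x).
resource "kubernetes_secret_v1" "atlantis_oidc" {
  metadata {
    name      = "atlantis-oidc-client"
    namespace = local.atlantis_ns
  }
  data = {
    clientID     = var.okta_client_id     # placeholder input
    clientSecret = var.okta_client_secret # placeholder input
  }
}

resource "kubernetes_ingress_v1" "ui_ingress" {
  metadata {
    name      = "atlantis-ui"
    namespace = local.atlantis_ns
    annotations = {
      "kubernetes.io/ingress.class"           = "alb"
      "alb.ingress.kubernetes.io/group.name"  = "atlantis"
      # Higher order than the webhook ingress (1): GitHub deliveries match the
      # source-IP rules first and never hit the authentication step.
      "alb.ingress.kubernetes.io/group.order"     = "10"
      "alb.ingress.kubernetes.io/scheme"          = "internet-facing"
      "alb.ingress.kubernetes.io/target-type"     = "ip"
      "alb.ingress.kubernetes.io/ssl-redirect"    = "443"
      "alb.ingress.kubernetes.io/certificate-arn" = "<cert-here>"
      # ALB-native OIDC: unauthenticated browsers are redirected to the IdP.
      "alb.ingress.kubernetes.io/auth-type"                       = "oidc"
      "alb.ingress.kubernetes.io/auth-on-unauthenticated-request" = "authenticate"
      "alb.ingress.kubernetes.io/auth-scope"                      = "openid email"
      "alb.ingress.kubernetes.io/auth-session-timeout"            = "3600"
      # Okta "default" authorization server endpoints; <okta-domain> is a placeholder.
      "alb.ingress.kubernetes.io/auth-idp-oidc" = jsonencode({
        issuer                = "https://<okta-domain>/oauth2/default"
        authorizationEndpoint = "https://<okta-domain>/oauth2/default/v1/authorize"
        tokenEndpoint         = "https://<okta-domain>/oauth2/default/v1/token"
        userInfoEndpoint      = "https://<okta-domain>/oauth2/default/v1/userinfo"
        secretName            = kubernetes_secret_v1.atlantis_oidc.metadata[0].name
      })
    }
  }
  spec {
    rule {
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = "atlantis"
              port { number = 80 }
            }
          }
        }
      }
    }
  }
}
```

Because both resources share `group.name = "atlantis"`, the controller merges them into one ALB: the unauthenticated webhook rules carry the source-IP conditions, and everything else lands on the OIDC-protected UI rule.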