How to configure SSO for temporal in helm chart

How do you pass the web config using Helm? It seems like there is a Helm misconfiguration?

@ruslan here (GitHub - temporalio/web: Temporal Web UI) we have the config for a local setup, and I searched but can't find the Helm chart supporting files for the web config.
Can you please point me to the web config for using Helm?

@Harshwardhan_Kakra follow-up

I've asked a few folks who know the Helm chart better; they might have a response here.
Also, since this is a Helm charts question, I would expect the Helm documentation to describe how to pass files. This might unblock you.

@Ruslan thank you kindly, please provide us with it as soon as possible.

I have found this as an example: here is how a similar file mounting is done, but for the Temporal server configuration:

As for Web, you can follow the above: create a config file with your SSO values and mount it at the deploy step.
Also, if you are willing to contribute, it would be great if you sent a PR for the Web Helm charts.
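As an added illustration of the "write a config file and mount it at deploy time" approach described above (this is not code from the thread, from temporalio/web, or from the Temporal Helm charts): a Secret carrying the Web UI's config.yml, plus the parts of a web Deployment template that mount it. The file is mounted from a Secret rather than a ConfigMap because the OIDC provider entry normally carries a client secret. Everything except auth.enabled, auth.providers.label, config.yml and TEMPORAL_PERMIT_WRITE_API (which appear in the thread) is an assumption: the template file names, the `temporal.fullname` helper, the .Values.web.image.tag path, the mount path /usr/app/server/config.yml, and the other provider keys (type, issuer, client_id, client_secret, scope, callback_base_uri). Verify them against the README of the temporalio/web version you deploy.

```yaml
# Added example; not part of the thread or of the Temporal Helm charts.
# templates/web-config-secret.yaml (template and helper names are assumptions)
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "temporal.fullname" . }}-web-config
type: Opaque
stringData:
  # The whole file the Web UI reads; a ConfigMap (as used in the thread) mounts the
  # same way but exposes client_secret to anyone who can read ConfigMaps.
  config.yml: |
    auth:
      enabled: true
      providers:
        - label: "Company SSO"              # singular "label", as corrected later in the thread
          type: oidc                        # provider keys are assumptions; check the Web README
          issuer: https://IDP_ISSUER_PLACEHOLDER/
          client_id: CLIENT_ID_PLACEHOLDER
          client_secret: CLIENT_SECRET_PLACEHOLDER
          scope: openid profile email
          callback_base_uri: https://TEMPORAL_WEB_HOST_PLACEHOLDER
---
# templates/web-deployment.yaml (excerpt; only the parts that carry the config)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "temporal.fullname" . }}-web
spec:
  template:
    metadata:
      annotations:
        # Changing the Secret changes this hash, which forces a rollout; without it a
        # subPath mount keeps serving the old file to already-running pods.
        checksum/web-config: {{ include (print $.Template.BasePath "/web-config-secret.yaml") . | sha256sum }}
    spec:
      containers:
        - name: temporal-web
          image: temporalio/web:{{ .Values.web.image.tag }}   # values path is an assumption
          env:
            # Mentioned later in the thread: blocks write operations (e.g. Terminate) from the UI.
            # Defence in depth only; the server itself still has to be secured.
            - name: TEMPORAL_PERMIT_WRITE_API
              value: "false"
          volumeMounts:
            - name: web-config
              mountPath: /usr/app/server/config.yml   # path is an assumption; check the image's app dir
              subPath: config.yml
              readOnly: true
      volumes:
        - name: web-config
          secret:
            secretName: {{ include "temporal.fullname" . }}-web-config
```

To check the mount rather than guess, run `kubectl exec <web-pod> -- cat /usr/app/server/config.yml` (with the path you actually used) and compare it with what you rendered; if the file is present and correct but the UI still does not redirect, the next thing to read is the container log from `kubectl logs <web-pod>`, which is what the later part of this thread turns to.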

@Ruslan let us try to finish and will definitely contribute.


Hi @Ruslan, actually we tried this way but it's not working. Can you suggest some other way?

Could you elaborate on "not working"? Do you mean changing the Helm configuration to provide a config to Temporal Web didn't work for you? Does it not create a config file, or does it create one but not pass it to the Web?

Also, by "another way to configure", do you mean using Helm in a way that is not exactly similar to how it is done with the Temporal config (How to configure SSO for temporal in helm chart - #23 by Ruslan)?

@Ruslan

Web-config.yaml

Values.yaml

Web-deployment.yaml

@ruslan actually we tried with this but SSO is still not working. Can you please tell us any other way, rather than SSO, to secure the Temporal Web UI using Helm?

Yeah, the values are passing through the ConfigMap and it's getting mounted too, but SSO is not working.

@ruslan can you please help us to resolve this issue?

To summarize:

  • when you provide Auth configs and spin up the Web UI locally, SSO does work, right?
  • when deploying using the Helm charts, you are sure that the config is being mounted?
  • however, the SSO in this case doesn't work?

Could you describe in more detail what you mean by "doesn't work":

  • does the Web automatically redirect you to the SSO page?
    • If it does redirect, then it seems the config was mounted and 'auth.enabled' was read.
  • if it does redirect and you then follow the SSO login button, what happens then?
  • what logs do you see in the Web's container?

Btw, it seems there is a misspelling in one of the config values: auth.providers.labels → auth.providers.label (singular).

@ruslan

  1. SSO works locally.

  2. Yes, when deploying using the Helm charts, we are sure that the config is being mounted.

  3. SSO is not working.

  4. The Web does not automatically redirect us to the SSO page.

  5. Tried changing this to label [auth.providers.label], still the same issue.

@Ruslan kindly also tell us whether there is any other way that we can secure the Temporal Web UI which is running in the cluster.

It seems either the config.yml file is not being found or its contents are not being read.

I'm thinking of adding more logs so that when the Web starts up it clearly tells what is going on, e.g. whether a config.yml file is found, and logging the contents of config.yml so you can verify whether your values are passed, etc.

I can then send a docker image with a commit tag so you could check out what exactly the issue is from the Web logs. Does this sound good to you?

There is a quick way to disable write operations performed from the UI (though for proper security the server itself needs to be secured). To disable write operations (and also remove e.g. the Terminate button), you can set TEMPORAL_PERMIT_WRITE_API to false. Any users that have access to the Web will still be able to read the data though, just not terminate using the UI.

If you mean another way to configure auth, config.yml is the only way to configure it.

@Ruslan
I can then send a docker image with a commit tag so you could check out what exactly the issue is from the Web logs. Does this sound good to you?

Yes, please send the Docker image with the commit tag, which we can use for testing purposes.
Also, can you let us know whether nginx-based authentication will work in either case?