How to configure SSO for temporal in helm chart

Community Support
21

i’ve asked few folks who know better about helm chart, might have a response here.
Also since this is a helm charts question, i would expect helm documentation to describe how to pass files. This might unblock you

22

@Ruslan thank you kindly please provide us as soon as possible.

23

have found out about this as an example: here is how a similar file mounting is done but for temporal server configuration:

As for Web, you can follow the above, create a config file with your SSO values and mount them at the deploy step.
Also if you are willing to contribute, would be great if you send a PR for the Web helm charts

24

@Ruslan let us try to finish and will definitely contribute.

1 Like
25

Hi @Ruslan actually we tried with way but it’s not working actually. Can you suggest some other way.

26

could you elaborate on not working, do you mean changing the helm configuration to provide a config to temporal web didn’t work for you? It doesn’t create a config file, or it creates though doesn’t pass to the web?

Also, by another way to configure, do you mean to use helm through not exactly a similar way to how it is done with temporal config How to configure SSO for temporal in helm chart - #23 by Ruslan ?

27

@Ruslan

Web-config.yaml

IMG-20211005-WA0006
IMG-20211005-WA00061170×671 86 KB

Values.yaml

IMG-20211005-WA0009
IMG-20211005-WA0009893×388 38.3 KB

28

Web-deployment.yaml

IMG-20211005-WA0007
IMG-20211005-WA00071319×378 42.8 KB

29

@ruslan actually we tried with this but still sso is not working can u please tell us any other way rather than Sso to secure temporal web UI using helm

30

Yeah the values are passing through the config map and it’s getting mounted also but sso not working

IMG-20211005-WA0015
IMG-20211005-WA00151280×719 74.6 KB

31

@ruslan can u please help us to resolve this issue.

32

to summarize:

  • when you provide Auth configs and spin up Web UI locally, SSO does work right
  • when deploying using Helm Charts, you are sure that the config is being mounted?
  • however the SSO in this case doesn’t work?

Could you describe in more details what you mean by doesn’t work

  • does the Web automatically redirect you to the SSO page?
    • If it does redirect, then the config seems was mounted and the ‘auth.enabled’ was read.
  • if it does redirect and you then follow the SSO login button, what happens then?
  • what logs do you see in the Web’s container?

Btw seems there is a misspelling in one of the config values. auth.providers.labelsauth.providers.label (singular)

33

@ruslan

  1. SSo works locally

  2. Yes when deploying using Helm Charts, you are sure that the config is being mounted.

  3. SSo not working

  4. Web do not automatically redirect us to the SSO page.

  5. Tried changing this to lable [ auth.providers.label] still same issue

34

@Ruslan kindly also tell us is there any other way that we can secure the temporal web UI which is running in cluster

35

seems either the config.yml file is not being found or the contents not read

I’m thinking to add more logs so that when the Web starts up it clearly tells what is going on. E.g whether a config.yml file is found? Log the contents of the config.yml so you can verify your values are passed or not etc

I can then send a docker image with a commit tag so you could check out what exactly the issue is from the Web logs. Does this sound good to you?

36

There is a quick way to disable write operations performed from the UI (though for proper security the server itself needs to be secured). To disable write operations (and also remove eg. Terminate button), you can set TEMPORAL_PERMIT_WRITE_API to false. Any users that have access to the Web will still be able to read the data though, just not terminate using the UI

if you mean another way to configure auth, config.yml is the only way to configure it

37

@Ruslan
I can then send a docker image with a commit tag so you could check out what exactly the issue is from the Web logs. Does this sound good to you?

Yes please send the docker image with commit tag which we can use for testing purpose.
Also, can you let us know that nginx based authentication will work in either case.

38

opened a PR with a change. Once it is in the docker image is going to be available

39

Hi Ruslan

Actually now the Sso config is working thanks for your guidance soon we will contribute.

2 Likes
40

@Ruslan the SSO is working now
Thank you so much for support.

1 Like