SSO / OAuth2 overhaul

We’ve completely updated our cluster’s Single-Sign-On setup, adding new features and fixing some long-standing bugs. What has changed:

DEX, which we use as the single Identity Service for all authentication within the cluster, has been separated from our Kubesignin deployment. This allows us to do more granular deployments and update each component separately (e.g. Kubesignin is not used for EKS clusters). We’re using the upstream chart to deploy the latest version of DEX (2.17.0).

Previously we deployed a separate Keycloak proxy per dashboard (Kubernetes, Prometheus, Grafana, …) to provide an authentication layer. This has now been simplified and we’re using a single oauth2_proxy deployment to provide the necessary authentication via DEX.

Grafana has its own authentication system, so instead of going through the oauth2_proxy, it connects directly to DEX.
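To illustrate how the three pieces above fit together, here is an added example of a DEX configuration (not our actual cluster config) that registers the GitHub connector plus one static client for oauth2_proxy and one for Grafana. Hostnames, client IDs and secrets are placeholders.

```yaml
# Added example DEX (2.x) config: one identity service, two clients.
# All hosts, IDs and secrets below are placeholders, not real values.
issuer: https://dex.example.internal

storage:
  type: kubernetes          # store sessions/refresh tokens as CRDs in-cluster
  config:
    inCluster: true

web:
  http: 0.0.0.0:5556

# Upstream identity provider. Swap this block for gitlab/bitbucket-cloud
# etc. to use another connector; the clients below stay unchanged.
connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID          # placeholder, read from env
      clientSecret: $GITHUB_CLIENT_SECRET  # placeholder, read from env
      redirectURI: https://dex.example.internal/callback
      orgs:
        - name: example-org              # restrict login to one GitHub org

staticClients:
  # Single oauth2_proxy instance fronting the Kubernetes, Prometheus and
  # other dashboards. It only needs its own callback registered here.
  - id: oauth2-proxy
    name: oauth2_proxy
    secret: $OAUTH2_PROXY_CLIENT_SECRET    # placeholder
    redirectURIs:
      - https://auth.example.internal/oauth2/callback

  # Grafana talks to DEX directly with its generic OAuth login, so it is
  # registered as a second client rather than sitting behind oauth2_proxy.
  - id: grafana
    name: Grafana
    secret: $GRAFANA_CLIENT_SECRET         # placeholder
    redirectURIs:
      - https://grafana.example.internal/login/generic_oauth

expiry:
  idTokens: 24h    # access/ID token lifetime; refresh tokens outlive it

oauth2:
  skipApprovalScreen: true
```

DEX only issues a refresh token when a client requests the `offline_access` scope, so both clients must include it for the "no re-login when the access token expires" behaviour to work.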

As a result of these changes, we have the following benefits:

  • Other DEX connectors can be configured besides the default GitHub one we offered before. Let us know if you want to use, for example, GitLab or BitBucket to authenticate. Supported connectors are listed here: https://github.com/dexidp/dex#connectors
  • Refresh tokens are properly handled, so once logged in you shouldn’t be asked to log in again when your access token expires. This means, for example, that you can leave a dashboard running to display useful information in the office.
  • Total resource usage of the SSO system has been reduced.

Actions to take

At the time of writing, customer clusters have not been updated yet. This is a breaking change: during the upgrade it won’t be possible to properly authenticate as a user, so kubectl and the dashboards will be unavailable for an estimated ~30 minutes.

As usual we’ll start by updating staging clusters first, to get a better view of how long the actual upgrade process takes. We’ll contact each customer before the rollout to keep interruptions as minimal as possible.