Configure Okta authentication
Kloudfuse supports Okta integrations for customers who use it for authorization. To enable SSO with Okta, follow these steps:
Set up Okta account
Follow the directions in the OAuth2 Proxy documentation for OpenID Connect Provider > Okta.
Create a config map specification
In the kfuse namespace, create a config map specification.
Be sure to replace the DNS host and account values, and note the ConfigMap name.
apiVersion: v1
data:
  oauth2_proxy.cfg: |
    custom_templates_dir = "/data/custom-templates"
    display_htpasswd_form = "true"
    email_domains = [ "*" ]
    cookie_secure = "true"
    provider = "oidc"
    redirect_url = "https://<REPLACE_DNS_HOST>/oauth2/callback"
    oidc_issuer_url = "https://<REPLACE_OKTA_ACCOUNT_ID>.okta.com/oauth2/default"
kind: ConfigMap
metadata:
  annotations:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: kfuse-auth-okta-config
Create kfuse-auth-okta secret
Generate a cookie secret:
python3 -c 'import base64,secrets,string; print(base64.b64encode(bytes("".join(secrets.choice(string.ascii_letters + string.punctuation + string.digits) for i in range(32)), "utf-8")).decode())'
In the kfuse namespace, create a kfuse-auth-okta secret.
Use base64-encoded values of client id and client secret.
apiVersion: v1
data:
  client-secret: <base 64 encoded client secret>
  client-id: <base 64 encoded client id>
  cookie-secret: <base 64 encoded cookie secret>
kind: Secret
metadata:
  name: kfuse-auth-okta
type: Opaque
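The secret-creation steps above as one script that encodes the values and renders the manifest; this is an added example, not Kloudfuse's own tooling. The helper names and sample values are constructed for illustration, and it assumes the generator's output (already base64) is placed in cookie-secret as-is.

```shell
#!/bin/sh
# Added example: render the kfuse-auth-okta Secret from plaintext Okta values.
# b64, decoded_len and render_secret are hypothetical helper names.

# Base64-encode a value exactly. printf '%s' avoids the trailing newline that
# `echo value | base64` would bake into the stored credential.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Number of bytes a base64 string decodes to.
decoded_len() { printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '; }

# render_secret CLIENT_ID CLIENT_SECRET COOKIE_SECRET_B64
# Assumption: COOKIE_SECRET_B64 is the output of the page's python3 generator,
# which is already base64 and decodes to 32 bytes, so it is used as-is.
render_secret() {
  if [ "$(decoded_len "$3")" != "32" ]; then
    echo "cookie secret must decode to 32 bytes" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
data:
  client-secret: $(b64 "$2")
  client-id: $(b64 "$1")
  cookie-secret: $3
kind: Secret
metadata:
  name: kfuse-auth-okta
type: Opaque
EOF
}

# Constructed sample values, for demonstration only (not real credentials).
SAMPLE_COOKIE=$(b64 "0123456789abcdef0123456789abcdef")
render_secret "sample-client-id" "sample-client-secret" "$SAMPLE_COOKIE"
# Real use: render_secret "$ID" "$SECRET" "$COOKIE" | kubectl apply -n kfuse -f -
```

Passing the values through `printf '%s'` matters because a newline encoded into client-id or client-secret makes Okta reject the credentials even though the manifest applies cleanly.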