Issuer URI

Before you can apply an AuthServer you need an issuer URI. This issuer URI is the entry point for its clients and their end-users. It needs to be reachable by clients, end-users and the AppSSO operator. Therefore, we need to configure a Service and a form of ingress for the AuthServer to receive traffic.

It is essential to configure Ingress with HTTPS. An authorization server is a critical piece of your security. Using plain HTTP is discouraged.

🙇🏻‍ This section benefits from your input. Please, share feedback in our Slack channel #app-sso.

Configure a Service for AuthServer

The Service for an AuthServer must select the authorization server’s Deployment and configure ports as follows:

---
apiVersion: v1
kind: Service
metadata:
  name: my-authserver # please, edit
  namespace: authservers # please, edit
spec:
  selector:
    app.kubernetes.io/part-of: my-authserver # replace this with your AuthServer's name
    app.kubernetes.io/component: authorization-server
  ports:
    - port: 80
      targetPort: 8080

Once you have configured ingress with HTTPS for this Service, you should have an issuer URI you can use for your AuthServer:

spec:
  issuerURI: https://my-authserver.my-domain

If everything goes well, the IssuerURIReady condition in AuthServer.status.conditions will have status: "True". If not, it will tell you why.
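
As an added example that is not part of the original documentation, one way to provide HTTPS ingress for the Service above is a Kubernetes Ingress that terminates TLS. The ingress class and the TLS Secret name my-authserver-tls are assumptions; the host must be the one used in spec.issuerURI.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-authserver
  namespace: authservers # same namespace as the Service
spec:
  ingressClassName: nginx # assumption: use the ingress class available in your cluster
  tls:
    - hosts:
        - my-authserver.my-domain # must match the host in spec.issuerURI
      secretName: my-authserver-tls # assumption: kubernetes.io/tls Secret holding the certificate and key
  rules:
    - host: my-authserver.my-domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-authserver # the Service defined above
                port:
                  number: 80 # the Service port, forwarded to targetPort 8080
```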

If you need to configure a plain HTTP issuer URI, see unsafe configuration.

Caveat when using kapp

If you are deploying your Service with kapp, make sure to set the following annotation to prevent kapp from amending spec.selector:

kapp.k14s.io/disable-default-label-scoping-rules: ""