Before you can apply an AuthServer you need an issuer URI. This issuer URI is the entry point for its clients and their end-users. It needs to be reachable by clients, end-users and the AppSSO operator. Therefore, we need to configure a Service and a form of ingress for the AuthServer to receive traffic.
It is essential to configure Ingress with HTTPS. An authorization server is a critical piece of your security. Using plain HTTP is discouraged.
🙇🏻 This section benefits from your input. Please, share feedback in our Slack channel #app-sso.
To create a Service for an AuthServer, the Service must select the authorization server's Deployment and configure ports as follows:
---
apiVersion: v1
kind: Service
metadata:
  name: my-authserver # please, edit
  namespace: authservers # please, edit
spec:
  selector:
    app.kubernetes.io/part-of: my-authserver # replace this with your AuthServer's name
    app.kubernetes.io/component: authorization-server
  ports:
    - port: 80
      targetPort: 8080
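One way to provide HTTPS ingress for this Service is a standard Kubernetes Ingress with a tls section. This is an added example, not part of the AppSSO documentation; the host comes from the issuer URI used on this page, while the ingress class name, the Secret name my-authserver-tls and the use of a plain Ingress resource are assumptions.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-authserver                  # assumption: named after the Service
  namespace: authservers               # must be the Service's namespace
spec:
  ingressClassName: my-ingress-class   # assumption: replace with your cluster's ingress class
  tls:
    - hosts:
        - my-authserver.my-domain      # host part of the issuer URI
      secretName: my-authserver-tls    # assumption: a kubernetes.io/tls Secret in this namespace
  rules:
    - host: my-authserver.my-domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-authserver    # the Service that selects the AuthServer's Deployment
                port:
                  number: 80           # Service port; it forwards to targetPort 8080
```

The certificate in the Secret has to cover the host name used in the issuer URI.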
Once you have configured ingress with HTTPS for this Service you should have an issuer URI you can use for your AuthServer:
spec:
  issuerURI: https://my-authserver.my-domain
If everything goes well, the IssuerURIReady condition in AuthServer.status.conditions will have status: "True". If not, it will tell you why.
If you need to configure a plain HTTP issuer URI, see unsafe configuration.
If you are deploying your Service with kapp, make sure to set the following annotation to avoid that kapp amends