How do I add SSO to Konflux


Andy Anderson

Aug 4, 2025, 10:00:09 AM
to Konflux CI
I want to use a public cloud instance of Konflux CI to build and test my images from open source repos. My guess is that I could reuse user1 as read-only and user2 as admin user. I would like to use SSO and use GH as a provider whereby users in a certain group can have admin access and all others read-only.

Any help you can provide here would be great.

Andy

Adam Kaplan

Aug 4, 2025, 10:55:50 AM
to Andy Anderson, Konflux CI
Konflux is powered by Kubernetes, and relies on its RBAC system for permission management. Kubernetes does not provide a user identity provider (i.e. something that provides "Sign in with GitHub" capability), so it is up to you to pick one that suits your needs [1]. I have seen many folks in the Kubernetes community use dex [2] or Keycloak [3] for this purpose.


--
You received this message because you are subscribed to the Google Groups "Konflux CI" group.
To unsubscribe from this group and stop receiving emails from it, send an email to konflux+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/konflux/e498c99d-187c-41af-a819-2511fd201cf9n%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Adam Kaplan

He/Him

Principal Software Engineer

Red Hat

100 E. Davie Street

adam....@redhat.com    



Andy Anderson

Aug 5, 2025, 5:47:30 PM
to Konflux CI
Thank you for the help, Adam. I got the SSO working. Now I need a way to put the user in viewer mode when they log in. I have tried to assign the viewer cluster role to the system:authenticated group, but that does not work. Any ideas on how to assign a user as viewer on initial login?

Andy Anderson

Aug 5, 2025, 5:47:30 PM
to Konflux CI
Adam, I got dex connected to GH. Works fine.

Next step here:

I want all sys auth to get viewer access.

This works fine for individual users:

     kubectl create rolebinding andy-test-rb-konflux --clusterrole konflux-viewer-user-actions --user andy@********.com -n user-ns1

It does not work if I try to use a group:

     kubectl create rolebinding read-user-ns1 --clusterrole=konflux-viewer-user-actions --group=system:authenticated -n user-ns1

Any clues on how to get this to give viewer to an authenticated user?

Thanks,
Andy

Andrew Anderson

Aug 5, 2025, 5:47:30 PM
to Adam Kaplan, Konflux CI
Adam,
Thanks for your response. Dex is installed with Konflux CI. That is why I have posed my question. So we could reconfigure dex to use GH as provider?

Thanks,
Andy

Brian Cook

Aug 5, 2025, 9:27:13 PM
to Andrew Anderson, Adam Kaplan, Konflux CI
You should be able to do it with:

     kubectl create rolebinding konflux-viewer-binding \
       --clusterrole=konflux-viewer-user-actions \
       --group=system:authenticated \
       --namespace=foo

This feature, which is about to merge, will give the ability to do the same thing from the UI.

-Brian




and...@gmail.com

Aug 5, 2025, 9:44:36 PM
to Brian Cook, Adam Kaplan, Konflux CI
That didn’t work for me. That’s what I tried. I’ll check the PR though and try again with kubectl.
Andy




Andy Anderson

Aug 7, 2025, 11:06:44 AM
to Konflux CI
Any other ideas?

Ralph Bean

Aug 25, 2025, 11:29:16 AM
to Andy Anderson, Konflux CI
I found a clue! The nginx config in the Fedora deployment of Konflux has this patch: https://gitlab.com/fedora/infrastructure/konflux/infra-deployments/-/blob/main/components/konflux-ui/production/patches/with_nginx_initcontainer_cmd.yaml

Notice the `proxy_set_header Impersonate-Group`


Andrew Anderson

Aug 25, 2025, 1:39:15 PM
to Ralph Bean, Konflux CI
Ralph,
I was able to add this to the configmap. Now just need someone to test it.

Thanks,
Andy

Andrew Anderson

Aug 25, 2025, 4:25:27 PM
to Ralph Bean, Konflux CI
Ralph,
It appears that this fix worked. Thank you. I do not know where it should be written up, but it would be good to let others know somehow. 

Andy

Ralph Bean

Aug 25, 2025, 5:56:32 PM
to Andrew Anderson, Konflux CI
Awesome, thanks for confirming. Perhaps the best place is in a new dedicated README.md in the dependencies/dex dir in the konflux-ci/konflux-ci repo, and then an additional line that links to that file from the README.md at the root of konflux-ci/konflux-ci down under the user management section, near the bottom.