
Hello world protected by SSO new generation (Pomerium)

Prerequisites

To run this onboarding tutorial, we should first have:

  • a k8saas cluster deployed

Info: To request and set up your own cluster, see the Getting Started section.

Warning: Your cluster must have Pomerium installed. Please ask the support team to install it using the Thales postit portal.

  • the following files downloaded: aks-helloworld-pomerium.yaml and pomerium-ingress.yaml (both are used in the steps below).

Tutorial

This application is a simple website, with an SSO policy that only allows users from the thalesdigital.io domain.

Get your credentials

Note: The cluster name and the resource group name are the same within k8saas.

az aks get-credentials --name "$K8SAAS_RESOURCE_NAME" --resource-group "$K8SAAS_RESOURCE_NAME"
kubelogin convert-kubeconfig -l azurecli

Update DNS zone

You will need to update the file pomerium-ingress.yaml with the right DNS zone; at the same time, change the host so that it is unique and does not interfere with another project.

Look and replace:

spec:
  ingressClassName: pomerium
  rules:
    - host: <VALUE_TO_CHANGE>.demo-pomerium.<DNS_ZONE>
  ...
  tls:
    - hosts:
        - <VALUE_TO_CHANGE>.demo-pomerium.<DNS_ZONE>

Use the DNS zone information from the onboarding email sent to you. If you do not have this information, you can always run:

kubectl get ingress -n monitoring

It should return something like this:

NAME                         CLASS   HOSTS                                                   ADDRESS         PORTS     AGE
prometheus-operator-grafana  nginx   grafana.k8saas-rbo-sandbox.eu.k8saas.thalesdigital.io   20.50.218.145   80, 443   389d

Now, using the output of the previous command, update pomerium-ingress.yaml with the right information. Here we've replaced hello-world-ingress with rbo-sandbox-hw so that the host is unique, as suggested earlier.

spec:
  ingressClassName: pomerium
  rules:
    - host: rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
  ...
  tls:
    - hosts:
        - rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
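The placeholder substitution above is easy to get half right (one host updated, the other left with a placeholder, or a different ingress class), and a wrong manifest is only noticed once Pomerium fails to issue a certificate or the page is published without a policy. The following shell functions are an added example, not part of the k8saas tutorial or its downloaded files: they derive the DNS zone from the monitoring ingress hostname, render both placeholders, and lint the result before it is applied. They assume the DNS zone is the grafana hostname minus its first two labels ("grafana.<cluster-name>."), which is what the sample output above shows; the template written by write_sample_template is a constructed copy of the excerpt, not the real file.

```shell
# dns_zone_from_grafana_host HOSTNAME
# grafana.k8saas-rbo-sandbox.eu.k8saas.thalesdigital.io -> eu.k8saas.thalesdigital.io
# Assumption: the zone is everything after the first two labels.
dns_zone_from_grafana_host() {
    printf '%s\n' "$1" | cut -d. -f3-
}

# ingress_host VALUE DNS_ZONE -> VALUE.demo-pomerium.DNS_ZONE
ingress_host() {
    printf '%s.demo-pomerium.%s\n' "$1" "$2"
}

# render_ingress VALUE DNS_ZONE TEMPLATE_FILE
# Substitutes both placeholders and prints the manifest on stdout.
render_ingress() {
    sed -e "s/<VALUE_TO_CHANGE>/$1/g" -e "s/<DNS_ZONE>/$2/g" "$3"
}

# check_rendered FILE
# Pre-apply lint: no placeholder left, ingressClassName is pomerium (any other
# class would publish the app without the SSO policy), and the rules host equals
# the TLS host so the certificate matches the name actually served.
# Prints the host on success; returns 1 with a reason on stderr otherwise.
check_rendered() {
    if grep -q -e '<VALUE_TO_CHANGE>' -e '<DNS_ZONE>' "$1"; then
        echo "placeholder still present in $1" >&2
        return 1
    fi
    if ! grep -q '^ *ingressClassName: *pomerium *$' "$1"; then
        echo "ingressClassName is not pomerium: requests would bypass SSO" >&2
        return 1
    fi
    rule_host=$(sed -n 's/^ *- *host: *//p' "$1" | head -n 1)
    tls_host=$(sed -n '/^ *- *hosts: *$/{n;s/^ *- *//p;}' "$1" | head -n 1)
    if [ -z "$rule_host" ] || [ "$rule_host" != "$tls_host" ]; then
        echo "rules host '$rule_host' and tls host '$tls_host' differ" >&2
        return 1
    fi
    printf '%s\n' "$rule_host"
}

# write_sample_template
# Writes a constructed copy of the excerpt above (not the real downloaded file)
# to a temp file and prints its path, so the functions can be tried offline.
write_sample_template() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
spec:
  ingressClassName: pomerium
  rules:
    - host: <VALUE_TO_CHANGE>.demo-pomerium.<DNS_ZONE>
  tls:
    - hosts:
        - <VALUE_TO_CHANGE>.demo-pomerium.<DNS_ZONE>
EOF
    printf '%s\n' "$f"
}

# Against a live cluster the zone comes from the monitoring ingress, e.g.:
#   zone=$(dns_zone_from_grafana_host "$(kubectl get ingress -n monitoring \
#           -o jsonpath='{.items[0].spec.rules[0].host}')")
#   render_ingress rbo-sandbox-hw "$zone" pomerium-ingress.yaml > rendered.yaml
#   check_rendered rendered.yaml && kubectl apply -f rendered.yaml -n customer-namespaces
```

The lint only reads the two fields the tutorial asks you to edit plus the ingress class; it is deliberately not a YAML parser, so keep the indentation style shown above in your file.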

Deploy the application

Deploy the application, composed of:

  • a kubernetes Deployment object, which spins up the application pod (container) and makes sure it is up and running at all times;
  • a kubernetes Service object, which exposes the pod internally.

The following command starts a hello world pod:

kubectl apply -f aks-helloworld-pomerium.yaml --namespace customer-namespaces
# look at your pods
kubectl get pods -n customer-namespaces
# NAME                                  READY   STATUS    RESTARTS   AGE
# aks-helloworld-one-56c7b8d79d-sm4c6   2/2     Running   0          10m

Expose the application

The second file deploys a kubernetes Ingress object that binds the application to a DNS name, e.g. rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io.

It also carries an SSO policy that only allows requests from users of the thalesdigital.io domain.

Use the command:

kubectl apply -f pomerium-ingress.yaml --namespace customer-namespaces

Now, open a browser and visit your application, e.g. https://rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io

If you are not sure of your hostname you can run this command:

kubectl get ingress -n customer-namespaces

Tip: Thanks to Pomerium and the SSO policy, you'll be asked to identify yourself and will only be allowed in if your domain is thalesdigital.io.
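Seeing the sign-in page once in a browser is a good sign, but a browser session may already be signed in, and a misapplied class or policy can silently publish the page. The shell function below is an added example, not part of the k8saas tutorial: it reads the response headers of an anonymous request and reports whether Pomerium intercepted it. It assumes Pomerium answers an unauthenticated request with a redirect to the sign-in flow (3xx plus Location) or with 401/403; the sign-in URL and hostname in the comments are constructed placeholders.

```shell
# sso_enforced_from_headers
# Reads raw HTTP response headers on stdin, as printed by `curl -sI`
# (HTTP/1.1 or HTTP/2 status line, CRLF or LF line endings).
# Exit 0: policy enforced (redirect to sign-in, or 401/403).
# Exit 1: status 200, the hello world page is reachable without signing in.
# Exit 2: inconclusive (other status, or a redirect without Location).
sso_enforced_from_headers() {
    hdrs=$(cat | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        3??)
            if [ -n "$location" ]; then
                echo "enforced: $status redirect to $location"
                return 0
            fi
            echo "inconclusive: $status without Location header" >&2
            return 2 ;;
        401|403)
            echo "enforced: anonymous request denied with $status"
            return 0 ;;
        200)
            echo "NOT enforced: anonymous request got 200" >&2
            return 1 ;;
        *)
            echo "inconclusive: status '$status'" >&2
            return 2 ;;
    esac
}

# probe_host HOSTNAME
# Runs the check against a live ingress (needs network), e.g.
#   probe_host rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
probe_host() {
    curl -sSI --max-time 10 "https://$1/" | sso_enforced_from_headers
}
```

Run probe_host from a shell with no cookies for the hostname; a 200 from this check means the Ingress was created with a class or policy that does not route through Pomerium and should be fixed before the test is left running.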

Remove your test

$ kubectl delete -f aks-helloworld-pomerium.yaml --namespace customer-namespaces
$ kubectl delete -f pomerium-ingress.yaml --namespace customer-namespaces