Before You Start #
- You must have the following enabled on your cluster:
- You must have an Okta account
- You should know the value of your
proxy.host
setting in your Helmvalues.yaml
file
How to Enable Okta as an IdP #
1. Create an App on Okta #
- Log in to Okta.
- Navigate to Applications > Applications.
- Select Create App Integration.
- Choose the
OIDC - OpenID Connect
sign-in method. - Choose the
Web Application
application type. - Click Next.
- Name the application, such as Pachyderm.
- Navigate to General Settings > Grant Type and check the following:
- Authorization Code
- Refresh Token
- Navigate to Sign-in Redirect URIs and input the following:
https://<your.proxy.host.value>/dex/callback
- Navigate to Assignments and select your preferred Controlled Access policy.
- Click Save.
2. Define Helm Config #
The following steps add the OIDC section to your Helm chart. When an upstream IdP is successfully added to the list, Pachyderm’s default MockIdP is disabled automatically. You can add multiple IdPs to upstreamIDPs
.
- Navigate to your
values.yamls
file or obtain your current Helmvalues.yaml
overrides:helm get values pachyderm > values.yaml
- Add the following section:
{
"oidc": {
"upstreamIDPs": [
{
"type": "oidc",
"id": "okta",
"name": "Okta",
"config": {
"issuer": "https://trial-1839456.okta.com/",
"clientID": "0oa74mh2scJf29qOD697",
"clientSecret": "VNwbzOBltNcaotD2CU5iRyTuqOPpwLR-RC16ai7wakta95W00p7X5HYkEgS_5UWH",
"redirectURI": "https://<proxy.host.value.com>/dex/callback",
"insecureEnableGroups": true,
"insecureSkipEmailVerified": true,
"insecureSkipIssuerCallbackDomainCheck": false
}
}
]
}
}
oidc:
upstreamIDPs:
- type: oidc
id: okta
name: Okta
config:
issuer: https://trial-1839456.okta.com/
clientID: 0oa74mh2scJf29qOD697
clientSecret: VNwbzOBltNcaotD2CU5iRyTuqOPpwLR-RC16ai7wakta95W00p7X5HYkEgS_5UWH
redirectURI: https://<proxy.host.value.com>/dex/callback
insecureEnableGroups: true
insecureSkipEmailVerified: true
insecureSkipIssuerCallbackDomainCheck: false
Note that Pachyderm’s YAML format is a simplified version of Dex’s sample config.
- Update the following attributes:
Field | Description |
---|---|
issuer | The Okta App’s domain URL, found under Sign On > OpenID Connect ID Token; must have https:// . |
clientID | The Okta App’s client ID, found under General > Client Credentials. |
clientSecret | The Okta App’s client secret, found under General > Client Secrets. |
redirectURI | A combination of your proxy host value and /dex/callback . For example, https://console.pachdemo.com/dex/callback . |
- Save your changes and upgrade your cluster:
helm upgrade pachyderm pachyderm/pachyderm -f values.yaml
Alternatively, you can create a secret containing your dex connectors (Key: upstream-idps) and reference its name in the field oidc.upstreamIDPsSecretName.
3. Login #
The users registered with your IdP are now ready to Log in to Pachyderm
Troubleshooting #
PachD CrashLoopBackOff #
If you encounter a CrashLoopBackOff
error after running the kubectl get pods
command, it’s likely that one of the following needs to be fixed:
- your
issuer
value is incorrect (sometimes it needs a trailing slash/
, it should match exactly what you see in Okta). - you have an unexpected field such as
version
in the config sectionoidc.updstreamIDPs entry
.
Example Error in PachD Pod logs
You can obtain your pod logs by running: kubectl logs <pachd-pod-name> > logs.txt
create connector with ID: "okta": unable to open connector: failed to get provider: oidc: issuer did not match the issuer returned by provider, expected "https://trial-1839456.okta.com/" got "https://trial-1839456.okta.com"
Okta QR Code / Login Link Doesn’t Work #
You may need to download the Okta Verify app on your mobile device and scan the QR code through the app log in.