Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Brigade / Brigade in 5 Minutes / 27 Jan 2022
Brigade / Brigade in 5 Minutes / 27 Jan 2022
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Brigade in 5 Minutes -- Episode 2 -- Authenticating with GitHub

Description

Our second episode dives into disabling the root user account and enabling users to authenticate using GitHub.

A

Hello brigadiers and welcome to another exciting installment of brigade in five minutes. If you've already seen our first installment you've seen the process of installing brigade with default options which are not at all suitable for production.

A

One of the things that makes those default options, particularly unsuited for production, is that they enable just one single root user account. So today we're going to walk through the relatively small amount of setup required for integrating brigade with a third party authentication provider. I'm going to start out by visiting our quick start documentation.

A

You can find it easily at quickstart.brigade.sh.

A

The first thing I'm going to do is copy the address of brigade's helm chart, including the version number over in my terminal, I'm going to type helm, inspect values and then I'll provide the url and version for the chart.

A

Then I'll redirect this output to a file called values, values.yaml we'll open it in our editor.

A

First, we're going to disable the root user account.

A

Next, under third party auth, we need to select a strategy. Github is what we'll be using today and perhaps we'll cover the other options in a future episode.

A

Scrolling down a little further we'll find and uncomment some options that are specific to the github authentication strategy.

A

In particular, it wants us to provide a client, id and client secret.

A

We'll hunt those down in just a moment, there's also an option here to restrict authentication only to members of designated github organizations, we're not going to use that option today.

A

Toward the bottom here we can enumerate the usernames of any users who should automatically be granted admin privileges, the first time they authenticate we'll add my own github handle to this list so that I'll automatically become a brigade admin. When I authenticate.

A

We're done with this file for the moment and we're going to switch back to our browser and visit my github settings page on this page select developer settings. Then oauth apps we're going to register a new application.

A

In the first text field, we need to provide a globally unique name for our application. I'm going to call it brigade in five minutes off demo.

A

Under the home page url field, you should put a url that can give users more information about the app. I think the brigade homepage at brigade.sh is about as informative a resource as we can provide.

A

Last, we need to provide an authentication callback url. This is the base of a brigade api server url. That github will redirect the user's browser to in order to complete the authentication process I'll be deploying brigade in a local kind. Cluster. That's already up and running. My plan is to forward traffic from local host port 8443 to the api server running inside my kind cluster.

A

No matter where your api server lives, the path should always be v2 session off now, we'll click register application.

A

Right away, we see a client id, which is one of the pieces of information that we needed to complete our configuration, we'll copy that and paste it into our values.yaml file.

A

We still need a client secret. We can create this by clicking generate a new client secret.

A

This is our one and only opportunity to obtain this value so copy it now and paste it into your configuration now that our configuration is complete, we'll hop back to the quick start and copy the installation command.

A

Now we're going to paste this command into our terminal and tack on the values, flag and point it at the configuration file. We just edited.

A

This deployment is going to take about two to five minutes to complete, so we'll pause, our recording here and resume when it completes. Okay, we're back and brigade is up and running. We can copy the port forwarding command straight out of the quick start and paste it into our terminal.

A

And now we can try logging in it's important to use the insecure flag, because for the moment we're using a self-signed certificate.

A

The command responds with the url that we can visit to complete the authentication process as a convenience, we can tack on the browse flag or simply dash b, and our default browser will take us right to the authentication page.

A

When we complete the authorization process, we're redirected to a splash page, this cert warning is to be expected because again we're using a self-signed certificate at the moment. So we can ignore this and we see our beautiful splash page. That says you are now logged in and may resume using the brigade cli back in our terminal. We can now type just about any brig command to verify that we are logged in we'll list users.

A

And as expected, we see my github handle here, because I am the only github user that has authenticated to this api server so far and with that we're done for today, we'll see you on the next installment of brigade in five minutes.