All joking aside, SSO can be tricky to implement securely. Below, I’ll take you through the process I used to enable SSO for Prometheus with TLS from the ground up, on all internal and external facing services.
I leveraged Pomerium, a context and identity aware gateway similar to Google’s IAP tooling but free and open source. Additionally, Pomerium offers an Enterprise setup with advanced features for self-service, access controls, audit logs, and more.
I used Google as our identity provider to be able to apply Google Groups to our configuration—although this setup does not specifically make use of it. This process is almost entirely executed in Infrastructure as Code onto a Kubernetes cluster. I also used Github Actions to automate the process, which is documented here.
I started with an existing cluster hosted on Elastic Kubernetes Service (EKS) by AWS (cluster creation is outside the scope of this post).
I also created three SSM parameters out of band with the following keys:
The action is executed on workflow dispatch—and looks like this:
I could’ve optimized this by adding the cert-manager resources into Terraform, as there’s a cert-manager provider. However, I preferred to keep the certificates out of the Terraform state. This is because if there were any issues with the certificate order not getting fulfilled, it wouldn’t break my entire state. Ideally, that wouldn’t be an issue.
In the following example, change “email@example.com” to the email address you want to use to register with Let’s Encrypt.
I used the following Certificates and Issuer yamls:
IIt’s time for the Terraform. As you’ll see below, I did not include my tfvars files, as you’ll need to supply values for all the variables that relate to your environment in a dev.tfvars or prod.tfvars file. An incomplete dev.tfvars example would look like the following:
Fill in the variables in dev.tfvars as the variables.tf file requires.
The following file is the values file that was supplied to Prometheus. Make sure to swap in your IDP email domain into the allowed policy for the Pomerium Ingress Controller. If the email you use to log into Google is firstname.lastname@example.org, you would swap in “exampledomain.com” instead of “<< your IDP email domain here >>”.
The main.tf file provisions Route53 records with subdomains ops.yourdomain.com and ops.dev.yourdomain.com . Adjust these in the “locals” value as you see fit.
Notice that the Terraform points to the authenticate DNS record, as well as my custom DNS record for Prometheus to the Pomerium Proxy Load Balancer hostname.
That’s it! Once this is all applied, you should have a custom link to your Prometheus installation that prompts you for a Google account before redirecting you to the metrics landing page.
Have questions, thoughts, or feedback? Join the conversation in the Pomerium community.
Get in touch with our partnerships team to see how we can work together.
Sensible’s Weather Guarantees will protect Renwick Hotel guests’ vacation plans this spring
All learning involves risk to some extent. In order to grow, you have to do new things.
Tropical Storm Kay had the closest approach to San Diego since record-keeping began in 1949.