Sysdig user authentication with Google OAuth for on-premise installations

Google supports OAuth 2.0 to allow users to log in to third-party applications such as Sysdig using Google credentials. Sysdig integrates seamlessly with Google to allow users to create and then log in to their Sysdig account. By default, the configured user will be a non-admin user.

Steps to enable Google OAuth for on-premises installations

Step 1:

The Sysdig Cloud on-prem installation has to have a DNS name associated with it. Google does not support applications that do not have an associated DNS name. In the examples that follow, DNS_NAME refers to the DNS name that will be configured for the API servers.

Step 2:

To begin, obtain OAuth 2.0 client credentials from the Google API Console.

First, go to the Credentials section of the API console, then go to the OAuth consent screen.

 

After hitting Save, the next step is to create the appropriate credentials for the Sysdig application. To do that click on Credentials as shown here.

 

Select OAuth client ID as shown here.

Next we will tell Google the necessary configuration for the user.

Besides the name, the 2 parameters to be configured are:

Authorized JavaScript origins (https://DNS_NAME:API_PORT)

Authorized redirect URIs (https://DNS_NAME:API_PORT/api/oauth/google/auth)

When you hit create you should see the following page

 

Step 3:

Take the client ID and the client secret from the step above and use them to configure Sysdig Cloud.

In the Sysdig Cloud admin console:

Alternatively, for Kubernetes installations, get the current configuration (you can also use a versioned one if you have it):

kubectl get configmap sysdigcloud-config --namespace sysdigcloud -o yaml > current_config.yaml
cp current_config.yaml new_config.yaml

Edit new_config.yaml and add the new parameters for the Google OAuth alongside existing config under “data”:

  # Optional: Sysdig Cloud Google OAuth Client ID
  sysdigcloud.google.oauth.client.id: ""
  # Optional: Sysdig Cloud Google OAuth Client Secret
  sysdigcloud.google.oauth.client.secret: ""

Apply the new config file with:

kubectl replace -f new_config.yaml --namespace sysdigcloud
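
The checks below are an added example, not part of Sysdig's documentation or tooling. Before kubectl replace is run, they confirm that both OAuth keys in new_config.yaml are filled in and that the file, which now holds the client secret in clear text, is accessible only to its owner. The function names, the sample values and the check that a Google client ID ends in .apps.googleusercontent.com are assumptions of the example.

```shell
# Added example: pre-apply checks for new_config.yaml (names and values constructed).

# Values to enter in the Google API Console for a given DNS_NAME and API_PORT.
oauth_uris() {
  printf 'origin=https://%s:%s\n' "$1" "$2"
  printf 'redirect=https://%s:%s/api/oauth/google/auth\n' "$1" "$2"
}

# Read one flat "key: value" entry from the ConfigMap YAML, quotes stripped.
cfg_value() {
  awk -v k="$2:" '{ sub(/^[ \t]+/, "") }
    index($0, k) == 1 { print substr($0, length(k) + 1); exit }' "$1" |
    tr -d "\"' \t"
}

# Return 0 only if both OAuth keys are set and the file is private to its owner.
check_config() {
  f=$1; rc=0
  id=$(cfg_value "$f" sysdigcloud.google.oauth.client.id)
  secret=$(cfg_value "$f" sysdigcloud.google.oauth.client.secret)
  [ -n "$id" ] || { echo "client id is empty" >&2; rc=1; }
  [ -n "$secret" ] || { echo "client secret is empty" >&2; rc=1; }
  case $id in
    ''|*.apps.googleusercontent.com) ;;
    *) echo "client id lacks .apps.googleusercontent.com suffix" >&2; rc=1 ;;
  esac
  # The file carries the client secret in clear text: no group/other access.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
    { echo "$f is accessible to group/other (chmod 600)" >&2; rc=1; }
  return "$rc"
}

# Constructed sample standing in for an edited new_config.yaml.
write_sample() {  # usage: write_sample FILE CLIENT_ID CLIENT_SECRET
  ( umask 077; cat > "$1" <<EOF
data:
  sysdigcloud.google.oauth.client.id: "$2"
  sysdigcloud.google.oauth.client.secret: "$3"
EOF
  )
}

tmp=$(mktemp -d)
write_sample "$tmp/new_config.yaml" "1234-example.apps.googleusercontent.com" "constructed-secret"
oauth_uris sysdig.example.com 443
check_config "$tmp/new_config.yaml" && echo "ok to apply"
rm -rf "$tmp"
```

new_config.yaml keeps the client secret on disk after the replace; remove it or store it with restricted access once the change is applied.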