Skip to main content
Version: 22.2

GitHub SSO Setup

info

This feature requires an Enterprise license. To upgrade, contact Redpanda sales.

Integrating Redpanda Console with GitHub allows your users to use their GitHub identities to sign-in to Console. This guide assumes you already have a GitHub account and permissions to create Applications within your organization.

Create an OpenID connect application

Follow this GitHub guide to create an OAuth application at GitHub. You can create the OAuth application either under your personal account or under any organization you have admin access to. As you follow the guide to create the GitHub OAuth app, use the following inputs when you are asked for it:

note

Below configurations assume that you want to host Redpanda Console so that it would be accessible via https://console.yourcompany.com.

  • Application name: Any descriptive name for your specific Console deployment (for example Console Analytics Prod)
  • Homepage URL: https://console.yourcompany.com
  • Authorization callback URL: https://console.yourcompany.com/login/callbacks/github
  • Enable device flow: False / Not selected
login:
enabled: true

# jwtSecret is a random string of at least 10 characters that must be the same for all Console instances.
# This string is used to sign and validate the user session JSON Web Tokens (JWT).
# If this string changes, logged-in Console users will be logged out and will have to initiate a
# new session by logging in again.
jwtSecret: ""

github:
enabled: true
clientId: ""
# ClientSecret is sensitive. You can provide this config also via the
# the environment variable LOGIN_GITHUB_CLIENTSECRET
clientSecret: ""
# The directory config is only required if you want to use GitHub
# teams in your role bindings. Described further in the next section.
# directory:
# personalAccessToken: ""

RBAC GitHub teams sync

If you want to bind roles to GitHub teams from an organization you have to setup a personal access token in GitHub, so that Redpanda console can retrieve groups and their memberships using the GitHub API. The personal access token has to be created on an account that has permissions to view groups in your desired GitHub organization. Follow this guide to create the personal access token. When you select the scopes and permissions make sure to include read:org and user:email.

login:
github:
# The directory config is only required if you want to use GitHub
# teams in your role bindings.
directory:
personalAccessToken: ""

Define role-bindings

When you set up the GitHub login configuration, you can bind GitHub users or groups to roles. Following is a sample role binding:

roleBindings:
- metadata:
name: Developers
subjects:
- kind: group
provider: GitHub
name: console-developers # GitHub team name
organization: redpanda-data # GitHub organization name
- kind: user
provider: GitHub
name: weeco # GitHub handle
roleName: editor