Deployment in GCP with Google Identity

This document assumes the use of the following:

  • Cloud provider: Google Cloud Platform (GCP)
  • Kubernetes service: Google Kubernetes Engine (GKE)
  • Ingress Controller: GKE Ingress Controller
  • Identity Provider (IdP): Google Identity (Google Workspace)
  • (Optional) cert-manager (to manage TLS certificates)
  • (Optional) ExternalDNS (to synchronize ingresses with the DNS service)

Configuring Patronus AI to use Google Identity as an Identity Provider

Configuring Google Identity

  • Go to Google Cloud Console, select your project and navigate to APIs & Services > Credentials.

  • Click on Create Credentials and select OAuth client ID.

  • If prompted, configure the OAuth consent screen first:

    • Select Internal for user type (if using Google Workspace) or External for other cases
    • Fill in the required application information
    • Add the necessary scopes (email, profile, openid)
    • Save and continue
  • Back in the credentials creation:

  • Click Create button.

  • After creation, you'll see your Client ID and Client Secret. Copy both values to a secure location.

Configuring the Helm chart

Once you have configured Google Identity OAuth, configure the values.yaml file with these values and apply the changes:

nginx:
  enabled: true
  ingress:
    enabled: true
    hostname: <PATRONUS_APP_HOST>
    ingressClassName: gce
    annotations:
      cert-manager.io/cluster-issuer: <CERT_MANAGER_CLUSTER_ISSUER>
    tls: true
    extraTls:
      - hosts:
        - <PATRONUS_APP_HOST>
        secretName: <PATRONUS_APP_TLS_CERT>
 
vouch:
  enabled: true
  config:
    vouch:
      domains:
        - <PATRONUS_DOMAIN>
      post_logout_redirect_uris:
        - https://<PATRONUS_APP_HOST>
    oauth:
      provider: oidc
      # Google Cloud Console -> APIs & Services -> Credentials -> OAuth 2.0 Client IDs -> Client ID
      client_id: <CLIENT_ID>
      # Google Cloud Console -> APIs & Services -> Credentials -> OAuth 2.0 Client IDs -> Client Secret
      client_secret: <CLIENT_SECRET>
      auth_url: https://accounts.google.com/o/oauth2/v2/auth?prompt=select_account%20consent
      token_url: https://oauth2.googleapis.com/token
      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
      callback_urls:
        - https://<PATRONUS_APP_HOST>/oauth2/auth
 
patronus-backend:
  ## Configuration example for Google IdP
  authConfig:
    # Google Identity OpenID Connect issuer
    idp_domain: accounts.google.com
    # Google Cloud Console -> APIs & Services -> Credentials -> OAuth 2.0 Client IDs -> Client ID
    audience: <CLIENT_ID>
 
patronus-app:
  ingress:
    enabled: false
  appConfig:
    AUTH_STRATEGY: "idp-proxy"
    APP_BASE_URL: https://<PATRONUS_APP_HOST>
    BACKEND_API_PUBLIC_URL: https://<PATRONUS_BACKEND_API_HOST>

Configuring Admin Portal

In the Admin Portal, go to Accounts and create a new account with the following values:

  • Account Name: <ACCOUNT_NAME>
  • Owner Email: <YOUR_EMAIL>
  • Sign In Strategy: Domain
  • Sign In Domain: <YOUR_DOMAIN>
  • Limits Enabled: disabled

Then go to System Authentication and add a mapping with the following values:

  • Account: <YOUR_NEWLY_CREATED_ACCOUNT>
  • Claim JSON-path: $.aud
  • Match Claim Value: <CLIENT_ID>
  • Grant Role: Owner/Member

With the values above, every token whose audience equals your OAuth Client ID is mapped to this account; change the Claim JSON-path and Match Claim Value to narrow or adjust the mapping to suit your needs.
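To show how the backend `authConfig` (issuer and audience) and the Admin Portal claim mapping (JSON-path plus match value) fit together, here is an added example in Python; it is not Patronus code. The `Mapping` shape, the `$.a.b` JSON-path subset, the sample payload and the second mapping on Google's `hd` (hosted domain) claim are assumptions made for the illustration; signature verification against Google's keys is taken as already done.

```python
from dataclasses import dataclass

# Added example; values mirror the Helm chart above (placeholders are constructed).
IDP_DOMAIN = "accounts.google.com"   # authConfig.idp_domain
AUDIENCE = "<CLIENT_ID>"             # authConfig.audience
# Google ID tokens carry the issuer claim in either of these forms.
ACCEPTED_ISSUERS = {IDP_DOMAIN, f"https://{IDP_DOMAIN}"}

@dataclass(frozen=True)
class Mapping:               # one Admin Portal "System Authentication" row (assumed shape)
    account: str
    claim_path: str          # e.g. "$.aud"
    match_value: str
    role: str                # "Owner" or "Member"

def resolve_path(claims: dict, path: str):
    """Resolve the '$.a.b' subset of JSON-path against a decoded payload; None if absent."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported JSON-path: {path}")
    node = claims
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def validate_claims(claims: dict) -> bool:
    """Issuer and audience checks; signature verification against Google's JWKS is assumed done."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list (RFC 7519)
    return claims.get("iss") in ACCEPTED_ISSUERS and AUDIENCE in auds

def map_token(claims: dict, mappings: list):
    """Return (account, role) from the first matching mapping, or None if the token is rejected."""
    if not validate_claims(claims):
        return None
    for m in mappings:
        value = resolve_path(claims, m.claim_path)
        if m.match_value in (value if isinstance(value, list) else [value]):
            return (m.account, m.role)
    return None

# Constructed sample payload and mappings (not real credentials).
SAMPLE_CLAIMS = {"iss": "https://accounts.google.com", "aud": "<CLIENT_ID>",
                 "sub": "1234567890", "email": "user@example.com", "hd": "example.com"}
MAPPINGS = [Mapping("<ACCOUNT_NAME>", "$.aud", "<CLIENT_ID>", "Member"),
            Mapping("<ACCOUNT_NAME>", "$.hd", "example.com", "Member")]
```

A token for a different client or from a different issuer is rejected before any mapping is consulted, and the `$.hd` mapping shows how the match can be narrowed to one Workspace domain.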

External documentation:

