What you’ll implement
The notes mirror the lesson flow so you can scan, copy, and revisit the important decisions quickly.
Moving Beyond Manual Users
In the last video, we deployed Teleport and created a manual admin user. That’s fine for development, but not for production. Today we’re setting up GitHub as our identity provider so every user authenticates through SSO and gets a short-lived certificate tied to their real identity.
GitHub SSO with Teleport
For the Teleport Community Edition, the supported provider is GitHub — perfect for developers. Enterprise users can also use OIDC and SAML connectors for Okta, Azure AD, Google Workspace, and other identity providers.
The flow is simple:
- User runs tsh login to authenticate with Teleport
- It opens a browser for GitHub authentication
- Teleport issues a short-lived certificate
- User can tsh kube ls to list available clusters and start working
GitOps Configuration
We configure everything the GitOps way using Teleport’s operator and custom resource definitions:
- Enable the Teleport operator in the Helm release
- Create a GitHub connector CRD with client ID, secret, and team-to-role mappings
- Define Teleport roles (access and editor) as custom resources
GitHub teams map directly to Teleport roles — anyone in the Rawkode Academy organization gets read access, platform team members get editor access.
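A sketch of the three resources listed above, added here as an example and not taken from the lesson's repository. The namespace, the role names kube-viewer and kube-editor, the Kubernetes group names, the team slugs and the session TTL are assumptions; the redirect URL assumes the proxy address rawkode.cloud used with tsh login, and the angle-bracket values are placeholders.

```yaml
# values.yaml for the teleport-cluster Helm chart: run the operator
operator:
  enabled: true
---
# GitHub connector: OAuth app credentials plus team-to-role mappings
apiVersion: resources.teleport.dev/v3
kind: TeleportGithubConnector
metadata:
  name: github
  namespace: teleport                    # assumed install namespace
spec:
  client_id: "<github-oauth-client-id>"
  client_secret: "<github-oauth-client-secret>"  # placeholder; keep the real value out of plaintext Git
  display: GitHub
  redirect_url: https://rawkode.cloud/v1/webapi/github/callback
  teams_to_roles:
    - organization: "<github-org>"
      team: "<org-wide-team>"            # assumed team holding every org member
      roles: ["kube-viewer"]
    - organization: "<github-org>"
      team: platform                     # assumed slug of the platform team
      roles: ["kube-editor"]
---
# Read-only role: maps to a Kubernetes group bound to a view-only ClusterRole
apiVersion: resources.teleport.dev/v5
kind: TeleportRole
metadata:
  name: kube-viewer
  namespace: teleport
spec:
  options:
    max_session_ttl: 8h                  # upper bound on certificate lifetime (assumed value)
  allow:
    kubernetes_labels: {"*": "*"}
    kubernetes_groups: ["viewers"]       # assumed group; needs its own ClusterRoleBinding
---
# Editor role for platform team members
apiVersion: resources.teleport.dev/v5
kind: TeleportRole
metadata:
  name: kube-editor
  namespace: teleport
spec:
  options:
    max_session_ttl: 8h
  allow:
    kubernetes_labels: {"*": "*"}
    kubernetes_groups: ["editors"]       # assumed group; needs its own ClusterRoleBinding
```

A user who belongs to both teams receives both roles, so the read-only mapping does not limit platform members.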
CLI Access
Once configured, tsh login --proxy=rawkode.cloud --auth github authenticates via browser, and you’re in. tsh kube ls shows available clusters, and kubectl works seamlessly through Teleport’s proxy — no kubeconfig files needed.