Protecting internal web resources with oauth2-proxy

To protect internal web resources we can put oauth2-proxy in front of them: it handles the login flow and delegates identity to an external provider such as GitLab, GitHub or any OpenID Connect issuer. A directory such as OpenLDAP is not spoken to directly; it is reached through an OIDC bridge like Dex (listed in the references below), which is also the issuer used in the config on this page.
Get the oauth2-proxy Helm chart package

```bash
# add the oauth2-proxy helm repo
helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
# download the chart archive (6.10.1 is the chart version the release below is written for)
helm pull oauth2-proxy/oauth2-proxy --version 6.10.1
# unpack the tar package
tar -xzvf oauth2-proxy-6.10.1.tgz
# move the unpacked chart into the charts sub-directory of the Terraform project
mv oauth2-proxy /terraform/iac/charts
```
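The Helm release in the next section points `config.existingSecret` at a Secret named `oauth2-proxy` but the page never shows how that Secret is built. The script below is an added example (not code from the page or from the oauth2-proxy project) that generates a cookie secret of a size oauth2-proxy accepts and renders the Secret manifest. It assumes the chart reads the keys `client-id`, `client-secret` and `cookie-secret` (check `templates/secret.yaml` of the chart version you unpacked); the client credentials are constructed placeholders to replace with the ones issued by your IdP.

```python
"""Build the `oauth2-proxy` Secret referenced by config.existingSecret.

Added example, not part of the page or of oauth2-proxy itself.
Assumes the chart reads client-id / client-secret / cookie-secret from the Secret.
"""
import base64
import binascii
import json
import secrets

# oauth2-proxy uses the cookie secret as an AES key, so it has to be 16, 24 or 32 bytes
VALID_COOKIE_SECRET_LENGTHS = (16, 24, 32)


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Return `nbytes` of CSPRNG output, URL-safe base64 encoded (the form the docs recommend)."""
    if nbytes not in VALID_COOKIE_SECRET_LENGTHS:
        raise ValueError("cookie secret must be 16, 24 or 32 bytes")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def cookie_secret_is_valid(secret: str) -> bool:
    """Accept std or URL-safe base64 that decodes to a valid key size.

    oauth2-proxy also accepts the literal string as the key when it is not base64,
    so a raw 16/24/32 character value passes as well.
    """
    std = secret.translate(str.maketrans("-_", "+/"))
    try:
        raw = base64.b64decode(std.encode("ascii"), validate=True)
        if len(raw) in VALID_COOKIE_SECRET_LENGTHS:
            return True
    except (binascii.Error, ValueError, UnicodeEncodeError):
        pass
    return len(secret.encode("utf-8")) in VALID_COOKIE_SECRET_LENGTHS


def render_secret_manifest(name: str, namespace: str, client_id: str,
                           client_secret: str, cookie_secret: str) -> str:
    """Render the Secret with stringData so kubectl base64-encodes the values.

    Values are JSON-quoted, which is valid YAML and keeps characters such as
    ':' or a leading '-' from being misread.
    """
    if not cookie_secret_is_valid(cookie_secret):
        raise ValueError("cookie secret must decode to 16, 24 or 32 bytes")
    q = json.dumps
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {q(name)}\n"
        f"  namespace: {q(namespace)}\n"
        "type: Opaque\n"
        "stringData:\n"
        f"  client-id: {q(client_id)}\n"
        f"  client-secret: {q(client_secret)}\n"
        f"  cookie-secret: {q(cookie_secret)}\n"
    )


if __name__ == "__main__":
    # constructed placeholder credentials; use the client your IdP (e.g. Dex) issued
    print(render_secret_manifest("oauth2-proxy", "default",
                                 "oauth2-proxy", "replace-with-idp-client-secret",
                                 generate_cookie_secret()))
```

Pipe the output into `kubectl apply -f -` in the namespace of the release; keeping the secret out of the Helm values means it is not committed with the chart.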
The oauth2-proxy Terraform release

```hcl
resource "helm_release" "oauth2-proxy" {
  name      = "oauth2-proxy"
  chart     = "./charts/oauth2-proxy"
  namespace = "default"

  values = [
    <<-EOF
    config:
      # Secret holding client-id, client-secret and cookie-secret; created separately so none of them sit in the values
      existingSecret: "oauth2-proxy"
      cookieName: "oauth2"
      configFile: |-
        provider="oidc"
        # "*" accepts any e-mail the IdP returns, so the IdP alone decides who may log in; narrow it to your domains if it does not
        email_domains=["*"]
        # must be registered at the IdP as the allowed callback and be a host this proxy's ingress serves
        # (the ingress below uses oauth2-login.test.com; align the two)
        redirect_url="https://oauth2.test.com/oauth2/callback"
        oidc_issuer_url="https://dex-oidc.test.com"
        # authenticated requests are forwarded to these backends, matched by path
        upstreams=["http://myui:2802/", "http://test2.other:3000/demo/"]
        # skips the check that the IdP marked the e-mail as verified; keep it only if the IdP never sets email_verified
        insecure_oidc_allow_unverified_email="true"
        pass_authorization_header="true"
        pass_access_token="true"
        pass_basic_auth="true"
        set_authorization_header="true"
        custom_sign_in_logo = "https://img.test.com/test.png"
        provider_display_name = "GitLab login"
        banner="GitLab"
        # requests whose path matches one of these regexes bypass authentication, so anchor every pattern with "$"
        # (the ".json" entry was originally unanchored and matched any path containing ".json")
        skip_auth_regex=["\\.css$", "\\.js$", "\\.woff2$", "\\.svg$", "\\.png$", "\\.ico$", "\\.json$"]
    image:
      repository: "myregistory.com/oauth2-proxy/oauth2-proxy"
      tag: "v7.4.0"
    serviceAccount:
      enabled: false
    ingress:
      enabled: true
      path: /
      annotations:
        kubernetes.io/ingress.class: nginx
      hosts:
        - oauth2-login.test.com
    EOF
  ]
}
```
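`skip_auth_regex` is the one setting in that release that silently widens the unauthenticated surface: oauth2-proxy lets a request through without a session as soon as its path matches any entry. The script below is an added example (not code from the page or from oauth2-proxy) that replays that decision with Python's `re` over constructed request paths, once with the list as it was originally written (the `\.json` entry without a trailing `$`) and once with an anchored list limited to a static-asset prefix. The patterns use only syntax that RE2 and Python share, so the match results carry over.

```python
"""Audit which request paths bypass authentication under a skip_auth_regex list.

Added example, not code from the page or from oauth2-proxy; the sample paths are constructed.
"""
import re

# the list as originally written in the Helm values: the last entry has no "$" anchor
PAGE_SKIP_AUTH_REGEX = [r"\.css$", r"\.js$", r"\.woff2$", r"\.svg$", r"\.png$", r"\.ico$", r"\.json"]

# hardened alternative: anchored on both ends and limited to the static-asset prefix,
# plus the one JSON file that genuinely has to be public
HARDENED_SKIP_AUTH_REGEX = [r"^/static/[^?]*\.(css|js|woff2|svg|png|ico)$", r"^/manifest\.json$"]


def compile_rules(patterns):
    return [re.compile(p) for p in patterns]


def skips_auth(path: str, rules) -> bool:
    """True when the path matches any rule, i.e. oauth2-proxy would not require a session."""
    return any(rule.search(path) for rule in rules)


def audit(paths, patterns):
    """Map each request path to whether it bypasses authentication under `patterns`."""
    rules = compile_rules(patterns)
    return {p: skips_auth(p, rules) for p in paths}


SAMPLE_PATHS = [  # constructed request paths
    "/static/app.js",          # intended exemption
    "/manifest.json",          # intended exemption
    "/admin/users",            # must stay protected
    "/admin/.json/users",      # bypass: ".json" appears in the middle of the path
    "/api/export.jsonp",       # bypass: ".json" is a prefix of ".jsonp"
    "/api/accounts/42.json",   # bypass: every JSON API response is exposed
]

if __name__ == "__main__":
    for name, patterns in (("page", PAGE_SKIP_AUTH_REGEX), ("hardened", HARDENED_SKIP_AUTH_REGEX)):
        for path, skipped in audit(SAMPLE_PATHS, patterns).items():
            print(f"{name:9} {'SKIP' if skipped else 'AUTH'} {path}")
```

Even anchored extension rules are only safe for paths that serve nothing but static files; if the upstream routes `/admin/export.json` to application code, the exemption is still a bypass. Prefer exempting a dedicated static prefix, as the hardened list does.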
oauth2-proxy endpoints

The proxy serves these under its own host; the rest of this page relies on them:

{HostUrl}/oauth2/sign_in    login page
{HostUrl}/oauth2/start      starts the OAuth2 flow; rd=<url> is where to return after login
{HostUrl}/oauth2/callback   redirect URI registered at the IdP (redirect_url above)
{HostUrl}/oauth2/auth       202 when the request carries a valid session cookie, 401 otherwise (used by the nginx auth_request integration below)
{HostUrl}/oauth2/userinfo   JSON with the current user's identity claims
{HostUrl}/oauth2/sign_out   clears the session cookie
oauth2-proxy values template (Keycloak as OIDC provider, alpha config)

An alternative set of chart values that uses the chart's alphaConfig, restricts access to an IdP group and forwards identity claims as response headers:

```yaml
config:
  cookieSecret: "XXXXXXXXXXXXXXXX" # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret
  # cookieName: "_oauth2_proxy" # name of the cookie oauth2-proxy creates; defaults to "_oauth2_proxy"
  configFile: |-
    email_domains = [ "*" ] # restrict to these e-mail domains; "*" allows any e-mail (allowedGroups below still applies)
alphaConfig:
  enabled: true
  configData: # the chart renders this map into the alpha config file
    providers:
      - clientID: # IdP client ID
        clientSecret: # IdP client secret
        id: oidc-istio
        provider: oidc # the generic 'oidc' provider
        loginURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/auth
        redeemURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/token
        profileURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/userinfo
        validateURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/userinfo
        scope: "openid email profile groups"
        allowedGroups:
          - admins # groups managed at the IdP that may access the app; a user needs membership in at least one
          # - infrateam
          # - anothergroup
        oidcConfig:
          emailClaim: email # name of the JWT claim containing the e-mail
          groupsClaim: groups # name of the JWT claim containing the groups
          userIDClaim: email # name of the JWT claim containing the user ID
          skipDiscovery: true # the well-known endpoint could be used for auto discovery; here the endpoints are given explicitly
          issuerURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>
          jwksURL: https://<keycloak-domain>/identity/auth/realms/<keycloak-realm>/protocol/openid-connect/certs
    upstreamConfig:
      upstreams:
        - id: static_200 # no real backend: the proxy only answers auth checks, so "/" returns 200
          path: /
          static: true
          staticCode: 200
    # headers added to responses from the proxy, taken from the ID token claims
    injectResponseHeaders:
      - name: X-Auth-Request-Preferred-Username
        values:
          - claim: preferred_username
      - name: X-Auth-Request-Email
        values:
          - claim: email
extraArgs:
  cookie-secure: "false" # only for plain-HTTP testing; in production it must be "true" or the session cookie travels in clear
  cookie-domain: ".example.com" # replace with your base domain
  cookie-samesite: lax
  cookie-expire: 12h # how long the cookie is valid
  auth-logging: true # enable / disable auth logs
  request-logging: true # enable / disable request logs
  standard-logging: true # enable / disable the standard logs
  show-debug-on-error: true # disable in production setups
  skip-provider-button: true # only one provider is configured (Keycloak)
  silence-ping-logging: true # keeps the logs clean
  whitelist-domain: ".example.com" # replace with your base domain
```

The `cookieSecret` placeholder is 16 characters, the smallest size oauth2-proxy accepts; replace it, or better use `config.existingSecret` as in the release above so the value is not stored in the chart values.
Integrating the nginx ingress with oauth2-proxy for authentication

In this mode oauth2-proxy does not proxy the applications itself. For every request the ingress-nginx controller sends an auth_request sub-request to /oauth2/auth; a 202 lets the request through to the application, a 401 redirects the browser to the auth-signin URL, whose `rd` parameter carries the original URL to return to after login.

- Add these annotations to the Ingress resource of each application to protect:

```yaml
# copy this header from the /oauth2/auth response into the proxied request (works with set_authorization_header)
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
# where unauthenticated browsers are sent; rd is the return URL, so its host must be covered by whitelist_domains
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.int.testing.com/oauth2/start?rd=https://$host$request_uri"
# asks oauth2-proxy whether the request carries a valid session cookie
nginx.ingress.kubernetes.io/auth-url: https://oauth2.int.testing.com/oauth2/auth
# optional: oauth2-proxy also reads the return URL from this header, but rd above already carries it;
# recent ingress-nginx releases disable snippet annotations by default (allow-snippet-annotations), so enable them or drop this
nginx.ingress.kubernetes.io/configuration-snippet: |
  proxy_set_header X-Auth-Request-Redirect $request_uri;
```

- The oauth2-proxy config for this mode looks like this:

```toml
# no upstreams: oauth2-proxy acts as the authentication backend only and never proxies
# the applications; after login it redirects to the URL passed in the `rd` parameter
# upstreams=["http://app.namespace:8080/"]
# hosts that `rd` may point to; a leading dot covers the domain and every sub-domain.
# Without this /oauth2/start?rd=https://evil.example would be an open redirect
whitelist_domains=[".sufix.text.com"]
# set the session cookie for the parent domain so the browser sends it to every protected
# app under it; the oauth2-proxy host itself must sit under this domain as well
cookie_domains=[".sufix.text.com"]
```
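The `rd` parameter is attacker-controlled (anyone can link to `/oauth2/start?rd=...`), which is why `whitelist_domains` matters. The script below is an added example, not oauth2-proxy's own code: a simplified model of the check it applies to `rd` (a relative path is accepted unless it is protocol-relative; an absolute URL is accepted only if its host is in the whitelist, where a leading dot means the domain and all of its sub-domains and an entry without a dot must match exactly). Per-entry port rules that oauth2-proxy also supports are left out, and the redirect targets are constructed test inputs.

```python
"""Decide whether an `rd` redirect target may be followed after login.

Added example modelling the whitelist_domains check; not oauth2-proxy's implementation.
"""
from urllib.parse import urlsplit

WHITELIST_DOMAINS = [".sufix.text.com"]  # the value from the config above


def host_allowed(host: str, whitelist) -> bool:
    """Leading-dot entries match the domain and its sub-domains, others match exactly."""
    host = host.lower()
    for entry in whitelist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def is_safe_redirect(rd: str, whitelist) -> bool:
    """True when following `rd` cannot leave the whitelisted domains."""
    if not rd:
        return False
    if rd.startswith("/"):
        # same-origin path, but refuse protocol-relative (//host) and the backslash
        # variant (/\host) that browsers normalise to //host
        return not rd.startswith(("//", "/\\"))
    parts = urlsplit(rd)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # hostname strips userinfo and port, so https://app.sufix.text.com@evil.example
    # is judged by the real host (evil.example), not the decoy before the "@"
    return host_allowed(parts.hostname, whitelist)


if __name__ == "__main__":
    for target in ("https://app.sufix.text.com/dashboard", "/dashboard?tab=1",
                   "https://evil.example/", "https://app.sufix.text.com@evil.example/",
                   "//evil.example/x"):
        print("allow" if is_safe_redirect(target, WHITELIST_DOMAINS) else "deny ", target)
```

The auth-signin annotation above builds `rd=https://$host$request_uri`, an absolute URL whose host is the application's; every application host therefore has to fall under a `whitelist_domains` entry or the login will complete but the return redirect will be refused.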
Reference resources

- [oauth2-proxy config example](https://github.com/oauth2-proxy/oauth2-proxy/blob/6cc7da8993cf81dc0aae475edfd1632fd74d7818/contrib/oauth2-proxy.cfg.example)
- [Official docs](https://oauth2-proxy.github.io/oauth2-proxy/docs/)
- [Dex identity provider](https://github.com/dexidp/dex)
- [One proxy authenticating multiple sub-domains](https://www.digitalocean.com/community/tutorials/how-to-protect-private-kubernetes-services-behind-a-github-login-with-oauth2_proxy)
- [OAuth from First Principles](https://stack-auth.com/blog/oauth-from-first-principles)