How to use OAuth2 Proxy for central authentication
source link: https://blog.codecentric.de/en/2021/06/how-to-use-oauth2-proxy-for-central-authentication/
06/08/21 by Christian Zunker
This blog post will show you how to use one central OAuth2 Proxy (see the official page) as the authentication proxy for multiple services inside your Kubernetes cluster.
The default example of how to secure a service with Nginx and OAuth2 Proxy shows you how to secure one service. To achieve this, it uses two Ingress objects for the service to be secured. If you plan to secure multiple services with the same OAuth provider, you end up with a lot of Ingress objects. Another problem with this setup is that most Helm charts do not support it: most Helm charts only allow you to create one Ingress object. You would have to set up the service via its Helm chart and then somehow add the additional Ingress object needed by OAuth2 Proxy.
One central authentication service for multiple services
This post will show you how you can achieve the same with one central OAuth2 Proxy Ingress. I used the official Helm chart for OAuth2 Proxy (see https://github.com/oauth2-proxy/manifests) to install the proxy. The Helm chart allows you to define an Ingress:
ingress:
  enabled: true
  path: /
  hosts:
    - oauth.example.com
  annotations:
    kubernetes.io/ingress.class: external
  tls:
    - secretName: tls-cert
      hosts:
        - oauth.example.com
Since the OAuth2 Proxy documentation already explains how to set up the different authentication providers, I will focus on the Ingress setup here.
The above values result in this Ingress object:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: external
spec:
  rules:
    - host: oauth.example.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 80
  tls:
    - hosts:
        - oauth.example.com
      secretName: tls-cert
This Ingress will handle all authentication requests, as we will see in the next Ingress definition. For each service you want to secure, add the two `nginx.ingress.kubernetes.io/auth-*` annotations shown below to its Ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: external
    nginx.ingress.kubernetes.io/auth-signin: https://oauth.example.com/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth
  name: alertmanager
spec:
  rules:
    - host: alertmanager.example.com
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: alertmanager
                port:
                  number: 9093
  tls:
    - hosts:
        - alertmanager.example.com
      secretName: tls-cert
The `auth-signin` annotation redirects any request that still needs a login to the OAuth2 Proxy Ingress.
The `auth-url` annotation makes Nginx call the OAuth2 Proxy internally, via its Kubernetes service, to verify the token submitted with each request before the request is passed to the service.
The OAuth2 Proxy handles the authentication and afterwards redirects you back to the protected service.
An additional advantage of this setup is that you only need to specify one valid redirect URL in your OIDC client. OAuth2 Proxy handles the service-specific redirects.
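Two things decide whether this central setup actually works for a new service: its Ingress must carry both annotations pointing at the one proxy, and the proxy's session cookie and redirect whitelist must cover the service's hostname (the cookie set by oauth.example.com is only sent to alertmanager.example.com if it is scoped to a parent domain, and OAuth2 Proxy only redirects back to hosts it has been told to allow). The script below is an added example, not code from the post or from the OAuth2 Proxy project: it audits Ingress objects in the shape of `kubectl get ingress -A -o json` and the proxy's container arguments for exactly these conditions. The Ingress objects from the post, a made-up unprotected grafana Ingress and the proxy arguments are constructed sample data; `--cookie-domain` and `--whitelist-domain` are OAuth2 Proxy's own flags, and the domain-matching rule (leading `.` or `*.` allows subdomains) follows OAuth2 Proxy's documentation.

```python
from urllib.parse import urlparse

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"

# Values from the post: the central proxy host and its cluster-internal auth endpoint.
PROXY_HOST = "oauth.example.com"
PROXY_AUTH_URL = "http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth"

# Constructed sample in the shape of `kubectl get ingress -A -o json` items: the two
# Ingress objects from the post plus a made-up, unprotected grafana Ingress.
SAMPLE_INGRESSES = [
    {"metadata": {"name": "oauth2-proxy", "namespace": "auth-namespace",
                  "annotations": {"kubernetes.io/ingress.class": "external"}},
     "spec": {"rules": [{"host": "oauth.example.com"}]}},
    {"metadata": {"name": "alertmanager", "namespace": "monitoring",
                  "annotations": {"kubernetes.io/ingress.class": "external",
                                  AUTH_SIGNIN: "https://oauth.example.com/oauth2/start",
                                  AUTH_URL: PROXY_AUTH_URL}},
     "spec": {"rules": [{"host": "alertmanager.example.com"}]}},
    {"metadata": {"name": "grafana", "namespace": "monitoring",
                  "annotations": {"kubernetes.io/ingress.class": "external"}},
     "spec": {"rules": [{"host": "grafana.example.com"}]}},
]

# Constructed sample of the OAuth2 Proxy container args (the flag names are real
# OAuth2 Proxy flags, the values are made up for this example).
SAMPLE_PROXY_ARGS = [
    "--provider=oidc",
    "--cookie-domain=.example.com",
    "--whitelist-domain=alertmanager.example.com",
]


def ingress_hosts(ingress):
    """Hosts an Ingress serves (rules without a host are ignored here)."""
    return [r["host"] for r in ingress.get("spec", {}).get("rules", []) if r.get("host")]


def audit_ingress(ingress, proxy_host=PROXY_HOST, proxy_auth_url=PROXY_AUTH_URL):
    """Findings for one Ingress: missing auth annotations, wrong auth-url, wrong auth-signin."""
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    ann = meta.get("annotations") or {}
    hosts = ingress_hosts(ingress)
    if proxy_host in hosts:
        # The proxy's own Ingress must stay open: protecting it would make /oauth2/start
        # itself require a login, and every sign-in would loop.
        if AUTH_URL in ann or AUTH_SIGNIN in ann:
            return [f"{name}: the OAuth2 Proxy Ingress must not carry auth annotations"]
        return []
    auth_url, signin = ann.get(AUTH_URL), ann.get(AUTH_SIGNIN)
    if not auth_url or not signin:
        return [f"{name}: {', '.join(hosts)} exposed without auth-url/auth-signin"]
    findings = []
    if auth_url != proxy_auth_url:
        findings.append(f"{name}: auth-url {auth_url!r} does not point at the central proxy service")
    parts = urlparse(signin)
    if parts.scheme != "https" or parts.netloc != proxy_host or parts.path != "/oauth2/start":
        findings.append(f"{name}: auth-signin {signin!r} should be https://{proxy_host}/oauth2/start")
    return findings


def flag_values(args, flag):
    """All values of a repeatable --flag=value argument."""
    prefix = f"--{flag}="
    return [a[len(prefix):] for a in args if a.startswith(prefix)]


def domain_covers(pattern, host):
    """Domain matching as OAuth2 Proxy documents it: an exact host, or any subdomain
    when the pattern starts with '.' or '*.'."""
    if pattern.startswith("*."):
        pattern = pattern[1:]
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def audit_proxy_args(args, protected_hosts):
    """Every protected host needs a --cookie-domain that covers it (so the browser sends the
    session cookie there) and a --whitelist-domain (so the post-login redirect is allowed)."""
    findings = []
    for host in protected_hosts:
        for flag in ("cookie-domain", "whitelist-domain"):
            if not any(domain_covers(p, host) for p in flag_values(args, flag)):
                findings.append(f"{host}: not covered by any --{flag}")
    return findings


def run_audit(ingresses=SAMPLE_INGRESSES, proxy_args=SAMPLE_PROXY_ARGS):
    """Audit all Ingress objects, then check the proxy args against the hosts they protect."""
    findings, protected = [], []
    for ing in ingresses:
        findings.extend(audit_ingress(ing))
        ann = ing.get("metadata", {}).get("annotations") or {}
        if AUTH_URL in ann and PROXY_HOST not in ingress_hosts(ing):
            protected.extend(ingress_hosts(ing))
    findings.extend(audit_proxy_args(proxy_args, protected))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run against the sample data it reports only the grafana Ingress as exposed without authentication; feeding it the real `kubectl` JSON and the proxy Deployment's args instead of the constructed samples turns it into a quick check to run whenever a new service is added behind the central proxy.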
Conclusion
This post showed you how to secure multiple services with just one central OAuth2 Proxy. I hope this helps you to reduce the complexity of your cluster and also limit the number of resources consumed.