A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
The auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.
Sample:
...
metadata:
  name: application
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
...
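To make the two annotations concrete, here is an added model of what nginx does with them (illustrative code written for this page, not code from nginx, ingress-nginx or oauth2_proxy): every request to the annotated Ingress triggers a subrequest to auth-url; a 2xx answer lets the request through, anything else redirects the browser to auth-signin with the original request URI carried in `rd` as nginx's `$escaped_request_uri` (percent-encoded, `/` included). The session store and the Cookie parsing are constructed stand-ins for oauth2_proxy's real cookie check.

```python
"""Added example: the auth-url / auth-signin decision nginx makes per request.

Not part of the original page; the VALID_SESSIONS table and oauth2_auth()
are constructed stand-ins for oauth2_proxy's /oauth2/auth endpoint.
"""
from dataclasses import dataclass, field
from urllib.parse import quote, parse_qs, urlparse

# Constructed sample session store: cookie value -> authenticated email.
VALID_SESSIONS = {"c0ffee": "alice@example.com"}
COOKIE_NAME = "_oauth2_proxy"   # default cookie name listed on the page


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser (constructed helper, not a full RFC 6265 parser)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def oauth2_auth(cookie_header: str) -> int:
    """Stand-in for GET /oauth2/auth: 202 for a valid session cookie, 401 otherwise."""
    session = parse_cookies(cookie_header).get(COOKIE_NAME)
    return 202 if session in VALID_SESSIONS else 401


def gate(host: str, request_uri: str, cookie_header: str = "") -> Response:
    """Model nginx's handling of the two annotations for one incoming request."""
    if oauth2_auth(cookie_header) // 100 == 2:
        return Response(200)   # auth_request passed: nginx proxies to the upstream
    # auth_request failed: build the auth-signin redirect. $escaped_request_uri
    # percent-encodes the whole URI (including '/') so it survives as one query value.
    escaped = quote(request_uri, safe="")
    return Response(302, {"Location": f"https://{host}/oauth2/start?rd={escaped}"})


def redirect_target(location: str) -> str:
    """The URI oauth2_proxy sends the user back to after login: the decoded `rd` value."""
    return parse_qs(urlparse(location).query)["rd"][0]


if __name__ == "__main__":
    r = gate("oidc.example.com", "/app?x=1&y=2")
    print(r.status, r.headers.get("Location"))
    print(redirect_target(r.headers["Location"]))
```

The `rd` value is attacker-controllable on the wire, which is why the OAUTH2_PROXY_COOKIE_WHITELIST_DOMAIN setting further down matters: after login oauth2_proxy only follows a redirect to a host it has been told to allow.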
This example shows how to deploy oauth2_proxy into a Kubernetes cluster and use it to protect the Sample App, using OIDC as the OAuth2 provider.
- Create an RBAC role in the Kubernetes cluster:
kubectl create -f rbac.yaml
- Install the nginx ingress controller with Helm:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm repo update
helm install nginx-ingress stable/nginx-ingress --namespace default --set controller.replicaCount=2 --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
- Install the Sample App:
kubectl create -f app.yaml
- Configure the oauth2_proxy values in the file oidc.yaml with the values:
  - OAUTH2_PROXY_PROVIDER: <OAuth provider, e.g. google, azure, keycloak, oidc, nextcloud, digitalocean>
  - OAUTH2_PROXY_CLIENT_ID: <the OAuth Client ID>
  - OAUTH2_PROXY_CLIENT_SECRET: <the OAuth Client Secret>
  - OAUTH2_PROXY_COOKIE_SECRET: the value printed by
    docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))).decode())'
  - OAUTH2_PROXY_REDIRECT_URL: <the OAuth redirect URL, e.g. "https://internalapp.yourcompany.com/oauth2/callback">
  - OAUTH2_PROXY_OIDC_ISSUER_URL: <the OpenID Connect issuer URL, e.g. "https://xyz.okta.com/oauth2/default">
  - OAUTH2_PROXY_UPSTREAM: <the http URL(s) of the upstream endpoint, file:// paths for static files, or static://<status_code> for a static response; routing is based on the path>
  - OAUTH2_PROXY_COOKIE_SECURE: <default 'True' for https; for an http configuration it should be 'False'>
  - OAUTH2_PROXY_COOKIE_DOMAIN: <an optional cookie domain to force cookies to, e.g. .yourcompany.com>
  - OAUTH2_PROXY_COOKIE_WHITELIST_DOMAIN: <allowed domains for redirection after authentication; prefix a domain with a . to allow subdomains, e.g. .example.com>
  - OAUTH2_PROXY_COOKIE_NAME: <the name of the cookie that oauth2_proxy creates | default: "_oauth2_proxy">
  - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: <skips the sign-in page and goes directly to the next step, oauth/start | default: "false">
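The following added example (written for this page; not the page's oidc.yaml and not oauth2_proxy project code) generates the cookie secret, assembles the settings listed above into a Kubernetes Secret, and checks the values for the mistakes that most often break a first deployment. It separates the two base64 steps that the docker one-liner above performs in one go: the inner encoding turns 16 random bytes into a 24-character secret (oauth2_proxy requires 16, 24 or 32 bytes, the AES key sizes), and the outer encoding is what a Secret's `data` field expects. The Secret name `oauth2-proxy-config` and the upstream service URL in the sample are my own assumptions.

```python
"""Added example: build and sanity-check the oauth2_proxy Kubernetes Secret.

Not from the page or the oauth2_proxy project. Secret name and the sample
upstream URL are assumptions; replace them with your own values.
"""
import base64
import secrets
from urllib.parse import urlparse

COOKIE_SECRET_LENGTHS = (16, 24, 32)   # AES-128/192/256 key sizes accepted by oauth2_proxy


def new_cookie_secret() -> str:
    """16 random bytes, base64-encoded: a 24-character secret (the inner b64encode)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def k8s_encode(value: str) -> str:
    """Secret.data values must themselves be base64 (the outer b64encode)."""
    return base64.b64encode(value.encode()).decode()


def validate(cfg: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    secret = cfg.get("OAUTH2_PROXY_COOKIE_SECRET", "")
    if len(secret.encode()) not in COOKIE_SECRET_LENGTHS:
        problems.append("COOKIE_SECRET must be 16, 24 or 32 bytes")

    redirect = urlparse(cfg.get("OAUTH2_PROXY_REDIRECT_URL", ""))
    if not redirect.path.endswith("/oauth2/callback"):
        problems.append("REDIRECT_URL should end in /oauth2/callback")

    secure = cfg.get("OAUTH2_PROXY_COOKIE_SECURE", "true").lower() == "true"
    if redirect.scheme == "https" and not secure:
        problems.append("https deployment but COOKIE_SECURE is false")
    if redirect.scheme == "http" and secure:
        # Browsers refuse to store a Secure cookie over plain http: endless login loop.
        problems.append("http deployment with COOKIE_SECURE true: session cookie will never be stored")

    issuer = urlparse(cfg.get("OAUTH2_PROXY_OIDC_ISSUER_URL", ""))
    if cfg.get("OAUTH2_PROXY_PROVIDER") == "oidc" and issuer.scheme != "https":
        problems.append("OIDC_ISSUER_URL must be an https URL")

    domain = cfg.get("OAUTH2_PROXY_COOKIE_DOMAIN", "").lstrip(".")
    host = redirect.hostname or ""
    if domain and not (host == domain or host.endswith("." + domain)):
        problems.append("COOKIE_DOMAIN does not cover the REDIRECT_URL host")
    return problems


def secret_manifest(cfg: dict, name: str = "oauth2-proxy-config") -> str:
    """Render an Opaque Secret with every value base64-encoded (hand-rolled YAML, no PyYAML)."""
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
             "type: Opaque", "data:"]
    for key in sorted(cfg):
        lines.append(f"  {key}: {k8s_encode(cfg[key])}")
    return "\n".join(lines) + "\n"


# Constructed sample configuration mirroring the list above (upstream URL is assumed).
SAMPLE = {
    "OAUTH2_PROXY_PROVIDER": "oidc",
    "OAUTH2_PROXY_CLIENT_ID": "<Client ID>",
    "OAUTH2_PROXY_CLIENT_SECRET": "<Client Secret>",
    "OAUTH2_PROXY_COOKIE_SECRET": new_cookie_secret(),
    "OAUTH2_PROXY_REDIRECT_URL": "https://oidc.example.com/oauth2/callback",
    "OAUTH2_PROXY_OIDC_ISSUER_URL": "https://xyz.okta.com/oauth2/default",
    "OAUTH2_PROXY_UPSTREAM": "http://sample-app.default.svc.cluster.local:80/",
    "OAUTH2_PROXY_COOKIE_SECURE": "true",
    "OAUTH2_PROXY_COOKIE_DOMAIN": ".example.com",
}

if __name__ == "__main__":
    issues = validate(SAMPLE)
    print(secret_manifest(SAMPLE) if not issues else "\n".join(issues))
```

Run it, redirect the output to a file and apply that file in place of hand-editing the Secret; the `validate` step catches the http/Secure-cookie mismatch the COOKIE_SECURE note above warns about before it turns into a redirect loop.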
- Customize the contents of the file ingress-route.yaml:
  Create the TLS Secret:
  kubectl create secret tls tls.oidc.example.com --namespace default --key privkey1.pem --cert fullchain1.pem
  Replace tls.oidc.example.com with a Secret holding a valid SSL certificate, and replace oidc.example.com with your valid FQDN.
- Deploy the oauth2 proxy and the ingress rules by running:
$ kubectl create -f oidc.yaml,ingress-route.yaml
Test the OAuth integration by accessing the configured URL, e.g. https://oidc.example.com