This blog post will show you how to use one central OAuth2 Proxy (see the official page) as an authentication proxy for multiple services inside your Kubernetes cluster.
The default example on how to secure a service with Nginx and OAuth2 Proxy shows you how to secure one service. To achieve this, it uses two Ingress objects for the service to be secured. If you plan to secure multiple services with the same OAuth provider, you end up with a lot of Ingress objects. Another problem of this setup is that it is not supported by most Helm charts. Most Helm charts only allow you to create one Ingress object. You would have to set up the service via its Helm chart and then somehow add the additional Ingress object needed by OAuth2 Proxy.
One central authentication service for multiple services
This post will show you how you can achieve the same with one central OAuth2 Proxy Ingress. I used the official Helm chart for OAuth2 Proxy (see https://github.com/oauth2-proxy/manifests) to install the proxy. The Helm chart allows you to define an Ingress:
```yaml
ingress:
  enabled: true
  path: /
  hosts:
    - oauth.example.com
  annotations:
    kubernetes.io/ingress.class: external
  tls:
    - secretName: tls-cert
      hosts:
        - oauth.example.com
```
As the OAuth2 Proxy documentation explains how to set up the different authentication providers, I will focus on the Ingress setup here.
The above values result in this Ingress object:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
spec:
  rules:
    - host: oauth.example.com
      http:
        paths:
          - backend:
              # networking.k8s.io/v1 expects service.name/port.number;
              # serviceName/servicePort are the older v1beta1 field names
              service:
                name: oauth2-proxy
                port:
                  number: 80
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - oauth.example.com
      secretName: tls-cert
```
This Ingress will handle all authentication requests, as we will see in the next Ingress definition. For the service you want to secure, add the annotations below to its Ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: external
    nginx.ingress.kubernetes.io/auth-signin: https://oauth.example.com/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth
  name: alertmanager
spec:
  rules:
    - host: alertmanager.example.com
      http:
        paths:
          - backend:
              # networking.k8s.io/v1 expects service.name/port.number;
              # serviceName/servicePort are the older v1beta1 field names
              service:
                name: alertmanager
                port:
                  number: 9093
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - alertmanager.example.com
      secretName: tls-cert
```
The `auth-signin` annotation redirects any request that needs a login to the OAuth2 Proxy Ingress.
The `auth-url` annotation lets the Nginx Ingress controller reach the OAuth2 Proxy internally via its Service to verify a submitted token.
The OAuth2 Proxy will handle the authentication and later redirect you to the protected service again.
An additional advantage of this setup is that you only need to specify one valid redirect URL in your OIDC client. OAuth2 Proxy will handle the service-specific redirects.
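Because every protected service now depends on two annotations that are easy to forget, here is an added audit script (not from the original post or the OAuth2 Proxy project) that walks the output of `kubectl get ingress -A -o json`: the central proxy Ingress is exempt, and every other Ingress must carry both annotations pointing at the proxy. The sample input is constructed to mirror the manifests above; the `grafana` Ingress and the `monitoring` namespace are assumptions.

```python
import json

# Constructed sample in the shape of `kubectl get ingress -A -o json` (not real cluster
# data): the central OAuth2 Proxy Ingress, one protected service, one never annotated.
SAMPLE_INGRESS_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "oauth2-proxy", "namespace": "auth-namespace", "annotations": {}},
  "spec": {"rules": [{"host": "oauth.example.com"}]}},
 {"metadata": {"name": "alertmanager", "namespace": "monitoring", "annotations": {
    "nginx.ingress.kubernetes.io/auth-signin": "https://oauth.example.com/oauth2/start",
    "nginx.ingress.kubernetes.io/auth-url": "http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth"}},
  "spec": {"rules": [{"host": "alertmanager.example.com"}]}},
 {"metadata": {"name": "grafana", "namespace": "monitoring", "annotations": {}},
  "spec": {"rules": [{"host": "grafana.example.com"}]}}
]}
""")

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"

def audit_ingresses(ingress_list, proxy_host, expected_auth_url):
    # proxy_host: public host of the central OAuth2 Proxy Ingress (the only Ingress that
    # may lack auth annotations). expected_auth_url: in-cluster URL every protected
    # service must send nginx's auth subrequest to. Returns {namespace/name: status}.
    report = {}
    for item in ingress_list["items"]:
        meta = item["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        annotations = meta.get("annotations") or {}
        hosts = [rule.get("host", "") for rule in item["spec"].get("rules", [])]
        if proxy_host in hosts:
            report[key] = "oauth2-proxy"    # the authentication endpoint itself
            continue
        auth_url = annotations.get(AUTH_URL)
        signin = annotations.get(AUTH_SIGNIN)
        if auth_url is None or signin is None:
            report[key] = "UNPROTECTED"     # nginx forwards requests without any auth subrequest
        elif auth_url != expected_auth_url:
            report[key] = "WRONG_AUTH_URL"  # subrequest goes somewhere other than the proxy
        elif not signin.startswith(f"https://{proxy_host}/oauth2/start"):
            report[key] = "WRONG_SIGNIN"    # login redirect does not land on the proxy over TLS
        else:
            report[key] = "protected"
    return report

def audit_kubectl_json(text, proxy_host, expected_auth_url):
    # Convenience wrapper: pass the raw output of `kubectl get ingress -A -o json`.
    return audit_ingresses(json.loads(text), proxy_host, expected_auth_url)
```

Any Ingress reported as `UNPROTECTED` is reachable without passing through OAuth2 Proxy, which is exactly the gap this central setup is meant to close.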
Conclusion
This post showed you how to secure multiple services with just one central OAuth2 Proxy. I hope this helps you to reduce the complexity of your cluster and also limit the number of resources consumed.
Blog author
Christian Zunker