How to use OAuth2 Proxy for central authentication


This blog post will show you how to use one central OAuth2 Proxy (see the official page) as the authentication proxy for multiple services inside your Kubernetes cluster.

The default example of how to secure a service with Nginx and OAuth2 Proxy shows you how to secure one service. To achieve this, it uses two Ingress objects for the service to be secured. If you plan to secure multiple services with the same OAuth provider, you end up with a lot of Ingress objects. Another problem with this setup is that it is not supported by most Helm charts: most Helm charts only allow you to create one Ingress object. You would have to set up the service via its Helm chart and then somehow add the additional Ingress object needed by OAuth2 Proxy.

One central authentication service for multiple services

This post will show you how you can achieve the same with one central OAuth2 Proxy Ingress. I used the official Helm chart for OAuth2 Proxy (see https://github.com/oauth2-proxy/manifests) to install the proxy. The Helm chart allows you to define an Ingress:

ingress:
  enabled: true
  path: /
  hosts:
    - oauth.example.com
  annotations:
    kubernetes.io/ingress.class: external
  tls:
    - secretName: tls-cert
      hosts:
        - oauth.example.com

As the OAuth2 Proxy documentation explains how to set up the different authentication providers, I will focus on the Ingress setup here.

The above values result in this Ingress object:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: external
spec:
  rules:
  - host: oauth.example.com
    http:
      paths:
      - backend:
          service:
            name: oauth2-proxy
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - oauth.example.com
    secretName: tls-cert

This Ingress will handle all authentication requests, as we will see in the next Ingress definition. For the service you want to secure, add the annotations below to its Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: external
    nginx.ingress.kubernetes.io/auth-signin: https://oauth.example.com/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth
  name: alertmanager
spec:
  rules:
  - host: alertmanager.example.com
    http:
      paths:
      - backend:
          service:
            name: alertmanager
            port:
              number: 9093
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - alertmanager.example.com
    secretName: tls-cert

The `auth-signin` annotation redirects any required login to the OAuth2 Proxy Ingress.
The `auth-url` annotation lets Nginx reach the OAuth2 Proxy internally via its Service to verify a submitted token.

The OAuth2 Proxy will handle the authentication and later redirect you to the protected service again.

An additional advantage of this setup is that you only need to specify one valid redirect URL in your OIDC client. OAuth2 Proxy will handle the service-specific redirects.
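To make the flow behind the two annotations concrete, here is an added, constructed model of the exchange (not code from this post, from ingress-nginx or from oauth2-proxy): two plain Python functions stand in for ingress-nginx and OAuth2 Proxy, a dictionary stands in for the browser's cookie jar, and nothing touches the network. The auth-url and auth-signin values are the ones from the Ingress above; the cookie domain `.example.com`, the whitelist domain `.example.com`, the user name and the secret are assumptions for the example. The model also covers the edge case that bites a central-proxy setup: the session cookie is set on oauth.example.com, so it only reaches alertmanager.example.com when OAuth2 Proxy's `--cookie-domain` covers the whole zone, and the `rd=` return target is only honoured when it falls inside `--whitelist-domain` (otherwise the proxy falls back to `/`).

```python
"""Constructed model of the nginx external-auth flow set up by the annotations.

Added example, not code from the post, ingress-nginx or oauth2-proxy: the two
"servers" are plain functions, the cookie jar stands in for the browser.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# Values taken from the Ingress objects in the post.
SIGNIN_URL = "https://oauth.example.com/oauth2/start"                          # auth-signin
AUTH_URL = "http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth"  # auth-url

# Assumed oauth2-proxy settings: one session cookie shared by every *.example.com
# host (--cookie-domain) and rd= redirects limited to the same zone (--whitelist-domain).
COOKIE_NAME = "_oauth2_proxy"        # oauth2-proxy's default cookie name
COOKIE_DOMAIN = ".example.com"
WHITELIST_DOMAIN = ".example.com"
COOKIE_SECRET = b"constructed-secret-for-this-example-only"


def host_matches(host, domain):
    """Cookie/whitelist matching: 'example.com' or '.example.com' covers example.com
    and every subdomain; 'oauth.example.com' covers only that host."""
    domain = domain.lstrip(".")
    return host == domain or host.endswith("." + domain)


def make_session(user):
    """HMAC-signed session value standing in for oauth2-proxy's encrypted cookie."""
    mac = hmac.new(COOKIE_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}|{mac}"


def read_session(value):
    """Return the user for a valid session value, None for missing/tampered ones."""
    user, _, mac = value.rpartition("|")
    expected = hmac.new(COOKIE_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac, expected) else None


def browser_cookies(jar, host):
    """The browser only sends cookies whose Domain attribute covers the request host."""
    return {name: value for (name, domain), value in jar.items() if host_matches(host, domain)}


def oauth2_proxy_auth(cookies):
    """GET /oauth2/auth (the auth-url subrequest): 202 plus identity headers for a
    valid session, 401 otherwise. ingress-nginx treats any 2xx as 'allow'."""
    user = read_session(cookies.get(COOKIE_NAME, ""))
    if user is None:
        return 401, {}
    return 202, {"X-Auth-Request-User": user}


def ingress_request(host, path, jar):
    """ingress-nginx for a protected host: auth_request subrequest to AUTH_URL, then
    proxy to the backend, or 302 to SIGNIN_URL with rd=<original URL> appended."""
    status, auth_headers = oauth2_proxy_auth(browser_cookies(jar, host))
    if status == 202:
        return {"status": 200, "backend": host, "headers": auth_headers}
    original = f"https://{host}{path}"
    return {"status": 302, "location": f"{SIGNIN_URL}?rd={quote(original, safe='')}"}


def oauth2_proxy_login(location, user, jar, cookie_domain=COOKIE_DOMAIN):
    """/oauth2/start -> identity provider -> /oauth2/callback collapsed into one step:
    the IdP only ever sees the single callback on oauth.example.com; the proxy stores
    the session cookie for cookie_domain and sends the browser back to rd. An rd host
    outside WHITELIST_DOMAIN is refused and replaced by '/'."""
    rd = parse_qs(urlsplit(location).query).get("rd", ["/"])[0]
    jar[(COOKIE_NAME, cookie_domain)] = make_session(user)
    rd_host = urlsplit(rd).hostname or ""
    return rd if host_matches(rd_host, WHITELIST_DOMAIN) else "/"


def walkthrough(cookie_domain=COOKIE_DOMAIN):
    """One browser session against two protected services behind the central proxy."""
    jar, trace = {}, []
    first = ingress_request("alertmanager.example.com", "/api/v2/alerts", jar)
    trace.append(first["status"])                 # 302: no session yet
    back_to = oauth2_proxy_login(first["location"], "alice@example.com", jar, cookie_domain)
    trace.append(back_to)                         # returned to the original URL
    second = ingress_request("alertmanager.example.com", "/api/v2/alerts", jar)
    trace.append(second["status"])                # 200 only if the cookie reaches this host
    third = ingress_request("grafana.example.com", "/dashboards", jar)
    trace.append(third["status"])                 # same session, no second login
    return trace


if __name__ == "__main__":
    print(walkthrough())                      # cookie for .example.com: login once, both 200
    print(walkthrough("oauth.example.com"))   # cookie scoped to the proxy host: endless 302s
```

Running it with the default cookie domain gives `[302, 'https://alertmanager.example.com/api/v2/alerts', 200, 200]`: one login, then both services accept the same session. Calling `walkthrough("oauth.example.com")` reproduces the classic redirect loop, because the cookie never reaches the protected hosts and every `auth-url` subrequest keeps answering 401.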

Conclusion

This post showed you how to secure multiple services with just one central OAuth2 Proxy. I hope this helps you to reduce the complexity of your cluster and also limit the number of resources consumed.

Christian Zunker is creating and operating distributed software systems and infrastructures. In his current role as a Senior Consultant Cloud Technologies, he builds and runs cloud-based systems for cc cloud GmbH and its customers.
