The default example on how to secure a service with Nginx and OAuth2 Proxy shows you how to secure one service. To achieve this, it uses two Ingress objects for the service to be secured. If you plan to secure multiple services with the same OAuth provider, you end up with a lot of Ingress objects. Another problem of this setup is that it is not supported by most Helm charts. Most Helm charts only allow you to create one Ingress object. You would have to set up the service via its Helm chart and then add somehow the additional Ingress object needed by OAuth2 Proxy.
One central authentication service for multiple services
This post will show you how you can achieve the same with one central OAuth2 Proxy Ingress. I used the official Helm chart for OAuth2 Proxy (see https://github.com/oauth2-proxy/manifests ) to install the proxy. The Helm chart allows you to define an Ingress:
ingress: enabled: true path: / hosts: - oauth.example.com annotations: kubernetes.io/ingress.class: external tls: - secretName: tls-cert hosts: - oauth.example.com
As the OAuth2 Proxy documentation explains how to set up the different authentication providers , I will focus on the Ingress setup here.
The above values result in this Ingress object:
apiVersion: networking.k8s.io/v1 kind: Ingress name: oauth2-proxy spec: rules: - host: oauth.example.com http: paths: - backend: serviceName: oauth2-proxy servicePort: 80 path: / tls: - hosts: - oauth.example.com secretName: tls-cert
This Ingress will handle all authentication request as we will see in the next Ingress definition. For the service you want to secure, add the below annotations to the Ingress:
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: external nginx.ingress.kubernetes.io/auth-signin: https://oauth.example.com/oauth2/start nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth name: alertmanager spec: rules: - host: alertmanager.example.com http: paths: - backend: serviceName: alertmanager servicePort: 9093 path: / pathType: ImplementationSpecific tls: - hosts: - alertmanager.example.com secretName: tls-cert
The `auth-sigin` redirects any needed login to the OAuth2 Proxy Ingress.
The `auth-url` annotation can access the OAuth2 Proxy internally via its service to verify a submitted token.
The OAuth2 Proxy will handle the authentication and later redirect you to the protected service again.
An additional advantage of this setup is, that you only need to specify one valid redirect URL in your OIDC client. OAuth2 Proxy will handle the service specific redirects.
This post showed you how to secure multiple services with just one central OAuth2 Proxy. I hope this helps you to reduce the complexity of your cluster and also limit the number of resources consumed.
Dein Job bei codecentric?
More articles in this subject area\n
Discover exciting further topics and let the codecentric world inspire you.