//

How to use OAuth2 Proxy for central authentication

7.6.2021 | 2 minutes of reading time

This blog post will show you how to use one central OAuth2 Proxy (see the official page ) as authentication proxy for multiple services inside your Kubernetes Cluster .

The default example on how to secure a service with Nginx and OAuth2 Proxy shows you how to secure one service. To achieve this, it uses two Ingress objects for the service to be secured. If you plan to secure multiple services with the same OAuth provider, you end up with a lot of Ingress objects. Another problem of this setup is that it is not supported by most Helm charts. Most Helm charts only allow you to create one Ingress object. You would have to set up the service via its Helm chart and then add somehow the additional Ingress object needed by OAuth2 Proxy.

One central authentication service for multiple services

This post will show you how you can achieve the same with one central OAuth2 Proxy Ingress. I used the official Helm chart for OAuth2 Proxy (see https://github.com/oauth2-proxy/manifests ) to install the proxy. The Helm chart allows you to define an Ingress:


ingress:
  enabled: true
  path: /
  hosts:
    - oauth.example.com
  annotations:
    kubernetes.io/ingress.class: external
  tls:
    - secretName: tls-cert
      hosts:
        - oauth.example.com

As the OAuth2 Proxy documentation explains how to set up the different authentication providers , I will focus on the Ingress setup here.

The above values result in this Ingress object:


apiVersion: networking.k8s.io/v1
kind: Ingress
  name: oauth2-proxy
spec:
  rules:
  - host: oauth.example.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 80
        path: /
  tls:
  - hosts:
    - oauth.example.com
    secretName: tls-cert

This Ingress will handle all authentication request as we will see in the next Ingress definition. For the service you want to secure, add the below annotations to the Ingress:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: external
    nginx.ingress.kubernetes.io/auth-signin: https://oauth.example.com/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.auth-namespace.svc.cluster.local/oauth2/auth
  name: alertmanager
spec:
  rules:
  - host: alertmanager.example.com
    http:
      paths:
      - backend:
          serviceName: alertmanager
          servicePort: 9093
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - alertmanager.example.com
    secretName: tls-cert

The `auth-sigin` redirects any needed login to the OAuth2 Proxy Ingress.
The `auth-url` annotation can access the OAuth2 Proxy internally via its service to verify a submitted token.

The OAuth2 Proxy will handle the authentication and later redirect you to the protected service again.

An additional advantage of this setup is, that you only need to specify one valid redirect URL in your OIDC client. OAuth2 Proxy will handle the service specific redirects.

Conclusion

This post showed you how to secure multiple services with just one central OAuth2 Proxy. I hope this helps you to reduce the complexity of your cluster and also limit the number of resources consumed.

share post

Likes

1

//

More articles in this subject area\n

Discover exciting further topics and let the codecentric world inspire you.

//

Gemeinsam bessere Projekte umsetzen

Wir helfen Deinem Unternehmen

Du stehst vor einer großen IT-Herausforderung? Wir sorgen für eine maßgeschneiderte Unterstützung. Informiere dich jetzt.

Hilf uns, noch besser zu werden.

Wir sind immer auf der Suche nach neuen Talenten. Auch für dich ist die passende Stelle dabei.