I've been setting up a kubernetes cluster and want to protect the dashboard (running at kube.example.com
) behind the bitly/oauth2_proxy
(running at example.com/oauth2
on image a5huynh/oauth2_proxy:latest
) as I want to re-use the OAuth proxy for other services I will be running. Authentication is working perfectly but after a user logs in, i.e. the callback returns, they are sent to example.com
where instead they should be sent to the original host kube.example.com
that initiated the flow. How can I do this? (I am using the nginx-ingress-controller).
Annotation on OAuth2 Proxy:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
Annotation on Dashboard:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"
I expect to be redirected to the original host kube.example.com
after OAuth flow is complete but am being sent back to the OAuth2 host example.com
After searching for a bit I came across a blog post about performing this in a super simple manor. Unfortunately I found the provided yaml did not quite work correctly as the oauth2_proxy was never being hit due to nginx intercepting all requests (I am not sure if mine was not working due to me wanting the oauth-proxy url to be example.com/oauth2
rather than oauth2.example.com
). To fix this I added back the oauth2-proxy path to the Ingress for the proxy i.e.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 80
path: /
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
and made sure that the service was also still exposed i.e.
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: http-proxy
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
Then to protect services behind the oauth proxy I just need to place the following in the Ingress annotations:
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"