oauth2_proxy not asking for authentication

7/23/2019

I am trying to set up oauth2_proxy on kubernetes to secure one of my single-page applications and I am using github as the authentication provider. I found this link useful and I followed it for my setup. [https://alikhil.github.io/2018/05/oauth2-proxy-for-kubernetes-services/]

I have created an application on github and used my DNS name in place of the HomePageURL and CallBackURL (https://auth.example.com replaced with https://example.com) because I do not have TLS secrets generated for auth.example.com. Rather, I have TLS certificates generated for example.com because this domain belongs to me. I was getting an error in nginx-controller that the certificate belongs to example.com and not to auth.example.com, as these URLs have been used in defining the example Ingress and oauth proxy ingress, and this was the basis for me to make the aforementioned change.

My Ingresses look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: oauth2-proxy
              servicePort: 4180
            path: /oauth2
  tls:
    - hosts:
        - example.com
      secretName: oauth-proxy-tls
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth-main-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    ingress.kubernetes.io/auth-url: https://example.com/oauth2/auth
    ingress.kubernetes.io/auth-signin: https://example/oauth2/start?rd=https://$host$request_uri$is_args$args
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: example-service
              servicePort: 80
            path: /
  tls:
    - hosts:
        - example.com
      secretName: tls-secret

I want that whenever I click example.com it should display the page for github authentication, but in my case it's directly giving the response which a service should give after successful authentication. I am not being asked to provide credentials.

Also, I am getting an error in my ingress controller logs:

7 controller.go:753] Error obtaining Endpoints for Service "default/oauth2-proxy": no object matching key "default/oauth2-proxy" in local store

Also, I tried replacing it with nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.oauth-proxy.svc.cluster.local:4180/oauth2/auth as mentioned in the link, but it did not work for me. Can someone explain why oauth2_proxy is not asking for authentication and the ingress is serving the requests directly without asking for authentication?

-- Nitesh Ratnaparkhe
kubernetes
kubernetes-ingress
nginx-reverse-proxy
oauth-2.0
ssl

1 Answer

7/24/2019

The annotation declared in the oauth-main-ingress yaml is incorrect. As per the kubernetes/nginx-ingress documentation the annotation for external auth-url should be

 nginx.ingress.kubernetes.io/auth-url: http://<oauth-service-url>

instead of

 ingress.kubernetes.io/auth-url: http://<oauth-service-url>
-- idhruv
Source: StackOverflow
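
An added example, not part of the original question or answer: a small audit that flags `auth-url` / `auth-signin` annotations whose prefix the controller does not honour, which is the condition that leaves the backend served without authentication. It assumes the controller's default prefix, uses a line-based scan rather than a full YAML parser, and runs on a constructed sample in which `corrected-ingress` is a hypothetical name.

```python
import re

# Default prefix of the NGINX ingress controller; the controller's
# --annotations-prefix flag can change it, so it is a parameter here.
DEFAULT_PREFIX = "nginx.ingress.kubernetes.io"
AUTH_RE = re.compile(r"^\s+(?:([\w.-]+)/)?(auth-url|auth-signin):\s*\S")
NAME_RE = re.compile(r"^  name:\s*(\S+)")  # metadata.name at two-space indent

def split_documents(text):
    """Split on '---' lines and before any top-level 'apiVersion:' (unseparated paste)."""
    parts = re.split(r"(?m)^---\s*$|^(?=apiVersion:)", text)
    return [p.splitlines() for p in parts if p.strip()]

def audit_auth_annotations(text, prefix=DEFAULT_PREFIX):
    """Per Ingress: ignored auth annotations and whether an honoured auth-url exists."""
    findings = []
    for doc in split_documents(text):
        if not any(line.strip() == "kind: Ingress" for line in doc):
            continue
        name = next((m.group(1) for m in map(NAME_RE.match, doc) if m), "?")
        ignored, protected = [], False
        for m in filter(None, map(AUTH_RE.match, doc)):
            key_prefix, key = m.groups()
            if key_prefix == prefix:
                protected = protected or key == "auth-url"
            else:
                ignored.append(f"{key_prefix}/{key}" if key_prefix else key)
        findings.append({"ingress": name, "ignored": ignored, "protected": protected})
    return findings

# Constructed sample: the question's annotation prefix, then the answer's.
SAMPLE = """\
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth-main-ingress
  annotations:
    ingress.kubernetes.io/auth-url: https://example.com/oauth2/auth
    ingress.kubernetes.io/auth-signin: https://example.com/oauth2/start
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: corrected-ingress  # hypothetical name
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://example.com/oauth2/auth
"""

if __name__ == "__main__":
    print(*audit_auth_annotations(SAMPLE), sep="\n")
```

An Ingress reported with `protected: False` has no external auth check in front of it; the Ingress that routes `/oauth2` to the proxy itself is expected to appear that way.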