I am installing the following helm chart https://github.com/helm/charts/tree/master/stable/oauth2-proxy using the command
helm install --name authproxy \
--namespace=ingress \
--set config.clientID=<github oauth app client id> \
--set config.clientSecret=<github oauth app client secret> \
--set config.cookieSecret=<some secret> \
--set extraArgs.provider=github \
--set authenticatedEmailsFile.enabled=true \
--set authenticatedEmailsFile.restricted_access="abc@gmail.com" \
stable/oauth2-proxy
All the k8s resources are getting created correctly and oauth2_proxy is securing my service which is running behind this proxy. But it allows all GitHub users (since the OAuth provider is GitHub) instead of allowing access only to abc@gmail.com. Why is it so?
Helm version:
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Kubectl version:
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.11", GitCommit:"637c7e288581ee40ab4ca210618a89a555b6e7e9", GitTreeState:"clean", BuildDate:"2018-11-26T14:38:32Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.8", GitCommit:"a89f8c11a5f4f132503edbc4918c98518fd504e3", GitTreeState:"clean", BuildDate:"2019-04-23T04:41:47Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
kubectl describe cm authproxy-oauth2-proxy-accesslist -n ingress gives me:
Name:         authproxy-oauth2-proxy-accesslist
Namespace:    ingress
Labels:       app=oauth2-proxy
              chart=oauth2-proxy-0.13.0
              heritage=Tiller
              release=authproxy
Annotations:  <none>

Data
====
restricted_user_access:
----
abc@gmail.com
Events:  <none>
kubectl describe deployment authproxy-oauth2-proxy -n ingress gives me:
Name:                   authproxy-oauth2-proxy
Namespace:              ingress
CreationTimestamp:      Wed, 31 Jul 2019 23:35:58 +0200
Labels:                 app=oauth2-proxy
                        chart=oauth2-proxy-0.13.0
                        heritage=Tiller
                        release=authproxy
Annotations:            deployment.kubernetes.io/revision=1
Selector:               app=oauth2-proxy,release=authproxy
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:       app=oauth2-proxy
                release=authproxy
  Annotations:  checksum/config=e2b420ec4978f9c8f5691b15c79b15a60c864499ad729df2776dca63a745aecc
                checksum/config-emails=4c24c472d9e274c18876d8a01f14a126b741d92942e4531c18fd288b86d648ad
                checksum/google-secret=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                checksum/secret=b00f895c2fa3a3bc6028a660998b9872bee7c8aeb70b1bbe50183b65a06e1666
  Containers:
   oauth2-proxy:
    Image:      quay.io/pusher/oauth2_proxy:v3.2.0
    Port:       4180/TCP
    Host Port:  0/TCP
    Args:
      --http-address=0.0.0.0:4180
      --provider=github
      --config=/etc/oauth2_proxy/oauth2_proxy.cfg
      --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
    Liveness:   http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      OAUTH2_PROXY_CLIENT_ID:      <set to the key 'client-id' in secret 'authproxy-oauth2-proxy'>      Optional: false
      OAUTH2_PROXY_CLIENT_SECRET:  <set to the key 'client-secret' in secret 'authproxy-oauth2-proxy'>  Optional: false
      OAUTH2_PROXY_COOKIE_SECRET:  <set to the key 'cookie-secret' in secret 'authproxy-oauth2-proxy'>  Optional: false
    Mounts:
      /etc/oauth2-proxy from configaccesslist (ro)
      /etc/oauth2_proxy from configmain (rw)
  Volumes:
   configmain:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      authproxy-oauth2-proxy
    Optional:  false
   configaccesslist:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      authproxy-oauth2-proxy-accesslist
    Optional:  false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  authproxy-oauth2-proxy-559b67cb45 (1/1 replicas created)
NewReplicaSet:   <none>
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  44m   deployment-controller  Scaled up replica set authproxy-oauth2-proxy-559b67cb45 to 1
How should I provide parameters to this helm chart so that it only allows access to the users whose email id is mentioned in the authenticated emails file?
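An added example for readers of this question, not code from the question or from the oauth2-proxy project: a small offline model of how an oauth2_proxy allow decision combines the two settings involved here, the `email_domains` list (which lives in the config file the deployment above mounts at `/etc/oauth2_proxy/oauth2_proxy.cfg` from the `authproxy-oauth2-proxy` ConfigMap, whose contents the question does not show) and the `--authenticated-emails-file`. The decision rule is an assumption modelled on the v3 validator as I read it: a `*` entry in `email_domains` admits every authenticated account, otherwise an address is admitted when it ends in one of the configured domains or appears in the emails file (first comma-separated field per line, `#` comments, matched case-insensitively). The point of the model is the audit: feed it the settings you believe you deployed plus a few probe addresses and see who would get through, which makes a wildcard domain show up immediately as "everyone". Verify the rule against the validator source of the exact version you run before relying on it.

```python
# Added example (not from the question or the oauth2-proxy project): models
# the allow decision oauth2_proxy makes from email_domains plus the
# authenticated-emails file, so a deployment's settings can be audited offline.
# The rule below is an ASSUMPTION modelled on the v3 validator as I read it;
# check it against the source of the version you actually deploy.

from typing import Callable, Dict, Iterable, Set


def parse_authenticated_emails(text: str) -> Set[str]:
    """Parse the contents of an --authenticated-emails-file into a set of
    lowercased addresses. Mirrors the CSV-style reading assumed above: blank
    lines and '#' comment lines are skipped, only the first comma-separated
    field counts, surrounding whitespace is dropped."""
    allowed: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address = line.split(",", 1)[0].strip().lower()
        if address:
            allowed.add(address)
    return allowed


def make_validator(email_domains: Iterable[str],
                   allowed_emails: Set[str]) -> Callable[[str], bool]:
    """Build the allow decision from the two inputs the proxy combines."""
    domains = list(email_domains)
    allow_all = "*" in domains
    suffixes = ["@" + d.lower() for d in domains if d != "*"]

    def is_allowed(email: str) -> bool:
        if not email:
            return False
        email = email.lower()
        if allow_all:
            # The wildcard short-circuits everything: the emails file is never
            # the deciding factor, which is the "everyone gets in" symptom.
            return True
        if any(email.endswith(s) for s in suffixes):
            return True
        return email in allowed_emails

    return is_allowed


def audit(email_domains: Iterable[str], emails_file_text: str,
          probes: Iterable[str]) -> Dict[str, bool]:
    """Evaluate probe addresses against one configuration and return the
    per-address decision, so a reviewer can see who would be admitted."""
    validator = make_validator(email_domains,
                               parse_authenticated_emails(emails_file_text))
    return {email: validator(email) for email in probes}


# Constructed sample inputs (not taken from any real cluster).
SAMPLE_EMAILS_FILE = """# allow-list as rendered into the accesslist ConfigMap
abc@gmail.com
"""
PROBES = ["abc@gmail.com", "ABC@gmail.com", "someone-else@example.org"]


if __name__ == "__main__":
    # Wildcard domain: every authenticated account is admitted, the
    # allow-list makes no difference.
    print("email_domains = ['*']           ->",
          audit(["*"], SAMPLE_EMAILS_FILE, PROBES))
    # No domain entries: only the listed address passes (case-insensitively).
    print("email_domains = []              ->",
          audit([], SAMPLE_EMAILS_FILE, PROBES))
    # A concrete domain admits that whole domain in addition to the file.
    print("email_domains = ['example.org'] ->",
          audit(["example.org"], SAMPLE_EMAILS_FILE, PROBES))
```

Run it as-is to see the three configurations side by side; to audit a real deployment, paste the `email_domains` value from the rendered config file and the contents of the mounted emails file into the two inputs and add the accounts you care about to `PROBES`.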