Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

Auth Proxy Support #860

Open erikschlegel opened 4 years ago

erikschlegel commented 4 years ago

Is your feature request related to a problem? Please describe.

The customer I'm working with requires JWT OAuth2 token validation for all ingress activity. We're unclear on the available approaches for setting up an authentication proxy for our frontend AGIC route. Our identity provider is AAD.

Nginx supports service authentication today:

annotations:
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.default.svc.cluster.local:4180/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "http://<DNS prefix>.<azure region>.cloudapp.azure.com/oauth2/start"

Are there any alternative approaches that would support this use-case?

Describe the solution you'd like

A new annotation in AGIC where we can provide the authentication URL and sign-in endpoint for the ingress controller.

IvanJosipovic commented 4 years ago

This feature is needed and is preventing my company from moving to the AG Ingress Controller. It would also be useful to have this feature working without having to run oauth2-proxy in the cluster.

Karishma-Tiwari-MSFT commented 4 years ago

@caya @erikschlegel Do either of you know if there has been an update on this ask? We have another customer with a similar query, quoted below:

"Does Application Gateway Ingress Controller support JWT validation? We need to perform JWT OAuth token validation for all ingress activities in AKS. Nginx supports this feature through location / { proxy_pass: } or the annotation nginx.ingress.kubernetes.io/auth-url:. Does Application Gateway Ingress Controller (Standard v2 SKU) support this functionality?"

mscatyao commented 4 years ago

OAuth is not currently supported on AppGW, but is on our roadmap. Until we support it on AppGW, we won't have support for it on AGIC. I can update this thread once it's available on AppGW.

alchemistake commented 3 years ago

Is there a workaround for this? I'm trying to use the oauth2-proxy image as a sidecar to the things I want to add an auth proxy to. I'm getting some weird errors in the oauth2 container. From what I read, it seems like AGIC is rewriting some of the things the oauth2 container was looking for, like cookies, headers, etc. Can I configure AGIC to be less abrasive?

jonno85 commented 3 years ago

Hi, are there any news on the subject?

hovermind commented 3 years ago

There is a workaround with APIM + AGIC, but that is not feasible (because of high cost). Application Gateway should support Authentication similar to APIM.

AmudaPalani commented 3 years ago

Are there any updates on this?

AmudaPalani commented 3 years ago

@mscatyao is there any update on this?

mcabrito commented 3 years ago

@mscatyao is there any update on this?

pownkel commented 3 years ago

@mscatyao Is this still on the roadmap for app gateway, and if so can you let us know what the timeframe is?

seilorjunior commented 2 years ago

Do you have any news on that?

omeryesil commented 2 years ago

Any update on this?

tschechniker commented 2 years ago

Currently a blocker for us. @mscatyao do you have any updates?

ScratZa commented 2 years ago

What is the recommended pattern for exposing endpoints requiring OAuth in AKS? Is API Management the way to go? My worry is the overhead associated with managing API Management, and the cost.

ahoeing commented 2 years ago

> Is there a workaround for this? I'm trying to use the oauth2-proxy image as a sidecar to the things I want to add an auth proxy to. I'm getting some weird errors in the oauth2 container. From what I read, it seems like AGIC is rewriting some of the things the oauth2 container was looking for, like cookies, headers, etc. Can I configure AGIC to be less abrasive?

@alchemistake: Have you found a solution for this?

wasfree commented 2 years ago

@mscatyao Any update on this? Is there any ETA for when this feature will be supported on AppGW?

sintetico82 commented 2 years ago

Hello,

At this point, what are the alternatives to JWT token validation if the AGIC is still not ready to do this job?

IvanJosipovic commented 2 years ago

> Hello,
>
> At this point, what are the alternatives to JWT token validation if the AGIC is still not ready to do this job?

I have been exploring this lately. The paid ingress controller options are not cheap...

Paid ingress controllers:

- Traefik
- Nginx Plus
- etc.

Open source:

- Istio Service Mesh
- Ingress Nginx + OAuth2-Proxy
- Ingress Nginx + ingress-nginx-validate-jwt (one instance can validate multiple Ingress objects)
- Ingress Nginx + OIDC-Guard, which supports JWT and cookie auth for web apps (one instance can validate multiple Ingress objects)

philippn commented 2 years ago

We have deployed https://github.com/oauth2-proxy/oauth2-proxy in front of some of our workloads; it works fine in combination with AGIC 👍 (not sure what problem @alchemistake encountered, maybe it was fixed in the meantime).

omeryesil commented 2 years ago

@sintetico82 If you are using Istio, you can add authorization through Istio's AuthorizationPolicy with a custom provider (in this case oauth2-proxy; see @philippn's comment). The flow should look like this:

Application Gateway -> AGIC (route all requests to istio ingress gateway) -> Istio Ingress Gateway + AuthorizationPolicy with Oauth2Proxy custom provider
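The flow described in this comment, as an added example (not part of the original comment or of the AGIC project): an Istio extension provider that registers oauth2-proxy as an external authorizer, and an AuthorizationPolicy on the Istio ingress gateway that delegates every request for the protected host to it with action CUSTOM. The oauth2-proxy service name and namespace, the gateway selector and the hostname are assumptions.

```yaml
# Added example; all names are placeholders, not values from this thread.
# Part 1: register oauth2-proxy as an external HTTP authorizer in the mesh
# config. oauth2-proxy runs with `upstreams = [ "static://200" ]` in this
# mode: an allowed check returns 200 and Istio forwards the original request.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
      - name: oauth2-proxy
        envoyExtAuthzHttp:
          service: oauth2-proxy.oauth2-proxy.svc.cluster.local
          port: 4180
          # Only these request headers are sent to the authorizer.
          includeRequestHeadersInCheck: ["authorization", "cookie"]
          # Identity headers the authorizer may inject toward the workload on ALLOW.
          headersToUpstreamOnAllow:
            - authorization
            - path
            - x-auth-request-user
            - x-auth-request-email
            - x-auth-request-access-token
          # Headers passed back to the client on DENY (the sign-in redirect
          # needs to set the session cookie).
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# Part 2: enforce the authorizer at the Istio ingress gateway, which is where
# AGIC forwards all requests. Requests for app.example.com that oauth2-proxy
# rejects never reach the workload.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-proxy-ext-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            hosts: ["app.example.com"]
```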

audunsolemdal commented 2 years ago

> We have deployed https://github.com/oauth2-proxy/oauth2-proxy in front of some of our workloads; it works fine in combination with AGIC 👍 (not sure what problem @alchemistake encountered, maybe it was fixed in the meantime).

Care to share some details on your setup? You've got AGIC working together with oauth2-proxy sidecars?

philippn commented 2 years ago

Sure. We have installed it via the Helm chart, though, deployed separately from the upstream service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.

Here is what we do: helm install release-name oauth2-proxy/oauth2-proxy --version 6.2.2 -f values.yaml

The redacted version of our values file can be found here. Basically, it sets up an Ingress for the OAuth proxy with TLS termination and configures OAuth proxy to talk to the target service inside the cluster via HTTP.

Hope that helps!
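An added example of the setup described in this comment (it is not philippn's redacted values file, which is not on this page): Helm values for the oauth2-proxy chart that expose the proxy through an AGIC-managed Ingress with TLS termination and forward authenticated traffic to the target service inside the cluster over HTTP. The hostname, tenant id, Secret names and upstream service are placeholders, and the chart keys used (config.existingSecret, config.configFile, ingress.*) are those of the 6.x chart.

```yaml
# Added example values for the oauth2-proxy Helm chart (6.x).
# All hosts, ids and service names are placeholders, not values from this thread.
config:
  # client-id, client-secret and cookie-secret come from an existing Secret
  # instead of being committed to values.yaml.
  existingSecret: oauth2-proxy-secrets
  configFile: |-
    provider = "oidc"
    oidc_issuer_url = "https://login.microsoftonline.com/<tenant-id>/v2.0"
    redirect_url = "https://app.example.com/oauth2/callback"
    # The protected workload, reached over plain HTTP inside the cluster.
    upstreams = [ "http://my-app.default.svc.cluster.local:80" ]
    email_domains = [ "*" ]
    # App Gateway terminates TLS and forwards HTTP, so the proxy must trust
    # X-Forwarded-* headers to build correct redirect URLs and secure cookies.
    reverse_proxy = true
    cookie_secure = true
    # Pass X-Auth-Request-User / -Email to the upstream so it can authorize.
    set_xauthrequest = true
    skip_provider_button = true

# One oauth2-proxy release per protected Ingress/host, as noted later in the
# thread; this release only fronts app.example.com.
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
  hosts:
    - app.example.com
  tls:
    - secretName: app-example-com-tls
      hosts:
        - app.example.com
```

Install it with the command quoted above (helm install release-name oauth2-proxy/oauth2-proxy --version 6.2.2 -f values.yaml), and register https://app.example.com/oauth2/callback as a redirect URI on the AAD app registration.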

audunsolemdal commented 2 years ago

> Sure. We have installed it via the Helm chart, though, deployed separately from the upstream service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.

Followed this guide with some modifications for Azure AD via the oidc provider; works well, thanks. However, I believe this setup would still require an oauth2-proxy pod for each unique Ingress one would like to set up?

philippn commented 2 years ago

> > Sure. We have installed it via the Helm chart, though, deployed separately from the upstream service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.
>
> Followed this guide with some modifications for Azure AD via the oidc provider; works well, thanks. However, I believe this setup would still require an oauth2-proxy pod for each unique Ingress one would like to set up?

Yes, that is correct.

sintetico82 commented 2 years ago

> There is a workaround with APIM + AGIC, but that is not feasible (because of high cost). Application Gateway should support Authentication similar to APIM.

I need two things to protect my API endpoints:

- JWT token verification (through the use of jwks_uri inside the .well-known URL of the OpenID Connect (OIDC) standard)
- HTTP Basic authentication

I understand I can use APIM (Azure API Management) for both... is that right?

@hovermind can you kindly give me some link/document/resource where I can understand more about configuring this "workaround"?

@omeryesil I am scared to introduce Istio to the AKS cluster. There is no official documentation from Microsoft, and they look like they don't encourage using it (https://learn.microsoft.com/en-us/azure/aks/servicemesh-about).

4c74356b41 commented 1 year ago

@sintetico82 Istio has worked with AKS for at least 4 years already without any issues, but introducing Istio just for JWT token verification seems like overkill.

sintetico82 commented 1 year ago

@4c74356b41 Yes, I agree with you that it is overkill just for JWT.

Anyway, I decided to use Azure API Management in the end. It has a specific policy for JWT validation and works very well, but overall API Management also introduced some big disadvantages for me in its Premium tier in internal mode (internal network):

In my opinion, AGIC is not mature yet for business scenarios, and I think these features are not implemented in order to force people to use more expensive services like API Management.

David3Ar commented 1 year ago

I can't believe that AGIC does not support oauth2 authentication out of the box in 2023...

yashar-gh commented 1 year ago

> OAuth is not currently supported on AppGW, but is on our roadmap. Until we support it on AppGW, we won't have support for it on AGIC. I can update this thread once it's available on AppGW.

Any update after two years?

jorgealziro commented 1 year ago

FWIW, Microsoft Learn's Kubecost tutorial touches on the implementation of an oauth2-proxy while using AGIC as an ingress controller.

tleerai commented 5 months ago

This is a bit disappointing; I'll need to invest some time into the workarounds.

pawellegowski89 commented 1 month ago

Any updates?