harbur / kubernetic

Kubernetic - Supercharge your Kubernetes clusters
https://kubernetic.com

Use oauth2-proxy in web-version for teams #384

Open stepanselyuk opened 9 months ago

stepanselyuk commented 9 months ago

Hello,

How do I use oauth2-proxy in front of Kubernetic? In general it's working as usual, but I cannot make "users" work, so all users are just going to use the admin local default account.

I added a few specific arguments to oauth2-proxy, so it should pass headers to Kubernetic, like X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username.

https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/

- '--pass-user-headers=true'
- '--set-authorization-header=true'
- '--set-xauthrequest=true'
- '--pass-access-token=true'

But I'm unsure whether the headers are passed to Kubernetic, and whether Kubernetic should react to those.

stepanselyuk commented 9 months ago

In the Kubernetic ingress I used these annotations:

annotations:
  nginx.ingress.kubernetes.io/auth-signin: 'https://$host/oauth2/start?rd=$escaped_request_uri'
  nginx.ingress.kubernetes.io/auth-url: 'https://$host/oauth2/auth'
  nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-groups, x-auth-request-email"

stepanselyuk commented 9 months ago

I confirmed with tcpdump and wireshark that Kubernetic receives these headers (populated):

x-auth-request-user: 11146279033.....\r\n
x-auth-request-email: stepan@[REDACTED]\r\n
x-auth-request-access-token: [REDACTED]\r\n

I also added the user with the specified email in Kubernetic, and also added the user mentioned in the x-auth-request-user header. Nothing works.
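
As an added example (not part of the original thread, and not Kubernetic or oauth2-proxy code): a small Python check that compares the `x-auth-request-*` headers in a captured backend request with the `auth-response-headers` annotation quoted above. The sample request, host name and header values are constructed placeholders.

```python
# Compare the identity headers a backend actually received with the
# ingress annotation that is supposed to forward them.

# Annotation value copied from the thread.
ANNOTATION = "x-auth-request-user, x-auth-request-groups, x-auth-request-email"

# Constructed sample request (placeholder values, not the poster's capture).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: kubernetic.example.test\r\n"
    b"x-auth-request-user: 1234567890\r\n"
    b"x-auth-request-email: user@example.test\r\n"
    b"x-auth-request-access-token: PLACEHOLDER\r\n"
    b"\r\n"
)

PREFIX = "x-auth-request-"


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values from a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def compare(annotation: str, raw_request: bytes) -> dict:
    """Report which x-auth-request-* headers are forwarded, missing, empty or unlisted."""
    expected = {h.strip().lower() for h in annotation.split(",") if h.strip()}
    received = {k: v for k, v in parse_headers(raw_request).items()
                if k.startswith(PREFIX)}
    got = set(received)
    return {
        "forwarded": sorted(expected & got),
        "missing": sorted(expected - got),
        "empty": sorted(k for k in expected & got if not received[k]),
        # Present at the backend but not named in the annotation: the ingress
        # configuration in effect differs from the one being compared.
        "unlisted": sorted(got - expected),
    }


if __name__ == "__main__":
    for key, names in compare(ANNOTATION, SAMPLE_REQUEST).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

An `unlisted` access-token header is worth reviewing on its own, since it means the bearer token is being handed to the backend.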