Open severity1 opened 5 years ago
I was able to make oauth proxying work using https://github.com/helm/charts/tree/master/stable/oauth2-proxy
but I want to disable basic auth without disabling the AdminUI.
The same here. We use Traefik with OAuth as the ingress for Keel but would like to avoid the need for basic auth to enable the Admin UI.
Would also be nice for Keel to take the OAuth user ID and log approvals against that ID in the audit log.
@severity1 Could you please provide some guidance on how to make keel work with oauth2_proxy (ingress configuration)? Are you hosting keel on a subpath? I am using dex, oauth2_proxy and k8s-dashboard, which are working without any issues, but when I integrate keel, keel-dashboard never loads. The login is displayed after successful verification through the oauth2_proxy, but after using the correct keel admin credentials, it's stuck.
@ondrejtomcik hi, so I had my oauth2_proxy exposed via nginx-ingress as oauth2.example.com, this way I can reuse it as much as I want.
When setting up oauth2_proxy, the key things to note are (the helm chart should be explanatory as to what these are for):
config.clientID
config.clientSecret
config.cookieSecret
extraArgs.email-domain = "example.com"
extraArgs.whitelist-domain = ".example.com"
extraArgs.cookie-domain = ".example.com"
extraArgs.upstream = "file:///dev/null"
And then I just add these annotations to any ingress I want to protect:
nginx.ingress.kubernetes.io/auth-url: "https://oauth2.example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.com/oauth2/start?rd=https://$host$request_uri"
nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email"
I think your main culprit is the nginx.ingress.kubernetes.io/auth-response-headers. Something similar happened on my initial setup as well, I just had to remove the authorization header or something similar, but yeah, I ended up with just "x-auth-request-user, x-auth-request-email".
Although I am not sure if this is safe.
Thanks a lot.
I just modified keel to accept the TOKEN_JWKS_URL env variable and, if it's available, all tokens are verified against the public keys available from the well-known openid keys configuration. This allows me to verify identity tokens forwarded by the oauth2_proxy, issued in my case by dex. The problem is that I am really not into Vue and I cannot get rid of the default login screen. It does some weird stuff like persisting the username, password and access token locally. I can upstream my Go part, but I am not able to modify the UI part in an acceptable time.
I also would like to use an external auth service, specifically mine available here: https://github.com/travisghansen/external-auth-server
All we really need is a simple ENV var that disables the basic auth.
Have the capability to allow setting OAuth using the following options;