keel-hq / keel

Kubernetes Operator to automate Helm, DaemonSet, StatefulSet & Deployment updates
https://keel.sh
Mozilla Public License 2.0

OAuth on adminUI #433

Open severity1 opened 5 years ago

severity1 commented 5 years ago

Have the capability to allow setting OAuth using the following options;

  1. Allow enabling the AdminUI without basic auth so people can use OAuth proxying.
  2. Built-in support for OAuth on the AdminUI.

severity1 commented 5 years ago

I was able to make oauth proxying work using https://github.com/helm/charts/tree/master/stable/oauth2-proxy

but I want to disable basic auth without disabling the AdminUI.

jcardoso-bv commented 5 years ago

The same here. We use Traefik with OAuth as the ingress for Keel but would like to avoid the need for basic auth to enable the Admin UI.

Would also be nice for Keel to take the OAuth user ID and log approvals against that ID in the audit log.

ondrejtomcik commented 4 years ago

@severity1 Could you please provide some guidance on how to make keel work with oauth2_proxy (ingress configuration)? Are you hosting keel on a subpath? I am using dex, oauth2_proxy and k8s-dashboard, which are working without any issues, but when I integrate keel, the keel dashboard never loads. The login is displayed after successful verification through the oauth2_proxy, but after using the correct keel admin credentials, it's stuck.

severity1 commented 4 years ago

@ondrejtomcik hi, so I had my oauth2_proxy exposed via nginx-ingress as oauth2.example.com; this way I can reuse it as much as I want.

When setting up oauth2_proxy, the key things to note are (the helm chart should be self-explanatory as to what these are for):

config.clientID
config.clientSecret
config.cookieSecret
extraArgs.email-domain = "example.com"
extraArgs.whitelist-domain = ".example.com"
extraArgs.cookie-domain = ".example.com"
extraArgs.upstream = "file:///dev/null"

and then I just add these annotations to any ingress I want to protect:

nginx.ingress.kubernetes.io/auth-url: "https://oauth2.example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.com/oauth2/start?rd=https://$host$request_uri"
nginx.ingress.kubernetes.io/auth-response-headers:  "x-auth-request-user, x-auth-request-email"

I think your main culprit is the nginx.ingress.kubernetes.io/auth-response-headers. Something similar happened on my initial setup as well; I just had to remove the authorization header or something similar, but yeah, I ended up with just "x-auth-request-user, x-auth-request-email". Although I am not sure if this is safe.
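As an added example (not code from this thread or from the Keel project), here is a complete nginx-ingress resource for Keel's admin UI that carries the annotations above; the hostnames, namespace, service name, port and TLS secret name are assumptions.

```yaml
# Constructed example: Ingress for Keel behind an oauth2_proxy reachable at
# oauth2.example.com (same pattern as described in the comment above).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keel
  namespace: keel          # assumed namespace
  annotations:
    # nginx first sub-requests oauth2_proxy; a 401 there redirects the browser to auth-signin.
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.example.com/oauth2/start?rd=https://$host$request_uri"
    # Only the identity headers are copied to the upstream, as the comment above
    # reports forwarding extra headers (e.g. Authorization) broke the UI login.
    # oauth2_proxy must be started with --set-xauthrequest for these to be populated.
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email"
    # The oauth2_proxy cookie is scoped to .example.com; keep the UI on TLS only.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - keel.example.com
      secretName: keel-tls   # assumed: certificate for keel.example.com
  rules:
    - host: keel.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keel   # assumed Service name
                port:
                  number: 9300   # assumed: Keel's HTTP port
```

Caveat for the "is this safe" question: the x-auth-request-* headers are only trustworthy if the Keel Service is not reachable except through this ingress (for example via a NetworkPolicy), since any client that can reach the pod directly can set those headers itself.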

ondrejtomcik commented 4 years ago

Thanks a lot. I just modified keel to accept a TOKEN_JWKS_URL env variable, and if it's available, all tokens are verified against the public keys available from the well-known OpenID keys configuration. This allows me to verify identity tokens forwarded by the oauth2_proxy, issued in my case by dex. The problem is, I am really not into Vue and I cannot get rid of the default login screen. It does some weird stuff like persisting the username, password and access token locally. I can upstream my Go part, but I am not able to modify the UI part in an acceptable time.

travisghansen commented 4 years ago

I also would like to use an external auth service, specifically mine available here: https://github.com/travisghansen/external-auth-server

bigwheels16 commented 3 years ago

All we really need is a simple ENV var that disables the basic auth.