Add authentication mechanism to secure contour

kinvolk / lokomotive

🪦 DISCONTINUED Further Lokomotive development has been discontinued. Lokomotive is a 100% open-source, easy to use and secure Kubernetes distribution from the volks at Kinvolk

https://kinvolk.io/lokomotive-kubernetes/

Apache License 2.0

321 stars 49 forks source link

Add authentication mechanism to secure contour #725

Open surajssd opened 4 years ago

surajssd commented 4 years ago

Right now we don't have way to secure ingress and apps it is serving, unless apps are providing an authentication mechanism of their own. So for apps that don't support any form of authentication are wide open.

After implementing this feature ingress controller can act as a guard for such applications.

invidian commented 4 years ago

Couple of notes:

perhaps this should be done not on the contour level but on ingress object level
Perhaps oauth2_proxy could be used for this: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/. However, it might not be possible with Contour because of https://github.com/projectcontour/contour/issues/432 ? On the other hand, oauth2_proxy does not support basic auth either.
In Kyma project, Istio is used to guard endpoints and it supports all kind of authentication. However, I don't know how it integrates with ingress controller then.

jpeach commented 3 years ago

Contour 1.9 supports Envoy external authorization servers (see https://projectcontour.io/guides/external-authorization/); for an out-of-box OIDC integration https://github.com/istio-ecosystem/authservice could be a match.

surajssd commented 3 years ago

Thanks for those pointer @jpeach :+1: