mvazquezc / mvazquezc.github.io

My personal blog

oauth-proxy-secure-applications-openshift/ #2

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Using OpenShift OAuth Proxy to secure your Applications on OpenShift | Linuxera

What is OAuth Proxy

A reverse proxy and static file server that provides authentication and authorization to an OpenShift OAuth server or Kubernetes master supporting the 1.6+ remote authorization endpoints to validate access to content. It is intended for use within OpenShift clusters to make it easy to run both end-user and infrastructure services that do not provide their own authentication. [Source]

Securing an Application with OAuth Proxy

In this blog post we are going to deploy OAuth Proxy in front of a simple application.

https://linuxera.org/oauth-proxy-secure-applications-openshift/

MaximusVasilenko commented 2 years ago

Can you please tell me why there may be an error when executing scenario 2? The oauth-proxy container is not starting :(

oauth-proxy:
    Container ID:  cri-o://d2bbf6e5e3d07fd50017964902c705fd8f5be578efec2998df9e6bc3e67587e8
    Image:         quay.io/openshift/origin-oauth-proxy:4.1
    Image ID:      quay.io/openshift/origin-oauth-proxy@sha256:261f3493527614a764322ede2036065f3efc11a9bc6a29e06d37748929ff6f54
    Port:          8888/TCP
    Host Port:     0/TCP
    Args:
      --provider=openshift
      --https-address=:8888
      --http-address=
      --email-domain=*
      --upstream=http://localhost:8080
      --tls-cert=/etc/tls/private/tls.crt
      --tls-key=/etc/tls/private/tls.key
      --client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
      --cookie-secret-file=/etc/proxy/secrets/session_secret
      --openshift-service-account=reversewords
      --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      --skip-auth-regex=^/metrics
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Wed, 31 Aug 2022 15:06:44 +0300
      Finished:     Wed, 31 Aug 2022 15:06:45 +0300
    Ready:          False
    Restart Count:  3
    Limits:
      cpu:     1
      memory:  750Mi
    Requests:
      cpu:        10m
      memory:     64Mi
    Environment:  <none>
    Mounts:
      /etc/proxy/secrets from secret-reversewords-proxy (rw)
      /etc/tls/private from secret-reversewords-tls (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q9dlf (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  secret-reversewords-tls:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  reversewords-tls
    Optional:    false
  secret-reversewords-proxy:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  reversewords-proxy
    Optional:    false
  kube-api-access-q9dlf:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    ConfigMapOptional:       <nil>
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       72s                default-scheduler  Successfully assigned maximvasil79-dev/reverse-words-74b5f7c9f9-lcbg7 to ip-10-0-202-251.ec2.internal
  Warning  FailedMount     69s (x4 over 73s)  kubelet            MountVolume.SetUp failed for volume "secret-reversewords-tls" : secret "reversewords-tls" not found
  Normal   AddedInterface  64s                multus             Add eth0 [10.129.3.40/23] from openshift-sdn
  Normal   Pulling         64s                kubelet            Pulling image "quay.io/mavazque/reversewords:latest"
  Normal   Pulled          63s                kubelet            Successfully pulled image "quay.io/mavazque/reversewords:latest" in 130.141107ms
  Normal   Created         63s                kubelet            Created container reverse-words
  Normal   Started         63s                kubelet            Started container reverse-words
  Normal   Pulled          21s (x4 over 63s)  kubelet            Container image "quay.io/openshift/origin-oauth-proxy:4.1" already present on machine
  Normal   Created         21s (x4 over 63s)  kubelet            Created container oauth-proxy
  Normal   Started         21s (x4 over 63s)  kubelet            Started container oauth-proxy
  Warning  BackOff         20s (x5 over 61s)  kubelet            Back-off restarting failed container

mvazquezc commented 2 years ago

Hey @MaximusVasilenko it seems like you're missing the reversewords-tls secret. Make sure that you have the correct annotation in the service definition: service.alpha.openshift.io/serving-cert-secret-name: reversewords-tls.

MaximusVasilenko commented 2 years ago

Annotation has been specified. Here are my current setups:

Service

kind: Service
apiVersion: v1
metadata:
  name: reverse-words
  namespace: maximvasil79-dev
  uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
  resourceVersion: '1649005017'
  creationTimestamp: '2022-08-31T12:28:21Z'
  labels:
    name: reverse-words
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.alpha.openshift.io/serving-cert-secret-name":"reversewords-tls"},"labels":{"name":"reverse-words"},"name":"reverse-words","namespace":"maximvasil79-dev"},"spec":{"ports":[{"name":"proxy","port":8888,"protocol":"TCP","targetPort":"oauth-proxy"},{"name":"app","port":8080,"protocol":"TCP","targetPort":"reverse-words"}],"selector":{"name":"reverse-words"},"sessionAffinity":"None","type":"ClusterIP"}}
    service.alpha.openshift.io/serving-cert-secret-name: reversewords-tls
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1603422344
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1603422344
  managedFields:
    - manager: Go-http-client
      operation: Update
      apiVersion: v1
      time: '2022-08-31T12:28:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:service.alpha.openshift.io/serving-cert-signed-by': {}
            'f:service.beta.openshift.io/serving-cert-signed-by': {}
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: v1
      time: '2022-08-31T12:28:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
            'f:service.alpha.openshift.io/serving-cert-secret-name': {}
          'f:labels':
            .: {}
            'f:name': {}
        'f:spec':
          'f:internalTrafficPolicy': {}
          'f:ports':
            .: {}
            'k:{"port":8080,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":8888,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector': {}
          'f:sessionAffinity': {}
          'f:type': {}
spec:
  clusterIP: 172.30.188.114
  ipFamilies:
    - IPv4
  ports:
    - name: proxy
      protocol: TCP
      port: 8888
      targetPort: oauth-proxy
    - name: app
      protocol: TCP
      port: 8080
      targetPort: reverse-words
  internalTrafficPolicy: Cluster
  clusterIPs:
    - 172.30.188.114
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    name: reverse-words
status:
  loadBalancer: {}

Deployment

kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '1'
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"name":"reverse-words"},"name":"reverse-words","namespace":"maximvasil79-dev"},"spec":{"replicas":1,"selector":{"matchLabels":{"name":"reverse-words"}},"template":{"metadata":{"labels":{"name":"reverse-words"}},"spec":{"containers":[{"image":"quay.io/mavazque/reversewords:latest","imagePullPolicy":"Always","name":"reverse-words","ports":[{"containerPort":8080,"name":"reverse-words","protocol":"TCP"}]},{"args":["--provider=openshift","--https-address=:8888","--http-address=","--email-domain=*","--upstream=http://localhost:8080","--tls-cert=/etc/tls/private/tls.crt","--tls-key=/etc/tls/private/tls.key","--client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token","--cookie-secret-file=/etc/proxy/secrets/session_secret","--openshift-service-account=reversewords","--openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","--skip-auth-regex=^/metrics"],"image":"quay.io/openshift/origin-oauth-proxy:4.9.0","imagePullPolicy":"IfNotPresent","name":"oauth-proxy","ports":[{"containerPort":8888,"name":"oauth-proxy","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/etc/tls/private","name":"secret-reversewords-tls"},{"mountPath":"/etc/proxy/secrets","name":"secret-reversewords-proxy"}]}],"serviceAccountName":"reversewords","volumes":[{"name":"secret-reversewords-tls","secret":{"defaultMode":420,"secretName":"reversewords-tls"}},{"name":"secret-reversewords-proxy","secret":{"defaultMode":420,"secretName":"reversewords-proxy"}}]}}}}
  resourceVersion: '1649406669'
  name: reverse-words
  uid: d661a18d-52cf-499e-9629-fcf22eafbba7
  creationTimestamp: '2022-08-31T12:28:05Z'
  generation: 1
  managedFields:
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: apps/v1
      time: '2022-08-31T12:28:05Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
          'f:labels':
            .: {}
            'f:name': {}
        'f:spec':
          'f:progressDeadlineSeconds': {}
          'f:replicas': {}
          'f:revisionHistoryLimit': {}
          'f:selector': {}
          'f:strategy':
            'f:rollingUpdate':
              .: {}
              'f:maxSurge': {}
              'f:maxUnavailable': {}
            'f:type': {}
          'f:template':
            'f:metadata':
              'f:labels':
                .: {}
                'f:name': {}
            'f:spec':
              'f:volumes':
                .: {}
                'k:{"name":"secret-reversewords-proxy"}':
                  .: {}
                  'f:name': {}
                  'f:secret':
                    .: {}
                    'f:defaultMode': {}
                    'f:secretName': {}
                'k:{"name":"secret-reversewords-tls"}':
                  .: {}
                  'f:name': {}
                  'f:secret':
                    .: {}
                    'f:defaultMode': {}
                    'f:secretName': {}
              'f:containers':
                'k:{"name":"oauth-proxy"}':
                  'f:image': {}
                  'f:volumeMounts':
                    .: {}
                    'k:{"mountPath":"/etc/proxy/secrets"}':
                      .: {}
                      'f:mountPath': {}
                      'f:name': {}
                    'k:{"mountPath":"/etc/tls/private"}':
                      .: {}
                      'f:mountPath': {}
                      'f:name': {}
                  'f:terminationMessagePolicy': {}
                  .: {}
                  'f:resources': {}
                  'f:args': {}
                  'f:terminationMessagePath': {}
                  'f:imagePullPolicy': {}
                  'f:ports':
                    .: {}
                    'k:{"containerPort":8888,"protocol":"TCP"}':
                      .: {}
                      'f:containerPort': {}
                      'f:name': {}
                      'f:protocol': {}
                  'f:name': {}
                'k:{"name":"reverse-words"}':
                  .: {}
                  'f:image': {}
                  'f:imagePullPolicy': {}
                  'f:name': {}
                  'f:ports':
                    .: {}
                    'k:{"containerPort":8080,"protocol":"TCP"}':
                      .: {}
                      'f:containerPort': {}
                      'f:name': {}
                      'f:protocol': {}
                  'f:resources': {}
                  'f:terminationMessagePath': {}
                  'f:terminationMessagePolicy': {}
              'f:dnsPolicy': {}
              'f:serviceAccount': {}
              'f:restartPolicy': {}
              'f:schedulerName': {}
              'f:terminationGracePeriodSeconds': {}
              'f:serviceAccountName': {}
              'f:securityContext': {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: apps/v1
      time: '2022-08-31T15:28:31Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:deployment.kubernetes.io/revision': {}
        'f:status':
          'f:conditions':
            .: {}
            'k:{"type":"Available"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:lastUpdateTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Progressing"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:lastUpdateTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:observedGeneration': {}
          'f:replicas': {}
          'f:unavailableReplicas': {}
          'f:updatedReplicas': {}
      subresource: status
  namespace: maximvasil79-dev
  labels:
    name: reverse-words
spec:
  replicas: 1
  selector:
    matchLabels:
      name: reverse-words
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: reverse-words
    spec:
      restartPolicy: Always
      serviceAccountName: reversewords
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - name: reverse-words
          image: 'quay.io/mavazque/reversewords:latest'
          ports:
            - name: reverse-words
              containerPort: 8080
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: oauth-proxy
          ports:
            - name: oauth-proxy
              containerPort: 8888
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: secret-reversewords-tls
              mountPath: /etc/tls/private
            - name: secret-reversewords-proxy
              mountPath: /etc/proxy/secrets
          terminationMessagePolicy: File
          image: 'quay.io/openshift/origin-oauth-proxy:4.9.0'
          args:
            - '--provider=openshift'
            - '--https-address=:8888'
            - '--http-address='
            - '--email-domain=*'
            - '--upstream=http://localhost:8080'
            - '--tls-cert=/etc/tls/private/tls.crt'
            - '--tls-key=/etc/tls/private/tls.key'
            - >-
              --client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
            - '--cookie-secret-file=/etc/proxy/secrets/session_secret'
            - '--openshift-service-account=reversewords'
            - >-
              --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - '--skip-auth-regex=^/metrics'
      serviceAccount: reversewords
      volumes:
        - name: secret-reversewords-tls
          secret:
            secretName: reversewords-tls
            defaultMode: 420
        - name: secret-reversewords-proxy
          secret:
            secretName: reversewords-proxy
            defaultMode: 420
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
status:
  observedGeneration: 1
  replicas: 1
  updatedReplicas: 1
  unavailableReplicas: 1
  conditions:
    - type: Progressing
      status: 'True'
      lastUpdateTime: '2022-08-31T12:49:40Z'
      lastTransitionTime: '2022-08-31T12:49:40Z'
      reason: NewReplicaSetAvailable
      message: ReplicaSet "reverse-words-8d68f47f7" has successfully progressed.
    - type: Available
      status: 'False'
      lastUpdateTime: '2022-08-31T15:28:31Z'
      lastTransitionTime: '2022-08-31T15:28:31Z'
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.

reversewords-proxy

kind: Secret
apiVersion: v1
metadata:
  name: reversewords-proxy
  namespace: maximvasil79-dev
  uid: 1c0d47cb-bda4-4610-9c0d-dbe784c7f3f7
  resourceVersion: '1648550189'
  creationTimestamp: '2022-08-31T09:02:51Z'
  managedFields:
    - manager: kubectl-create
      operation: Update
      apiVersion: v1
      time: '2022-08-31T09:02:51Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          .: {}
          'f:session_secret': {}
        'f:type': {}
data:
  session_secret: ''
type: Opaque

reversewords-tls

kind: Secret
apiVersion: v1
metadata:
  name: reversewords-tls
  namespace: maximvasil79-dev
  uid: 421a2060-6352-40d7-a9d1-c8b2bae5bf28
  resourceVersion: '1649451757'
  creationTimestamp: '2022-08-31T15:49:19Z'
  annotations:
    service.alpha.openshift.io/expiry: '2024-08-30T15:49:19Z'
    service.alpha.openshift.io/originating-service-name: reverse-words
    service.alpha.openshift.io/originating-service-uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
    service.beta.openshift.io/expiry: '2024-08-30T15:49:19Z'
  ownerReferences:
    - apiVersion: v1
      kind: Service
      name: reverse-words
      uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
  managedFields:
    - manager: Go-http-client
      operation: Update
      apiVersion: v1
      time: '2022-08-31T15:49:19Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          .: {}
          'f:tls.crt': {}
          'f:tls.key': {}
        'f:metadata':
          'f:annotations':
            .: {}
            'f:service.alpha.openshift.io/expiry': {}
            'f:service.alpha.openshift.io/originating-service-name': {}
            'f:service.alpha.openshift.io/originating-service-uid': {}
            'f:service.beta.openshift.io/expiry': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"12605192-1edc-4a7a-b57a-cb578cbde11d"}': {}
        'f:type': {}
data:
  tls.crt: <base64 certificate omitted>
  tls.key: <base64 private key omitted>
type: kubernetes.io/tls

mvazquezc commented 2 years ago

@MaximusVasilenko which OCP version are you using? Could you share output for:

oc -n reverse-words get secret

MaximusVasilenko commented 2 years ago

Used OCP 4.10.28. I am using a different namespace since this is a tutorial project on RedHat Sandbox; I don't have permission to make a different namespace.

oc -n maximvasil79-dev get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-lwz2d        kubernetes.io/dockercfg               1      2d5h
builder-token-f6sxd            kubernetes.io/service-account-token   4      2d5h
builder-token-ws7pv            kubernetes.io/service-account-token   4      2d5h
default-dockercfg-v8v29        kubernetes.io/dockercfg               1      2d5h
default-token-th9lc            kubernetes.io/service-account-token   4      2d5h
default-token-v5mlv            kubernetes.io/service-account-token   4      2d5h
deployer-dockercfg-7ldpw       kubernetes.io/dockercfg               1      2d5h
deployer-token-9z2vw           kubernetes.io/service-account-token   4      2d5h
deployer-token-l2ggt           kubernetes.io/service-account-token   4      2d5h
reversewords-dockercfg-j95xg   kubernetes.io/dockercfg               1      7h57m
reversewords-proxy             Opaque                                1      8h
reversewords-tls               kubernetes.io/tls                     2      79m
reversewords-token-66b9s       kubernetes.io/service-account-token   4      7h57m
reversewords-token-msp6f       kubernetes.io/service-account-token   4      7h57m

mvazquezc commented 2 years ago

The secret is there, it seems the container is crashing. What do the logs say?

oc -n maximvasil79-dev logs deployment/reverse-words --all-containers

MaximusVasilenko commented 2 years ago

2022/08/31 12:28:39 Starting Reverse Api v0.0.25 Release: NotSet
2022/08/31 12:28:39 Listening on port 8080
2022/08/31 17:41:20 provider.go:128: Defaulting client-id to system:serviceaccount:maximvasil79-dev:reversewords
2022/08/31 17:41:20 provider.go:133: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token
2022/08/31 17:41:20 main.go:140: Invalid configuration:
  missing setting: cookie-secret

MaximusVasilenko commented 2 years ago

Thank you very much! I figured it out. The problem was creating:

oc -n reverse-words create secret generic reversewords-proxy --from-literal=session_secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c43)

Error:

tr: Illegal byte sequence

This helped:

oc -n maximvasil79-dev create secret generic reversewords-proxy --from-literal=session_secret=$(export LC_ALL=C; head /dev/urandom | tr -dc A-Za-z0-9 | head -c43)

ostero commented 1 year ago

Could you be so kind as to explain how to access a service guarded by OAuth Proxy from the command line of another pod?

mvazquezc commented 1 year ago

Hey @ostero I just added a fourth scenario covering that.

https://linuxera.org/oauth-proxy-secure-applications-openshift/#scenario-4---limiting-access-to-service-accounts

Hope that helps!

ostero commented 1 year ago

Yes, thank you! "Authorization: Bearer $(oc get serviceaccounts get-token ...)" is what I was looking for.

aufbakanleitung commented 1 year ago

This guide is a real saviour! Thanks!

My OAuth proxy is throwing the error 2023/06/20 11:13:51 server.go:2753: http: TLS handshake error from 172.17.34.39:42002: remote error: tls: internal error when implementing step 2. I find it very challenging to debug because it gives so little info about what is going wrong.

I do notice that the TLS certificate points to this DNS name: DNS:doc-service.documentation.svc.cluster.local, and the URL itself is: documentation-authenticated-documentation.dsp01-b28f24b6e72e7e5cc659c2395b8d4252-0000.eu-de.containers.appdomain.cloud

Any idea what could be the issue?

mvazquezc commented 1 year ago

@aufbakanleitung make sure you're annotating the serviceaccount properly. Also check your upstream config: is it an http or an https endpoint?

aufbakanleitung commented 1 year ago

I think so; annotations are always a bit magical to me, but I did what your guide suggests.

kind: ServiceAccount
apiVersion: v1
metadata:
  name: documentation
  namespace: documentation
  uid: 2953919e-4271-4c5e-ba46-c1f6ca78acb8
  resourceVersion: '37172018'
  creationTimestamp: '2023-06-19T09:32:52Z'
  annotations:
    serviceaccounts.openshift.io/oauth-redirectreference.documentation: >-
      {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"documentation-authenticated"}}
secrets:
  - name: documentation-dockercfg-kts4s
imagePullSecrets:
  - name: cr-pull-secret
  - name: documentation-dockercfg-kts4s

As to my upstream config, it's http and I just took over the localhost in your guide. Is that correct?

Deployment yaml args look like this (9090 is the containerPort of my Nginx webpage):

        - image: openshift/oauth-proxy
          name: oauth-proxy
          args:
            - -provider=openshift
            - -https-address=:8888
            - -http-address=
            - -email-domain=*
            - -upstream=http://localhost:9090
            - -tls-cert=/etc/tls/private/tls.crt
            - -tls-key=/etc/tls/private/tls.key

Does anything jump out to you?

mvazquezc commented 1 year ago

@aufbakanleitung I'd say you're missing some arguments for the oauth-proxy container. I don't see these defined:

- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-service-account=documentation
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- -skip-auth-regex=^/metrics

aufbakanleitung commented 1 year ago

I have all those args actually. Not sure why I didn't copy them in that post... I guess I didn't want to overwhelm with too much info, like posting the entire deployment yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth-documentation
  namespace: documentation
  labels:
    name: oauth-documentation
spec:
  replicas: 1
  selector:
    matchLabels:
      name: documentation
  template:
    metadata:
      labels:
        name: documentation
    spec:
      containers:
        - image: de.icr.io/moddsp/documentation_page
          name: documentation-page
          ports:
            - containerPort: 9090
          # This config is necessary to comply with OpenShift security constraints
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
          # Explicitly adding all the volumeMounts is necessary because the pod
          # doesn't run as root. So it can't create these volumes itself
          volumeMounts:
            - mountPath: /var/cache/nginx
              name: nginx-cache
            - mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
              name: nginx-config
            - mountPath: /var/run
              name: nginx-pid
        - image: openshift/oauth-proxy
          name: oauth-proxy
          args:
            - -provider=openshift
            - -https-address=:8888
            - -http-address=
            - -email-domain=*
            - -upstream=http://localhost:9090
            - -tls-cert=/etc/tls/private/tls.crt
            - -tls-key=/etc/tls/private/tls.key
            - -cookie-secret-file=/etc/proxy/secrets/session_secret
            - -openshift-service-account=documentation
            - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - -skip-auth-regex=^/metrics
            - -openshift-service-account=documentation
            - -openshift-sar={"resource":"namespaces","resourceName":"documentation","namespace":"documentation","verb":"get"}
#          image: quay.io/openshift/origin-oauth-proxy:4.13
          ports:
            - name: oauth-proxy
              containerPort: 8888
              protocol: TCP
          # Mounts also have to be added manually
          volumeMounts:
            - mountPath: /etc/tls/private
              name: secret-documentation-tls
            - mountPath: /etc/proxy/secrets
              name: secret-documentation-proxy
          # This config is necessary to comply with OpenShift security constraints
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
          env:
            - name: OAUTH_PROXY_LOG_LEVEL
              value: debug
            - name: OAUTH_PROXY_LOG_HTTP_BODY
              value: "true"
      serviceAccountName: documentation
      # These volumes match the volumeMounts above
      volumes:
        - name: secret-documentation-tls
          secret:
            defaultMode: 420
            secretName: documentation-tls
        - name: secret-documentation-proxy
          secret:
            defaultMode: 420
            secretName: documentation-proxy
        - name: nginx-cache
        - name: nginx-config
          configMap:
            name: nginx-config
        - name: nginx-pid
          emptyDir: { }

mvazquezc commented 1 year ago

@aufbakanleitung Are you getting redirected when accessing the documentation app route? If so, are you presented with the login screen?

Do you get the error below when logging in with user and password?

2023/06/20 11:13:51 server.go:2753: http: TLS handshake error from 172.17.34.39:42002: remote error: tls: internal error
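Every failure in this thread was found by reading `oc describe` and `oc logs` by hand. As an added example (not code from the blog post or from any commenter), the following Python script runs those same checks offline against exported manifests: a secret volume whose Secret does not exist yet, an empty session_secret, missing oauth-proxy flags, an --openshift-service-account that does not match the pod, and a ServiceAccount without its oauth-redirectreference annotation. The sample input is constructed to mirror the broken state above; the function names and the "items" input shape are my own choices.

```python
"""Offline preflight for an oauth-proxy sidecar (added example; not code from the
blog post or from anyone in this thread). It automates the checks done by hand
above: a volume pointing at a Secret that does not exist yet (FailedMount), an
empty session_secret ("missing setting: cookie-secret"), missing proxy flags, and
--openshift-service-account not matching the pod's ServiceAccount. Input is the
"items" list of `oc -n <ns> get deploy,svc,secret,sa -o json`."""
from typing import Dict, List

REQUIRED_FLAGS = ("provider", "https-address", "upstream", "tls-cert", "tls-key",
                  "cookie-secret-file", "openshift-service-account", "openshift-ca")
SERVING_CERT = "service.alpha.openshift.io/serving-cert-secret-name"
REDIRECT_PREFIX = "serviceaccounts.openshift.io/oauth-redirectreference."


def parse_flags(args: List[str]) -> Dict[str, str]:
    """'--upstream=http://x' or '-upstream=http://x' -> {'upstream': 'http://x'}."""
    flags: Dict[str, str] = {}
    for arg in args:
        key, _, value = arg.lstrip("-").partition("=")
        flags[key] = value
    return flags


def preflight(manifests: List[dict]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    by_kind: Dict[str, Dict[str, dict]] = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], {})[m["metadata"]["name"]] = m
    secrets = by_kind.get("Secret", {})
    # Secrets that service-ca will create on demand because a Service asked for them.
    requested = {s["metadata"].get("annotations", {}).get(SERVING_CERT)
                 for s in by_kind.get("Service", {}).values()}
    findings: List[str] = []
    for name, deploy in by_kind.get("Deployment", {}).items():
        pod = deploy["spec"]["template"]["spec"]
        vol_secret: Dict[str, str] = {}  # volume name -> Secret name
        for vol in (v for v in pod.get("volumes", []) if "secret" in v):
            sname = vol["secret"]["secretName"]
            vol_secret[vol["name"]] = sname
            if sname not in secrets:
                hint = "wait for service-ca" if sname in requested else f"no Service carries {SERVING_CERT}={sname}"
                findings.append(f"{name}: volume {vol['name']} needs Secret {sname} ({hint})")
        proxy = next((c for c in pod["containers"] if c["name"] == "oauth-proxy"), {})
        flags = parse_flags(proxy.get("args", []))
        for flag in REQUIRED_FLAGS:
            if flag not in flags:
                findings.append(f"{name}: oauth-proxy is missing --{flag}")
        sa_name = pod.get("serviceAccountName", "default")
        if flags.get("openshift-service-account", sa_name) != sa_name:
            findings.append(f"{name}: --openshift-service-account="
                            f"{flags['openshift-service-account']} but the pod runs as {sa_name}")
        sa = by_kind.get("ServiceAccount", {}).get(sa_name)
        if sa is not None and not any(k.startswith(REDIRECT_PREFIX)
                                      for k in sa["metadata"].get("annotations", {})):
            findings.append(f"{name}: ServiceAccount {sa_name} lacks a {REDIRECT_PREFIX}* annotation")
        cookie = flags.get("cookie-secret-file")
        if cookie:
            mount = next((m for m in proxy.get("volumeMounts", [])
                          if cookie.startswith(m["mountPath"].rstrip("/") + "/")), None)
            if mount is None:
                findings.append(f"{name}: {cookie} is not under any volumeMount of oauth-proxy")
            else:
                key = cookie[len(mount["mountPath"].rstrip("/")) + 1:]
                sec = secrets.get(vol_secret.get(mount["name"], ""))
                if sec is not None and not sec.get("data", {}).get(key):  # data is base64; '' stays ''
                    findings.append(f"{name}: Secret {sec['metadata']['name']} key {key} is empty, "
                                    "oauth-proxy will exit with 'missing setting: cookie-secret'")
    return findings


# Constructed sample modelled on the thread (not a real cluster export): the tls
# Secret is not issued yet, session_secret is empty (the `tr: Illegal byte
# sequence` case), --openshift-ca is missing and the SA has no redirect annotation.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "reverse-words",
                                     "annotations": {SERVING_CERT: "reversewords-tls"}}},
    {"kind": "ServiceAccount", "metadata": {"name": "reversewords"}},
    {"kind": "Secret", "metadata": {"name": "reversewords-proxy"}, "data": {"session_secret": ""}},
    {"kind": "Deployment", "metadata": {"name": "reverse-words"}, "spec": {"template": {"spec": {
        "serviceAccountName": "reversewords",
        "containers": [{"name": "reverse-words"}, {"name": "oauth-proxy", "args": [
            "--provider=openshift", "--https-address=:8888", "--upstream=http://localhost:8080",
            "--tls-cert=/etc/tls/private/tls.crt", "--tls-key=/etc/tls/private/tls.key",
            "--cookie-secret-file=/etc/proxy/secrets/session_secret",
            "--openshift-service-account=reversewords"], "volumeMounts": [
            {"name": "secret-reversewords-tls", "mountPath": "/etc/tls/private"},
            {"name": "secret-reversewords-proxy", "mountPath": "/etc/proxy/secrets"}]}],
        "volumes": [{"name": "secret-reversewords-tls", "secret": {"secretName": "reversewords-tls"}},
                    {"name": "secret-reversewords-proxy", "secret": {"secretName": "reversewords-proxy"}}],
    }}}},
]

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```

Run against a real namespace with `oc -n <ns> get deploy,svc,secret,sa -o json | python3 -c 'import json,sys; from preflight import preflight; print(*preflight(json.load(sys.stdin)["items"]), sep="\n")'` (assuming the block is saved as preflight.py).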