oauth2-proxy / oauth2-proxy

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
https://oauth2-proxy.github.io/oauth2-proxy
MIT License

How to reuse one instance of oauth2-proxy for multiple subdomains #2140

Closed jobinjosem closed 11 months ago

jobinjosem commented 1 year ago

Is there a way I can reuse the same oauth2-proxy instance for multiple URLs in the same parent domain? I have two services running in AKS, service1.internal.domain.com and service2.internal.domain.com, and an application gateway is deployed in front of AKS. I access the services using two external URLs, service1.external.domain.com and service2.external.domain.com. Now in the oauth2-proxy helm release I can provide only one redirect URL, like https://service1.external.domain.com/oauth2/callback, and then service1 works but service2 does not. Can someone help me fix this issue?

My helm release values are like below.

extraArgs:
  provider: oidc
  email-domain: domain.com
  azure-tenant: xxxx-xxx-xxxxx-xxx--xxxxx
  oidc-issuer-url: https://login.microsoftonline.com/xxxx-xxx-xxxxx-xxx--xxxxx/v2.0
  cookie-domain: .domain.com
  redirect-url: https://service1.external.domain.com/oauth2/callback
ingress:
  enabled: true
  className: nginx-internal
  path: /oauth2
  pathType: Prefix
  hosts:

imranrazakhan commented 1 year ago

@jobinjosem Are you able to find the solution? I am looking for the same as I am also using Azure Application gateway rather than NGINX.

sde-melo commented 1 year ago

For those who are interested, I succeeded by following the method indicated here: https://stackoverflow.com/a/55778476

sde-melo commented 1 year ago

My Helm values file:

extraDeploy:
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: oauth2-proxy-nginx
    data:
      nginx.conf: |
        worker_processes 5;
        events {
        }
        http {
          server {
            listen 80 default_server;
            location = /healthcheck {
              add_header Content-Type text/plain;
              return 200 'ok';
            }
            location ~ /redirect/(.*) {
              return 307 https://$1$is_args$args;
            }
          }
        }

ingress:
  enabled: true
  pathType: Prefix
  ingressClassName: "nginx"
  hostname: oauth2.<DOMAIN>
  path: /

configuration:
  clientID: "xxx"
  clientSecret: "yyy"
  cookieSecret: "zzz"
  content: |
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null", "http://localhost/redirect/" ]
  whiteList: ".<DOMAIN>"

extraArgs:
  - "--cookie-domain=.<DOMAIN>"
  - "--email-domain=*"
  - "--provider=github"
  - "--github-org=<ORG>"
  - "--footer=-"

extraVolumes:
  - name: nginx
    configMap:
      name: oauth2-proxy-nginx

sidecars:
  - name: nginx
    image: nginx:stable-alpine
    imagePullPolicy: Always
    ports:
      - name: nginx
        containerPort: 80
    livenessProbe:
      httpGet:
        path: /healthcheck
        port: 80
      initialDelaySeconds: 3
      timeoutSeconds: 2
      failureThreshold: 2
    resources:
      requests:
        cpu: 50m
        memory: 64Mi
      limits:
        memory: 64Mi
    volumeMounts:
      - name: nginx
        mountPath: /etc/nginx/
        readOnly: true

Montralis commented 1 year ago

I'm not sure if I have the same problem, but let's try to break this down.

In my k8s namespace two services are providing a web service. One is named service1 and the other service2. Both websites are available under a domain, let's say service1.mydomain.com and service2.mydomain.com. I want to use one oauth2-proxy deployment for both since they share the same *.mydomain.com.

The part I'm missing is the oauth2-proxy config for --redirect-url and --upstream-url.

-Webrequest->|Traefik|-redirect_to_oauth2-proxy->|oauth2-proxy|-(based on request subdomain upstream to serviceX)->|ServiceX| I'm using Traefik as proxy server.

How can oauth2-proxy decide (based on the requested subdomain) which service the upstream should point to? Or must I create two oauth2-proxy deployments for this case?

jobinjosem1 commented 1 year ago

@sde-melo Thanks for your reply. A quick question: are you using oauth2-proxy behind an Azure Application Gateway? I had an issue in my setup where the appGW overwrites the host header, so nginx doesn't see the actual requested host. Nginx gets the internal URL, which is called by the application gateway, as the host header, so the constructed redirect URL points to internal URLs, which are not accessible from public.

Montralis commented 1 year ago

@jobinjosem1 maybe you could let me know as well?

Montralis commented 1 year ago

> My Helm values file: (the values file from @sde-melo's comment above, quoted in full)

I'm sorry, I'm quite new to k8s and all that. How does this solve the problem? Where is the part where, once the user is authenticated, oauth2-proxy redirects to the subdomain the user requested? I don't get how I can "store" the requested subdomain for the redirect. Thanks a lot!!
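An added example, not part of this thread or of the oauth2-proxy project: the per-service Ingress objects that pair with @sde-melo's values file above, and that answer the question of where the requested subdomain is "stored" for the post-login redirect. It assumes ingress-nginx (as in that values file), the oauth2-proxy Ingress served at oauth2.<DOMAIN>, and two hypothetical ClusterIP Services named service1 and service2 listening on port 80 in the same namespace.

```yaml
# Added example (assumptions: ingress-nginx, oauth2-proxy reachable at
# https://oauth2.<DOMAIN>, hypothetical Services service1 and service2 on port 80).
# One oauth2-proxy instance protects both hosts; the original host and path travel
# in the rd= query parameter and are accepted because ".<DOMAIN>" is whitelisted.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service1
  annotations:
    # Subrequest for every request: 2xx means a valid session cookie, 401 means none.
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.<DOMAIN>/oauth2/auth"
    # On 401 the browser is sent to the shared proxy with the ORIGINAL host and URI
    # in rd=. This is what "stores" the requested subdomain: after the IdP callback,
    # oauth2-proxy redirects the user to rd, which it only honours because the
    # values file sets whiteList: ".<DOMAIN>" (the --whitelist-domain option).
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.<DOMAIN>/oauth2/start?rd=https://$host$escaped_request_uri"
spec:
  ingressClassName: nginx
  rules:
    - host: service1.<DOMAIN>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service1
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service2
  annotations:
    # Identical annotations: the subdomain is never hard-coded, $host supplies it.
    nginx.ingress.kubernetes.io/auth-url: "https://oauth2.<DOMAIN>/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2.<DOMAIN>/oauth2/start?rd=https://$host$escaped_request_uri"
spec:
  ingressClassName: nginx
  rules:
    - host: service2.<DOMAIN>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service2
                port:
                  number: 80
```

Three settings in the values file make this work together, and each has a security consequence. `whiteList: ".<DOMAIN>"` is the allow-list for `rd`; without it oauth2-proxy discards a cross-host redirect target and the user lands on the proxy's own host, and widening it beyond your parent domain turns `/oauth2/start` into a redirect to arbitrary sites. `--cookie-domain=.<DOMAIN>` scopes the session cookie to the parent domain so one login covers both services, which also means every backend under `<DOMAIN>` receives that cookie on each proxied request, so only place applications you trust under it. `redirect-url` stays the single callback on the proxy's own host (https://oauth2.<DOMAIN>/oauth2/callback), which is what the thread's opening question was missing: the per-service hostnames never need to be registered at the identity provider. If the proxy runs in the same cluster, `auth-url` can point at its in-cluster Service (for example http://oauth2-proxy.<namespace>.svc.cluster.local/oauth2/auth, assuming the chart's default Service name and port) to avoid a hairpin through the public load balancer; `auth-signin` must remain the public URL because the browser follows it. The sidecar's `location ~ /redirect/(.*)` in the values file answers with a 307 to whatever host follows the prefix, so keep it reachable only through the authenticated oauth2-proxy upstream, as that file does, and never expose port 80 of the sidecar directly.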

github-actions[bot] commented 1 year ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

sde-melo commented 11 months ago

Hi @jobinjosem1, sorry I didn't see your question. No I use it on AWS EKS, behind a load balancer and ingress-nginx