vmware-archive / kube-prod-runtime

A standard infrastructure environment for Kubernetes
Apache License 2.0

oauth2-proxy: provider "keycloak" breaks authentication to Kubeapps and Kubernetes-dashboard #1065

Open floek opened 3 years ago

floek commented 3 years ago

Hi,

I tried to use kubeprod's oauth2-proxy to authenticate bitnami/kubeapps and Kubernetes-dashboard. After some analysis I found that oauth2-proxy with --provider=keycloak is not usable for this task, because it is not possible to add an Authorization: Bearer token header to the HTTP requests, which those apps need.

References:

So it may be a good idea to switch to --provider=oidc in kubeprod to support this. For everyone interested in this task, here are the options I needed to successfully authenticate to Kubernetes-dashboard with Keycloak / oauth2-proxy:

OIDC options for kube-apiserver:

    --oidc-client-id=bkpr
    --oidc-groups-claim=groups
    --oidc-issuer-url=https://id.kubeprod.domain/auth/realms/BKPR
    --oidc-username-claim=preferred_username

In Keycloak, add a role, for example "my-custer-admin-role", and assign it to a user.

Clusterrolebinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  # must match a value in the token's "groups" claim (--oidc-groups-claim=groups)
  name: my-custer-admin-role

Options for oauth2-proxy:

--provider=oidc
--oidc-issuer-url=https://id.kubeprod.domain/auth/realms/BKPR
--set-authorization-header=true

Annotations for kubernetes-dashboard nginx-ingress:

    nginx.ingress.kubernetes.io/auth-signin: https://auth.kubeprod.domain/oauth2/start?rd=%2F$server_name$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://auth.kubeprod.domain/oauth2/auth

    # important to add the Authorization: Bearer header:
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization

Cheers, floek
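The steps above describe one end-to-end path: oauth2-proxy (with --set-authorization-header=true) forwards its OIDC ID token as Authorization: Bearer, the dashboard passes that token to kube-apiserver, and the apiserver checks it against the --oidc-* flags before RBAC matches the groups claim against the ClusterRoleBinding. The following is an added example, not code from kube-prod-runtime, oauth2-proxy or Keycloak, that replays those apiserver-side checks offline so you can see which claim each flag governs and why the binding is on a Group rather than a User. It assumes HS256 tokens signed with a constructed secret so it runs without a realm; a real Keycloak realm signs RS256 and the apiserver fetches the keys from the issuer's JWKS, but the claim checks are the same. The helper names (mint_token, authenticate, bound_cluster_roles) are this example's own.

```python
"""Replay kube-apiserver's OIDC claim checks and RBAC group matching offline.

Added example; not code from kube-prod-runtime, oauth2-proxy or Keycloak.
Assumption: HS256 with a constructed secret stands in for Keycloak's RS256
keys so the check runs with no network. The claim logic is what the
--oidc-* flags from the issue configure.
"""
import base64
import hashlib
import hmac
import json
import time

# kube-apiserver flags from the issue
ISSUER = "https://id.kubeprod.domain/auth/realms/BKPR"   # --oidc-issuer-url
CLIENT_ID = "bkpr"                                        # --oidc-client-id
USERNAME_CLAIM = "preferred_username"                     # --oidc-username-claim
GROUPS_CLAIM = "groups"                                   # --oidc-groups-claim
# No --oidc-username-prefix is set and the claim is not "email", so the
# apiserver prefixes usernames with "<issuer>#"; groups get no prefix.
USERNAME_PREFIX = ISSUER + "#"

# The ClusterRoleBinding from the issue, reduced to (kind, name) -> ClusterRole.
CLUSTER_ROLE_BINDINGS = {
    "oidc-cluster-admin": {
        "roleRef": "cluster-admin",
        "subjects": [("Group", "my-custer-admin-role")],
    },
}

SECRET = b"constructed-test-secret"  # constructed; stands in for the realm key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Create an HS256 JWT; a test stand-in for the ID token Keycloak issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token: str, key: bytes = SECRET, now=None):
    """Apply the checks the --oidc-* flags configure; return (username, groups).

    Any failure raises ValueError, which the apiserver would answer with 401.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # assumption: HS256 stands in for RS256
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: token was not issued for our client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    username = claims.get(USERNAME_CLAIM)
    if not isinstance(username, str) or not username:
        raise ValueError(f"missing {USERNAME_CLAIM} claim")
    groups = claims.get(GROUPS_CLAIM, [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError(f"{GROUPS_CLAIM} claim must be a list of strings")
    return USERNAME_PREFIX + username, groups


def bound_cluster_roles(username: str, groups: list) -> set:
    """ClusterRoles the authenticated identity receives through the bindings."""
    roles = set()
    for binding in CLUSTER_ROLE_BINDINGS.values():
        for kind, name in binding["subjects"]:
            if (kind == "User" and name == username) or (kind == "Group" and name in groups):
                roles.add(binding["roleRef"])
    return roles


def cluster_roles_for_token(token: str, now=None) -> set:
    username, groups = authenticate(token, now=now)
    return bound_cluster_roles(username, groups)


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 3600,
                      "preferred_username": "alice", "groups": ["my-custer-admin-role"]})
    print(authenticate(tok), cluster_roles_for_token(tok))
```

Two things the run makes visible: a Keycloak role only reaches RBAC if the client's mapper places it in the claim named by --oidc-groups-claim as a string array, and the effective username is issuer-prefixed, so a binding with `kind: User` would have to name `https://id.kubeprod.domain/auth/realms/BKPR#alice`, which is one reason the thread binds a Group instead.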

javsalgar commented 3 years ago

Hi,

Thank you very much for the input! I will forward this for evaluation.