Open mlbiam opened 11 months ago
Thanks @mlbiam. Although I agree that skipping the login page is the ideal behavior here in the situation described, I'm unsure why you're seeing the login page if the `Authorization` header is already populated with a valid (i.e. accepted by the API server) token. Kubeapps isn't itself aware of the authentication, it (the dashboard) simply tries a request and relies on an Authorization header (often set by the proxy - whether it's oauth2-proxy or openunison?).
Ah right, as you say, because you've got `authProxy.enabled` set to `false`, the chart is assuming that you want to use token authentication. Have you tried:
```yaml
authProxy:
  enabled: true
  external: true
```
This tells Kubeapps that you are using an auth proxy, but an external one (not the one bundled with the chart).
Hi @mlbiam, did you finally test the above-mentioned options?
I haven't, though I still have it set up. I'll also ping my customer that was planning to roll this out and see if they've tried it.
I'm being lazy, but does the reverse proxy integration support impersonation header passthrough along with passing the token along? (i.e. like the way the Kubernetes Dashboard will pass impersonation headers when present?) I'm doing a session on securing dashboards in Kubernetes next month at Civo Navigate and want to include kubeapps.
Thanks
Thanks for the update! I'd say, from memory, we have a `frontend.proxypassAccessTokenAsBearer` param which allows passing the raw `access_token` as the Bearer when talking to the k8s api server.
Have a look at the `frontend.*` config our chart has, maybe they can be useful for your use case: https://github.com/bitnami/charts/tree/main/bitnami/kubeapps#frontend-parameters
Good luck in your Securing Dashboards in a Command Line World talk! Happy to see kubeapps featured there :)
Summary
Provide a flag that bypasses login when a token is present in the `Authorization` header
Background and rationale
I've integrated KubeApps with OpenUnison's reverse proxy, which injects a token that is accepted by the API server, instead of the bundled oauth2-proxy. I didn't integrate via the oauth2 proxy because it doesn't handle very short lived tokens (1 min) well and so each page was refreshing the authentication back to OpenUnison's identity provider. Integrating this way lets me inject a short lived (1 min) token that the API server will recognize without having to get a new token via OIDC every minute and without having to deal with refresh tokens.
While the setup with OpenUnison works, I'm presented with a login screen asking for a token. Providing any value bypasses this screen without issue. (This isn't a security issue, because the token that's injected into the header is used.) Setting `authProxy.skipKubeappsLoginPage` to `true` has no impact (probably because `authProxy.enabled` is `false`).
This request is similar to how the Kubernetes Dashboard and Kiali both work with external proxies.
Description
Add a helm chart option similar to `frontend.skipLogin` or just detect that there's a token and skip the login page.
Acceptance criteria
If `frontend.skipLoginPage` is `true`, trust the `Authorization` header and do not present a login screen.
Additional context
Add any other context or screenshots about the feature request here.