weaveworks / weave-gitops

Weave GitOps provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.
https://docs.gitops.weave.works/
Apache License 2.0

[BUG] Anonymous access issue #4172

Closed zs-dima closed 8 months ago

zs-dima commented 9 months ago

Anonymous access does not work as described in the documentation:

https://docs.gitops.weave.works/docs/guides/anonymous-access/

additionalArgs:
  - --insecure-no-authentication-user=gitops-test-user

In this case, only a welcome page is available: [image]

bigkevmcd commented 8 months ago

@zs-dima Can you say more about how you're configuring it?

Does the no-authentication-user have access to the Kubernetes cluster?

zs-dima commented 8 months ago

@bigkevmcd thanks for looking into it. In the case of insecure-no-authentication-user with oauth2-proxy to secure access in the common way, we get the result shown above. When using the weave-gitops internal OIDC, or insecure-no-authentication-user without oauth2-proxy, it works well. So it looks like authentication conflicts with the internal weave-gitops OIDC.

bigkevmcd commented 8 months ago

@zs-dima I'd be happy to look at a PR that introduced support for oauth2-proxy.

I'm not entirely sure what it would take tho', as we basically take the OIDC ID Token and use that to talk to the kube-apiserver (which is very similar to what Kubernetes does natively).

zs-dima commented 8 months ago

@bigkevmcd thanks a lot for looking into it. You can look at a sample configuration: https://github.com/zs-dima/monitoring-stack-k3s

If you change the weave auth from auth-methods=oidc to insecure-no-authentication-user=gitops-test-user, then add middlewares to the ingress:

traefik.ingress.kubernetes.io/router.middlewares: auth-oauth@kubernetescrd

https://github.com/zs-dima/monitoring-stack-k3s/blob/main/infrastructure/system/weave-gitops/release.yaml

plus include weave in the oauth2-proxy ingress hosts similar to other apps: https://github.com/zs-dima/monitoring-stack-k3s/blob/main/infrastructure/auth/oauth2-proxy/release.yaml

you will be able to reproduce this issue.