Merge 36070faff9 into 8218421812

controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl

@@ -663,12 +663,13 @@ stream {
             {{ end }}
             {{ if not (empty $location.ExternalAuth.Method) }}
             proxy_method                {{ $location.ExternalAuth.Method }};
-            proxy_set_header            X-Original-URI $request_uri;
+            proxy_set_header            X-Original-URI          $request_uri;
-            proxy_set_header            X-Scheme       $pass_access_scheme;
+            proxy_set_header            X-Scheme                $pass_access_scheme;
             {{ end }}
             proxy_pass_request_headers  on;
-            proxy_set_header            Host {{ $location.ExternalAuth.Host }};
+            proxy_set_header            Host                    {{ $location.ExternalAuth.Host }};
-            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
+            proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
+            proxy_set_header            X-Auth-Request-Redirect $request_uri;
             proxy_ssl_server_name       on;
 
             client_max_body_size        "{{ $location.Proxy.BodySize }}";
@@ -712,9 +713,9 @@ stream {
 
             {{ if not (empty $authPath) }}
             # this location requires authentication
-            auth_request {{ $authPath }};
+            auth_request        {{ $authPath }};
-            auth_request_set $auth_cookie $upstream_http_set_cookie;
+            auth_request_set    $auth_cookie $upstream_http_set_cookie;
-            add_header Set-Cookie $auth_cookie;
+            add_header          Set-Cookie $auth_cookie;
             {{- range $idx, $line := buildAuthResponseHeaders $location }}
             {{ $line }}
             {{- end }}
@@ -780,9 +781,6 @@ stream {
             proxy_set_header X-Original-URI         $request_uri;
             proxy_set_header X-Scheme               $pass_access_scheme;
 
-            {{/* This header is used for external authentication */}}
-            proxy_set_header X-Auth-Request-Redirect $request_uri;
-
             # mitigate HTTPoxy Vulnerability
             # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
             proxy_set_header Proxy                  "";

examples/external-auth/nginx/dashboard-ingress.yaml

@@ -8,7 +8,7 @@ metadata:
   namespace: kube-system
 spec:
   rules:
-  - host: __INGRESS_HOST__
+  - host: dashboard.uswest2-01.rocket-science.io
     http:
       paths:
       - backend:
@@ -25,7 +25,7 @@ metadata:
   namespace: kube-system
 spec:
   rules:
-  - host: __INGRESS_HOST__
+  - host: dashboard.uswest2-01.rocket-science.io
     http:
       paths:
       - backend:
@@ -34,5 +34,5 @@ spec:
         path: /oauth2
   tls:
   - hosts:
-    - __INGRESS_HOST__
+    - dashboard.uswest2-01.rocket-science.io
-    secretName: __INGRESS_SECRET__
+    secretName: dashboard-rocket-science.io

examples/external-auth/nginx/oauth2-proxy.yaml

@@ -25,13 +25,13 @@ spec:
         # https://github.com/settings/applications/new
         env:
         - name: OAUTH2_PROXY_CLIENT_ID
-          value: <Client ID>
+          value: b609d40bdedf145d832e
         - name: OAUTH2_PROXY_CLIENT_SECRET
-          value: <Client Secret>
+          value: cc2a10e004624aae225b4d5edd5574dea7944395
         # python -c 'import os,base64; print base64.b64encode(os.urandom(16))'
         - name: OAUTH2_PROXY_COOKIE_SECRET
-          value: SECRET
+          value: F6HNMR7IiGzwAYSAHV+9OQ==
-        image: docker.io/colemickens/oauth2_proxy:latest
+        image:  skippy/docker-oauth2_proxy:2.0.1
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:
@@ -46,6 +46,7 @@ metadata:
   labels:
     k8s-app: oauth2-proxy
   name: oauth2-proxy
+  namespace: kube-system
 spec:
   ports:
   - name: http