DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add example using github oauth application

Browse source
This commit is contained in:
Manuel de Brito Fontes 2017-03-08 20:58:34 -03:00
parent 09e6aabce4
commit 681af2d8d6
7 changed files with 159 additions and 116 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
examples/README.md
View file

@ -57,7 +57,7 @@ SNI + TCP | TLS routing based on SNI hostname | nginx | Advanced
Name | Description | Platform | Complexity Level Name | Description | Platform | Complexity Level
-----| ----------- | ---------- | ---------------- -----| ----------- | ---------- | ----------------
Basic auth | password protect your website | nginx | Intermediate Basic auth | password protect your website | nginx | Intermediate
[External auth plugin](external-auth/README.md) | defer to an external auth service | nginx | Intermediate [External auth plugin](external-auth/nginx/README.md) | defer to an external auth service | nginx | Intermediate
## Protocols ## Protocols

45
examples/external-auth/README.md
View file

@ -1,45 +0,0 @@
## External Authentication
### Overview
The `auth-url` and `auth-signin` annotations allow you to use an external
authentication provider to protect your Ingress resources.
(Note, this annotation requires `nginx-ingress-controller v0.9.0` or greater.)
### Key Detail
This functionality is enabled by deploying multiple Ingress objects for a single host.
One Ingress object has no special annotations and handles authentication.
Other Ingress objects can then be annotated in such a way that require the user to
authenticate against the first Ingress's endpoint, and can redirect `401`s to the
same endpoint.
Sample:
```
...
metadata:
name: application
annotations:
"ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"
"ingress.kubernetes.io/signin-url": "https://$host/oauth2/sign_in"
...
```
### Example: OAuth2 Proxy + Kubernetes-Dashboard
This example will show you how to deploy [`oauth2_proxy`](https://github.com/bitly/oauth2_proxy)
into a Kubernetes cluster and use it to protect the Kubernetes Dashboard.
#### Prepare:
1. `export DOMAIN="somedomain.io"`
2. Install `nginx-ingress`. If you haven't already, consider using `helm`: `$ helm install stable/nginx-ingress`
3. Make sure you have a TLS cert added as a Secret named `ingress-tls` that corresponds to your `$DOMAIN`.
### Deploy: `oauth2_proxy`
This is the Deployment object that runs `oauth2_proxy`.

27
examples/external-auth/dashboard.ingress.yaml
View file

@ -1,27 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: dashboard
namespace: kube-system
annotations:
"ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"
"ingress.kubernetes.io/auth-signin": "https://$host/oauth2/sign_in"
spec:
tls:
- secretName: 'foo-secret-966'
hosts:
- 'foo-966.bar.com'
rules:
- host: 'foo-966.bar.com'
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 80
- parh: /oauth2
backend:
serviceName: oauth2proxy
servicePort: 4180

43
examples/external-auth/deployment.yaml
View file

@ -1,43 +0,0 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: oauth2-proxy
labels:
k8s-app: oauth2proxy
spec:
replicas: 1
template:
metadata:
labels:
k8s-app: oauth2proxy
spec:
volumes:
- name: oauth2proxy-secret
secret:
secretName: oauth2proxy
containers:
- name: oauth2proxy
image: docker.io/colemickens/oauth2_proxy:latest
imagePullPolicy: Always
ports:
- containerPort: 4180
args:
- --provider=github
- --email-domain=*
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2proxy
name: oauth2proxy
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2proxy

64
examples/external-auth/nginx/README.md Normal file
View file

@ -0,0 +1,64 @@
## External Authentication
### Overview
The `auth-url` and `auth-signin` annotations allow you to use an external
authentication provider to protect your Ingress resources.
(Note, this annotation requires `nginx-ingress-controller v0.9.0` or greater.)
### Key Detail
This functionality is enabled by deploying multiple Ingress objects for a single host.
One Ingress object has no special annotations and handles authentication.
Other Ingress objects can then be annotated in such a way that require the user to
authenticate against the first Ingress's endpoint, and can redirect `401`s to the
same endpoint.
Sample:
```
...
metadata:
name: application
annotations:
"ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"
"ingress.kubernetes.io/signin-url": "https://$host/oauth2/sign_in"
...
```
### Example: OAuth2 Proxy + Kubernetes-Dashboard
This example will show you how to deploy [`oauth2_proxy`](https://github.com/bitly/oauth2_proxy)
into a Kubernetes cluster and use it to protect the Kubernetes Dashboard.
#### Prepare:
1. Install the kubernetes dashboard
```console
kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.5.0.yaml
```
2. Create a custom Github OAuth application https://github.com/settings/applications/new
- Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com`
- Authorization callback URL is the same as the base FQDN plus `/oauth2`, like `https://foo.bar.com/oauth2`
3. Configure oauth2_proxy values in the file oauth2-proxy.yaml with the values:
- OAUTH2_PROXY_CLIENT_ID with the github `<Client ID>`
- OAUTH2_PROXY_CLIENT_SECRET with the github `<Client Secret>`
- OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print base64.b64encode(os.urandom(16))'`
4. Customize the contents of the file dashboard-ingress.yaml:
Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate.
5. Deploy the oauth2 proxy and the ingress rules running:
```console
$ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
```
Test the oauth integration accessing the configured URL, like `https://foo.bar.com`

38
examples/external-auth/nginx/dashboard-ingress.yaml Normal file
View file

@ -0,0 +1,38 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/auth-signin: https://$host/oauth2/sign_in
ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
name: external-auth-oauth2
namespace: kube-system
spec:
rules:
- host: __INGRESS_HOST__
http:
paths:
- backend:
serviceName: kubernetes-dashboard
servicePort: 80
path: /
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: kube-system
spec:
rules:
- host: __INGRESS_HOST__
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
tls:
- hosts:
- __INGRESS_HOST__
secretName: __INGRESS_SECRET__

56
examples/external-auth/nginx/oauth2-proxy.yaml Normal file
View file

@ -0,0 +1,56 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: kube-system
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=github
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
# Register a new application
# https://github.com/settings/applications/new
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: <Client ID>
- name: OAUTH2_PROXY_CLIENT_SECRET
value: <Client Secret>
# python -c 'import os,base64; print base64.b64encode(os.urandom(16))'
- name: OAUTH2_PROXY_COOKIE_SECRET
value: SECRET
image: docker.io/colemickens/oauth2_proxy:latest
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy