add external auth example

2017-01-31 20:56:56 -08:00 · 2017-01-31 20:56:56 -08:00 · 8e72bdc83a
commit 8e72bdc83a
parent 2b05c90428
10 changed files with 204 additions and 1 deletions
--- a/examples/README.md
+++ b/examples/README.md
@ -57,7 +57,7 @@ SNI + TCP | TLS routing based on SNI hostname | nginx | Advanced
 Name | Description | Platform   | Complexity Level
 -----| ----------- | ---------- | ----------------
 Basic auth | password protect your website | nginx | Intermediate
-External auth plugin | defer to an external auth service | nginx | Intermediate
+[External auth plugin](external-auth/README.md) | defer to an external auth service | nginx | Intermediate
 ## Protocols
--- a/examples/external-auth/.gitignore
+++ b/examples/external-auth/.gitignore
@ -0,0 +1,2 @@
 oauth2proxy.config
 authenticated_emails
--- a/examples/external-auth/README.md
+++ b/examples/external-auth/README.md
@ -0,0 +1,62 @@
 ## External Authentication
 ### Overview
 The `auth-url` and `auth-signin` annotations allow you to use an external
 authentication provider to protect your Ingress resources.
 (Note, this annotation requires `nginx-ingress-controller v0.9.0` or greater.)
 ### Key Detail
 This functionality is enabled by deploying multiple Ingress objects for a single host.
 One Ingress object has no special annotations and handles authentication.
 Other Ingress objects can then be annotated in such a way that require the user to
 authenticate against the first Ingress's endpoint, and can redirect `401`s to the
 same endpoint.
 Sample:
 ```
 ...
 metadata:
  name: application
  annotations:
    "ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"
    "ingress.kubernetes.io/signin-url": "https://$host/oauth2/sign_in"
 ...
 ```
 ### Example: OAuth2 Proxy + Kubernetes-Dashboard
 This example will show you how to deploy [`oauth2_proxy`](https://github.com/bitly/oauth2_proxy)
 into a Kubernetes cluster and use it to protect the Kubernetes Dashboard.
 #### Prepare:
 1. `export DOMAIN="somedomain.io"`
 2. Install `nginx-ingress`. If you haven't already, consider using `helm`: `$ helm install stable/nginx-ingress`
 3. Make sure you have a TLS cert added as a Secret named `ingress-tls` that corresponds to your `$DOMAIN`.
 ### Deploy: `oauth2_proxy`
 This is the Deployment object that runs `oauth2_proxy`.
 1. Configure `oauth2proxy.deployment.yaml` to use the desired provider.
 2. Create a secret with the appropriate name and values, matching what is specified in
   `oauth2proxy.deployment.yaml`.
   For example, as-is with Azure AD, you can use this command:
   ```
   kubectl create-secret generic oauth2proxy \
     --from-literal=COOKIE_SECRET="$(uuidgen)" \
     --from-literal=TENANT_ID="${TENANT_ID}" \
     --from-literal=CLIENT_ID="${CLIENT_ID}" \
     --from-literal=CLIENT_SECRET="${CLIENT_SECRET}"
   ```
 3. Deploy it all: `./deploy.sh`
 See the script for further details.
--- a/examples/external-auth/authenticated_emails.example
+++ b/examples/external-auth/authenticated_emails.example
@ -0,0 +1 @@
 sam@example.com
--- a/examples/external-auth/dashboard.ingress.yaml
+++ b/examples/external-auth/dashboard.ingress.yaml
@ -0,0 +1,22 @@
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: dashboard
  namespace: kube-system
  annotations:
    "ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"
    "ingress.kubernetes.io/auth-signin": "https://$host/oauth2/sign_in"
 spec:
  tls:
  - secretName: 'ingress-tls'
    hosts:
    - '__DOMAIN__'
  rules:
  - host: '__DOMAIN__'
    http:
      paths:
      - path: /
        backend:
          serviceName: kubernetes-dashboard
          servicePort: 80
--- a/examples/external-auth/deploy.sh
+++ b/examples/external-auth/deploy.sh
@ -0,0 +1,45 @@
 #!/usr/bin/env bash
 set -x
 set -u
 set -e
 echo "deploying oauth2proxy for ${DOMAIN}"
 if [[ -z "${DOMAIN:-}" ]]; then
 	echo "You must set \$DOMAIN."
 	exit -1
 fi
 if [[ ! -f "authenticated_emails" ]]; then
 	echo "You must create './authenticated_emails'."
 	exit -1
 fi
 if [[ ! -f "oauth2proxy.config" ]]; then
 	echo "You must create './oauth2proxy.config'."
 	exit -1
 fi
 force_cleanup="n"
 answer="y"
 if kubectl describe secret oauth2proxy &>/dev/null ; then
 	echo "secret 'oauth2proxy' already exists."
 	echo "do you want to replace it and cycle the 'oauth2proxy' container?"
 	read answer
 	if [[ "${answer}" == "y" ]]; then
 		kubectl delete secret oauth2proxy || true
 		kubectl delete deployment oauth2proxy || true
 	fi
 	force_cleanup="y"
 fi
 if [[ "${answer}" == "y" ]]; then
 	kubectl create secret generic oauth2proxy \
 		--from-file=oauth2proxy.config=./oauth2proxy.config \
 		--from-file=authenticated_emails=./authenticated_emails
 fi
 sed "s|__DOMAIN__|${DOMAIN}|g" ./oauth2proxy.deployment.yaml | kubectl apply -f -
 sed "s|__DOMAIN__|${DOMAIN}|g" ./oauth2proxy.ingress.yaml | kubectl apply -f -
 sed "s|__DOMAIN__|${DOMAIN}|g" ./oauth2proxy.service.yaml | kubectl apply -f -
 sed "s|__DOMAIN__|${DOMAIN}|g" ./dashboard.ingress.yaml | kubectl apply -f -
--- a/examples/external-auth/oauth2proxy.config.example
+++ b/examples/external-auth/oauth2proxy.config.example
@ -0,0 +1,7 @@
 http_address = "0.0.0.0:4180"
 upstreams = [ "http://default-http-backend" ]
 provider = "azure"
 client_id = ""
 client_secret = ""
 cookie_secret = ""
 authenticated_emails_file = "/var/run/secrets/oauth2proxy/authenticated_emails"
--- a/examples/external-auth/oauth2proxy.deployment.yaml
+++ b/examples/external-auth/oauth2proxy.deployment.yaml
@ -0,0 +1,31 @@
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
  name: oauth2-proxy
  labels:
    k8s-app: oauth2proxy
 spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: oauth2proxy
    spec:
      volumes:
      - name: oauth2proxy-secret
        secret:
          secretName: oauth2proxy
      containers:
      - name: oauth2proxy
        image: docker.io/colemickens/oauth2_proxy:latest
        imagePullPolicy: Always
        ports:
        - containerPort: 4180
        volumeMounts:
        - name: oauth2proxy-secret
          readOnly: true
          mountPath: /var/run/secrets/oauth2proxy
        command:
        - oauth2_proxy
        - --config=/var/run/secrets/oauth2proxy/oauth2proxy.config
--- a/examples/external-auth/oauth2proxy.ingress.yaml
+++ b/examples/external-auth/oauth2proxy.ingress.yaml
@ -0,0 +1,18 @@
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: oauth2proxy
 spec:
  tls:
  - secretName: 'ingress-tls'
    hosts:
    - '__DOMAIN__'
  rules:
  - host: '__DOMAIN__'
    http: 
      paths:
      - path: /oauth2
        backend:
          serviceName: oauth2proxy
          servicePort: 4180
--- a/examples/external-auth/oauth2proxy.service.yaml
+++ b/examples/external-auth/oauth2proxy.service.yaml
@ -0,0 +1,15 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  labels:
    k8s-app: oauth2proxy
  name: oauth2proxy
 spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    k8s-app: oauth2proxy