Hello,
I have configured the oauth-proxy component with the Google provider to protect certain applications in my cluster, so that they are only accessible through this authentication system; among them is the Kubernetes Dashboard.
With oauth-proxy configured, I have created a manifest for an Ingress resource that declares the authentication path, which is also protected with SSL through Cert Manager.
I also created the Ingress resource that exposes the Dashboard application under an SSL-protected domain.
When I access that Dashboard domain, the Google authentication flow starts, and everything seems to work fine until I am redirected back to the Dashboard after authenticating. At that point, I get the Dashboard login page, which asks me to enter an access token.
So I suspect that somewhere along the way I am leaving some setting out, as the Dashboard is not able to recognize that I have authenticated.
I need help, thanks!
Configuration details
I install oauth-proxy via Helm:
helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm install oauth2-proxy oauth2-proxy/oauth2-proxy \
  --namespace infrastructure \
  --values ./k8s/infrastructure/oauth2-proxy/installation.yml
With these values in the installation.yml:
config:
  clientID: "<GOOGLE_CLIENT_ID>"
  clientSecret: "<GOOGLE_CLIENT_SECRET>"
  provider: "google"
  redirectURL: "<REDIRECT_URL>"
  cookieSecret: "<COOKIE_SECRET>"
extraArgs:
  - --whitelist-domain=app1.example.com
  - --whitelist-domain=dashboard.example.com
  - --whitelist-domain=authentication.example.com
  - --cookie-domain=.example.com
  - --set-authorization-header
  - --pass-authorization-header
  - --pass-user-headers
  - --pass-access-token
  - --set-xauthrequest
service:
  portNumber: 4180
This is the Ingress resource I apply to expose the authentication URLs:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-ingress
  namespace: infrastructure
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    cert-manager.io/issuer: "letsencrypt-issuer"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - authentication.example.com
      secretName: oauth2-proxy-tls-certificate
  rules:
    - host: authentication.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
Finally, this is the Ingress resource that exposes the Dashboard application:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-ingress
  namespace: administration
  annotations:
    cert-manager.io/issuer: "letsencrypt-issuer"
    nginx.ingress.kubernetes.io/rewrite-target: /
    #nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/auth-url: "https://authentication.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://authentication.example.com/oauth2/start?rd=$scheme://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user,x-auth-request-email,authorization"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dashboard.example.com
      secretName: dashboard-tls-certificate
  rules:
    - host: dashboard.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard-kong-proxy
                port:
                  number: 443
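The three pieces above (oauth2-proxy's extraArgs, the oauth2-proxy Ingress and the Dashboard Ingress) have to agree with each other for the auth-request flow to carry the session and the identity headers through to the application. The script below is an added consistency check, not code from the original post or from the oauth2-proxy or ingress-nginx projects; the values it checks are transcribed from the manifests in the question as constructed sample input, and it assumes the documented meaning of --whitelist-domain (leading dot covers subdomains), --cookie-domain, --set-authorization-header, --set-xauthrequest and the ingress-nginx auth-url, auth-signin and auth-response-headers annotations.

```python
"""Consistency checks for an oauth2-proxy + ingress-nginx auth-request setup (added example)."""
from urllib.parse import parse_qs, urlparse

# Constructed sample input: extraArgs and Ingress annotations transcribed from the question.
PROXY_EXTRA_ARGS = [
    "--whitelist-domain=app1.example.com",
    "--whitelist-domain=dashboard.example.com",
    "--whitelist-domain=authentication.example.com",
    "--cookie-domain=.example.com",
    "--set-authorization-header",
    "--pass-authorization-header",
    "--pass-user-headers",
    "--pass-access-token",
    "--set-xauthrequest",
]
AUTH_INGRESS_HOSTS = ["authentication.example.com"]
DASHBOARD_INGRESS = {
    "host": "dashboard.example.com",
    "annotations": {
        "nginx.ingress.kubernetes.io/auth-url":
            "https://authentication.example.com/oauth2/auth",
        "nginx.ingress.kubernetes.io/auth-signin":
            "https://authentication.example.com/oauth2/start?rd=$scheme://$host$request_uri",
        "nginx.ingress.kubernetes.io/auth-response-headers":
            "x-auth-request-user,x-auth-request-email,authorization",
    },
}
ANN = "nginx.ingress.kubernetes.io/"


def parse_extra_args(extra_args):
    """Split '--flag' and '--key=value' arguments into a flag set and a key -> [values] map."""
    flags, values = set(), {}
    for arg in extra_args:
        key, sep, value = arg.partition("=")
        if sep:
            values.setdefault(key, []).append(value)
        else:
            flags.add(key)
    return flags, values


def domain_matches(pattern, host):
    """'.example.com' covers example.com and every subdomain; anything else is an exact match."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def check_dashboard_ingress(ingress, extra_args, auth_hosts):
    """Return a list of findings; an empty list means the three pieces agree with each other."""
    flags, values = parse_extra_args(extra_args)
    ann = ingress["annotations"]
    findings = []

    # 1. auth-url must point at oauth2-proxy's /oauth2/auth endpoint on a host its Ingress serves.
    auth_url = urlparse(ann[ANN + "auth-url"])
    if auth_url.hostname not in auth_hosts:
        findings.append(f"auth-url host {auth_url.hostname} is not served by the oauth2-proxy Ingress")
    if auth_url.path != "/oauth2/auth":
        findings.append(f"auth-url path {auth_url.path} is not the /oauth2/auth endpoint")

    # 2. The rd= target of auth-signin is where the user lands after login, and oauth2-proxy
    #    only redirects to hosts covered by --whitelist-domain. Substitute the nginx variables
    #    with the values they take for this Ingress before checking.
    signin = urlparse(ann[ANN + "auth-signin"])
    rd = parse_qs(signin.query).get("rd", [""])[0]
    rd = rd.replace("$scheme", "https").replace("$host", ingress["host"]).replace("$request_uri", "/")
    rd_host = urlparse(rd).hostname
    if not any(domain_matches(w, rd_host) for w in values.get("--whitelist-domain", [])):
        findings.append(f"redirect target {rd_host} is not covered by any --whitelist-domain")

    # 3. The session cookie is set on the auth host but must also be sent to the app host.
    if not any(domain_matches(c, ingress["host"]) for c in values.get("--cookie-domain", [])):
        findings.append(f"--cookie-domain does not cover {ingress['host']}")

    # 4. Headers oauth2-proxy sets on the /oauth2/auth response reach the app only if they are
    #    listed in auth-response-headers (HTTP header names are case-insensitive).
    headers = {h.strip().lower() for h in ann[ANN + "auth-response-headers"].split(",")}
    if "--set-authorization-header" in flags and "authorization" not in headers:
        findings.append("--set-authorization-header is on but Authorization is not forwarded")
    if "--set-xauthrequest" in flags and not {"x-auth-request-user", "x-auth-request-email"} <= headers:
        findings.append("--set-xauthrequest is on but the X-Auth-Request-* headers are not forwarded")
    return findings


if __name__ == "__main__":
    result = check_dashboard_ingress(DASHBOARD_INGRESS, PROXY_EXTRA_ARGS, AUTH_INGRESS_HOSTS)
    for line in result or ["no inconsistencies found between extraArgs and the Ingress annotations"]:
        print(line)
```

Run against the values in the question the check reports nothing, which narrows the problem to what the Dashboard does with the forwarded Authorization header rather than to the plumbing between nginx and oauth2-proxy: the Dashboard only skips its login page when the bearer token it receives is one the Kubernetes API server accepts, so the token oauth2-proxy forwards is the next thing to inspect.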