Protect a service on PKS with UAA using oauth2-proxy.
Assumes you have already deployed the nginx ingress controller.
Create the UAA client:
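# Register the UAA OAuth client that oauth2-proxy authenticates with.
# The redirect URI must match oauth2-proxy's --redirect-url exactly,
# scheme included (the Helm step below uses the https:// form); a bare
# hostname here makes UAA reject the authorization-code callback.
# Every line but the last needs a trailing backslash, otherwise the
# shell runs the remaining options as a separate (failing) command.
# "the-secret" is a placeholder: use a generated value and keep it in
# sync with config.clientSecret in the Helm install.
uaac client add --name kibana --scope openid email profile \
  --authorized_grant_types authorization_code --authorities uaa.resources \
  --redirect-uri https://kibana.haas-445.pez.pivotal.io/oauth2/callback --secret the-secret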
Deploy oauth2-proxy using Helm:
# Install the stable/oauth2-proxy chart as release "authproxy" in the
# logging namespace, configured as an OIDC client of the PKS UAA.
#
#   config.clientID / clientSecret     the UAA client created above
#   config.cookieSecret                value from the generator below
#   extraArgs.provider / oidc-issuer-url
#                                      UAA acts as the OIDC issuer
#   extraArgs.email-domain="*"         every account UAA authenticates
#                                      is let through; narrow this if only
#                                      some users should reach the service
#   extraArgs.redirect-url             must equal the UAA client's
#                                      --redirect-uri, scheme included
#   extraArgs.ssl-insecure-skip-verify=true
#                                      disables certificate verification on
#                                      the proxy -> UAA connection; a lab
#                                      setting only -- trust the UAA CA in
#                                      anything beyond a test cluster
#
# Secrets given via --set land in shell history and in the stored release
# values; a values file kept out of version control is the safer carrier.
helm install --name authproxy \
  --namespace=logging \
  --set config.clientID=kibana \
  --set config.clientSecret="the-secret" \
  --set config.cookieSecret="ZUN5NXlsUnFMMWhMQ1RRaTJBN1hXdz09" \
  --set extraArgs.provider=oidc \
  --set extraArgs.email-domain="*" \
  --set extraArgs.redirect-url=https://kibana.haas-445.pez.pivotal.io/oauth2/callback \
  --set extraArgs.oidc-issuer-url=https://api.pks.haas-445.pez.pivotal.io:8443/oauth/token \
  --set extraArgs.ssl-insecure-skip-verify=true \
  stable/oauth2-proxy
Note: to generate a cookie secret:
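# Prints a 32-character value for config.cookieSecret (16 random bytes,
# base64-encoded twice). Generate a fresh one per deployment and never
# reuse the example value shown in the Helm command above.
# The secrets module requires Python 3, where print() of a bytes object
# would emit b'...' quoting; .decode() prints the bare string instead.
python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))).decode());'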
Create the two Ingress objects below.
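# Ingress for the protected application. The two nginx auth annotations
# make the ingress controller consult oauth2-proxy (served under /oauth2
# by the second Ingress) before every request; unauthenticated requests
# are sent to the sign-in URL with the original request URI kept in ?rd=.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana-test
  # No namespace is set, so this object lands in the current context's
  # namespace. The kibana-michaels-cluster Service and the kibana-tls
  # Secret must exist in that same namespace (Secrets are namespaced)
  # -- confirm before applying.
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
  rules:
    - host: kibana.haas-445.pez.pivotal.io
      http:
        paths:
          - backend:
              serviceName: kibana-michaels-cluster
              servicePort: 80
            path: /
  tls:
    - hosts:
        - kibana.haas-445.pez.pivotal.io
      secretName: kibana-tls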
---
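# Ingress that exposes oauth2-proxy itself under /oauth2 on the same host,
# so the auth-url/auth-signin calls of the protected Ingress and the OIDC
# redirect-url (.../oauth2/callback) reach the proxy. It deliberately has
# no auth annotations: guarding the proxy's own endpoints would loop.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: authproxy-oauth2-proxy
  namespace: logging
  annotations:
    kubernetes.io/ingress.class: nginx
    # tls-acme asks an ACME controller, if one is installed, to manage
    # kibana-tls; that would replace the self-signed certificate created
    # in the openssl step below. Drop the annotation if the self-signed
    # Secret is the intended one -- verify against the cluster.
    kubernetes.io/tls-acme: "true"
spec:
  rules:
    - host: kibana.haas-445.pez.pivotal.io
      http:
        paths:
          - backend:
              serviceName: authproxy-oauth2-proxy
              servicePort: 80
            path: /oauth2
  tls:
    - hosts:
        - kibana.haas-445.pez.pivotal.io
      # Must exist in the logging namespace; Secrets do not cross namespaces.
      secretName: kibana-tls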
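# Create a self-signed certificate for the host and store it as the
# kibana-tls Secret referenced by both Ingress objects.
# Only the CN is set; clients that require a subjectAltName will still
# reject this certificate -- add a SAN if your OpenSSL supports it.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=kibana.haas-445.pez.pivotal.io"
# The oauth2-proxy Ingress lives in the logging namespace, so the Secret
# must be created there (without --namespace it goes to the context's
# current namespace). Repeat the command for the namespace of the
# kibana-test Ingress if that one differs.
kubectl create secret tls kibana-tls --namespace logging --key="tls.key" --cert="tls.crt"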