@miclip
Last active December 4, 2019 10:16

Protect Service on PKS with UAA

Protect a service on PKS with UAA, using oauth2-proxy as the authentication front end. This assumes you have already deployed the nginx ingress controller. The example below protects a Kibana service; swap in your own host and service names.

Create the UAA client. The redirect URI must match the one oauth2-proxy sends (the `redirect-url` passed to helm below), including the `https://` scheme:

```sh
uaac client add --name kibana --scope "openid,email,profile" \
  --authorized_grant_types authorization_code --authorities uaa.resources \
  --redirect-uri https://kibana.haas-445.pez.pivotal.io/oauth2/callback --secret the-secret
```

Deploy oauth2-proxy using helm:

```sh
helm install --name authproxy --namespace=logging --set config.clientID=kibana \
  --set config.clientSecret="the-secret" --set config.cookieSecret="ZUN5NXlsUnFMMWhMQ1RRaTJBN1hXdz09" \
  --set extraArgs.provider=oidc --set extraArgs.email-domain="*" \
  --set extraArgs.redirect-url=https://kibana.haas-445.pez.pivotal.io/oauth2/callback \
  --set extraArgs.oidc-issuer-url=https://api.pks.haas-445.pez.pivotal.io:8443/oauth/token \
  --set extraArgs.ssl-insecure-skip-verify=true stable/oauth2-proxy
```

Note: oauth2-proxy needs a cookie secret of 16, 24 or 32 bytes. Base64-encoding 16 random bytes twice yields a 32-character string, which is what the command below produces (the `.decode()` keeps Python 3 from printing the `b'...'` bytes prefix):

```sh
python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))).decode())'
```

Note: `ssl-insecure-skip-verify=true` turns off TLS certificate verification between oauth2-proxy and UAA. It is fine for a lab that uses the PKS self-signed certificate, but the better option is to mount the UAA CA into the proxy container and drop the flag.

Create two Ingress objects as below: one for the service itself (with the nginx external-auth annotations pointing at oauth2-proxy) and one that routes `/oauth2` on the same host to the proxy.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana-test
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
  rules:
  - host: kibana.haas-445.pez.pivotal.io
    http:
      paths:
      - backend:
          serviceName: kibana-michaels-cluster
          servicePort: 80
        path: /
  tls:
  - hosts:
    - kibana.haas-445.pez.pivotal.io
    secretName: kibana-tls
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: authproxy-oauth2-proxy
  namespace: logging
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
spec:
  rules:
  - host: kibana.haas-445.pez.pivotal.io
    http:
      paths:
      - backend:
          serviceName: authproxy-oauth2-proxy
          servicePort: 80
        path: /oauth2
  tls:
  - hosts:
    - kibana.haas-445.pez.pivotal.io
    secretName: kibana-tls
```
Create the TLS secret both Ingress objects reference (a self-signed certificate here). Secrets are namespace-scoped, so `kibana-tls` has to exist in the namespace of each Ingress; run the `kubectl create secret` command with `-n logging` as well if the first Ingress lives in a different namespace.

```sh
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=kibana.haas-445.pez.pivotal.io"
kubectl create secret tls kibana-tls --key="tls.key" --cert="tls.crt"
```
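The two Ingress objects only protect the service if they agree with each other: the `auth-url` path must be routed to the proxy on the same host, `auth-signin` must be present (otherwise nginx returns a bare 401 instead of starting the login flow), the host needs a TLS entry because the annotations redirect to `https://$host`, and the TLS secret must exist in every namespace that has an Ingress referencing it. The following checker is an added example, not part of the gist; it encodes the two manifests above as plain dicts (constructed sample input, not read from a cluster) and flags the mistakes that most often leave the service unprotected or the login loop broken.

```python
"""Added example: consistency checks for an oauth2-proxy / nginx-ingress pairing.
Not code from the gist; the manifests below are constructed from it as dicts."""
from typing import Dict, List, Set, Tuple

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"
HOST = "kibana.haas-445.pez.pivotal.io"  # host used in the gist

# Constructed sample: the protected Ingress. It has no namespace in the gist,
# so it lands in "default" while the proxy Ingress lives in "logging".
PROTECTED = {
    "metadata": {
        "name": "kibana-test",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            AUTH_URL: "https://$host/oauth2/auth",
            AUTH_SIGNIN: "https://$host/oauth2/start?rd=$request_uri",
        },
    },
    "spec": {
        "rules": [{"host": HOST, "http": {"paths": [
            {"path": "/", "backend": {"serviceName": "kibana-michaels-cluster", "servicePort": 80}}]}}],
        "tls": [{"hosts": [HOST], "secretName": "kibana-tls"}],
    },
}
# Constructed sample: the Ingress that routes /oauth2 to the proxy.
PROXY = {
    "metadata": {"name": "authproxy-oauth2-proxy", "namespace": "logging",
                 "annotations": {"kubernetes.io/ingress.class": "nginx"}},
    "spec": {
        "rules": [{"host": HOST, "http": {"paths": [
            {"path": "/oauth2", "backend": {"serviceName": "authproxy-oauth2-proxy", "servicePort": 80}}]}}],
        "tls": [{"hosts": [HOST], "secretName": "kibana-tls"}],
    },
}


def _paths_for(ing: Dict, host: str) -> List[str]:
    """Paths an Ingress routes for the given host."""
    return [p["path"] for r in ing["spec"]["rules"] if r["host"] == host
            for p in r["http"]["paths"]]


def check_pairing(ingresses: List[Dict]) -> List[str]:
    """Return a list of problems; an empty list means the pairing looks consistent."""
    problems = []
    for ing in ingresses:
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        if AUTH_URL not in ann:
            continue  # not a protected Ingress
        # Without auth-signin, nginx answers 401 instead of redirecting to the login flow.
        if AUTH_SIGNIN not in ann:
            problems.append(f"{name}: {AUTH_URL} set but {AUTH_SIGNIN} missing")
        # The auth subrequest path (/oauth2/auth here) must be routed on the same host by
        # another Ingress; otherwise the subrequest hits the protected backend itself.
        auth_path = ann[AUTH_URL].replace("https://$host", "")
        tls_hosts = [h for t in ing["spec"].get("tls", []) for h in t["hosts"]]
        for rule in ing["spec"]["rules"]:
            host = rule["host"]
            routed = any(
                any(auth_path.startswith(p) for p in _paths_for(other, host))
                for other in ingresses if other is not ing)
            if not routed:
                problems.append(f"{name}: nothing routes {auth_path} for host {host}")
            # The annotations redirect to https://$host, so the host needs TLS.
            if host not in tls_hosts:
                problems.append(f"{name}: host {host} has no TLS entry")
    return problems


def tls_secrets_needed(ingresses: List[Dict]) -> Set[Tuple[str, str]]:
    """(namespace, secretName) pairs that must exist. Secrets are namespace-scoped, so a
    secret name shared by Ingresses in two namespaces means two Secret objects."""
    return {(ing["metadata"].get("namespace", "default"), t["secretName"])
            for ing in ingresses for t in ing["spec"].get("tls", [])}


if __name__ == "__main__":
    print(check_pairing([PROTECTED, PROXY]))          # [] for the gist's pair
    print(sorted(tls_secrets_needed([PROTECTED, PROXY])))
```

Running it against the gist's pair reports no problems but two required secrets, `(default, kibana-tls)` and `(logging, kibana-tls)`; dropping the proxy Ingress from the list reports that nothing routes `/oauth2/auth`, which is exactly the case where nginx's auth subrequest would reach the backend instead of the proxy.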