NimTechnology

Explaining CLOUD technologies in an easy-to-understand way.


[Oauth2-Proxy] Protect any of your websites on Kubernetes by Oauth2-Proxy

Posted on December 18, 2022 (updated January 8, 2023) by nim

Contents

  • 1) Oauth2-proxy integrates with Cognito
    • 1.1) Configure Cognito on AWS
    • 1.2) Install Oauth2-Proxy
      • 1.2.1) Look into the workflow.
      • 1.2.2) Install Oauth2-Proxy
        • 1.2.2.1) the value has secrets.
        • 1.2.2.2) the value doesn’t have secrets.
    • 1.3) Create an ingress for your application.
  • 2) Oauth2-proxy integrates with GitLab
  • 3) Oauth2-proxy integrates with Google
  • Resolve Errors.
    • 403 – Forbidden – Login Failed: The upstream identity provider returned an error: invalid_request
  • Error redeeming code during OAuth2 callback: missing email

1) Oauth2-proxy integrates with Cognito

1.1) Configure Cognito on AWS

We create the Cognito user pool on the old UI, since I am not yet familiar with the new UI.
Let's create it now.

After creating it, you need to adjust a few things.

1.2) Install Oauth2-Proxy

1.2.1) Look into the workflow.

First we need to understand how it works.
I have a web page, Hubble:

By default this page has no authentication.
If you expose it publicly, you still want only people in the company to be able to access it.

First, the user accesses Hubble.
If they are not logged in yet, they are sent to log in with Cognito.
Once the login succeeds, they are granted access to Hubble.

1.2.2) Install Oauth2-Proxy

Helm repo:
https://oauth2-proxy.github.io/manifests

1.2.2.1) the value has secrets.

Value:

config:
  clientID: "5mkgl65ndu0quf24dbXXXX6"
  clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
  cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
extraArgs:
  oidc-issuer-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj"
  oidc-jwks-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
ingress:
  enabled: true
  hosts: [hubble.nimtechnology.com]
  path: /oauth2
  annotations:
    # If Using cert-manager + letsencrypt
    #cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - hubble.nimtechnology.com
      secretName: tls-hubble-ingress

1.2.2.2) the value doesn’t have secrets.

With the approach above you will certainly notice that it cannot be managed with GitOps,
because you cannot push secrets to GitHub.

First you need to create a secret:

apiVersion: v1
data:
  client-id: ++++++++
  client-secret: ++++++++
  cookie-secret: ++++++++
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
type: Opaque
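This Secret is what `existingSecret: "oauth2-proxy"` and the `secretKeyRef` entries in the values file read from, and its `cookie-secret` is the same value that `cookieSecret` held in the values file with secrets. As an added example (not from the original post or the oauth2-proxy project), the POSIX shell functions below generate a cookie secret of a length oauth2-proxy accepts (16, 24 or 32 bytes, raw or URL-safe base64), check a candidate value, and render this Secret with its `data:` fields base64-encoded so the plaintext never has to be committed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh plus the
# coreutils head, base64, tr and wc. Function names are my own.

# oauth2-proxy builds its AES cookie cipher from a secret of exactly
# 16, 24 or 32 bytes, given raw or as URL-safe base64. Emit 32 random
# bytes as URL-safe base64 (44 characters), the form the project docs use.
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n' | tr -- '+/' '-_'
}

# Print "ok" if the value is usable as OAUTH2_PROXY_COOKIE_SECRET:
# either it base64-decodes to 16/24/32 bytes, or it is that long raw.
check_cookie_secret() {
  decoded=$(printf '%s' "$1" | tr -- '-_' '+/' | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  raw=$(printf '%s' "$1" | wc -c | tr -d ' ')
  for n in "$decoded" "$raw"; do
    case "$n" in 16|24|32) echo ok; return 0 ;; esac
  done
  echo bad
}

# Render the Secret shown above. Kubernetes `data:` values must be base64,
# so the cookie secret is base64-encoded a second time here; oauth2-proxy
# receives the first (URL-safe) form once the kubelet decodes the Secret.
render_secret_manifest() {
  b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
type: Opaque
data:
  client-id: $(b64 "$1")
  client-secret: $(b64 "$2")
  cookie-secret: $(b64 "$3")
EOF
}

# Typical use (client id/secret come from the Cognito app client):
# render_secret_manifest "$CLIENT_ID" "$CLIENT_SECRET" "$(gen_cookie_secret)" | kubectl apply -f -
```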

And finally our values are as follows:

config:
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
  existingSecret: "oauth2-proxy"
extraEnv:
  - name: OAUTH2_PROXY_CLIENT_ID
    valueFrom:
      secretKeyRef:
        key: client-id
        name: oauth2-proxy
  - name: OAUTH2_PROXY_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        key: client-secret
        name: oauth2-proxy
  - name: OAUTH2_PROXY_COOKIE_SECRET
    valueFrom:
      secretKeyRef:
        key: cookie-secret
        name: oauth2-proxy
extraArgs:
  oidc-issuer-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q"
  oidc-jwks-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
  insecure-oidc-allow-unverified-email: true
ingress:
  enabled: true
  hosts:
    - cost-analyzer-uat.nimtechnology.com
  path: /oauth2
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - cost-analyzer-uat.nimtechnology.com
      secretName: tls-oauth2-proxy-ingress

https://github.com/oauth2-proxy/oauth2-proxy/issues/1355
https://gist.github.com/randomk/9e8a1145820428f201ab277caf397790
https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml

After the installation you will have a result like this.

1.3) Create an ingress for your application.

Now we create an ingress for the application.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/issuer: hubble
    cert-manager.io/issuer-kind: Issuer
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Origin "";
      proxy_hide_header l5d-remote-ip;
      proxy_hide_header l5d-server-id;
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    #nginx.ingress.kubernetes.io/upstream-vhost: $service_name.$namespace.svc.cluster.local:80
  name: ingress-hubble
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
  - host: hubble.nimtechnology.com
    http:
      paths:
      - backend:
          service:
            name: hubble-ui
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - hubble.nimtechnology.com
    secretName: tls-hubble-ingress

Now when you access Hubble, it automatically asks you to log in:

2) Oauth2-proxy integrates with GitLab

https://oak-tree.tech/blog/k8s-nginx-oauth2-gitlab

3) Oauth2-proxy integrates with Google

To create and obtain the …, you can refer to the article below.

[kiali] Config authentication on Kiali.

After you have created it, we just need to get the credentials:
https://console.cloud.google.com/apis/credentials

config:
  clientID: "5mkgl65ndu0quf24dbXXXX6"
  clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
  cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
extraArgs:
  redirect-url: https://vscode.nimtechnology.com/oauth2/callback
  provider: google
  provider-display-name: "Nimtechnology SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
ingress:
  enabled: true
  hosts: [vscode.nimtechnology.com]
  path: /oauth2
  annotations:
    # If Using cert-manager + letsencrypt
    #cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - hubble.nimtechnology.com
      secretName: tls-hubble-ingress

Resolve Errors.

403 – Forbidden – Login Failed: The upstream identity provider returned an error: invalid_request

When logging in, the following error appears:

Login Failed: The upstream identity provider returned an error: invalid_request

The problem here is the scope.

Currently in the values I have set the following:

scope: opened

With the configuration above, we only allow: openid, email, profile.

You have to change the scope to openid.

Error redeeming code during OAuth2 callback: missing email

Copyright © 2023 NimTechnology.