1) oauth2-proxy integration with Cognito
1.1) Configure Cognito on AWS

After creating the user pool and app client you need to adjust a few things. In particular, the app client's allowed callback URL must be oauth2-proxy's callback, https://<your host>/oauth2/callback, and you will need the app client's client ID and client secret for the values below.


1.2) Install Oauth2-Proxy
1.2.1) Look into the workflow.
First we need to understand how it works.
I have a Hubble web UI:

If you expose it publicly, you still want only people in the company to be able to reach it.

First, the user opens Hubble.
If they are not logged in yet, they are sent to log in with Cognito.
Once the login succeeds, they are allowed to access Hubble.

Concretely, oauth2-proxy does not sit in front of Hubble as a reverse proxy here; it only answers the NGINX ingress controller's auth_request subrequest. For every request the ingress calls /oauth2/auth: oauth2-proxy returns 202 if the request carries a valid session cookie and 401 otherwise. On 401, NGINX redirects the browser to /oauth2/start, which sends it to the Cognito hosted UI; after Cognito redirects back to /oauth2/callback, oauth2-proxy validates the ID token against the user pool's JWKS, sets the session cookie and sends the browser back to the URL it originally asked for. That is why upstreams is set to file:///dev/null in the values below, and why the application's own Ingress needs the auth-url and auth-signin annotations.
1.2.2) Install Oauth2-Proxy
Helm repo: https://oauth2-proxy.github.io/manifests
1.2.2.1) Values with the secrets inline.
values.yaml:
config:
  clientID: "5mkgl65ndu0quf24dbXXXX6"
  clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
  cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
extraArgs:
  oidc-issuer-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj"
  oidc-jwks-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
ingress:
  enabled: true
  hosts: [hubble.nimtechnology.com]
  path: /oauth2
  annotations:
    # If Using cert-manager + letsencrypt
    #cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - hubble.nimtechnology.com
      secretName: tls-hubble-ingress
Two things to watch in this file. cookie-secure: false turns off the Secure flag on the session cookie even though the ingress terminates TLS; set it to true so the cookie is never sent over plain HTTP. email_domains = ["*"] is acceptable with Cognito because only users that exist in the pool can authenticate at all; with a public identity provider the same setting would admit anyone. The kubernetes.io/ingress.class annotation and ingressClassName say the same thing; the annotation is the deprecated form.
1.2.2.2) Values without the secrets (GitOps-friendly).
With the approach above you will quickly notice that you cannot do GitOps with it,
because the secrets cannot be pushed to GitHub.
First create the Secret out of band (kubectl from a workstation, or a secrets operator), not from the Git repository. The data: values are base64-encoded; the ++++++++ are placeholders:
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
type: Opaque
data:
  client-id: ++++++++
  client-secret: ++++++++
  cookie-secret: ++++++++
and finally our values look like this (this deployment protects a different host, cost-analyzer-uat.nimtechnology.com, with a user pool in us-west-2):
config:
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
  existingSecret: "oauth2-proxy"
extraEnv:
  - name: OAUTH2_PROXY_CLIENT_ID
    valueFrom:
      secretKeyRef:
        key: client-id
        name: oauth2-proxy
  - name: OAUTH2_PROXY_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        key: client-secret
        name: oauth2-proxy
  - name: OAUTH2_PROXY_COOKIE_SECRET
    valueFrom:
      secretKeyRef:
        key: cookie-secret
        name: oauth2-proxy
extraArgs:
  oidc-issuer-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q"
  oidc-jwks-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
  insecure-oidc-allow-unverified-email: true
ingress:
  enabled: true
  hosts:
    - cost-analyzer-uat.nimtechnology.com
  path: /oauth2
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - cost-analyzer-uat.nimtechnology.com
      secretName: tls-oauth2-proxy-ingress
Notes on this file. config.existingSecret makes the chart read client-id, client-secret and cookie-secret from the Secret above and wire them into the OAUTH2_PROXY_* environment variables itself, so the extraEnv entries duplicate that mapping; they do no harm, but existingSecret alone is enough. insecure-oidc-allow-unverified-email: true makes oauth2-proxy accept an ID token whose email_verified claim is false, which Cognito emits for users whose email address was never verified (typically admin-created users); the safer fix is to mark the email attribute as verified in the pool and drop this flag. cookie-secure: false should be true for the same reason as above.
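The cookie secret and the base64 data: values are the two places people get this Secret wrong. What follows is an added example, not code from the original post or from the oauth2-proxy project: it generates a cookie secret of a length oauth2-proxy accepts, checks a given value the same way oauth2-proxy does, and renders the Secret manifest that config.existingSecret points at. The secret name, namespace and key names are the ones from the manifest above; the client ID and secret used under __main__ are constructed placeholders.

```python
"""Added example; it is not code from the original post or from the oauth2-proxy
project. It generates a cookie secret that oauth2-proxy accepts and renders the
Secret referenced above via existingSecret, with the base64 `data:` values the
++++++++ placeholders stand for. Secret name, namespace and key names are taken
from the manifest above; the client ID/secret used in __main__ are constructed
placeholders."""
import base64
import binascii
import secrets

# oauth2-proxy uses the cookie secret as an AES key, so it must be 16, 24 or
# 32 bytes. Like oauth2-proxy, we accept either a URL-safe base64 encoding of
# such a key or the raw string itself.
VALID_LENGTHS = (16, 24, 32)


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Return `nbytes` of CSPRNG output as padded URL-safe base64."""
    if nbytes not in VALID_LENGTHS:
        raise ValueError(f"cookie secret must be one of {VALID_LENGTHS} bytes long")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def cookie_secret_bytes(value: str) -> bytes:
    """Mirror oauth2-proxy's rule: if the value is URL-safe base64 of an
    AES-length key use the decoded bytes, otherwise treat the raw string as
    the key (which is then usually the wrong length)."""
    padded = value + "=" * (-len(value) % 4)
    try:
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if len(decoded) in VALID_LENGTHS:
        return decoded
    return value.encode("utf-8")


def validate_cookie_secret(value: str) -> bool:
    """True if oauth2-proxy would start with this cookie secret."""
    return len(cookie_secret_bytes(value)) in VALID_LENGTHS


def _b64(value: str) -> str:
    # Kubernetes Secret `data:` values are standard (not URL-safe) base64.
    return base64.standard_b64encode(value.encode("utf-8")).decode("ascii")


def render_secret_manifest(client_id: str, client_secret: str, cookie_secret: str,
                           name: str = "oauth2-proxy",
                           namespace: str = "oauth2-proxy") -> str:
    """Render the Secret that config.existingSecret points at."""
    if not validate_cookie_secret(cookie_secret):
        raise ValueError("cookie secret is not 16/24/32 bytes; oauth2-proxy would refuse to start")
    return (
        "apiVersion: v1\n"
        "kind: Secret\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "type: Opaque\n"
        "data:\n"
        f"  client-id: {_b64(client_id)}\n"
        f"  client-secret: {_b64(client_secret)}\n"
        f"  cookie-secret: {_b64(cookie_secret)}\n"
    )


if __name__ == "__main__":
    # Constructed placeholder credentials; use the real app-client values from Cognito.
    manifest = render_secret_manifest("example-client-id", "example-client-secret",
                                      generate_cookie_secret())
    print(manifest)  # pipe into `kubectl apply -f -`; never commit this output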
https://github.com/oauth2-proxy/oauth2-proxy/issues/1355
https://gist.github.com/randomk/9e8a1145820428f201ab277caf397790
https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml

1.3) Create an ingress for your application.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-hubble
  namespace: kube-system
  annotations:
    cert-manager.io/issuer: hubble
    cert-manager.io/issuer-kind: Issuer
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Origin "";
      proxy_hide_header l5d-remote-ip;
      proxy_hide_header l5d-server-id;
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    #nginx.ingress.kubernetes.io/upstream-vhost: $service_name.$namespace.svc.cluster.local:80
spec:
  ingressClassName: nginx
  rules:
    - host: hubble.nimtechnology.com
      http:
        paths:
          - backend:
              service:
                name: hubble-ui
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - hubble.nimtechnology.com
      secretName: tls-hubble-ingress
The two annotations that matter are auth-url and auth-signin. For every request the NGINX ingress sends a subrequest to auth-url (https://$host/oauth2/auth); a 2xx lets the request through to hubble-ui, anything else (oauth2-proxy answers 401 without a valid session cookie) makes NGINX redirect the browser to auth-signin, with rd=$escaped_request_uri so that oauth2-proxy can send the user back to the page they asked for. Because both URLs use $host, the oauth2-proxy ingress from the values above must serve /oauth2 on the same hostname as the application. As written, the auth-url subrequest leaves the cluster through the public ingress and comes back in; pointing it at the oauth2-proxy Service's in-cluster address instead (http://<service>.<namespace>.svc.cluster.local/oauth2/auth) avoids that round trip. The configuration-snippet annotation (the l5d-* headers are Linkerd's) only works if the controller allows snippet annotations; newer ingress-nginx releases disable them by default (allow-snippet-annotations), so either enable that setting or drop the snippet if the Ingress is rejected. If you copy this object from kubectl get -o yaml, strip the server-managed metadata (managedFields, uid, resourceVersion, status) before applying it.
Now when you open Hubble you are automatically asked to log in:
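Once the Ingress is applied, it is worth checking the flow from 1.2.1 from the outside rather than only in a browser. The script below is an added example, not part of the original post: redirect_target_ok() is the pure check of what the auth-signin annotation above must produce for a given request URI, and probe() performs the two HTTP requests an unauthenticated client would make. The default host is the one from the manifest; the probed path "/" and the 10-second timeout are assumptions.

```python
"""Added example; not part of the original post. A post-deploy check of the
auth_request wiring in the Ingress above, as seen by a client with no session
cookie. redirect_target_ok() is the pure check of what the auth-signin
annotation must produce; probe() does the HTTP requests and only runs from the
command line. The default host is the one in the manifest; the probed path "/"
and the 10 s timeout are assumptions."""
import sys
import urllib.error
import urllib.parse
import urllib.request


def expected_signin_location(host: str, request_uri: str) -> str:
    """What nginx builds from auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    ($escaped_request_uri percent-encodes everything, '/' included)."""
    return f"https://{host}/oauth2/start?rd={urllib.parse.quote(request_uri, safe='')}"


def redirect_target_ok(host: str, location: str, request_uri: str) -> bool:
    """True if Location sends the browser to *our* oauth2-proxy start endpoint over
    https, with rd= carrying the original request URI (and not to another host)."""
    u = urllib.parse.urlsplit(location)
    rd = urllib.parse.parse_qs(u.query).get("rd", [])
    return (u.scheme == "https" and u.netloc == host
            and u.path == "/oauth2/start" and rd == [request_uri])


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError with its headers


def _get(url: str):
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=10) as resp:
            return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


def probe(host: str, path: str = "/") -> list:
    """Return (check, passed, detail) triples for an unauthenticated client."""
    results = []
    # 1. The auth-url subrequest target must answer 401 without a session
    #    cookie; that is what makes nginx fall through to auth-signin.
    code, _ = _get(f"https://{host}/oauth2/auth")
    results.append(("GET /oauth2/auth without cookie -> 401", code == 401, f"got {code}"))
    # 2. The protected path must redirect (302) to oauth2-proxy's start
    #    endpoint on the same host, with rd= preserving the original URI.
    code, headers = _get(f"https://{host}{path}")
    location = headers.get("Location", "")
    ok = code == 302 and redirect_target_ok(host, location, path)
    results.append((f"GET {path} -> 302 to {expected_signin_location(host, path)}", ok,
                    f"got {code} {location!r}"))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "hubble.nimtechnology.com"
    for check, passed, detail in probe(target):
        print("PASS" if passed else "FAIL", check, "" if passed else f"({detail})")
```

Run it as python3 check_auth.py hubble.nimtechnology.com after the Ingress is live. A FAIL on the first check usually means the oauth2-proxy ingress is not serving /oauth2 on that host; a FAIL on the second with a 200 means the auth-url annotation is not being applied (for example because the controller rejected the Ingress over the snippet annotation).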

2) oauth2-proxy integration with GitLab
https://oak-tree.tech/blog/k8s-nginx-oauth2-gitlab
3) oauth2-proxy integration with Google
To create and obtain the … you can refer to the article below.
Once you have created it, we just grab the credentials:
https://console.cloud.google.com/apis/credentials
config:
  clientID: "5mkgl65ndu0quf24dbXXXX6"
  clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
  cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]
extraArgs:
  redirect-url: https://vscode.nimtechnology.com/oauth2/callback
  provider: google
  provider-display-name: "Nimtechnology SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
ingress:
  enabled: true
  hosts: [vscode.nimtechnology.com]
  path: /oauth2
  annotations:
    # If Using cert-manager + letsencrypt
    #cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    kubernetes.io/ingress.class: "nginx"
  ingressClassName: nginx
  tls:
    - hosts:
        - hubble.nimtechnology.com
      secretName: tls-hubble-ingress
Three things to check before applying this. The clientID and clientSecret shown are the same placeholders as in the Cognito example; use the OAuth 2.0 client ID and secret from the console page above, and register redirect-url there as an authorised redirect URI. With provider: google, email_domains = ["*"] lets anyone with a Google account sign in, which defeats the purpose of putting the proxy in front of an internal tool; restrict it to your company's Workspace domain. The tls block was copied from the Hubble example: the hosts entry (and the certificate in the referenced secret) must match vscode.nimtechnology.com, the host this ingress actually serves.
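The email checks in both Cognito values files (email_domains = ["*"] and, in the GitOps variant, insecure-oidc-allow-unverified-email) and in the Google configuration above all come down to two decisions oauth2-proxy makes about the identity the provider hands back. The following is an added example, not code from the original post or from the oauth2-proxy project: a small re-implementation of those two checks, run over constructed ID tokens, so you can see exactly what each setting admits. The tokens carry dummy signatures; real oauth2-proxy verifies the JWS signature against oidc-jwks-url before reading any claim, and nothing here replaces that. The user names are made up, and nimtechnology.com is used as the company domain because it is the domain of the hosts in this post.

```python
"""Added example (not from the original post or the oauth2-proxy project): the
two identity checks oauth2-proxy applies after the provider redirects back,
re-implemented so the effect of email_domains and
insecure-oidc-allow-unverified-email can be seen on constructed tokens.
Signature verification is deliberately absent: oauth2-proxy checks the JWS
signature against oidc-jwks-url first, and nothing below replaces that."""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(id_token: str) -> dict:
    """Payload of a compact JWS, read WITHOUT verifying it (policy step only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def email_allowed(email: str, email_domains) -> bool:
    """email_domains rule: '*' admits every address; otherwise the address must
    end in '@<domain>' for one of the listed domains (case-insensitive)."""
    email = email.lower()
    for domain in email_domains:
        if domain == "*" or email.endswith("@" + domain.lower()):
            return True
    return False


def authorize(claims: dict, email_domains, allow_unverified_email: bool = False):
    """Decide like oauth2-proxy: returns (allowed, reason). Only an explicit
    email_verified: false is rejected; a token without the claim passes."""
    email = claims.get("email")
    if not email:
        return False, "no email claim in the ID token"
    if not allow_unverified_email and claims.get("email_verified") is False:
        return False, f"email {email} is not verified"
    if not email_allowed(email, email_domains):
        return False, f"{email} is not in email_domains {list(email_domains)}"
    return True, "ok"


def make_unsigned_token(claims: dict) -> str:
    """Constructed test input: a JWT-shaped string with a dummy signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "dummy"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.not-a-signature"


# Constructed sample ID tokens (made-up users).
COMPANY_VERIFIED = make_unsigned_token(
    {"sub": "u1", "email": "alice@nimtechnology.com", "email_verified": True})
COMPANY_UNVERIFIED = make_unsigned_token(  # what Cognito emits for an admin-created user
    {"sub": "u2", "email": "bob@nimtechnology.com", "email_verified": False})
OUTSIDER = make_unsigned_token(
    {"sub": "u3", "email": "mallory@gmail.com", "email_verified": True})

if __name__ == "__main__":
    for label, token in (("company/verified", COMPANY_VERIFIED),
                         ("company/unverified", COMPANY_UNVERIFIED),
                         ("outsider", OUTSIDER)):
        claims = decode_claims(token)
        print(label, "email_domains=['*']        ->", authorize(claims, ["*"]))
        print(label, "email_domains=[company]    ->", authorize(claims, ["nimtechnology.com"]))
        print(label, "company + allow unverified ->",
              authorize(claims, ["nimtechnology.com"], allow_unverified_email=True))
```

The "outsider" row with email_domains=['*'] comes out allowed: that is the Google configuration above as written. The "company/unverified" row shows what insecure-oidc-allow-unverified-email: true changes, and why it is better fixed on the Cognito side by verifying the attribute.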
Resolving errors
403 – Forbidden – Login Failed: The upstream identity provider returned an error: invalid_request

When logging in, the following error appears:
Login Failed: The upstream identity provider returned an error: invalid_request
The problem is in the scope. The value I had set was:

scope: opened

Change the scope to openid; "opened" is not a valid OIDC scope, so the identity provider rejects the authorization request.