Contents
1) Oauth2-proxy integrates with Cognito
1.1) Configure Cognitor on AWS
Sau khi tạo xong thì bạn cần chỉnh 1 số thứ.
1.2) Install Oauth2-Proxy
1.2.1) Look into the workflow.
Đầu tiền chúng ta cần hiểu cách thức hoạt động.
Mình có 1 trang web hubble:
Nếu bạn public ra thì bạn cũng muốn là chỉ có người trong company có thể truy cập vào.
Đầu tiên, người dùng sẽ access vào hubble.
Nếu chưa login thì bạn sẽ thực hiện login with cognito.
KHi đã login thành công thì bạn được quền access Hubble.
1.2.2) Install Oauth2-Proxy
Helm repo:https://oauth2-proxy.github.io/manifests
1.2.2.1) the value has secrets.
Value:
config:
clientID: "5mkgl65ndu0quf24dbXXXX6"
clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
configFile: |-
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
extraArgs:
oidc-issuer-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj"
oidc-jwks-url: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_kCJ8VXXXj/.well-known/jwks.json"
provider: oidc
provider-display-name: "Cognito SSO"
cookie-secure: false
cookie-name: "_oauth2_proxy"
skip-provider-button: true
scope: openid
ingress:
enabled: true
hosts: [hubble.nimtechnology.com]
path: /oauth2
annotations:
# If Using cert-manager + letsencrypt
#cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
kubernetes.io/ingress.class: "nginx"
ingressClassName: nginx
tls:
- hosts:
- hubble.nimtechnology.com
secretName: tls-hubble-ingress
1.2.2.2) the value doesn’t have secrets.
với cách trên chắc chắn bạn sẽ thấy là sẽ không thể gitops được
Vì không thể đẩy secret lên github
Đầu tiên bạn cần tạo secret:
apiVersion: v1 data: client-id: ++++++++ client-secret: ++++++++ cookie-secret: ++++++++ kind: Secret metadata: name: oauth2-proxy namespace: oauth2-proxy type: Opaque
và cuối cùng là value của chúng ta như sau:
config:
configFile: |-
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
existingSecret: "oauth2-proxy"
extraEnv:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: oauth2-proxy
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client-secret
name: oauth2-proxy
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
key: cookie-secret
name: oauth2-proxy
extraArgs:
oidc-issuer-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q"
oidc-jwks-url: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rjg57f68Q/.well-known/jwks.json"
provider: oidc
provider-display-name: "Cognito SSO"
cookie-secure: false
cookie-name: "_oauth2_proxy"
skip-provider-button: true
scope: openid
insecure-oidc-allow-unverified-email: true
ingress:
enabled: true
hosts:
- cost-analyzer-uat.nimtechnology.com
path: /oauth2
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
kubernetes.io/ingress.class: "nginx"
ingressClassName: nginx
tls:
- hosts:
- cost-analyzer-uat.nimtechnology.com
secretName: tls-oauth2-proxy-ingress
https://github.com/oauth2-proxy/oauth2-proxy/issues/1355
https://gist.github.com/randomk/9e8a1145820428f201ab277caf397790
https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/values.yaml
1.3) Create an ingress for your application.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/issuer: hubble
cert-manager.io/issuer-kind: Issuer
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header Origin "";
proxy_hide_header l5d-remote-ip;
proxy_hide_header l5d-server-id;
nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
nginx.ingress.kubernetes.io/proxy-buffering: "on"
#nginx.ingress.kubernetes.io/upstream-vhost: $service_name.$namespace.svc.cluster.local:80
managedFields:
name: ingress-hubble
namespace: kube-system
spec:
ingressClassName: nginx
rules:
- host: hubble.nimtechnology.com
http:
paths:
- backend:
service:
name: hubble-ui
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- hubble.nimtechnology.com
secretName: tls-hubble-ingress
Giờ bạn truy cập hubble thì sẽ tự động yêu cầu đăng nhập:
2) Oauth2-proxy integrate with gitlab
https://oak-tree.tech/blog/k8s-nginx-oauth2-gitlab
3) Oauth2-proxy integrate with Google
Để tạo lấy được …. bạn có thể tham khảo bài biết bên dưới.
sau khi bạn đã tạo xong rồi thì chúng ta lấy credential thôi
https://console.cloud.google.com/apis/credentials
config:
clientID: "5mkgl65ndu0quf24dbXXXX6"
clientSecret: "2e4rpq73v10ju4e201t0i7iln06k41u1qqeqdmeXXXXXX"
cookieSecret: "aXVybTZsUUtEbS9KSlk0Y1plMXYvU09RYXXXXXX"
configFile: |-
email_domains = [ "*" ]
upstreams = [ "file:///dev/null" ]
extraArgs:
redirect-url: https://vscode.nimtechnology.com/oauth2/callback
provider: google
provider-display-name: "Nimtechnology SSO"
cookie-secure: false
cookie-name: "_oauth2_proxy"
skip-provider-button: true
scope: openid
ingress:
enabled: true
hosts: [vscode.nimtechnology.com]
path: /oauth2
annotations:
# If Using cert-manager + letsencrypt
#cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
kubernetes.io/ingress.class: "nginx"
ingressClassName: nginx
tls:
- hosts:
- hubble.nimtechnology.com
secretName: tls-hubble-ingress
Resolve Error.
403 – Forbidden – Login Failed: The upstream identity provider returned an error: invalid_request
Khi login thì xuất hiện lỗi sau:
Login Failed: The upstream identity provider returned an error: invalid_requestChỗ này bị lỗi chỗ scope
Hiện tại trong value mình set là như sau:
scope: opened
Bạn phải change scope thành openid
