Deploying the oauth2_proxy side car

We are going to implement oauth2_proxy from bitly (https://github.com/bitly/oauth2_proxy), following the steps given in the Azure AD documentation (https://docs.microsoft.com/en-us/azure/active-directory/).

First, register an app with Azure AD as shown in the following screenshot:

Next, create a client ID secret by performing the following steps:

  1. Select Certificates & secrets and go to New client secret:

  2. Add the secret:

  3. Click on the Copy icon and save the secret in a safe place:

  4. Save the client ID and the tenant ID:

After creating the client secret, we launch oauth2_proxy with the following YAML file:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oauth2-proxy
  # A Service can only select pods in its own namespace, so the Deployment must
  # live in the same namespace (default) as the oauth2-proxy Service and the
  # auth-url annotation used later.
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=azure
        - --email-domain=microsoft.com
        - --upstream=http://10.0.83.95:80
        - --http-address=0.0.0.0:4180
        - --azure-tenant=d3dc3a5f-de30-4781-8752-7814fd5d0a5e
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: 9f640227-965c-43ac-bf8d-8bc5eac86ea1
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: "wu:q{%.}+^&X(K;_!K|0:1+k(v^.E%^]%w)7;);*NL9$;>!l()_"
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: 9ju360pxM2nVQdQqQZ4Dtg==
        image: docker.io/colemickens/oauth2_proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP

Next, oauth2_proxy needs to be exposed as a Service so that the ingress can talk to it. Apply the following manifest:

apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: default
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app: oauth2-proxy

Create an ingress so that any request to handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com/oauth2 is routed to the oauth2-proxy service.

The same letsencrypt certificate is used here:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - handsonaks-ingress.westus2.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: handsonaks-ingress.westus2.cloudapp.azure.com
    http:
      paths:
      - path: /oauth2
        backend:
          serviceName: oauth2-proxy
          servicePort: 4180

Finally, we link the oauth2 proxy to the frontend service by creating an ingress whose annotations configure nginx to check authentication using the paths in auth-url and auth-signin. If the check succeeds, the traffic is forwarded to the backend service (in our case, the frontend service).

The following code performs the redirection once authentication is successful:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-oauth2-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.default.svc.cluster.local:4180/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "http://handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com/oauth2/start"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com
    http:
      paths:
      - path: /
        backend:
          serviceName: frontend
          servicePort: 80

We are done with the configuration. You can now log in with your existing Microsoft account to the service at https://handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com/.
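The manifests above keep the client secret and cookie secret as plain values inside the Deployment, which means they end up in every copy of the YAML file and in the Deployment object itself, and they leave the frontend reachable over plain HTTP. The following is an added example, not one of the book's files, that rewrites the Deployment and the frontend ingress in a hardened form: credentials come from a Kubernetes Secret (the name oauth2-proxy-secrets and the key names are assumed), the upstream is assumed to be a Service called frontend in the default namespace, the tenant and client values are placeholders to be replaced with the ones saved earlier, and the extra flags (--redirect-url, --cookie-secure, --cookie-expire, --set-xauthrequest) are from oauth2_proxy's documented option set. The oauth2-proxy Service and the /oauth2 ingress from above are unchanged and still needed.

```yaml
# Added example, not the book's manifests. Placeholders in <...> must be replaced.
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy-secrets        # assumed name
  namespace: default
type: Opaque
stringData:
  client-id: "<azure-app-client-id>"
  client-secret: "<azure-app-client-secret>"
  # Random value that decodes to 16, 24 or 32 bytes (the AES key sizes oauth2_proxy
  # accepts when it encrypts cookie contents); e.g. openssl rand -base64 32
  cookie-secret: "<base64-of-32-random-bytes>"
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: default                # must match the Service and the auth-url host
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: docker.io/colemickens/oauth2_proxy:latest
        imagePullPolicy: Always
        args:
        - --provider=azure
        - --azure-tenant=<tenant-id>
        - --email-domain=microsoft.com                     # only accounts in this domain may log in
        - --upstream=http://frontend.default.svc.cluster.local:80   # assumed Service name
        - --http-address=0.0.0.0:4180
        # Exact callback URL registered in Azure AD, so the provider only ever
        # redirects the authorization code back to this host.
        - --redirect-url=https://handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com/oauth2/callback
        - --cookie-secure=true                             # session cookie is sent over HTTPS only
        - --cookie-expire=8h                               # default is 168h
        - --set-xauthrequest                               # expose X-Auth-Request-* headers to nginx
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef: {name: oauth2-proxy-secrets, key: client-id}
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef: {name: oauth2-proxy-secrets, key: client-secret}
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef: {name: oauth2-proxy-secrets, key: cookie-secret}
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-oauth2-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"       # force every request onto HTTPS
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.default.svc.cluster.local:4180/oauth2/auth"
    # $host and $escaped_request_uri are ingress-nginx variables: sign-in happens
    # over HTTPS and the user is returned to the page originally requested (rd=).
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Forward the authenticated identity to the frontend instead of only a yes/no.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  tls:
  - hosts:
    - handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com
    secretName: tls-secret
  rules:
  - host: handsonaks-ingress-<yourname>.westus2.cloudapp.azure.com
    http:
      paths:
      - path: /
        backend:
          serviceName: frontend
          servicePort: 80
```

With this layout the Deployment YAML can be committed without any credential in it, rotating the Azure client secret is a change to one Secret object followed by a pod restart, and the nginx auth_request subrequest still works exactly as before: oauth2_proxy answers /oauth2/auth with 202 for a valid session cookie and 401 otherwise, and on 401 nginx redirects the browser to the auth-signin URL.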

oauth2-proxy supports multiple authentication providers, such as GitHub and Google. To switch providers, only the oauth2-proxy Deployment's YAML has to be changed (the --provider argument and the matching credentials). Please see the section at https://github.com/pusher/oauth2_proxy#oauth-provider-configuration.