Authentication
You can use Middleware services, OAuth2 Proxy, and Traefik middlewares to place authentication in front of your web apps.
Developer Configuration
To use this with gateway, you will need to register an app in SIS's Developer App Manager with OIDC as the protocol. Note the OAuth2 Client ID and Secret from the OAuth2 tab of your application configuration.
In the OAuth2 Redirect URIs section of the OAuth2 tab, add a callback of https://<common-name>/oauth2/callback.
In the Attribute Release tab, ensure that targetedMembership and mailPreferredAddress are checked.
In the Targeted Groups tab, add a group prefix to be targeted.
Create a sealed secret
You will need to create a Kubernetes Secret to pass the client id, client secret and cookie secret to the Helm chart.
Follow the directions to create a Sealed Secret, using a key/value pair for client id (from developer config above), client secret (also from developer config) and cookie secret (a value you designate that is 16 or 32 bytes long).
Note: The secret data keys must match those in the requiredSecretKeys list in the example below. See chart as reference.
Deploy the OAuth2 Proxy
For more information, see the official oauth2-proxy Helm charts.
Flux Setup
Template
Below is a Flux template. It will set up a Deployment, Ingress, and Service plus a Certificate via ExtraManifests.
Notes:
- All values within <...> are required and any values within <?...> are optional.
- Do NOT put extraArgs substitutions in quotes. They will become part of the value.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: oauth2-proxy
  namespace: <namespace>
spec:
  url: https://oauth2-proxy.github.io/manifests
  interval: 1h
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: oauth2-proxy
  namespace: <namespace>
spec:
  targetNamespace: <namespace>
  serviceAccountName: flux
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: oauth2-proxy
      chart: oauth2-proxy
      version: <latest which is currently 10.6.0>
  install:
    remediation:
      retries: 4
  upgrade:
    remediation:
      retries: 4
  interval: 1h
  values:
    config:
      existingSecret: <existingSecret>
      requiredSecretKeys:
        - "client-id"
        - "client-secret"
        - "cookie-secret"
    extraArgs:
      - --reverse-proxy=true
      - --upstream=static://202
      - --silence-ping-logging
      - --cookie-domain=<?cookieDomain>
      - --provider=oidc
      - --redirect-url=<redirectUrl>
      - --oidc-issuer-url=<oidcIssuerUrl>
      - --email-domain=*
      - --oidc-email-claim=<oidcEmailClaim>
      - --oidc-groups-claim=<oidcGroupsClaim>
      - --scope=<scope>
      - --whitelist-domain=<whitelistDomain>
      - --footer=Access restricted to authorized personnel only.
      - --pass-authorization-header=true
      - --set-authorization-header=true
      - --set-xauthrequest=true
      - --pass-access-token=true
      - --pass-host-header=true
      - --skip-provider-button=true
      - --skip-jwt-bearer-tokens=true
    extraObjects:
      - apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          labels:
            app: <name>
          name: <name>-certificate
          namespace: <namespace>
        spec:
          commonName: <commonName>
          dnsNames:
            - <commonName>
            - <?alternateName1>
          secretName: <name>-certificate
          issuerRef:
            kind: ClusterIssuer
            name: letsencrypt
    httpScheme: http
    ingress:
      enabled: true
      hosts:
        - <commonName>
        - <?alternateName1>
      path: /
      pathType: Prefix
      tls:
        - hosts:
            - <commonName>
            - <?alternateName1>
          secretName: <name>-certificate
    livenessProbe:
      enabled: true
      initialDelaySeconds: 0
      timeoutSeconds: 1
    nameOverride: <name>
    namespaceOverride: <namespace>
    proxyVarsAsSecrets: true
    readinessProbe:
      enabled: true
      initialDelaySeconds: 0
      timeoutSeconds: 1
      successThreshold: 1
      periodSeconds: 10
    resources:
      limits:
        cpu: 100m
        memory: 300Mi
      requests:
        cpu: 100m
        memory: 300Mi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
    service:
      name: http
      portNumber: 80
      targetPort: http
```
Example
This is a populated version of the template. The name and namespace are literally "example", but otherwise it is an exact working configuration.
```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: oauth2-proxy
  namespace: example
spec:
  url: https://oauth2-proxy.github.io/manifests
  interval: 1h
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: oauth2-proxy
  namespace: example
spec:
  targetNamespace: example
  serviceAccountName: flux
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: oauth2-proxy
      chart: oauth2-proxy
      version: 10.6.0
  install:
    remediation:
      retries: 4
  upgrade:
    remediation:
      retries: 4
  interval: 1h
  values:
    config:
      existingSecret: oauth2-proxy-secret
      requiredSecretKeys:
        - "client-id"
        - "client-secret"
        - "cookie-secret"
    extraArgs:
      - --reverse-proxy=true
      - --upstream=static://202
      - --silence-ping-logging
      - --cookie-domain=example.tenants.dvlp.op.itcp.cloud.vt.edu
      - --provider=oidc
      - --redirect-url=https://oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu/oauth2/callback
      - --oidc-issuer-url=https://gateway.login.vt.edu
      - --email-domain=*
      - --oidc-email-claim=email
      - --oidc-groups-claim=targetedMembership
      - --scope=openid targetedMembership email
      - --whitelist-domain=*.vt.edu
      - --footer=Access restricted to authorized personnel only.
      - --pass-authorization-header=true
      - --set-authorization-header=true
      - --set-xauthrequest=true
      - --pass-access-token=true
      - --pass-host-header=true
      - --skip-provider-button=true
      - --skip-jwt-bearer-tokens=true
    extraObjects:
      - apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          labels:
            app: example
          name: example-certificate
          namespace: example
        spec:
          commonName: "oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu"
          dnsNames:
            - "oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu"
          secretName: example-certificate
          issuerRef:
            kind: ClusterIssuer
            name: letsencrypt
    httpScheme: http
    ingress:
      enabled: true
      hosts:
        - "oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu"
      path: /
      pathType: Prefix
      tls:
        - hosts:
            - "oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu"
          secretName: example-certificate
    livenessProbe:
      enabled: true
      initialDelaySeconds: 0
      timeoutSeconds: 1
    nameOverride: example
    namespaceOverride: example
    proxyVarsAsSecrets: true
    readinessProbe:
      enabled: true
      initialDelaySeconds: 0
      timeoutSeconds: 1
      successThreshold: 1
      periodSeconds: 10
    resources:
      limits:
        cpu: 100m
        memory: 300Mi
      requests:
        cpu: 100m
        memory: 300Mi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      capabilities:
        drop: ["ALL"]
    service:
      name: http
      portNumber: 80
      targetPort: http
```
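As an added example (not code from this page or from the oauth2-proxy project), the Python below checks that the pieces configured in the sealed secret step and the HelmRelease above agree with each other: the redirect URL is the https://<common-name>/oauth2/callback callback registered in the Developer App Manager, the cookie domain covers the proxy host, and the Secret carries exactly the requiredSecretKeys with a cookie secret oauth2-proxy will accept. The host and argument values are the page's example values; SECRET_DATA is constructed.

```python
# Added example, not from the original page: checks that the pieces of the HelmRelease
# above agree. Values copied from the page's example; SECRET_DATA is constructed.
import base64
from urllib.parse import urlparse

AES_KEY_LENGTHS = {16, 24, 32}  # cookie-secret sizes oauth2-proxy accepts
COMMON_NAME = "oauth2-proxy.example.tenants.dvlp.op.itcp.cloud.vt.edu"
REQUIRED_SECRET_KEYS = ["client-id", "client-secret", "cookie-secret"]
SECRET_DATA = {
    "client-id": "example-client-id",
    "client-secret": "example-client-secret",
    "cookie-secret": "0123456789abcdef0123456789abcdef",
}
EXTRA_ARGS = [
    "--cookie-domain=example.tenants.dvlp.op.itcp.cloud.vt.edu",
    "--redirect-url=https://" + COMMON_NAME + "/oauth2/callback",
    "--oidc-issuer-url=https://gateway.login.vt.edu",
]

def parse_extra_args(args):
    """Turn ['--key=value', '--flag'] into {'key': 'value', 'flag': 'true'}."""
    pairs = [arg.lstrip("-").partition("=") for arg in args]
    return {key: value if sep else "true" for key, sep, value in pairs}

def effective_cookie_secret_len(value):
    """oauth2-proxy tries URL-safe base64 first and keeps the decoded bytes only
    if they form an AES key length; otherwise the raw string itself is the key."""
    stripped = value.rstrip("=")
    try:
        decoded = base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))
    except ValueError:  # binascii.Error is a ValueError
        decoded = b""
    return len(decoded) if len(decoded) in AES_KEY_LENGTHS else len(value.encode())

def check_release(common_name, extra_args, secret_data, required_keys):
    """Return a list of problems; an empty list means the pieces agree."""
    args, problems = parse_extra_args(extra_args), []
    r = urlparse(args.get("redirect-url", ""))
    # Must equal the callback registered in the Developer App Manager.
    if (r.scheme, r.hostname, r.path) != ("https", common_name, "/oauth2/callback"):
        problems.append("redirect-url must be https://%s/oauth2/callback" % common_name)
    domain = args.get("cookie-domain")  # must be the proxy host or a parent of it
    if domain and common_name != domain and not common_name.endswith("." + domain):
        problems.append("cookie-domain %s does not cover %s" % (domain, common_name))
    if set(secret_data) != set(required_keys):
        problems.append("secret data keys must match requiredSecretKeys")
    if effective_cookie_secret_len(secret_data.get("cookie-secret", "")) not in AES_KEY_LENGTHS:
        problems.append("cookie-secret must be 16, 24 or 32 bytes")
    return problems
```

A cookie domain that does not cover the proxy host shows up as a login loop rather than an error, which is why it is checked here before the release is applied.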
Use the OAuth2 Proxy
The oauth2-ingress Helm chart will deploy manifests for an ingress, certificate, and supporting Traefik middlewares.