This section shows how to set up the OAuth2 Proxy on GKE to secure a website. The motivation for this is that in many companies and enterprises, serving a site on Kubernetes may be the only option.
Unlike previous examples, the static site is served by its own web server rather than directly through the OAuth2 Proxy. That web server is reachable only from inside the Kubernetes cluster; the proxy is the only component exposed externally and forwards authenticated traffic to it. This is a more general pattern in case you want to host other web applications that are not static sites (like dashboards).
👉 If you are unfamiliar with Kubernetes or OAuth, start with Minimal Oauth. 👈
- A domain name. If you don't have one, you can buy one here
- A Google Cloud account
- Deploy a hello-world Kubernetes cluster with these instructions
You can see the commands I used in setup_k8s.sh
DOCKER_NM=<your docker repo/img name> # ex: hamelsmu/hello-web
docker build -t $DOCKER_NM --platform=linux/amd64 . && docker push $DOCKER_NM
gcloud container clusters create-auto oauth-demo \
--region us-west1 \
--project=<your-project-name>
gcloud compute addresses create oauth-ip-address --global
Create an OAuth App, and fill out the following fields:
- Application Name: any name you want; I called it k8s-oauth
- Homepage URL: this is the URL of the website, for example https://hamel.page
- Application Description: you can skip this
- Authorization callback URL: your URL with the path /oauth2/callback; for example, I put https://hamel.page/oauth2/callback.
Take note of the Client ID and Client secret, which you will use below.
Create a file named oauth.env with the following contents:
OAUTH_CLIENT_ID=your-client-id # from GitHub
OAUTH_CLIENT_SECRET=your-client-secret # from GitHub
OAUTH2_PROXY_COOKIE_SECRET=your-cookie-secret # you generate this locally, see below.
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
You can generate the OAUTH2_PROXY_COOKIE_SECRET by running this:
python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
Finally, you can store these in your Kubernetes cluster:
kubectl create configmap oauth-env-file --from-env-file oauth.env
Note: the client secret and cookie secret are credentials, so you should store them in a Secret rather than a ConfigMap, but the goal here is to keep things as minimal as possible.
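As an added preflight check (not part of the original walkthrough), the script below parses an oauth.env file, flags values still set to the template placeholders, and verifies that the cookie secret decodes to a 16-, 24- or 32-byte key as oauth2-proxy requires; the embedded sample file is a constructed copy of the template above.

```python
# Added example, not from the original walkthrough: preflight check for oauth.env.
# Assumes the file layout shown on this page and oauth2-proxy's 16/24/32-byte cookie secret rule.
import base64
import os

REQUIRED_KEYS = ("OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OAUTH2_PROXY_COOKIE_SECRET")
VALID_SECRET_LENGTHS = (16, 24, 32)  # AES-128/192/256 key sizes

def generate_cookie_secret(nbytes=32):
    """Same recipe as the one-liner above: random bytes, URL-safe base64."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).decode()

def parse_env_file(text):
    """Parse KEY=VALUE lines; like kubectl --from-env-file, only whole-line '#' comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        env[key.strip()] = value.strip()
    return env

def cookie_secret_bytes(secret):
    """Decoded length of the cookie secret, or -1 if it is not valid base64."""
    try:
        return len(base64.urlsafe_b64decode(secret))
    except ValueError:  # binascii.Error is a ValueError subclass
        return -1

def check_env(text):
    """Return the problems found; an empty list means the file looks deployable."""
    env, problems = parse_env_file(text), []
    for key in REQUIRED_KEYS:
        value = env.get(key, "")
        if not value:
            problems.append(f"{key}: missing or empty")
        elif value.startswith("your-"):
            problems.append(f"{key}: still the placeholder from the template")
        elif "#" in value or " " in value:
            problems.append(f"{key}: contains '#' or whitespace, probably a leftover comment")
        elif key == "OAUTH2_PROXY_COOKIE_SECRET" and cookie_secret_bytes(value) not in VALID_SECRET_LENGTHS:
            problems.append(f"{key}: must decode to 16, 24 or 32 bytes")
    return problems

# Constructed sample: the unedited template from this page must be rejected.
TEMPLATE_ENV = """OAUTH_CLIENT_ID=your-client-id # from GitHub
OAUTH_CLIENT_SECRET=your-client-secret # from GitHub
OAUTH2_PROXY_COOKIE_SECRET=your-cookie-secret # you generate this locally"""
```

Running check_env(TEMPLATE_ENV) reports all three values as placeholders; a filled-in file with a secret from generate_cookie_secret() returns an empty list.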
We can first deploy our web app with k8s/deployment_1.yml without any OAuth security. You will need to edit the image name in the Deployment as well as the domains in the ManagedCertificate. After some time, you will be able to see your web page at your domain name with HTTPS working properly.
kubectl apply -f k8s/deployment_1.yml
Next, we can deploy the web app with an OAuth reverse proxy in front of it with k8s/deployment_2.yml:
kubectl apply -f k8s/whitelist.yml # this is a whitelist of all the email addresses you want to allow to access your app.
kubectl apply -f k8s/deployment_2.yml
It will ask you to authenticate via GitHub, but will give you a 403 if your email is not in k8s/whitelist.yml.