work in progress
The goal of this project is to enable easy integration with OAuth2 for applications that are targeting Kubernetes and Knative.
There is an explicit assumption that the binary for OAuth2-Proxy is in a base layer of the container your app will run in. The easiest way to do this is to use ko with a .ko.yaml config like:

    baseImageOverrides:
      go.path.of/your.app/: quay.io/oauth2-proxy/oauth2-proxy

Targeting the Knative runtime contract means the OAuth2 Proxy must run on $PORT and your application is going to run on $APP_PORT. Authn will default $APP_PORT to 8181 if not set.
The resulting application will look like this:

    inbound http --> [:$PORT (oauth2_proxy via authn)] --> [:$APP_PORT your custom app]

Only authenticated requests will reach $APP_PORT.

- Fill in oauth2_proxy.cfg with the correct settings.
- Fill in oidc_client_id and oidc_issuer based on the provider selected.
- Make a secret from these files, like:

      kubectl create secret generic whoami-proxy-config --from-file=./config/secrets/oauth2_proxy.cfg --from-file=./config/secrets/oidc_client_id --from-file=./config/secrets/oidc_issuer

- Confirm the base image contains quay.io/oauth2-proxy/oauth2-proxy as mentioned above.
- Deploy your application, here is an example for the whoami app:

      ko apply -f config/whoami.yaml

Please do not use $PORT. This is reserved for the proxy.

$APP_PORT - this is the port your app should run on.

If you need to change where the secret is mounted, set env var: CONFIG_ROOT, it defaults to "/etc/proxy-config/".

If you need to change the OAuth2 Proxy binary, set OAUTH_PROXY_PATH, it defaults to "/bin/oauth2_proxy".

The internal parts of the secret mounted are expected to be: oauth2_proxy.cfg, oidc_issuer, oidc_client_id.
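
A preflight check for the environment contract described above, as an added example that is not this project's own code. The names Settings, orDefault, Resolve and MissingSecretFiles are hypothetical, and treating an empty variable as unset and an empty secret file as missing are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

type Settings struct { // the environment contract described in this README
	Port, AppPort         int
	ConfigRoot, ProxyPath string
}

func orDefault(getenv func(string) string, key, def string) string {
	if v := getenv(key); v != "" {
		return v
	}
	return def // assumption: an unset or empty variable takes the default
}

// Resolve applies the documented defaults and rejects an APP_PORT/PORT clash.
func Resolve(getenv func(string) string) (Settings, error) {
	port, perr := strconv.Atoi(getenv("PORT"))
	app, aerr := strconv.Atoi(orDefault(getenv, "APP_PORT", "8181"))
	s := Settings{port, app, orDefault(getenv, "CONFIG_ROOT", "/etc/proxy-config/"),
		orDefault(getenv, "OAUTH_PROXY_PATH", "/bin/oauth2_proxy")}
	if perr != nil || aerr != nil {
		return s, fmt.Errorf("PORT and APP_PORT must be numeric")
	}
	if app == port {
		return s, fmt.Errorf("APP_PORT %d collides with PORT, reserved for the proxy", app)
	}
	return s, nil
}

// MissingSecretFiles lists expected secret keys absent or empty under root (assumed rule).
func MissingSecretFiles(root string) (missing []string) {
	for _, n := range []string{"oauth2_proxy.cfg", "oidc_issuer", "oidc_client_id"} {
		if fi, err := os.Stat(filepath.Join(root, n)); err != nil || fi.IsDir() || fi.Size() == 0 {
			missing = append(missing, n)
		}
	}
	return missing
}

func main() {
	s, err := Resolve(os.Getenv)
	fmt.Println(s, err, MissingSecretFiles(s.ConfigRoot))
}
```

Running a check like this before starting the proxy surfaces a port clash or an incomplete secret mount as an explicit error.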