n3wscott/authn

authn

work in progress

The goal of this project is to enable easy integration with OAuth2 for applications that are targeting Kubernetes and Knative.

There is an explicit assumption that the binary for OAuth2-Proxy is in a base layer of the container your app will run in. The easiest way to do this is to use ko with a .ko.yaml config like:

baseImageOverrides:
  go.path.of/your.app/: quay.io/oauth2-proxy/oauth2-proxy

OAuth2

Targeting the Knative runtime contract means the OAuth2 Proxy must run on $PORT and your application is going to run on $APP_PORT. Authn will default $APP_PORT to 8181 if not set.

The resulting application will look like this:

inbound http --> [:$PORT (oauth2_proxy via authn)] --> [:$APP_PORT your custom app]

Only authenticated requests will reach $APP_PORT.

Setup

  1. Fill in oauth2_proxy.cfg with the correct settings.

  2. Fill in oidc_client_id and oidc_issuer based on the provider selected.

  3. Make a secret from these files, like:

    kubectl create secret generic whoami-proxy-config --from-file=./config/secrets/oauth2_proxy.cfg --from-file=./config/secrets/oidc_client_id --from-file=./config/secrets/oidc_issuer

  4. Confirm the base image contains quay.io/oauth2-proxy/oauth2-proxy as mentioned above.

  5. Deploy your application. Here is an example for the whoami app:

    ko apply -f config/whoami.yaml

Additional Settings

Please do not use $PORT. This is reserved for the proxy.

$APP_PORT - this is the port your app should run on.

If you need to change where the secret is mounted, set the env var CONFIG_ROOT; it defaults to "/etc/proxy-config/".

If you need to change the OAuth2 Proxy binary, set OAUTH_PROXY_PATH; it defaults to "/bin/oauth2_proxy".

The internal parts of the secret mounted are expected to be: oauth2_proxy.cfg, oidc_issuer, oidc_client_id.
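
A startup preflight for the settings above, as an added example (not code from the authn project). The names Settings, Resolve, Check and AppListenAddr are hypothetical, and binding the app to loopback assumes the proxy reaches it over localhost inside the same container, so nothing outside the container can reach $APP_PORT without passing through the proxy.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
)

// Settings holds the environment variables named in this README (hypothetical type).
type Settings struct{ Port, AppPort, ConfigRoot, ProxyPath string }

func envOr(getenv func(string) string, key, def string) string {
	if v := getenv(key); v != "" {
		return v
	}
	return def
}

// Resolve applies the defaults documented above.
func Resolve(getenv func(string) string) Settings {
	return Settings{
		Port:       getenv("PORT"),
		AppPort:    envOr(getenv, "APP_PORT", "8181"),
		ConfigRoot: envOr(getenv, "CONFIG_ROOT", "/etc/proxy-config/"),
		ProxyPath:  envOr(getenv, "OAUTH_PROXY_PATH", "/bin/oauth2_proxy"),
	}
}

// Check returns every problem that would leave the proxy unable to start
// or the app colliding with the port reserved for the proxy.
func Check(s Settings) []string {
	var problems []string
	if s.Port == "" {
		problems = append(problems, "PORT is not set")
	} else if s.Port == s.AppPort {
		problems = append(problems, "APP_PORT equals PORT, which is reserved for the proxy")
	}
	for _, name := range []string{"oauth2_proxy.cfg", "oidc_issuer", "oidc_client_id"} {
		if fi, err := os.Stat(filepath.Join(s.ConfigRoot, name)); err != nil || fi.IsDir() {
			problems = append(problems, "missing secret file: "+name)
		}
	}
	if fi, err := os.Stat(s.ProxyPath); err != nil || fi.IsDir() {
		problems = append(problems, "OAuth2 Proxy binary not found: "+s.ProxyPath)
	}
	return problems
}

// AppListenAddr binds the app to loopback only (assumption: proxy upstream is localhost).
func AppListenAddr(s Settings) string { return net.JoinHostPort("127.0.0.1", s.AppPort) }

func main() {
	s := Resolve(os.Getenv)
	for _, p := range Check(s) {
		fmt.Println("preflight:", p)
	}
	fmt.Println("app should listen on", AppListenAddr(s))
}
```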

About

Authentication establishing your identity.
