AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Voyager
github-icon twitterx-icon
TRY NOW FREE
  • Welcome
  • Concepts
  • Setup
  • Certificate
    Ingress
    cert-manager
  • Reference
You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.

New to Voyager? Please start here.

OAuth2 Authentication

You can configure external authentication / oauth on Voyager Ingress controller via frontendrules. For this you have to configure and expose oauth2-proxy and specify it as a backend under same host. For example:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  namespace: default
spec:
  frontendRules:
  - port: 80
    auth:
      oauth:
      - host: voyager.appscode.ninja
        authBackend: auth-be
        authPath: /oauth2/auth
        signinPath: /oauth2/start
        paths: 
        - /app
  rules:
  - host: voyager.appscode.ninja
    http:
      paths:
      - path: /health
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /app
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /oauth2
        backend:
          name: auth-be
          serviceName: oauth2-proxy
          servicePort: 4180

Please note the followings:

  • Oauth will be enabled only for the specified paths. It is not necessary that this paths should match with the paths specified in the http-rules.

  • Auth backend and app backend should be under same host.

  • For secure/tls connections, you have to set cookie-secure=true (default) and for insecure/non-tls connections, you have to set cookie-secure=false while configuring oauth2-proxy.

  • You can use any random string as OAUTH2_PROXY_COOKIE_SECRET while configuring oauth2-proxy. You can generate one using following command:

$ python -c 'import os,base64; print base64.b64encode(os.urandom(16))'

  • If you use standard ports, you have to write frontend rules under port 80 for non-tls and under port 443 for tls.

  • You can not use different auth backends for different paths under same host and port. However, it is possible to configure different auth backends for different hosts under same port. For example:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  namespace: default
spec:
  frontendRules:
  - port: 80
    auth:
      oauth:
      - host: team01.example.com
        authBackend: google-auth
        authPath: /google/auth
        signinPath: /google/start
        paths:
        - /foo
      - host: team02.example.com
        authBackend: github-auth
        authPath: /github/auth
        signinPath: /github/start
        paths:
        - /bar
  rules:
  - host: team01.example.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /google
        backend:
          name: google-auth
          serviceName: oauth2-proxy-google
          servicePort: 4180
  - host: team02.example.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /github
        backend:
          name: github-auth
          serviceName: oauth2-proxy-github
          servicePort: 4180

Next Steps

  • Learn how to configure Github as auth provider here.
  • Learn how to configure Google as auth provider here.
  • Learn how to secure Kubernetes Dashboard using voyager external auth here.

What's on this Page

Search
Improve This Page