You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to Voyager? Please start here.
OAuth2 Authentication Using Google
This example will demonstrate how to configure external authentication in both TLS and non-TLS mode using Google as auth provider.
Example using Google (no TLS)
First configure google auth provider by following instructions provided here and generate client-id and client-secret.
In this example Authorized JavaScript origins
is set to http://voyager.appscode.ninja
and Authorized redirect URIs
is set to http://voyager.appscode.ninja/oauth2/callback
.
Now deploy and expose a test server:
$ kubectl run test-server --image=gcr.io/google_containers/echoserver:1.8
$ kubectl expose deployment test-server --port=80 --target-port=8080
Configure, deploy and expose oauth2-proxy:
$ kubectl apply -f oauth2-proxy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=google
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
- --cookie-secure=false
- --pass-authorization-header=true
- --set-authorization-header=true
- --set-xauthrequest=true
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: ...
- name: OAUTH2_PROXY_CLIENT_SECRET
value: ...
- name: OAUTH2_PROXY_COOKIE_SECRET
value: ...
image: quay.io/pusher/oauth2_proxy:v3.1.0
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
Here, --set-xauthrequest
flag sets X-Auth-Request-User
and X-Auth-Request-Email
headers, which will be forwarded to backend. --pass-authorization-header
and --set-authorization-header
set OIDC IDToken via Authorization
Bearer header and X-Auth-Request-Id-Token
header.
Finally create the ingress:
$ kubectl apply -f auth-ingress.yaml
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: auth-ingress
namespace: default
spec:
frontendRules:
- port: 80
auth:
oauth:
- host: voyager.appscode.ninja
authBackend: auth-be
authPath: /oauth2/auth
signinPath: /oauth2/start
paths:
- /app
rules:
- host: voyager.appscode.ninja
http:
paths:
- path: /health
backend:
service:
name: test-server
port:
number: 80
- path: /app
backend:
service:
name: test-server
port:
number: 80
- path: /oauth2
backend:
name: auth-be
service:
name: oauth2-proxy
port:
number: 4180
Now browse the followings:
- http://voyager.appscode.ninja/app (external-auth required)
- http://voyager.appscode.ninja/health (external-auth not required)
Example using Google (with TLS)
First configure google auth provider by following instructions provided here and generate client-id and client-secret.
In this example Authorized JavaScript origins
is set to https://voyager.appscode.ninja
and Authorized redirect URIs
is set to https://voyager.appscode.ninja/oauth2/callback
.
Now deploy and expose a test server:
$ kubectl run test-server --image=gcr.io/google_containers/echoserver:1.8
$ kubectl expose deployment test-server --port=80 --target-port=8080
Create TLS secret:
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=voyager.appscode.ninja"
$ kubectl create secret tls tls-secret --key /tmp/tls.key --cert /tmp/tls.crt
Configure, deploy and expose oauth2-proxy:
$ kubectl apply -f oauth2-proxy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=google
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
- --cookie-secure=true
- --set-xauthrequest=true
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: ...
- name: OAUTH2_PROXY_CLIENT_SECRET
value: ...
- name: OAUTH2_PROXY_COOKIE_SECRET
value: ...
image: quay.io/pusher/oauth2_proxy:v3.1.0
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
Finally create the ingress:
$ kubectl apply -f auth-ingress.yaml
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: auth-ingress
namespace: default
spec:
tls:
- secretName: tls-secret
hosts:
- voyager.appscode.ninja
frontendRules:
- port: 443
auth:
oauth:
- host: voyager.appscode.ninja
authBackend: auth-be
authPath: /oauth2/auth
signinPath: /oauth2/start
paths:
- /app
rules:
- host: voyager.appscode.ninja
http:
paths:
- path: /health
backend:
service:
name: test-server
port:
number: 80
- path: /app
backend:
service:
name: test-server
port:
number: 80
- path: /oauth2
backend:
name: auth-be
service:
name: oauth2-proxy
port:
number: 4180
Now browse the followings:
- https://voyager.appscode.ninja/app (external-auth required)
- https://voyager.appscode.ninja/health (external-auth not required)