Reverse OAuth2 proxy that handles authentication for GS web frontends.
It is build upon the oauth2-proxy/oauth2-proxy, with the configuration:
--cookie-expire=24h0m0s
--cookie-refresh=0h60m0s
--provider=oidc
# Use Auth0 as identity provider
--oidc-issuer-url=https://giantswarm.eu.auth0.com/
--login-url=https://giantswarm.eu.auth0.com/authorize
--redeem-url=https://giantswarm.eu.auth0.com/oauth/token
--validate-url=https://giantswarm.eu.auth0.com/userinfo
More options can be found in the command line options documentation.
- Prometheus operator managed Prometheus and Alertmanager
- G8s-Alertmanager
- G8s-Alertmanager-Dashboard
-
Add following annotations to the existing ingress:
annotations: nginx.ingress.kubernetes.io/auth-signin: https://HOST/oauth2/start nginx.ingress.kubernetes.io/auth-url: https://HOST/oauth2/auth
-
Create a new oauth2 ingress together with the existing ingress
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ Your.Service.Name }}-oauth2-proxy namespace: kube-system spec: rules: - host: {{ Your.Service.URL }} http: paths: - backend: service: name: oauth2-proxy port: number: 4180 path: /oauth2 pathType: Prefix
If TLS is enabled, add the same certificate from the existing ingress, to the oauth2 ingress.
-
Add to Service URL to the list of allowed Callback URLs in Auth0:
Navigate to the Application
OAuth2-Proxy
and enter the service URL in the list of allowed Callback URLs with the following scheme:https://{{ Your.Service.URL }}/oauth2/callback
This has to be done for every installation separately.