stringang/ingress-oauth2-proxy


ingress-oauth2-proxy

Use oauth2-proxy (a reverse proxy) to perform OIDC authentication for ingress. It can be extended to integrate with k8s RBAC for access control.

OAuth2 Proxy

Configuration parameters:

```toml
# Config-file keys use underscores (the hyphenated forms are the command-line flag names)
http_address = "0.0.0.0:4180"
email_domains = [ "*" ]
whitelist_domains = ["*.example.com"]

# Store session information in a cookie
cookie_secure = false
cookie_domains = [".example.cn"]
cookie_samesite = "lax"

# OIDC
provider = "oidc"
provider_display_name = "xxxxx"
oidc_issuer_url = "https://xxxx.com"
client_id = "xxxx"
client_secret = "xxxx"
skip_provider_button = true

# Pass the authorization token through
set_authorization_header = true
set_xauthrequest = true
pass_authorization_header = true
pass_access_token = true
```

Notes

oauth2-proxy passes user information to the upstream in headers (X-Forwarded-User, X-Forwarded-Email, X-Forwarded-Preferred-Username). You can debug by requesting /oauth2/auth.

Ingress

```yaml
# The rd parameter is the address the client is redirected to after successful
# authentication (used to handle multiple domains); oauth2-proxy can also take it
# from the X-Auth-Request-Redirect header
nginx.ingress.kubernetes.io/auth-signin: 'http://oauth2-proxy.example.com/oauth2/start?rd=$scheme://$host$request_uri'
# The service port must be configured
nginx.ingress.kubernetes.io/auth-url: 'http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth'
# Pass the token through
nginx.ingress.kubernetes.io/auth-response-headers: 'authorization,x-auth-request-access-token'
nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $token $upstream_http_x_auth_request_access_token;
  add_header Authorization $token;
```
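An added example (not part of this repository and not oauth2-proxy's own code): a pre-deployment check in Python that models, with a simplified suffix match, whether the `rd` target built for each protected host falls inside `whitelist_domains`, and whether that host is covered by `cookie_domains` so the browser sends the session cookie to it. The function names and sample hosts are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def _suffix_match(host, pattern):
    # ".d" and "*.d" cover subdomains of d; a bare name must match exactly.
    pattern = pattern.lower().lstrip("*")
    if pattern.startswith("."):
        return host.endswith(pattern) and len(host) > len(pattern)
    return host == pattern

def rd_allowed(rd, whitelist_domains):
    """True if rd is a local path or an http(s) URL on a whitelisted host."""
    if rd.startswith("/"):
        # "//host" and "/\host" are treated by browsers as absolute URLs.
        return not rd.startswith(("//", "/\\"))
    try:
        parts = urlsplit(rd)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(_suffix_match(host, p) for p in whitelist_domains)

def cookie_covers(host, cookie_domains):
    """Browser rule: a cookie Domain covers that name and all its subdomains."""
    host = host.lower()
    for d in cookie_domains:
        d = d.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False

def lint(ingress_hosts, whitelist_domains, cookie_domains):
    """Findings for hosts whose post-login redirect or session cookie would fail."""
    findings = []
    for host in ingress_hosts:
        if not rd_allowed(f"https://{host}/", whitelist_domains):
            findings.append(f"{host}: rd rejected by whitelist_domains")
        if not cookie_covers(host, cookie_domains):
            findings.append(f"{host}: outside cookie_domains")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    hosts = ["app.example.com", "admin.example.org"]
    for finding in lint(hosts, ["*.example.com"], [".example.com"]):
        print(finding)
```
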
