Forem: Marcin Janiak The latest articles on Forem by Marcin Janiak (@marcinjaniak). https://forem.com/marcinjaniak https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F553431%2Fd3a25a2d-b75d-4904-9b40-95846b991fe9.png Forem: Marcin Janiak https://forem.com/marcinjaniak en Authorizing endpoints of external apps in k8s Marcin Janiak Mon, 09 Dec 2024 15:05:00 +0000 https://forem.com/marcinjaniak/authorizing-endpoints-of-external-apps-in-k8s-4gc1 https://forem.com/marcinjaniak/authorizing-endpoints-of-external-apps-in-k8s-4gc1 <p>Implementing authorization at the code level is often straightforward.<br> Similarly, exposing external tools with built-in support for authentication (e.g Grafana) can be handled with relative ease.</p> <p>The real challenge arises when dealing with simple tools or services that lack native support for authentication or authorization, requiring external mechanisms to ensure secure access.</p> <p>One approach to managing this is by restricting access through a VPN or securing it with IP address ranges, which remains one of the most reliable methods.</p> <p>However, I recently explored an alternative: reusing Keycloak, one of the oauth providers which we were already using, to verify access to specific endpoints.</p> <p>The tool that might work for this is <strong>OAuth2 Proxy</strong>, which supports a wide range of OAuth providers such as Facebook, Google, GitLab, and Azure.</p> <p>The additional requirement was to group these tools under a single URL, such as <strong>tools.example.com/tool-name</strong>, to streamline access and management.</p> <p><strong>oauth2-proxy basic setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">--provider=keycloak-oidc</span> <span class="pi">-</span> <span class="s">--oidc-issuer-url=https://{ISSUER_HOST}/realms/{REALM_NAME}</span> <span class="pi">-</span> <span class="s">--code-challenge-method=S256</span> <span class="pi">-</span> <span class="s">--allowed-role={ROLE}</span> <span class="pi">-</span> <span class="s">--email-domain=*</span> <span class="pi">-</span> <span class="s">--upstream=file:///dev/null</span> <span class="pi">-</span> <span class="s">--http-address=0.0.0.0:4180</span> <span class="pi">-</span> <span class="s">--client-id={CLIENT_ID}</span> <span class="pi">-</span> <span class="s">--client-secret={CLIENT_SECRET}</span> <span class="pi">-</span> <span class="s">--session-cookie-minimal</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OAUTH2_PROXY_COOKIE_SECRET</span> <span class="na">value</span><span class="pi">:</span> <span class="pi">{</span><span class="nv">COOKIE_SECRET</span><span class="pi">}</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/oauth2-proxy/oauth2-proxy:latest</span> <span class="na">imagePullPolicy</span><span class="pi">:</span> <span class="s">Always</span> <span class="na">name</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">4180</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">name</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">http</span> <span class="na">port</span><span class="pi">:</span> <span class="m">4180</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">4180</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">k8s-app</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> </code></pre> </div> <p><strong>Ingress configuration (assuming you already have a TLS secret named tools-example-com-tls)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s">15m</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">tools.example.com</span> <span class="s">secretName:</span><span class="nv"> </span><span class="s">tools-example-com-tls</span> <span class="s">rules:</span> <span class="s">-</span><span class="nv"> </span><span class="s">host:</span><span class="nv"> </span><span class="s">"tools.example.com"</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/oauth2</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">oauth2-proxy</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">4180</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">networking.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Ingress</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-external-auth-oauth2</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">annotations</span><span class="pi">:</span> <span class="na">nginx.ingress.kubernetes.io/proxy-body-size</span><span class="pi">:</span> <span class="s">15m</span> <span class="na">nginx.ingress.kubernetes.io/auth-url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://$host/oauth2/auth"</span> <span class="na">nginx.ingress.kubernetes.io/auth-signin</span><span class="pi">:</span> <span class="s2">"</span><span class="s">https://$host/oauth2/start?rd=$escaped_request_uri"</span> <span class="na">nginx.ingress.kubernetes.io/use-regex</span><span class="pi">:</span> <span class="s2">"</span><span class="s">true"</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">ingressClassName</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">tls</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">hosts</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">tools.example.com"</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">tools-example-com-tls</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">host</span><span class="pi">:</span> <span class="s2">"</span><span class="s">tools.example.com"</span> <span class="na">http</span><span class="pi">:</span> <span class="na">paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/certificates</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">Prefix</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">cert-checker</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">8081</span> </code></pre> </div> <p>In our case, one of the tools was a dashboard for a certificate checker.</p> <p><strong>Extra bonus:</strong><br> Additionally, our solution included multiple stateful services deployed at addresses following the pattern s1-app, s2-app, and so on, with each respective service exposing its own instance of tools, in our case, through ASP.NET.</p> <p>For example, we might want to expose the relevant quartz-ui instances at addresses like <strong>tools.example.com/s1/quartz</strong> and <strong>tools.example.com/s2/quartz</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa9xa2gjbmnu3cahhh8te.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa9xa2gjbmnu3cahhh8te.png" alt="Uri routing diagram" width="800" height="306"></a></p> <p><strong>Given this requirement, the Ingress resource tools-external-auth-oauth2 consists of multiple paths, such as:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">path</span><span class="pi">:</span> <span class="s">/s[0-9]+/quartz</span> <span class="na">pathType</span><span class="pi">:</span> <span class="s">ImplementationSpecific</span> <span class="na">backend</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">port</span><span class="pi">:</span> <span class="na">number</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p><strong>The nginx reverse proxy configuration:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy-config</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">data</span><span class="pi">:</span> <span class="na">nginx.conf</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">events {</span> <span class="s">worker_connections 1024; </span> <span class="s">}</span> <span class="s">http {</span> <span class="s">resolver 10.3.0.10 valid=10s; #KubeDNS or CoreDNS internal ip</span> <span class="s">server {</span> <span class="s">listen 80;</span> <span class="s">location ~ ^/s([0-9]+)/quartz{</span> <span class="s">set $service_name "s$1-app.default.svc.cluster.local";</span> <span class="s">rewrite ^/s([0-9]+)/quartz$ /quartz break;</span> <span class="s">proxy_pass http://$service_name:80;</span> <span class="s">proxy_set_header Host $host;</span> <span class="s">proxy_set_header X-Real-IP $remote_addr;</span> <span class="s">proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</span> <span class="s">proxy_set_header X-Forwarded-Proto $scheme;</span> <span class="s">proxy_http_version 1.1;</span> <span class="s">proxy_set_header Connection "";</span> <span class="s">proxy_read_timeout 90;</span> <span class="s">proxy_send_timeout 90;</span> <span class="s">}</span> <span class="s">location ~ ^/s([0-9]+)/quartz/(.*\.(css|js|png|jpg|jpeg|gif|svg|woff2|woff|ttf))$ {</span> <span class="s">set $service_name "s$1-app.default.svc.cluster.local";</span> <span class="s">rewrite ^/s([0-9]+)/quartz/(.*)$ /$2 break;</span> <span class="s">proxy_pass http://$service_name:80;</span> <span class="s">}</span> <span class="s">location / {</span> <span class="s">return 404;</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">1</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">matchLabels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">template</span><span class="pi">:</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">labels</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">containers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-config</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/nginx/nginx.conf</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">nginx.conf</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-config</span> <span class="na">configMap</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy-config</span> <span class="nn">---</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">selector</span><span class="pi">:</span> <span class="na">app</span><span class="pi">:</span> <span class="s">tools-nginx-reverse-proxy</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span> <span class="na">port</span><span class="pi">:</span> <span class="m">80</span> <span class="na">targetPort</span><span class="pi">:</span> <span class="m">80</span> </code></pre> </div> <p><strong>Note:</strong><br> The cover image was (obviously) created by bing ai.</p> <p><strong>Useful Resources:</strong><br> <a href="https://oauth2-proxy.github.io/oauth2-proxy/" rel="noopener noreferrer">https://oauth2-proxy.github.io/oauth2-proxy/</a><br> <a href="https://www.keycloak.org" rel="noopener noreferrer">https://www.keycloak.org</a><br> <a href="https://github.com/mogensen/cert-checker" rel="noopener noreferrer">https://github.com/mogensen/cert-checker</a><br> <a href="https://github.com/guryanovev/CrystalQuartz" rel="noopener noreferrer">https://github.com/guryanovev/CrystalQuartz</a></p> kubernetes webdev devops