github.com/doodlescheduling/k8soauth2-proxy-controller
Readme
OAUTH2 Proxy server with kubernetes support. The proxy is used as MitM between your idp and an external idp. The proxy dynamically replaces the redirect_uri. This is useful if you have multiple environemnts and one or more external idp like google. On the external idp only the oauth2 proxy needs to be configured as redirect_uri. The proxy makes sure to route the oauth2 callbacks correctly back to your original idp.
💡 The proxy is not to be confused with a proxy which adds oidc authentication to your apps. It is rather a proxy do dynamically swap redirect_uri for external IdP in order to maintain a single redirect_uri there.
OIDC IdP like google don't provide an API to dynamically configure or change OAUTH2 credentials. Meaning there is no good way of progamatically add/remove redirect_uri or create ad hock credentials. With the oauth2 proxy its possible to only have the proxy URL configured as redirect_uri.
The proxy transfers any OAUTH2 state from the original request as well as the redirect_uri in the state param. While the external IdP redirects back to the oauth2 proxy after a successful authorization the oauth2 proxy unpacks the state and transforms the request back to its original.
A OAUTH2Proxy binds to a kubernetes service.
The http proxy will route and clone incoming http requests to all OAUTH2Proxy backends matching the host.
apiVersion: oauth2.infra.doodle.com/v1beta1
kind: OAUTH2Proxy
metadata:
name: idp
spec:
host: my-idp
paths:
- /
redirectURI: https://oauth-proxy
backend:
serviceName: backend-idp
servicePort: http
The proxy should not be exposed directly to the public. Rather should traffic be routed via an ingress controller and only paths which are used to redirect to the external idp should be routed via the oauth2 proxy.
Please see chart/k8soauth2-proxy-controller for the helm chart docs.
Alternatively you may get the bundled manifests in each release to deploy it using kustomize or use them directly.
You may change base settings for the controller using env variables (or alternatively command line arguments). Available env variables:
| Name | Description | Default |
|---|---|---|
METRICS_ADDR | The address of the metric endpoint binds to. | :9556 |
PROBE_ADDR | The address of the probe endpoints binds to. | :9557 |
HTTP_ADDR | The address of the http proxy. | :8080 |
PROXY_READ_TIMEOUT | Read timeout to the proxy backend. | 30s |
PROXY_WRITE_TIMEOUT | Write timeout to the proxy backend. | 30s |
ENABLE_LEADER_ELECTION | Enable leader election for controller manager. | false |
LEADER_ELECTION_NAMESPACE | Change the leader election namespace. This is by default the same where the controller is deployed. | `` |
NAMESPACES | The controller listens by default for all namespaces. This may be limited to a comma delimted list of dedicated namespaces. | `` |
CONCURRENT | The number of concurrent reconcile workers. | 2 |
OTEL_EXPORTER_OTLP_ENDPOINT | The gRPC opentelemtry-collector endpoint uri | `` |
Note: The proxy implements opentelemetry tracing, see further possible env variables to configure it.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The June TC39 meeting wrapped up this week with eight proposals moving on to the next stage. Here's a quick roundup of the features that the committee approved to advance.
Security News
Cyber extortion in the US and Canada hit record levels in 2023, with ransomware attacks surging and median ransom demands skyrocketing, though fewer companies are choosing to pay ransoms.
Security News
Ecma TC39 is meeting this week and has moved key ECMAScript proposals forward, advancing Deferred Import Evaluation, Error.isError(), RegExp Escaping, and Promise.try to the next stages.