
Explore self-hosted OAuth provider

Open billimek opened this issue 5 years ago • 21 comments

The Auth0 implementation is cloud-based and I want to see something self-hosted that will work better in 'offline' scenarios.

billimek avatar May 26 '19 13:05 billimek

KeyCloak has offline tokens and can be self-hosted.

echel0n avatar May 26 '19 16:05 echel0n

Thanks @echel0n! Will take a look at the helm chart.

billimek avatar May 26 '19 16:05 billimek

Some references:

  • https://github.com/ibuetler/docker-keycloak-traefik-workshop
  • https://github.com/containous/traefik/issues/593

billimek avatar May 28 '19 03:05 billimek

See also authelia: repo: https://github.com/clems4ever/authelia

billimek avatar Aug 19 '19 13:08 billimek

Keycloak is scalable as well but takes a bit to get that set up. I've never tried Authelia, but it looks interesting. I just know that when it comes to open source IDPs, Keycloak seems to always come up and it's easier to find info on integration.

echel0n avatar Aug 19 '19 18:08 echel0n

Another option would be auth0.com; they offer a 100% free, wide-open service for open source projects as well. It would be hosted by them, but in the case of auth that might not be a bad thing if you want to avoid downtime due to an outage, depending on how you hook into the IDP.

echel0n avatar Aug 19 '19 18:08 echel0n

Would oauth2_proxy be an alternative to cover this need? https://github.com/pusher/oauth2_proxy

blackjid avatar Aug 20 '19 00:08 blackjid

Keycloak also allows using 3rd party IDPs to auth against, such as Google and AWS. It's really a matter of whether you want to be your own IDP or just proxy the requests.

echel0n avatar Aug 20 '19 03:08 echel0n

If sticking with cloud-based (Auth0), now that nginx is being used, will likely deploy something like:

nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"

billimek avatar Oct 02 '19 04:10 billimek

Deployed oauth2-proxy configured to use auth0: https://github.com/billimek/k8s-gitops/tree/master/kube-system/oauth2-proxy

billimek avatar Oct 13 '19 04:10 billimek

I'm in the process of moving to KeyCloak with a sidecar injector for KeyCloak-Gateway (Stakater). So far it's looking promising. Allows for 100% on-prem federated logins.

The only negative I've found thus far is that the sidecar injector requires Deployment annotations. Most of the available helm charts don't allow for specifying deployment annotations OOB.

carpenike avatar Feb 02 '20 13:02 carpenike

Interesting, you need to run keycloak sidecars on all of the target workloads doing auth? I was hoping it could be used as a 'central' replacement for something like auth0.

billimek avatar Feb 02 '20 13:02 billimek

Keycloak would be run as the central Auth0 replacement. Sidecars are functionally replacing the NGINX annotations that forward the client to oauth proxy for auth. It also allows for a bit more granularity in rules. For instance, on Sonarr/Radarr I can have the /api path allowed without auth because it's protected by API keys, but require everything else be auth'd first.

Sidecars are also configurable per workload. For services like Grafana, which can directly federate with oauth providers, I don't deploy a sidecar.

carpenike avatar Feb 02 '20 13:02 carpenike
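Added example, not from the billimek/k8s-gitops repository or any commenter: the ingress-nginx external-auth annotations billimek mentions above (auth-url / auth-signin pointing at oauth2-proxy), combined with the per-path rule carpenike describes (everything behind the SSO login except /api, which the application protects with its own API key). Hostnames (sonarr.example.test), namespaces, service names and the TLS secret name are constructed; the annotation names and the `$host` / `$escaped_request_uri` variables are the ones documented for ingress-nginx and oauth2-proxy.

```yaml
# Added example (constructed names): ingress-nginx + oauth2-proxy with a /api exemption.
---
# 1. Expose oauth2-proxy on the same host as the app, so the browser can reach
#    /oauth2/start and /oauth2/callback and the session cookie is scoped to $host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: media
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts: [sonarr.example.test]
      secretName: sonarr-example-test-tls
  rules:
    - host: sonarr.example.test
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy        # constructed; oauth2-proxy listens on 4180 by default
                port:
                  number: 4180
---
# 2. Everything under / requires a valid oauth2-proxy session. ingress-nginx issues a
#    subrequest to auth-url for every request; a 401 from oauth2-proxy makes nginx
#    redirect the browser to auth-signin, which starts the OAuth flow and returns the
#    user to the original URL via rd (oauth2-proxy only honours relative or
#    whitelisted rd values, so rd is not an open redirect).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarr
  namespace: media
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # Pass the identity oauth2-proxy asserted on to the upstream (needs
    # --set-xauthrequest on oauth2-proxy) so the app can log or authorize on it.
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
spec:
  tls:
    - hosts: [sonarr.example.test]
      secretName: sonarr-example-test-tls
  rules:
    - host: sonarr.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sonarr              # constructed app service
                port:
                  number: 8989
---
# 3. /api deliberately carries no auth annotations: the application enforces its
#    own API key there. nginx selects the longest matching location prefix, so
#    this object wins over the "/" rule above for /api/... requests.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarr-api
  namespace: media
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
    - hosts: [sonarr.example.test]
      secretName: sonarr-example-test-tls
  rules:
    - host: sonarr.example.test
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: sonarr
                port:
                  number: 8989
```

The exemption in object 3 is only as strong as the application's own API-key check, so after applying this it is worth confirming from outside the cluster that an unauthenticated request to /api/ without a key is rejected by the app, while a request to / is redirected to /oauth2/start. Keep the oauth2-proxy Ingress on the same host as the app: if auth-url points at a different hostname, the session cookie set during login will not be sent with the auth subrequest and every request will loop back to the sign-in page.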

Also take a look at https://github.com/travisghansen/external-auth-server

billimek avatar Jan 16 '21 13:01 billimek

That looks great

On Sat, Jan 16, 2021, 10:14 AM Jeff Billimek [email protected] wrote:

Also take a look at https://github.com/travisghansen/external-auth-server


blackjid avatar Jan 16 '21 15:01 blackjid

I would suggest using Bitnami's gatekeeper helm chart instead; I found it more up to date, and their helm chart for keycloak is decent as well.

I've also got keycloak + kube apiserver dialed in so I can use it to protect the kubernetes dashboard ;)

As far as how I use gatekeeper, I just have it handle the ingress and then pass to the protected app's service, so it's just an extra yaml, but it works.

echel0n avatar Jan 16 '21 16:01 echel0n

I would suggest using Bitnami's gatekeeper helm chart instead; I found it more up to date, and their helm chart for keycloak is decent as well.

I've also got keycloak + kube apiserver dialed in so I can use it to protect the kubernetes dashboard ;)

As far as how I use gatekeeper, I just have it handle the ingress and then pass to the protected app's service, so it's just an extra yaml, but it works.

@echel0n -- any chance your config is public?

carpenike avatar Jan 16 '21 17:01 carpenike

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gatekeeper
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: gatekeeper
    spec:
      containers:
        - name: gatekeeper
          image: bitnami/keycloak-gatekeeper:10.0.0
          envFrom:
          - secretRef:
              name: transmission-gatekeeper-env           
          ports:
            - containerPort: 3000
          args:
            - /keycloak-gatekeeper
            - --discovery-url=https://auth.something.ca/auth/realms/something
            - --upstream-url=http://transmission.transmission:9091
            - --listen=0.0.0.0:3000
            - --client-id=$(CLIENT_ID)
            - --client-secret=$(CLIENT_SECRET)
            - --enable-refresh-tokens=true
            - --enable-session-cookies=true
            - --secure-cookie=true
            - --encryption-key=$(ENCRYPTION_KEY)
            - --enable-default-deny=true
            - --verbose
            - --enable-logging
            - --resources=uri=/*
            - --oauth-uri=/transmission/oauth            
---
kind: Service
apiVersion: v1
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
spec:
  ports:
  - port: 3000
    targetPort: 3000
  selector:
    app: gatekeeper
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gatekeeper
  namespace: transmission
  labels:
    app: gatekeeper
  annotations:
    kubernetes.io/ingress.class: nginx   
spec:
  tls:
  - hosts:
    - something.ca
    secretName: something-ca-tls
  - hosts:
    - something.lan
    secretName: something-lan-tls    
  rules:
  - host: something.ca
    http:
      paths:
      - path: /transmission
        pathType: Prefix
        backend:
          service:
            name: gatekeeper
            port:
              number: 3000 

echel0n avatar Jan 16 '21 17:01 echel0n

This also looks good https://www.authelia.com/

runningman84 avatar Jan 17 '21 12:01 runningman84

See also https://github.com/ory/kratos

billimek avatar Apr 09 '21 13:04 billimek

Hi @billimek, I am from the Casbin team and we have a central authentication project called Casdoor: https://casdoor.org/ . Casdoor is itself an OAuth provider, and also an integrator of other OAuth providers like GitHub, Google, etc. It also supports SMS and Email logins. It contains a full-fledged web UI but it can also run in "headless" mode. It's developed in Go. And it integrates well with Casbin. You can build it from source (just type in go run main.go) or use our Docker image: https://hub.docker.com/r/casbin/casdoor . You can see the live demo here: https://door.casbin.com/ . Let me know if you have any questions :)


hsluoyz avatar Aug 14 '21 10:08 hsluoyz