
Integrating OAuth2-Proxy with Kubernetes Dashboard running on Azure Kubernetes Service (AKS) with Entra ID (AAD)

Open ogbonnaec opened this issue 4 months ago • 7 comments

I want to integrate oauth2-proxy with Kubernetes Dashboard on AKS and Entra ID so that users can log in to the dashboard after authenticating with Entra ID. OAuth2-Proxy sits between the dashboard and Entra ID. I followed the OAuth2-Proxy documentation and have these working:

  1. The dashboard redirects to the Microsoft login page.
  2. The authentication with Entra ID works fine.
  3. The redirect from Entra ID back to the dashboard works.

The problem is that the dashboard is still requesting a bearer token. I have inspected the request headers of oauth2-proxy using the browser's developer tools and the bearer token is generated. I have gone through various blog posts on this integration, but no configuration mix seems to solve my problem.

AKS is AAD-enabled, as RBAC is managed through Entra ID. Dashboard version 7.7.0 and OAuth2-Proxy version 7.11.2 are installed with Helm.

dashboard-ingress.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: kubernetes-dashboard
  name: kubernetes-dashboard-ingress
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "https"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-url: "$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "$host/oauth2/start?rd=$scheme://$host$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Access-Token,X-Auth-Request-Email,X-Auth-Request-Groups,Authorization"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - dashboard.internal.com
  rules:
    - host: dashboard.internal.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard-kong-proxy
                port:
                  number: 443

oauth2-proxy-values.yaml

config:
  clientID: "__CLIENT_ID__"
  clientSecret: "__CLIENT_SECRET__"
  cookieSecret: "__COOKIE_SECRET__"
  configFile: |-
    provider="oidc"
    client_id="__CLIENT_ID__"
    client_secret="__CLIENT_SECRET__"
    oidc_issuer_url="https://login.microsoftonline.com/__TENANT_ID__/v2.0"
    redirect_url="https://oauthproxy.internal.com/oauth2/callback"
    login_url="https://login.microsoftonline.com/__TENANT_ID__/oauth2/v2.0/authorize"
    scope="openid email profile"
    set_xauthrequest=true
    set_authorization_header=true
    pass_access_token=true
    pass_authorization_header=true
    auth_logging=true
    standard_logging=true
    request_logging=true
    silence_ping_logging=false
    cookie_domains=".internal.com"
    whitelist_domains=".internal.com"
    email_domains=["*"]
    skip_jwt_bearer_tokens=true
    extra_jwt_issuers=[
      "issuer=https://sts.windows.net/__TENANT_ID__/, audience=api://AzureADTokenExchange"
    ]
    redis_password="__REDIS_PASSWORD__"
    redis_connection_url="redis://oauth2-proxy-redis-master.kubernetes-dashboard.svc.aks-newprj-dev-001.privatelink.westeurope.azmk8s.io:6379"

ingress:
  enabled: true
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
    nginx.ingress.kubernetes.io/proxy-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
  hosts:
    - oauthproxy.internal.com
  tls:
    - hosts:
        - oauthproxy.internal.com
sessionStorage:
  type: redis

LOGS oauth-proxy pod

10.244.76.16:41844 - e2650078177d4a9ec92eb285311cb11d - **user_email** [2025/08/26 08:24:17] [AuthSuccess] Authenticated via OAuth2: Session**user_email** user:MPxIywoA6UpuHBgw8u1Om_1vsv9G79N-zG0L_8Vp7Lc PreferredUsername:**user_email** token:true id_token:true created:2025-08-26 08:24:17.773791602 +0000 UTC m=+7713.631325392 expires:2025-08-26 09:30:07.618384776 +0000 UTC m=+11663.475918566 groups:[.......]
10.244.76.16:41844 - e2650078177d4a9ec92eb285311cb11d - - [2025/08/26 08:24:17] oauthproxy.internal..com GET - "/oauth2/callback?code=***retracted cookie**not bearer token***&session_state=007e1189-077a-0159-9eab-d3bd60f105f0" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" 302 24 0.585
10.244.76.16:41844 - 832190f8f8d4521532639366d29c7dce -**user email** [2025/08/26 08:24:18] oauthproxy.internal..com GET - "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36" 404 19 0.000
10.244.76.100:60908 - f50c7ca8-b382-4b14-b0e7-b833eb4c86d3 - - [2025/08/26 08:24:18] 10.244.76.12:4180 GET - "/ping" HTTP/1.1 "kube-probe/1.30" 200 2 0.000
10.244.76.100:60918 - 402004fa-c457-4755-9d3f-72c725d11b75 - - [2025/08/26 08:24:18] 10.244.76.12:4180 GET - "/ready" HTTP/1.1 "kube-probe/1.30" 200 2 0.000
10.244.76.11:36512 - 0fe467bdc0ac96e6215a48c87fe6d242 - - [2025/08/26 08:24:25] oauthproxy.internal.com GET - "/oauth2/auth" HTTP/1.1 "" 401 13 0.000

kubernetes-dashboard-auth pod

I0826 09:54:07.355527 1 auth.go:38] "Bearer token" size=4786
E0826 09:54:07.451153 1 handler.go:33] "Could not get user" err="MSG_LOGIN_UNAUTHORIZED_ERROR"
[GIN] 2025/08/26 - 09:54:07 | 401 | 95.896263ms | 10.244.76.32 | GET "/api/v1/me"

Every variable is correctly substituted and the deployments are running. I need help with this; so far the documentation from oauth2-proxy does not help a lot in this regard. Users are managed in Entra ID. My user is able to create, get and delete resources on the cluster. Simply put, my user has the necessary rights (even the cluster-admin role) on this cluster. What am I not doing right? I believe this should work.

ogbonnaec, Aug 26 '25 10:08
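One check worth running when the dashboard backend answers `/api/v1/me` with 401 although oauth2-proxy reports AuthSuccess: decode the JWT the proxy forwards in the `Authorization` / `X-Auth-Request-Access-Token` header (without trusting it) and compare its issuer, audience and expiry with what the dashboard's backend, i.e. the AKS API server, expects. This is an added example, not code from the issue or from oauth2-proxy; `EXPECTED_AUDIENCE` and the sample tokens built with `make_sample_token` are constructed placeholders.

```python
import base64
import json
import time

# Placeholders (constructed for this example): the audience the dashboard's
# backend expects and the issuer prefix of Entra ID v2.0 tokens.
EXPECTED_AUDIENCE = "api://__AKS_SERVER_APP_ID__"
EXPECTED_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. The signature is NOT verified:
    this only shows which token oauth2-proxy forwarded, it does not trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url(parts[1]))


def check_token(token: str, now=None) -> dict:
    """Classify the forwarded token and list reasons the backend could 401 it."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    problems = []
    if not str(claims.get("iss", "")).startswith(EXPECTED_ISSUER_PREFIX):
        problems.append(f"issuer {claims.get('iss')!r} is not an Entra ID issuer")
    if EXPECTED_AUDIENCE not in auds:
        problems.append(f"audience {auds!r} is not the API server audience")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # An ID token carries the client ID as audience and normally a nonce; an
    # access token minted for the API server carries that server's audience.
    kind = "id_token" if "nonce" in claims else "access_token"
    return {"kind": kind, "aud": auds, "problems": problems}


def make_sample_token(claims: dict) -> str:
    """Build a structurally valid unsigned JWT (constructed test input only)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Feed `check_token` the value copied from the browser's request headers; a non-empty `problems` list names the claim the backend would reject, which is more informative than the dashboard's generic `MSG_LOGIN_UNAUTHORIZED_ERROR`.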

@ogbonnaec If OAuth2 Proxy returns the token to the browser, the problem may be with the dashboard, not the proxy. I found a similar issue to yours in the Dashboard repository; please also follow that thread: https://github.com/kubernetes/dashboard/issues/10103

pierluigilenoci, Aug 28 '25 11:08

Also, this can be related: https://github.com/kubernetes/dashboard/issues/10242

pierluigilenoci, Aug 28 '25 11:08

@tuunit WDYT?

pierluigilenoci, Aug 28 '25 11:08

Or maybe @desaintmartin?

pierluigilenoci, Aug 28 '25 11:08

Thank you @pierluigilenoci for your response. There seems to be an issue with the OAuth2-Proxy and AKS integration; the documentation does not give many explanations and examples. A case in point is application registrations on Azure: there is no information regarding the default AKS API server-id, and the oauth2-proxy config example does not highlight it in the scope entry either. The issue you refer to has also not been solved. I would appreciate it if I could get support on this, after which I would put out a comprehensive post on AKS + OAuth2-Proxy integration.

ogbonnaec, Aug 28 '25 15:08

When you identify the issue or see how clarity could be improved, it would be amazing if you could open a PR to improve the official docs <3

tuunit, Aug 28 '25 15:08

@ogbonnaec Please note that this repository is for the OAuth2 Proxy helm chart. If you think this is a problem with the chart, this is the right place to ask for help. If you think the problem is with the software or its documentation, this is not the right place.

pierluigilenoci, Aug 29 '25 11:08

@ogbonnaec, could you please provide feedback?

pierluigilenoci, Nov 27 '25 10:11