New to Voyager? Please start here.

OAuth2 Authentication

You can configure external authentication / oauth on Voyager Ingress controller via frontendrules. For this you have to configure and expose oauth2-proxy and specify it as a backend under same host. For example:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  namespace: default
spec:
  frontendRules:
  - port: 80
    auth:
      oauth:
      - host: voyager.appscode.ninja
        authBackend: auth-be
        authPath: /oauth2/auth
        signinPath: /oauth2/start
        paths: 
        - /app
  rules:
  - host: voyager.appscode.ninja
    http:
      paths:
      - path: /health
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /app
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /oauth2
        backend:
          name: auth-be
          serviceName: oauth2-proxy
          servicePort: 4180

Please note the followings:

  • Oauth will be enabled only for the specified paths. It is not necessary that this paths should match with the paths specified in the http-rules.

  • Auth backend and app backend should be under same host.

  • For secure/tls connections, you have to set cookie-secure=true (default) and for insecure/non-tls connections, you have to set cookie-secure=false while configuring oauth2-proxy.

  • You can use any random string as OAUTH2_PROXY_COOKIE_SECRET while configuring oauth2-proxy. You can generate one using following command:

$ python -c 'import os,base64; print base64.b64encode(os.urandom(16))'
  • If you use standard ports, you have to write frontend rules under port 80 for non-tls and under port 443 for tls.

  • You can not use different auth backends for different paths under same host and port. However, it is possible to configure different auth backends for different hosts under same port. For example:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  namespace: default
spec:
  frontendRules:
  - port: 80
    auth:
      oauth:
      - host: team01.example.com
        authBackend: google-auth
        authPath: /google/auth
        signinPath: /google/start
        paths:
        - /foo
      - host: team02.example.com
        authBackend: github-auth
        authPath: /github/auth
        signinPath: /github/start
        paths:
        - /bar
  rules:
  - host: team01.example.com
    http:
      paths:
      - path: /foo
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /google
        backend:
          name: google-auth
          serviceName: oauth2-proxy-google
          servicePort: 4180
  - host: team02.example.com
    http:
      paths:
      - path: /bar
        backend:
          serviceName: test-server
          servicePort: 80
      - path: /github
        backend:
          name: github-auth
          serviceName: oauth2-proxy-github
          servicePort: 4180

Next Steps

  • Learn how to configure Github as auth provider here.
  • Learn how to configure Google as auth provider here.
  • Learn how to secure Kubernetes Dashboard using voyager external auth here.

Take your team where it needs to go.

Create your cluster in minutes. Our team is here to help and would be happy to chat with you.