Create Kubernetes NGINX Ingress manifest which includes OAuth2 authentication for AirFlow
AirFlow does not provide authentication for its web UI out of the box. Given the sensitivity of the systems and data that AirFlow manages, it needs one. One option is to put the NGINX ingress controller in front of AirFlow as a reverse proxy and let GitLab (or another SSO provider) handle authentication: the ingress controller delegates every request to oauth2-proxy, which runs the OpenID Connect login against GitLab, and only requests that carry a valid session cookie are proxied through to AirFlow.
@ethan.chap says: To get going, follow the steps found in this guide: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ Replace the GitHub-specific material with these steps:
- The name is only for humans and doesn't need to be specific. The redirect_uri should be https://<my-domain-name>/oauth2/callback
- Now that the GitLab application has been created, copy the Application ID and the Secret.
- You can continue to follow the guide: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ except use this YAML file instead of what they provide.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=gitlab
        # No real upstream: nginx only calls oauth2-proxy's /oauth2/auth
        # endpoint (auth_request); application traffic never passes through it.
        - --upstream=file:///dev/null
        - --redirect-url=https://<ingress host>/oauth2/callback
        - --skip-provider-button=false
        # Return X-Auth-Request-* headers (user, email) from /oauth2/auth so
        # nginx can forward them to the backend.
        - --set-xauthrequest=true
        - --skip-auth-preflight=false
        # Self-hosted GitLab: skip OIDC discovery and name the endpoints directly.
        - --skip-oidc-discovery
        - --oidc-issuer-url=https://code.oak-tree.tech
        - --login-url=https://code.oak-tree.tech/oauth/authorize
        - --redeem-url=https://code.oak-tree.tech/oauth/token
        - --oidc-jwks-url=https://code.oak-tree.tech/oauth/discovery/keys
        # "*" admits any GitLab user who can authorize the application.
        - --email-domain=*
        env:
        # Placeholders. Do not commit real values here: a Kubernetes Secret
        # referenced via valueFrom.secretKeyRef keeps them out of the manifest.
        - name: OAUTH2_PROXY_CLIENT_ID
          value: <generate me>
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: <generate me>
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: <generate me>
          # cookie secret: see https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
        # Pin a release tag or image digest for production instead of :latest.
        image: quay.io/oauth2-proxy/oauth2-proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    k8s-app: oauth2-proxy
---
# networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; on newer
# clusters use networking.k8s.io/v1, where the backend is written as
# service.name / service.port.number. Both Ingresses also need TLS (not shown):
# the redirect-url above is https and oauth2-proxy sets its session cookie
# with the Secure flag by default.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    # For every request nginx first sends an auth_request subrequest to
    # auth-url; oauth2-proxy answers 202 when the session cookie is valid
    # and 401 otherwise.
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # On 401 nginx redirects the browser here to start the GitLab login;
    # rd= carries the original URI so the user lands back on it afterwards.
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
  name: external-auth-oauth2
spec:
  rules:
  - host: hello-world.example
    # your service's domain name should replace `hello-world.example`
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          # These refer to a test service used to debug this; point them at
          # the AirFlow webserver Service for the real deployment.
          serviceName: web
          servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
spec:
  rules:
  - host: hello-world.example
    http:
      paths:
      - path: /oauth2
        pathType: Prefix
        backend:
          serviceName: oauth2-proxy
          servicePort: 4180
Notes
- You can lock down which users are able to access the service by using the email-domain setting. If you're looking to only allow oak-tree users, you'd supply --email-domain=oak-tree.us instead of the wildcard.
- You might be able to remove --skip-provider-button=false, --set-xauthrequest=true, and --skip-auth-preflight=false
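The manifest above leaves three `<generate me>` placeholders, and the cookie secret in particular has a format oauth2-proxy is strict about: it is decoded as URL-safe base64 and must yield 16, 24 or 32 raw bytes. The script below is an added example, not code from the page or from the oauth2-proxy or ingress-nginx projects. It generates a 32-byte cookie secret, checks it before use, and renders a Kubernetes Secret so the Deployment can reference the three values with secretKeyRef instead of literal values. The Secret name `oauth2-proxy-credentials` and the key names `client-id`, `client-secret` and `cookie-secret` are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the page or the oauth2-proxy/ingress-nginx projects).
# Secret name and key names below are assumptions, not project conventions.
set -eu

# oauth2-proxy decodes OAUTH2_PROXY_COOKIE_SECRET as URL-safe base64 and
# requires 16, 24 or 32 raw bytes (AES key sizes); 32 bytes gives AES-256.
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n' | tr -- '+/' '-_'
}

# Sanity check before applying: 32 bytes in URL-safe base64 is 43 characters
# plus one "=" pad, only the URL-safe alphabet may appear, and the string
# must round-trip to exactly 32 bytes.
check_cookie_secret() {
  s="$1"
  [ "${#s}" -eq 44 ] || return 1
  case "$s" in
    *[!A-Za-z0-9_=-]*) return 1 ;;
  esac
  n=$(printf '%s' "$s" | tr -- '-_' '+/' | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -eq 32 ]
}

# Render a Secret manifest with stringData so kubectl does the base64 encoding.
# Pipe the output into `kubectl apply -f -`; never commit the rendered file.
render_secret_manifest() {
  name="$1"; client_id="$2"; client_secret="$3"; cookie_secret="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
type: Opaque
stringData:
  client-id: "${client_id}"
  client-secret: "${client_secret}"
  cookie-secret: "${cookie_secret}"
EOF
}

# Usage: OAUTH2_PROXY_CLIENT_ID / OAUTH2_PROXY_CLIENT_SECRET come from the
# GitLab application (Application ID and Secret); the cookie secret is minted.
#   secret=$(gen_cookie_secret)
#   check_cookie_secret "$secret" || { echo "bad cookie secret" >&2; exit 1; }
#   render_secret_manifest oauth2-proxy-credentials "$GITLAB_APP_ID" \
#     "$GITLAB_APP_SECRET" "$secret" | kubectl apply -f -
#
# In the Deployment, each `value: <generate me>` then becomes, for example:
#   valueFrom:
#     secretKeyRef:
#       name: oauth2-proxy-credentials
#       key: cookie-secret
```

The alphabet check matters because `openssl rand -base64` and plain `base64` emit `+` and `/`; oauth2-proxy's URL-safe decode of such a string fails, and it silently falls back to using the 44 ASCII characters as the raw key, which is not a valid AES length.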