Tags: nginx, oauth-2.0, google-kubernetes-engine

GKE Nginx Ingress Controller Oauth2 Proxy redirect


I am trying to add authentication to my cluster by using an oauth2-proxy. I tested it locally and it is working as expected: when I go to the landing page, it redirects me to an IP such as GitHub. After login, I am redirected to my page and everything works as expected. For some odd reason, when porting from local to the cluster living in Google Cloud, I am not getting redirected to GitHub for authentication. I have two ingresses, one for the oauth2-proxy (ingress-oauth2-proxy) and another for all of the apps (ingress-apps). I added the Nginx annotations and still nothing.

Here are the Ingress YAML files used for the creation of the ingress rules:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    acme.cert-manager.io/http01-edit-in-place: "true"
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$escaped_request_uri"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: $/1
  name: ingress-apps
  namespace: default
spec:
  rules:
  - host: echo.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: echo1
          servicePort: 80
  tls:
    - hosts:
      - echo.example.com
      secretName: echo-tls-cert
---

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-oauth2-proxy
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    acme.cert-manager.io/http01-edit-in-place: "true"
    ingress.kubernetes.io/force-ssl-redirect: "true"
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  - host: auth.example.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 4180
        path: /oauth2
  tls:
    - hosts:
      - auth.example.com
      secretName: auth-tls-cert

I checked the logs of the OAuth proxy and when I go to echo.example.com nothing happens. If I make a request to auth.example.com/oauth2 I get redirected, as expected, to the IP login page which is GitHub in this case.

Am I missing something?

Note: I checked and both ingresses are being applied.


Solution

  • OK, I figured it out: the problem was the Ingress controller used. I installed the Nginx controller from the repo helm.nginx.com/stable, which is nginxinc and does not support the annotations. Therefore they were being ignored. To fix it, I just used the kubernetes.github.io/ingress-nginx/deploy/#gce-gke. This is better explained here: Nginx ingress controller authentication not working

    Cheers ! :)
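
Added example (not part of the original question or answer, and not code from either ingress project): a small audit for the fail-open condition described in the solution, where auth-url annotations sit on an Ingress but the installed controller does not read them, so the backend is served without login. It assumes input shaped like `kubectl get ingress -o json`; the image-name heuristics, the TAG placeholders and the sample data are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

PREFIX = "nginx.ingress.kubernetes.io/"  # annotation prefix read by kubernetes/ingress-nginx

def controller_flavour(image):
    """Classify a controller by image repository (heuristic, an assumption of this example)."""
    repo = image.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:
        repo = repo.rsplit(":", 1)[0]  # drop the tag, keep any registry port
    if repo.endswith("ingress-nginx/controller"):
        return "kubernetes/ingress-nginx"
    if repo.endswith(("nginx/nginx-ingress", "nginx/nginx-plus-ingress")):
        return "nginxinc/kubernetes-ingress"
    return "unknown"

def audit(ingress_list, controller_image):
    """Return (ingress name, problem) pairs for auth annotations that will not take effect."""
    flavour = controller_flavour(controller_image)
    items = ingress_list["items"]
    served = {r.get("host") for i in items for r in i["spec"].get("rules", [])}
    findings = []
    for ing in items:
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        if PREFIX + "auth-url" not in ann:
            continue  # no external auth requested on this Ingress
        if flavour != "kubernetes/ingress-nginx":
            findings.append((name, f"controller '{flavour}' is not kubernetes/ingress-nginx; "
                                   f"auth-url is not enforced unless it reads {PREFIX}*"))
        signin_host = urlsplit(ann.get(PREFIX + "auth-signin", "")).hostname
        if signin_host and signin_host not in served:
            findings.append((name, f"auth-signin host {signin_host} is not served by any Ingress"))
    return findings

# Constructed sample in the shape of `kubectl get ingress -o json`, modelled on the question.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "ingress-apps", "annotations": {
     "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.com/oauth2/auth",
     "nginx.ingress.kubernetes.io/auth-signin": "https://auth.example.com/oauth2/start?rd=$escaped_request_uri"}},
   "spec": {"rules": [{"host": "echo.example.com"}]}},
  {"metadata": {"name": "ingress-oauth2-proxy"},
   "spec": {"rules": [{"host": "auth.example.com"}]}}
]}
""")

if __name__ == "__main__":
    for image in ("nginx/nginx-ingress:TAG", "registry.k8s.io/ingress-nginx/controller:TAG"):
        print(image, "->", audit(SAMPLE, image) or "ok")
```

The sign-in host check is only a hint: it flags a hostname that no Ingress in the same listing serves, which also catches a mistyped domain in the annotation.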