OAuth2 Proxy

  • Commercial Systems
Channel        Revision  Published    Runs on
latest/stable  3         23 Jul 2024  Ubuntu 22.04
latest/edge    4         26 Aug 2024  Ubuntu 22.04
juju deploy oauth2-proxy-k8s --channel edge

OAuth2 Proxy K8s Operator

This is the Kubernetes Python Operator for the OAuth2 proxy.

Description

OAuth2 Proxy is a reverse proxy and static file server that authenticates users through providers like Google and GitHub, allowing validation by email, domain, or group.

This operator provides the OAuth2 proxy, and consists of Python scripts which wrap the versions distributed by OAuth2 proxy.

Usage

The OAuth2 Proxy charm can be used to enable authentication for charmed and non-charmed applications, by providing the oauth2 configuration to the charm, and setting the upstream config value to the name of your application’s k8s service. For charmed applications, this is the name of the deployed application.

Enable TLS

To enable TLS connections, you must have a TLS certificate stored as a k8s secret (default name is “oauth2-proxy-tls”). The secret name can be configured using the tls-secret-name config property in the charm. A self-signed certificate for development purposes can be created as follows:

# Generate private key
openssl genrsa -out server.key 2048

# Generate a certificate signing request
openssl req -new -key server.key -out server.csr -subj "/CN=oauth2-proxy-k8s"

# Create self-signed certificate
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile <(printf "subjectAltName=DNS:oauth2-proxy-k8s")

# Create a k8s secret
kubectl -n <model-name> create secret tls oauth2-proxy-tls --cert=server.crt --key=server.key
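
A pre-flight check for the certificate and key generated above, worth running before the secret is created. This is an added example, not part of the charm or its documentation; it assumes OpenSSL 1.1.1 or newer, and check_tls_pair is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: verify a certificate/key pair before storing it in the
# oauth2-proxy-tls secret. Assumes OpenSSL 1.1.1 or newer.
# check_tls_pair is a hypothetical helper name, not part of the charm.

# Usage: check_tls_pair <cert.pem> <key.pem> <hostname> [min_days_valid]
check_tls_pair() {
    cert=$1; key=$2; host=$3; min_days=${4:-0}

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi

    # 2. The hostname must be a DNS entry in subjectAltName; clients that
    #    ignore the CN will otherwise reject the certificate.
    if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
            tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$host"; then
        echo "FAIL: $host is not in the subjectAltName of $cert" >&2; return 1
    fi

    # 3. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days day(s)" >&2; return 1
    fi

    echo "OK: $cert and $key are consistent for $host"
}

# Run the check when file arguments are given, e.g.:
#   sh check-tls.sh server.crt server.key oauth2-proxy-k8s 30
if [ "$#" -ge 3 ]; then
    check_tls_pair "$@"
fi
```

The function returns non-zero on the first failed check, so it can gate the kubectl create secret step in a script.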

Deploy

To deploy Charmed OAuth2 Proxy, you need to run the following commands, which will enable ingress in your microk8s, fetch the charm from Charmhub and deploy it to your model:

# Deploy ingress controller.
sudo microk8s enable ingress:default-ssl-certificate=<model-name>/oauth2-proxy-tls

# Deploy charms
juju deploy oauth2-proxy-k8s --channel edge
juju deploy nginx-ingress-integrator --channel edge --revision 103 --trust

# Set the necessary config
juju config oauth2-proxy-k8s \
                upstream=<requirer_application_name> \
                client-id=<client_id> \
                client-secret=<client_secret> \
                cookie-secret=<cookie_secret>

# Relate the charms
juju relate oauth2-proxy-k8s nginx-ingress-integrator

Verify Ingress Resource

To verify the ingress resources were correctly created, you can run the following command:

kubectl describe ingress -n <model-name>

Connect Ingress

Once deployed and related, find the IP of the ingress controller by running the following command:

kubectl get pods -n ingress -o wide

You should see something similar to the following output:

NAME                                      READY   STATUS    RESTARTS          AGE    IP           NODE      NOMINATED NODE   READINESS GATES
nginx-ingress-microk8s-controller-mfmtx   1/1     Running   512 (3h15m ago)   145d   10.1.232.8   ubuntu   <none>           <none>

Take note of the ingress controller IP address and add the IP-to-hostname mapping in your /etc/hosts file as follows:

sudo nano /etc/hosts

# Add the following entries
10.1.232.8     oauth2-proxy-k8s

By default, the hostname will be set to the application name oauth2-proxy-k8s. You should now be able to access your application at this address.

Verifying

To verify that the setup is running correctly, run juju status --relations --watch 2s and ensure that all pods are active and the required integrations exist.

Contributing

This charm is still in active development. Please see the Juju SDK docs for guidelines on enhancements to this charm following best practice guidelines, and CONTRIBUTING.md for developer guidance.

License

The Charmed OAuth2 Proxy K8s Operator is free software, distributed under the Apache Software License, version 2.0. See License for more details.
