December 19, 2022
Kubernetes has become ubiquitous when deploying distributed applications in the Cloud, especially when it comes to highly performant enterprise infrastructures.
An example of such applications that fit very well in a k8s infrastructure are web apps that use the microservice architecture.
There are many concerns that need to be addressed when developing microservices and one of them is Authentication.
Next we are going to talk about a way to set up authentication for a microservice-enabled web app, using an Nginx ingress and an oauth proxy inside a k8s cluster.
To be able to follow along, please review the first part of this article for a quick intro into Kubernetes and some basic concepts around it.
Managing authentication can be complex – you need to create an authentication service, manage users, and deal with security issues. This can be prone to errors, as bugs may appear in every system. But having a bug as important as authentication can lead to security breaches.
So instead of reinventing the wheel we encourage you to rely on authentication processes which have already proven their value. You can use OAuth providers to handle the user authentication and your services can receive a redirect containing a token. You would still have to validate the token (issuer, signature, expiration etc.).
But you may not want to set up the same configuration for each new service and UI that you want to add. This is where Oauth2-proxy comes in. You may set it up as a gateway in front of all your services. All requests will pass through it. If the request lacks authentication, Oauth2-proxy will perform the authentication flow with the Oauth provider. At the end of the authentication flow, OAuth2-proxy will have stored the authentication details into a cookie. Then the request is forwarded to the destination service, containing authentication details.
Here is how:
– Create a deployment of oauth2-proxy in your cluster.
– Configure oauth2-proxy with the details of your Oauth provider.
– Set up an ingress for a path in your domain which will direct the requests to oauth2-proxy
– Each of your services defines ingresses with external authentication headers pointing to the Oauth2-proxy path defined previously.
– In the service ingress you can also add custom headers to the requests. The same headers must be configured in the Oauth2-proxy deployment: nginx.ingress.kubernetes.io/auth-response-headers: “X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Groups, X-Auth-Request-Access-Token”
Kubernetes applications need an authentication layer. It is advisable to rely on existing professional tools for authentication rather than implementing your own authentication methods.
OAuth2Proxy is an easy-to-use solution for the authentication needs of your microservices. You can configure it with multiple OAuth providers and it can act as an authentication gateway.
We’d love to hear about your plans for transformation.
Use the form below to send us a message, and we will get back to you within 24 hours.
New Broad Street House, 35 New Broad Street, London, EC2M 1NH
4D Gara Herastrau Street, 2nd Floor
Building C, 020334
+40 31 425 19 08
30 Stirbei Voda Blvd,
Malmo Business Center, 200423
+40 35 142 36 80