nginx: annotations: authrequest: support "signin url"

[colemickens]

I finally got around to trying to put together an OAuth2/OIDC reverse proxy using nginx-ingress-controller and CoreOS's fork of bitly's oauth2_proxy. Initial support for thi scenario was added as a result of this issue: kubernetes-retired/contrib#1492

I had to do a couple things to get it to work:

1. Build nginx-ingress-controller myself since it has not been published in quite a long time.

2. Downgrade to a version of nginx-slim that is actually published (kind of weird)...

3. Add a new annotation for auth-signin that tells nginx where to send 401s to.

4. Add a couple extra X-* headers for things being reverse-proxied that expect them.

As a bonus:

1. Parameterize DOCKER in the Makefile similar to PREFIX and RELEASE for those of us building and pushing to non-GCR repositories.

2. Pulled out the URL parsing logic from the authrequest plugin to the parser since it seems to already hold util-type helpers.

cc: @aledbf

[k8s-reviewable]

This change is 

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling a4429c7 on colemickens:colemickens-signin-url into 910b706 on kubernetes:master.

[bprashanth]

Please add an example of how to use this here: https://github.com/kubernetes/ingress/tree/master/examples (even if it's not part of a released image yet, please say that in the example and we can update it once 0.9.0 is out)

[pieterlange]

nginx-slim:0.13 is published now.

[colemickens]

Ack. I've switched back to 0.13 now.

[colemickens]

Where am I meant to add an example? It seems like all of the nginx annotation examples got left over and forgotten in contrib/.

I can just move over the authrequest example and add a single line to show this attribute, is that what is desired? I would've assumed y'all would've moved the examples over already.

[colemickens]

Rebased. Still seeking clarification about where/how to add the example.

[bprashanth]

I can just move over the authrequest example and add a single line to show this attribute, is that what is desired? I would've assumed y'all would've moved the examples over already.

Yes, please create a directory in examples (https://github.com/kubernetes/ingress/tree/master/examples) called auth, and write a README file describing how to use it, kind of like how we describe tls-termination (https://github.com/kubernetes/ingress/tree/master/examples/tls-termination)

[bprashanth]

I already added a section for auth in the example overview, just needs filling in: https://github.com/kubernetes/ingress/tree/master/examples#auth

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling b9d0878 on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[aledbf]

Please change $scheme to $pass_access_scheme

[aledbf]

Same here. Please change $scheme to $pass_access_scheme

[colemickens]

Updated:

• fixed the headers, per @aledbf.
• added an example, per @bprashanth

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling 84003c4a381f1aa9cf410122ae78b3db3cb64ded on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[colemickens]

Can I relax the URL check? I want to make the auth_request a relative url, but I can't because of how the auth_request is handled -> proxy_pass. proxy_pass seems to require an absolute URL.

I want to make the annotation values $scheme$host:$serverport/oauth2/{callback,signin}, but I can't because of the URL checks.

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling 7240359066e70a75c7436689deedeb41d41b3129 on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling 7240359066e70a75c7436689deedeb41d41b3129 on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling 7240359066e70a75c7436689deedeb41d41b3129 on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling 7240359066e70a75c7436689deedeb41d41b3129 on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[coveralls]

Coverage decreased (-0.3%) to 43.92% when pulling f0709cb54bb5a07cc9cb0be5687a203f6460d47c on colemickens:colemickens-signin-url into b9d272a on kubernetes:master.

[colemickens]

Really hoping to get back to this tomorrow. For when I do...

Is the oauth2_proxy overkill for an example here? I'm not sure how to demonstrate the annotation otherwise to be frank, and I think it might be a popular configuration as people want to get to the kubernetes-dashboard more easily.

I plan to add a simple chunk in one of the READMEs for deploying nginx-ingress-controller which could be linked to from the oauth2_proxy example I've written here. That would effectively make it a nice one-stop shop for setting up nginx-ingress-controller and oauth2_proxy and protecting kubernetes-dashboard. Might be out of scope for this repo though, so I wanted to ask.

[aledbf]

Is the oauth2_proxy overkill for an example here?

I think is a good example showing how to integrate an oauth2 app

[yawboateng]

Thanks for this PR, works very well with coreOS's dex.

question:
what is the right way to configure this to work with multiple host names?

I have 1 Ingress object that handles authentication - points to an oauth2 client that sits in front of dex at foo.bar.com/auth/oauth2 ...and I have another ingress object pointing to some application foo.bar.com/home
authentication and redirection works fine with the above.

But I keep getting 499 error codes when i try to add other ingress objects at like bar.foo.com or echo.bar.com that uses the annotation of the auth object at foo.bar.com/auth/oauth2 to check for authentication status.

do I need to deploy a separate auth ingress object for each host name i want to authenticate?

[aledbf]

@colemickens ping

[colemickens]

I think it's nearly ready to go... except that 0.9.0-beta.2 seems to have a regression. Even the auth_request that was added months ago doesn't seem to be working. And then when I was on master, I couldn't even get external connections to work. Since 0.9.0-beta.2 auth_request seems broken, it seems there's a regression unrelated to this PR. I don't have BW to dig in a lot more.

Other than that, this is ready to go. The README doesn't go into extensive detail on each individual step, but the shell script is short and it's easy enough to figure out what it's doing.

I tested with the helm path suggested in the README and then editted the nginx-ingress deployment to fix the flags and then pointed at an image I'd built a couple weeks ago... due to the aforementioned issues. I used the config examples that are in there, for Azure. But I've also used it with GitHub and anything in oauth2_proxy should work presumably.

[colemickens]

I can say it was between these commits at least, based on the Dockerfile in a working container I have on Docker hub from a couple weeks ago. 08eda50#diff-ce0eea6892ca5cae9d5b726f52b659ba and 2d0971d#diff-ce0eea6892ca5cae9d5b726f52b659ba

[aledbf]

Closing. Replaced by #410