- I made the switch to nginx-ingress, but the basics should be the same as Traefik.
- I am using github as OIDC, using google is almost the same. Just remove github-repo and change the provider.
I made a raw copy of my code, so you need to read through it yourself. I'm using Helm in TF with a value-file; not all values below are relevant. Replace with your own domain.
Helm-tf:

```hcl
resource "helm_release" "oauth2_proxy" {
  name       = "oauth2-proxy"
  repository = "https://oauth2-proxy.github.io/manifests"
  chart      = "oauth2-proxy"
  namespace  = <your favorite ns>
  version    = "6.16.1"
  values = [
    "${file("value-files/oauth2-proxy.yaml")}" # these are the values below
  ]
  # secrets are passed with set_sensitive so they never end up in the value-file
  set_sensitive {
    name  = "config.cookieSecret"
    value = random_string.cookie.id
  }
  set_sensitive {
    name  = "config.clientSecret"
    value = <appsecret>
  }
  set_sensitive {
    name  = "config.clientID"
    value = <appid>
  }
}
```
value-file:

```yaml
extraArgs:
  github-repo: <your-repo>
  provider: github
  scope: "user:email"
  skip-provider-button: "false"
  http-address: 0.0.0.0:4180
  reverse-proxy: "true"
  cookie-refresh: 1h
  real-client-ip-header: X-Forwarded-For
  redirect-url: https://auth.<your-domain>.com/oauth2/callback
  whitelist-domain: ".<your-domain>"
  cookie-domain: ".<your-domain>"
  set-authorization-header: "true"
  pass-basic-auth: "true"
  email-domain: "*"
ingress:
  enabled: true
  tls:
    - hosts:
        - auth.<your-domain>
  hosts:
    - auth.<your-domain>
  path: /oauth2
  pathType: Prefix
```
When you have oauth2-proxy up and running, you need to set two annotations on your application ingress for nginx. They're gonna be different for Traefik of course, but the gist of it should be the same:
```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-url: "http://<oauth2 service name>.<namespace where oauth2 proxy is running>.svc.cluster.local/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "https://auth.<your-domain>/oauth2/start?rd=https://$host$request_uri"
```
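The `whitelist-domain: ".<your-domain>"` entry is what lets the `rd=https://$host$request_uri` round trip land back on any app host under your domain while still refusing arbitrary hosts. The following is an added example, not code from this post or from oauth2-proxy itself: a simplified Python approximation of that redirect check, using `example.com` as a constructed stand-in for your domain, so you can see which `rd` targets the leading-dot rule accepts and which it rejects.

```python
from urllib.parse import urlparse

# Constructed stand-in for the value-file setting: a leading dot means
# "this domain and every subdomain of it", which is why any app host
# under the domain is a valid rd= target after login.
WHITELIST_DOMAINS = [".example.com"]


def host_allowed(host: str, allowed: str) -> bool:
    """Match one redirect hostname against one whitelist-domain entry.
    Ports are ignored here; this is an approximation, not the project's code."""
    host = host.lower()
    allowed = allowed.lower()
    if allowed.startswith("."):
        # ".example.com" matches "example.com" itself and "app.example.com",
        # but not "example.com.evil.com" (suffix must start at a dot boundary)
        return host == allowed[1:] or host.endswith(allowed)
    return host == allowed


def is_valid_redirect(rd: str, whitelist=WHITELIST_DOMAINS) -> bool:
    """Approximation of the rule applied to the rd= parameter:
    - relative paths are fine, but protocol-relative ("//evil") and
      backslash ("/\\evil") forms are refused because browsers treat them
      as a different host;
    - absolute URLs must resolve to a whitelisted host;
    - anything else is refused, so the login flow cannot be turned into
      an open redirect to an attacker-controlled site."""
    if rd.startswith("/") and not rd.startswith("//") and not rd.startswith("/\\"):
        return True
    if rd.startswith(("http://", "https://")):
        hostname = urlparse(rd).hostname or ""
        return any(host_allowed(hostname, d) for d in whitelist)
    return False
```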