https://sso.konst.fish is an OAuth2 Proxy which authorizes any member of the shoal-konst-fish GitHub Org.

Architecture

flowchart TD
    A[Web] --> ing(Ingress)
    subgraph OAuth2 Flow
    ing -->|1| sso[sso.konst.fish]
    sso -->|2| gh{{GitHub IdP}}
    gh -->|3| sso
    sso -->|4| ing
    end
    ing -->|5| srv(Service)

Usage

Add the following annotations to an ingress to use the proxy. All requests made to the ingress are secured by the proxy. The headers X-Auth-Request-Email, X-Auth-Request-Groups and X-Auth-Request-User are passed to the application, which can use them to identify the user and assign appropriate access levels.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-behind-auth
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://sso.konst.fish/oauth2/start?rd=$scheme://$host$request_uri
    nginx.ingress.kubernetes.io/auth-url: https://sso.konst.fish/oauth2/auth
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Email,X-Auth-Request-Groups,X-Auth-Request-User
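
An added example (not part of the original page or the project's code) of how an application behind this ingress could turn the three forwarded headers into an access level. The group strings, the level names and the deny-by-default policy are assumptions made for illustration, and the headers are only meaningful on requests that actually arrived through the ingress.

```python
# Added example: map the proxy's identity headers to an access level.
from dataclasses import dataclass

# Assumption: hypothetical group-to-level mapping; group strings are constructed.
GROUP_LEVELS = {
    "shoal-konst-fish:admins": "admin",
    "shoal-konst-fish": "member",
}
LEVEL_ORDER = ["member", "admin"]  # lowest to highest privilege


@dataclass(frozen=True)
class Identity:
    user: str
    email: str
    groups: tuple
    level: str


def identity_from_headers(headers):
    """Build an Identity from X-Auth-Request-* headers, or return None."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    user = h.get("x-auth-request-user", "")
    if not user:
        return None  # no identity forwarded: treat as unauthenticated
    raw = h.get("x-auth-request-groups", "")
    groups = tuple(g.strip() for g in raw.split(",") if g.strip())
    levels = [GROUP_LEVELS[g] for g in groups if g in GROUP_LEVELS]
    if not levels:
        return None  # deny by default when no known group is present
    level = max(levels, key=LEVEL_ORDER.index)  # highest matching level wins
    return Identity(user, h.get("x-auth-request-email", ""), groups, level)


def app(environ, start_response):
    """WSGI app: 403 without a usable identity, else report the access level."""
    # WSGI exposes request headers as HTTP_* keys with underscores.
    headers = {k[5:].replace("_", "-"): v
               for k, v in environ.items() if k.startswith("HTTP_")}
    ident = identity_from_headers(headers)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{ident.user} ({ident.level})\n".encode()]
```

Keep the Service reachable only through the ingress, since a client that can reach the pod directly can set these headers itself.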