https://sso.konst.fish is an OAuth2 Proxy which authorizes any member of the shoal-konst-fish GitHub Org.
Architecture
flowchart TD
A[Web] --> ing(Ingress)
subgraph OAuth2 Flow
ing -->|1| sso[sso.konst.fish]
sso -->|2| gh{{GitHub IdP}}
gh -->|3| sso
sso -->|4| ing
end
ing -->|5| srv(Service)
Usage
Add the following annotations to an ingress to use the proxy. All request made to the ingress will be secured by the proxy. The headers X-Auth-Request-Email, X-Auth-Request-Groups & X-Auth-Request-User are passed to the application, which can be used to identify and assign appropriate access levels to the user.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-behind-auth
annotations:
nginx.ingress.kubernetes.io/auth-signin: https://sso.konst.fish/oauth2/start?rd=$scheme://$host$request_uri
nginx.ingress.kubernetes.io/auth-url: https://sso.konst.fish/oauth2/auth
nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Email,X-Auth-Request-Groups,X-Auth-Request-User