Built-in SSO for Thales employees (Oauth2) (Deprecated)

note

We recommend to use the SSO new generation except if you are using a corporate k8saas instance.

Context

k8saas is a Thales service. A significant part of our workloads are dedicated to thales employees. To restrict the accesses we usually use an App Registration in Azure Active Directory. To avoid to many requests to the IT support, k8saas provides a generic App Registration to both identify and authorize Thales Employees to access to the application hosted in k8saas.

Basically, the All in one application publication service feature works like:

here

The flow is:

the user access to the domain
the ingress controller binds the domain with an ingress configuration
the ingress controller provide a valid TLS certificate based on the ingress configuration
then the ingress route the request to the application using a kubernetes service

The Built-in SSO works like:

here

The flow is: For the first request:

the user access to the domain
the ingress controller binds the domain with an ingress configuration
because there is no token, the ingress redirect the user to the oauth 2 proxy
the user now is invited to provide his credentials
then the user is redirect to the real application using OAUTH2_PROXY_UPSTREAM

For the second request:

the user follows the simple stream presented earlier with a validation of the token at any request

The feature is based on dockerhub project

Use case

After GoToDemo Gate, expose an application to user outside the development team without using a VPN

What to do ?

First, ask for the credentials of the App Registration named "k8saas-builtin-sso-thales-employees" on the TrustNest K8SaaS Service catalog. Please provide to the support team the reply_url that need to be configured in the SSO.

Second, here is an example for explanation purpose:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - env:
          - name: OAUTH2_PROXY_PROVIDER
            value: azure
          - name: OAUTH2_PROXY_AZURE_TENANT
            value: <OAUTH2_PROXY_AZURE_TENANT_ID>
          - name: OAUTH2_PROXY_CLIENT_ID
            value: <OAUTH2_PROXY_APP_ID>
          - name: OAUTH2_PROXY_CLIENT_SECRET
            value: <OAUTH2_PROXY_CLIENT_SECRET>
          - name: OAUTH2_PROXY_HTTP_ADDRESS
            value: "0.0.0.0:4180"
          - name: OAUTH2_PROXY_UPSTREAM
            value: "http://<SERVICE_NAME>.<NAMESPACE>.svc.cluster.local"
        image: machinedata/oauth2_proxy:latest
        imagePullPolicy: IfNotPresent
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app: oauth2-proxy
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditLog /dev/stdout
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
spec:
  ingressClassName: nginx
  rules:
    - host: <APP_URL>
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
  - hosts:
    - <APP_URL>
    secretName: oauth2-proxy-tls

Now, update the following variables:

<OAUTH2_PROXY_AZURE_TENANT_ID> by the info provided by the support team
<OAUTH2_PROXY_APP_ID> by the info provided by the support team
<OAUTH2_PROXY_CLIENT_SECRET> by the info provided by the support team
<SERVICE_NAME> must be replaced by the name of the kubernetes services bind to your application

$ kubectl get services -n <NAMESPACE>

<NAMESPACE> must be replaced by the namespace where the service is deployed
<APP_URL> the same URL has the default ingress of your application

Then, apply this file in your namespace

$ kubectl apply -f oauth2-proxy-kubernetes.yml -n <NAMESPACE>

Once done, you should add the following 2 lines in the default ingress configuration, section metadata.annotations:

nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"

Redeploy it, you should be able to use the generic thales sso, try to access to your URL !

here

HOWTO

Use internal ingress rather than the public one ?

Update the ingress class of both ingresses. Here is the field to set:

spec:
  ingressClassName: nginx

TROUBLESHOOTING

Unable to protect 2 different applications in the same namespace using this mechanism !

The configuration in example does not work for multiple application, because of the OAUTH2_PROXY_UPSTREAM settings. To put this mechanism in place, we recommend to adapt the naming convention using the name of the application everywhere.

For example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy-app1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy-app1
  template:
    metadata:
      labels:
        app: oauth2-proxy-app1
    spec:
      containers:
      - env:
          - name: OAUTH2_PROXY_PROVIDER
            value: azure
          - name: OAUTH2_PROXY_AZURE_TENANT
            value: <OAUTH2_PROXY_AZURE_TENANT_ID>
          - name: OAUTH2_PROXY_CLIENT_ID
            value: <OAUTH2_PROXY_APP_ID>
          - name: OAUTH2_PROXY_CLIENT_SECRET
            value: <OAUTH2_PROXY_CLIENT_SECRET>
          - name: OAUTH2_PROXY_HTTP_ADDRESS
            value: "0.0.0.0:4180"
          - name: OAUTH2_PROXY_UPSTREAM
            value: "http://<SERVICE_NAME>.<NAMESPACE>.svc.cluster.local"
        image: machinedata/oauth2_proxy:latest
        imagePullPolicy: IfNotPresent
        name: oauth2-proxy-app1
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy-app1
  name: oauth2-proxy-app1
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app: oauth2-proxy-app1
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy-app1
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditLog /dev/stdout
      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
spec:
  ingressClassName: nginx
  rules:
    - host: <APP_URL>
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy-app1
                port:
                  number: 4180
  tls:
  - hosts:
    - <APP_URL>
    secretName: oauth2-proxy-app1-tls

Next step

Use your own app registration ! Ask the IT Team to do so using the TrustNest Support Platforms
Look at the SSO new generation easier to configure !

Built-in SSO for Thales employees (Oauth2) (Deprecated)

note

Context​

Use case​

What to do ?​

HOWTO​

Use internal ingress rather than the public one ?​

TROUBLESHOOTING​

Unable to protect 2 different applications in the same namespace using this mechanism !​

Next step​

Context

Use case

What to do ?

HOWTO

Use internal ingress rather than the public one ?

TROUBLESHOOTING

Unable to protect 2 different applications in the same namespace using this mechanism !

Next step