DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deploy GitHub Pages

Browse source
This commit is contained in:
Travis Bot 2020-02-09 23:53:05 +00:00
parent ec2af1dbc3
commit 006cda8fee
62 changed files with 1885 additions and 1843 deletions
Download patch file Download diff file Expand all files Collapse all files

49
examples/auth/basic/index.html
View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#basic-authentication" tabindex="1" class="md-skip">
<a href="#basic-authentication" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1151,20 +1151,20 @@
<h1 id="basic-authentication">Basic Authentication<a class="headerlink" href="#basic-authentication" title="Permanent link"></a></h1>
<p>This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with <code class="codehilite">htpasswd</code>.
It's important the file generated is named <code class="codehilite">auth</code> (actually - that the secret has a key <code class="codehilite">data.auth</code>), otherwise the ingress-controller returns a 503.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> htpasswd -c auth foo
<p>This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with <code class="codehilite"><span class="err">htpasswd</span></code>.
It's important the file generated is named <code class="codehilite"><span class="err">auth</span></code> (actually - that the secret has a key <code class="codehilite"><span class="err">data.auth</span></code>), otherwise the ingress-controller returns a 503.</p>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> htpasswd -c auth foo
<span class="go">New password: &lt;bar&gt;</span>
<span class="go">New password:</span>
<span class="go">Re-type new password:</span>
<span class="go">Adding password for user foo</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl create secret generic basic-auth --from-file<span class="o">=</span>auth
<span class="go">secret &quot;basic-auth&quot; created</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl get secret basic-auth -o yaml
<span class="go">apiVersion: v1</span>
<span class="go">data:</span>
<span class="go"> auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK</span>
@ -1173,9 +1173,9 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> name: basic-auth</span>
<span class="go"> namespace: default</span>
<span class="go">type: Opaque</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span><span class="go">echo &quot;</span>
<div class="codehilite"><pre><span></span><code><span class="go">echo &quot;</span>
<span class="go">apiVersion: networking.k8s.io/v1beta1</span>
<span class="go">kind: Ingress</span>
<span class="go">metadata:</span>
@ -1197,9 +1197,9 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="go"> serviceName: http-svc</span>
<span class="go"> servicePort: 80</span>
<span class="go">&quot; | kubectl create -f -</span>
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
<div class="codehilite"><pre><span></span><code>$ curl -v http://10.2.29.4/ -H &#39;Host: foo.bar.com&#39;
* Trying 10.2.29.4...
* Connected to 10.2.29.4 (10.2.29.4) port 80 (#0)
&gt; GET / HTTP/1.1
@ -1223,9 +1223,9 @@ It's important the file generated is named <code class="codehilite">auth</code>
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 10.2.29.4 left intact
</pre></div>
</code></pre></div>
<div class="codehilite"><pre><span></span>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
<div class="codehilite"><pre><span></span><code>$ curl -v http://10.2.29.4/ -H <span class="s1">&#39;Host: foo.bar.com&#39;</span> -u <span class="s1">&#39;foo:bar&#39;</span>
* Trying <span class="m">10</span>.2.29.4...
* Connected to <span class="m">10</span>.2.29.4 <span class="o">(</span><span class="m">10</span>.2.29.4<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
* Server auth using Basic with user <span class="s1">&#39;foo&#39;</span>
@ -1268,10 +1268,11 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.29.1
BODY:
* Connection <span class="c1">#0 to host 10.2.29.4 left intact</span>
-no body in request-
</pre></div>
</code></pre></div>
@ -1326,9 +1327,9 @@ BODY:
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1338,7 +1339,7 @@ BODY:
</div>
<script src="../../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../../.."}})</script>

41
examples/auth/client-certs/index.html
View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#client-certificate-authentication" tabindex="1" class="md-skip">
<a href="#client-certificate-authentication" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1219,12 +1219,12 @@ Before getting started you must have the following Certificates Setup:</p>
</ol>
<p>For more details on the generation process, checkout the Prerequisite <a href="../../PREREQUISITES/#client-certificate-authentication">docs</a>.</p>
<p>You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:</p>
<div class="codehilite"><pre><span></span>openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
<div class="codehilite"><pre><span></span><code>openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</code></pre></div>
<p>Then, you can concatenate them all in only one file, named 'ca.crt' as the following:</p>
<div class="codehilite"><pre><span></span>cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
<div class="codehilite"><pre><span></span><code>cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</code></pre></div>
<p><strong>Note:</strong> Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
for each certificate generated. Otherwise you will receive an error.</p>
@ -1235,23 +1235,23 @@ Authentication to work properly.</p>
<li>
<p>You can create a secret containing just the CA certificate and another
Secret containing the Server Certificate which is Signed by the CA.</p>
<div class="codehilite"><pre><span></span>kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
<div class="codehilite"><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key
</pre></div>
</code></pre></div>
</li>
<li>
<p>You can create a secret containing CA certificate along with the Server
Certificate, that can be used for both TLS and Client Auth.</p>
<div class="codehilite"><pre><span></span>kubectl create secret generic ca-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
</pre></div>
<div class="codehilite"><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
</code></pre></div>
</li>
<li>
<p>If you want to also enable Certificate Revocation List verification you can
create the secret also containing the CRL file in PEM format:
<div class="codehilite"><pre><span></span>kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt --from-file<span class="o">=</span>ca.crl<span class="o">=</span>ca.crl
</pre></div></p>
<div class="codehilite"><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt --from-file<span class="o">=</span>ca.crl<span class="o">=</span>ca.crl
</code></pre></div></p>
</li>
</ol>
<p>Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.</p>
@ -1264,6 +1264,7 @@ kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.
@ -1318,9 +1319,9 @@ kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1330,7 +1331,7 @@ kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.
</div>
<script src="../../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../../.."}})</script>

39
examples/auth/external-auth/index.html
View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#external-basic-authentication" tabindex="1" class="md-skip">
<a href="#external-basic-authentication" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1197,8 +1197,8 @@
<h1 id="external-basic-authentication">External Basic Authentication<a class="headerlink" href="#external-basic-authentication" title="Permanent link"></a></h1>
<h3 id="example-1">Example 1:<a class="headerlink" href="#example-1" title="Permanent link"></a></h3>
<p>Use an external service (Basic Auth) located in <code class="codehilite">https://httpbin.org</code></p>
<div class="codehilite"><pre><span></span>$ kubectl create -f ingress.yaml
<p>Use an external service (Basic Auth) located in <code class="codehilite"><span class="c">https://httpbin.org</span></code></p>
<div class="codehilite"><pre><span></span><code>$ kubectl create -f ingress.yaml
ingress <span class="s2">&quot;external-auth&quot;</span> created
$ kubectl get ing external-auth
@ -1232,10 +1232,10 @@ status:
ingress:
- ip: <span class="m">172</span>.17.4.99
$
</pre></div>
</code></pre></div>
<p>Test 1: no username/password (expect code 401)</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span>
<span class="go">* Rebuilt URL to: http://172.17.4.99/</span>
<span class="go">* Trying 172.17.4.99...</span>
<span class="go">* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)</span>
@ -1260,10 +1260,10 @@ $
<span class="go">&lt;/body&gt;</span>
<span class="go">&lt;/html&gt;</span>
<span class="go">* Connection #0 to host 172.17.4.99 left intact</span>
</pre></div>
</code></pre></div>
<p>Test 2: valid username/password (expect code 200)
<div class="codehilite"><pre><span></span>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
<div class="codehilite"><pre><span></span><code>$ curl -k http://172.17.4.99 -v -H <span class="s1">&#39;Host: external-auth-01.sample.com&#39;</span> -u <span class="s1">&#39;user:passwd&#39;</span>
* Rebuilt URL to: http://172.17.4.99/
* Trying <span class="m">172</span>.17.4.99...
* Connected to <span class="m">172</span>.17.4.99 <span class="o">(</span><span class="m">172</span>.17.4.99<span class="o">)</span> port <span class="m">80</span> <span class="o">(</span><span class="c1">#0)</span>
@ -1306,9 +1306,9 @@ x-real-ip<span class="o">=</span><span class="m">10</span>.2.60.1
BODY:
* Connection <span class="c1">#0 to host 172.17.4.99 left intact</span>
-no body in request-
</pre></div></p>
</code></pre></div></p>
<p>Test 3: invalid username/password (expect code 401)
<div class="codehilite"><pre><span></span>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
<div class="codehilite"><pre><span></span><code>curl -k http://172.17.4.99 -v -H &#39;Host: external-auth-01.sample.com&#39; -u &#39;user:user&#39;
* Rebuilt URL to: http://172.17.4.99/
* Trying 172.17.4.99...
* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
@ -1336,10 +1336,11 @@ BODY:
<span class="nt">&lt;/body&gt;</span>
<span class="nt">&lt;/html&gt;</span>
* Connection #0 to host 172.17.4.99 left intact
</pre></div></p>
</code></pre></div></p>
@ -1394,9 +1395,9 @@ BODY:
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1406,7 +1407,7 @@ BODY:
</div>
<script src="../../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../../.."}})</script>

53
examples/auth/oauth-external-auth/index.html
View file

@ -34,7 +34,7 @@
<meta name="lang:search.tokenizer" content="[\s\-]+">
<link rel="shortcut icon" href="../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.4.3">
<meta name="generator" content="mkdocs-1.0.4, mkdocs-material-4.6.2">
@ -42,7 +42,7 @@
<link rel="stylesheet" href="../../../assets/stylesheets/application.30686662.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application.adb8469c.css">
<link rel="stylesheet" href="../../../assets/stylesheets/application-palette.a8b3c06d.css">
@ -53,12 +53,12 @@
<script src="../../../assets/javascripts/modernizr.74668098.js"></script>
<script src="../../../assets/javascripts/modernizr.86422ebf.js"></script>
<link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700|Roboto+Mono&display=fallback">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback">
<style>body,input{font-family:"Roboto","Helvetica Neue",Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono","Courier New",Courier,monospace}</style>
@ -114,7 +114,7 @@
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
<a href="#external-oauth-authentication" tabindex="1" class="md-skip">
<a href="#external-oauth-authentication" tabindex="0" class="md-skip">
Skip to content
</a>
@ -123,7 +123,7 @@
<nav class="md-header-nav md-grid">
<div class="md-flex">
<div class="md-flex__cell md-flex__cell--shrink">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<a href="https://kubernetes.github.io/ingress-nginx" title="NGINX Ingress Controller" aria-label="NGINX Ingress Controller" class="md-header-nav__button md-logo">
<i class="md-icon">public</i>
@ -154,7 +154,7 @@
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<input type="text" class="md-search__input" aria-label="search" name="query" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="query" data-md-state="active">
<label class="md-icon md-search__icon" for="__search"></label>
<button type="reset" class="md-icon md-search__icon" data-md-component="reset" tabindex="-1">
&#xE5CD;
@ -1251,45 +1251,45 @@
<h1 id="external-oauth-authentication">External OAUTH Authentication<a class="headerlink" href="#external-oauth-authentication" title="Permanent link"></a></h1>
<h3 id="overview">Overview<a class="headerlink" href="#overview" title="Permanent link"></a></h3>
<p>The <code class="codehilite">auth-url</code> and <code class="codehilite">auth-signin</code> annotations allow you to use an external
<p>The <code class="codehilite"><span class="err">auth-url</span></code> and <code class="codehilite"><span class="err">auth-signin</span></code> annotations allow you to use an external
authentication provider to protect your Ingress resources.</p>
<div class="admonition important">
<p class="admonition-title">Important</p>
<p>This annotation requires <code class="codehilite">nginx-ingress-controller v0.9.0</code> or greater.)</p>
<p>This annotation requires <code class="codehilite"><span class="err">nginx-ingress-controller v0.9.0</span></code> or greater.)</p>
</div>
<h3 id="key-detail">Key Detail<a class="headerlink" href="#key-detail" title="Permanent link"></a></h3>
<p>This functionality is enabled by deploying multiple Ingress objects for a single host.
One Ingress object has no special annotations and handles authentication.</p>
<p>Other Ingress objects can then be annotated in such a way that require the user to
authenticate against the first Ingress's endpoint, and can redirect <code class="codehilite">401</code>s to the
authenticate against the first Ingress's endpoint, and can redirect <code class="codehilite"><span class="err">401</span></code>s to the
same endpoint.</p>
<p>Sample:</p>
<div class="codehilite"><pre><span></span><span class="nn">...</span>
<div class="codehilite"><pre><span></span><code><span class="nn">...</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="nt">annotations</span><span class="p">:</span>
<span class="nt">nginx.ingress.kubernetes.io/auth-url</span><span class="p">:</span> <span class="s">&quot;https://$host/oauth2/auth&quot;</span>
<span class="nt">nginx.ingress.kubernetes.io/auth-signin</span><span class="p">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nn">...</span>
</pre></div>
</code></pre></div>
<h3 id="example-oauth2-proxy-kubernetes-dashboard">Example: OAuth2 Proxy + Kubernetes-Dashboard<a class="headerlink" href="#example-oauth2-proxy-kubernetes-dashboard" title="Permanent link"></a></h3>
<p>This example will show you how to deploy <a href="https://github.com/pusher/oauth2_proxy"><code class="codehilite">oauth2_proxy</code></a>
<p>This example will show you how to deploy <a href="https://github.com/pusher/oauth2_proxy"><code class="codehilite"><span class="err">oauth2_proxy</span></code></a>
into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using github as oAuth2 provider</p>
<h4 id="prepare">Prepare<a class="headerlink" href="#prepare" title="Permanent link"></a></h4>
<ol>
<li>Install the kubernetes dashboard</li>
</ol>
<div class="codehilite"><pre><span></span><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml</span>
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="go">kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml</span>
</code></pre></div>
<ol>
<li>Create a <a href="https://github.com/settings/applications/new">custom Github OAuth application</a></li>
</ol>
<p><img alt="Register OAuth2 Application" src="images/register-oauth-app.png" /></p>
<ul>
<li>Homepage URL is the FQDN in the Ingress rule, like <code class="codehilite">https://foo.bar.com</code></li>
<li>Authorization callback URL is the same as the base FQDN plus <code class="codehilite">/oauth2</code>, like <code class="codehilite">https://foo.bar.com/oauth2</code></li>
<li>Homepage URL is the FQDN in the Ingress rule, like <code class="codehilite"><span class="c">https://foo.bar.com</span></code></li>
<li>Authorization callback URL is the same as the base FQDN plus <code class="codehilite"><span class="err">/oauth2</span></code>, like <code class="codehilite"><span class="c">https://foo.bar.com/oauth2</span></code></li>
</ul>
<p><img alt="Register OAuth2 Application" src="images/register-oauth-app-2.png" /></p>
<ol>
@ -1297,9 +1297,9 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<p>Configure oauth2_proxy values in the file oauth2-proxy.yaml with the values:</p>
</li>
<li>
<p>OAUTH2_PROXY_CLIENT_ID with the github <code class="codehilite">&lt;Client ID&gt;</code></p>
<p>OAUTH2_PROXY_CLIENT_ID with the github <code class="codehilite"><span class="err">&lt;Client ID&gt;</span></code></p>
</li>
<li>OAUTH2_PROXY_CLIENT_SECRET with the github <code class="codehilite">&lt;Client Secret&gt;</code></li>
<li>OAUTH2_PROXY_CLIENT_SECRET with the github <code class="codehilite"><span class="err">&lt;Client Secret&gt;</span></code></li>
<li>
<p>OAUTH2_PROXY_COOKIE_SECRET with value of <code class="codehilite"><span class="n">python</span> <span class="o">-</span><span class="n">c</span> <span class="s1">&#39;import os,base64; print(base64.b64encode(os.urandom(16)).decode(&quot;ascii&quot;))&#39;</span></code></p>
</li>
@ -1307,20 +1307,21 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<p>Customize the contents of the file dashboard-ingress.yaml:</p>
</li>
</ol>
<p>Replace <code class="codehilite">__INGRESS_HOST__</code> with a valid FQDN and <code class="codehilite">__INGRESS_SECRET__</code> with a Secret with a valid SSL certificate.</p>
<p>Replace <code class="codehilite"><span class="err">__INGRESS_HOST__</span></code> with a valid FQDN and <code class="codehilite"><span class="err">__INGRESS_SECRET__</span></code> with a Secret with a valid SSL certificate.</p>
<ol>
<li>Deploy the oauth2 proxy and the ingress rules running:</li>
</ol>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</pre></div>
<div class="codehilite"><pre><span></span><code><span class="gp">$</span> kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml
</code></pre></div>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite">https://foo.bar.com</code></p>
<p>Test the oauth integration accessing the configured URL, like <code class="codehilite"><span class="c">https://foo.bar.com</span></code></p>
<p><img alt="Register OAuth2 Application" src="images/github-auth.png" /></p>
<p><img alt="Github authentication" src="images/oauth-login.png" /></p>
<p><img alt="Kubernetes dashboard" src="images/dashboard.png" /></p>
@ -1375,9 +1376,9 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
<div class="md-footer-copyright">
powered by
<a href="https://www.mkdocs.org">MkDocs</a>
<a href="https://www.mkdocs.org" target="_blank" rel="noopener">MkDocs</a>
and
<a href="https://squidfunk.github.io/mkdocs-material/">
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs</a>
</div>
@ -1387,7 +1388,7 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using g
</div>
<script src="../../../assets/javascripts/application.ac79c3b0.js"></script>
<script src="../../../assets/javascripts/application.c33a9706.js"></script>
<script>app.initialize({version:"1.0.4",url:{base:"../../.."}})</script>