How to Protect Private Kubernetes Services Behind a GitHub Login with oauth2_proxy

news/2024/7/3 6:17:01

Introduction

Kubernetes ingresses make it easy to expose web services to the internet. When it comes to private services, however, you will likely want to limit who can access them. oauth2_proxy can serve as a barrier between the public internet and private services. oauth2_proxy is a reverse proxy and server that provides authentication using different providers, such as GitHub, and validates users by their email address or other properties.

In this tutorial you’ll use oauth2_proxy with GitHub to protect your services. When you’re done, you will have an authorization system that looks like the one in the following diagram:

Prerequisites

To complete this tutorial, you’ll need:

  • A Kubernetes cluster with two web services running with an Nginx ingress and Let’s Encrypt. This tutorial builds on How to Set Up an Nginx Ingress with Cert-Manager on DigitalOcean Kubernetes. Be sure to follow it to the very end in order to complete this tutorial.

  • A GitHub account.

  • Python installed on your local machine. If you do not have it installed, follow the installation instructions for your operating system.

Step 1 — Configuring Your Domains

After following the tutorial linked in the Prerequisites section, you will have two web services running on your cluster: echo1 and echo2. You will also have one ingress that maps echo1.your_domain and echo2.your_domain to their corresponding services.

In this tutorial, we will use the following conventions:

  • All private services will fall under the .int.your_domain subdomain, like service.int.your_domain. Grouping private services under one subdomain is ideal because the authentication cookie will be shared across all *.int.your_domain subdomains.

  • The login portal will be served on auth.int.your_domain.

Note: Be sure to replace your_domain with your own domain name wherever it appears in this tutorial.

To start, update the existing ingress definition to move the echo1 and echo2 services under .int.your_domain. Open echo_ingress.yaml in your text editor so you can change the domains:

  • nano echo_ingress.yaml

Rename all instances of echo1.your_domain to echo1.int.your_domain, and replace all instances of echo2.your_domain with echo2.int.your_domain:

echo_ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echo-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
spec:
  tls:
  - hosts:
    - echo1.int.your_domain
    - echo2.int.your_domain
    secretName: letsencrypt-prod
  rules:
  - host: echo1.int.your_domain
    http:
      paths:
      - backend:
          serviceName: echo1
          servicePort: 80
  - host: echo2.int.your_domain
    http:
      paths:
      - backend:
          serviceName: echo2
          servicePort: 80

Save the file and apply the changes:

  • kubectl apply -f echo_ingress.yaml

This will update the TLS certificates for your echo1 and echo2 services as well.

Now update your DNS configuration to reflect the changes you made. First, look up the IP address of your Nginx ingress by running the following command to print its details:

  • kubectl get svc --namespace=ingress-nginx

You will see the IP address under EXTERNAL-IP in the output:

Output
NAME            TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx   LoadBalancer   10.245.247.67   203.0.113.0   80:32486/TCP,443:32096/TCP   20h

Copy the external IP address to your clipboard. Browse to your DNS management service and locate the A records for echo1.your_domain and echo2.your_domain that point to that external IP address. If you are using DigitalOcean to manage your DNS records, see How to Manage DNS Records for instructions.

Delete the records for echo1 and echo2. Add a new A record for the hostname *.int.your_domain and point it to the External IP address of the ingress.

Now any request to any subdomain under *.int.your_domain will be routed to the Nginx ingress, so you can use these subdomains within your cluster.

Next you’ll configure GitHub as your login provider.

Step 2 — Creating a GitHub OAuth Application

oauth2_proxy supports various login providers. In this tutorial, you will use the GitHub provider. To get started, create a new GitHub OAuth App.

In the OAuth Apps tab of the Developer settings page of your account, click the New OAuth App button.

The Application name and Homepage URL fields can be anything you want. In the Authorization callback URL field, enter https://auth.int.your_domain/oauth2/callback.

After registering the application, you will receive a Client ID and Secret. Note the two as you will need them in the next step.

Now that you’ve created a GitHub OAuth application, you can install and configure oauth2_proxy.

Step 3 — Setting Up the Login Portal

You’ll use Helm to install oauth2_proxy onto the cluster. First, you’ll create a Kubernetes secret to hold the GitHub application’s Client ID and Secret, as well as an encryption secret for the browser cookies set by oauth2_proxy.

Run the following command to generate a secure cookie secret:

  • python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode())'

Copy the result to your clipboard.

Then, create the Kubernetes secret, substituting the highlighted values for your cookie secret, your GitHub client ID, and your GitHub secret key:

  • kubectl -n default create secret generic oauth2-proxy-creds \
    --from-literal=cookie-secret=YOUR_COOKIE_SECRET \
    --from-literal=client-id=YOUR_GITHUB_CLIENT_ID \
    --from-literal=client-secret=YOUR_GITHUB_SECRET

You’ll see the following output:

Output
secret/oauth2-proxy-creds created

Next, create a new file named oauth2-proxy-config.yaml which will contain the configuration for oauth2_proxy:

  • nano oauth2-proxy-config.yaml

The values you’ll set in this file will override the Helm chart’s defaults. Add the following code to the file:

oauth2-proxy-config.yaml
config:
  existingSecret: oauth2-proxy-creds

extraArgs:
  whitelist-domain: .int.your_domain
  cookie-domain: .int.your_domain
  provider: github

authenticatedEmailsFile:
  enabled: true
  restricted_access: |-
    allowed@user1.com
    allowed@user2.com

ingress:
  enabled: true
  path: /
  hosts:
    - auth.int.your_domain
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
  tls:
    - secretName: oauth2-proxy-https-cert
      hosts:
        - auth.int.your_domain

This code does the following:

  1. Instructs oauth2_proxy to use the secret you created.
  2. Sets the domain name and provider type.
  3. Sets a list of allowed email addresses. If a GitHub account is associated with one of these email addresses, it will be allowed access to the private services.
  4. Configures the ingress that will serve the login portal on auth.int.your_domain with a TLS certificate from Let’s Encrypt.

Now that you have the secret and configuration file ready, you can install oauth2_proxy. Run the following command:

  • helm repo update \
    && helm upgrade oauth2-proxy --install stable/oauth2-proxy \
    --reuse-values \
    --values oauth2-proxy-config.yaml

It might take a few minutes for the Let’s Encrypt certificate to be issued and installed.

To test that the deployment was successful, browse to https://auth.int.your_domain. You’ll see a page that prompts you to log in with GitHub.

With oauth2_proxy set up and running, all that is left is to require authentication on your services.

Step 4 — Protecting the Private Services

In order to protect a service, configure its Nginx ingress to enforce authentication via oauth2_proxy. Nginx and nginx-ingress support this configuration natively, so you only need to add a couple of annotations to the ingress definition.

Let’s protect the echo1 and echo2 services that you set up in the prerequisite tutorial. Open echo_ingress.yaml in your editor:

  • nano echo_ingress.yaml

Add these two additional annotations to the file to require authentication:

echo_ingress.yaml
  annotations:
    kubernetes.io/ingress.class: nginx
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-url: "https://auth.int.your_domain/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.int.your_domain/oauth2/start?rd=https%3A%2F%2F$host$request_uri"

Save the file and apply the changes:

  • kubectl apply -f echo_ingress.yaml

Now when you browse to https://echo1.int.your_domain, you will be asked to log in using GitHub in order to access it. After logging in with a valid account, you will be redirected back to the echo1 service. The same is true for echo2.
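The redirect handshake behind the two annotations (auth-url, and auth-signin with its rd parameter) together with the whitelist-domain setting from Step 3, modelled as an added example that is not oauth2_proxy's or the tutorial's own code; the example.com hosts are constructed stand-ins for your_domain, and redirect_allowed approximates oauth2_proxy's check rather than reproducing it:

```python
"""Model of the login flow this tutorial wires together: nginx calls
oauth2_proxy's /oauth2/auth for every request and, on a 401, sends the
browser to /oauth2/start with the original URL in rd. Added example, not
oauth2_proxy's own code; example.com is a constructed stand-in for your_domain."""
from urllib.parse import parse_qs, quote, urlsplit

AUTH_HOST = "auth.int.example.com"  # the login portal host
WHITELIST = [".int.example.com"]    # extraArgs.whitelist-domain

def signin_url(host, request_uri):
    """Build the auth-signin redirect. The annotation pre-encodes only the
    scheme (https%3A%2F%2F); encoding the whole value keeps a '?' or '&'
    inside request_uri from being parsed as extra query parameters."""
    rd = quote(f"https://{host}{request_uri}", safe="")
    return f"https://{AUTH_HOST}/oauth2/start?rd={rd}"

def redirect_allowed(rd, whitelist):
    """Approximation of oauth2_proxy's rd check: a relative path passes (not
    protocol-relative '//' or '/\\'); otherwise the target must be https and
    its host must equal a whitelisted domain or, for a leading-dot entry, be a
    subdomain of it. This is what keeps the portal from bouncing users to
    arbitrary sites named in rd."""
    if rd.startswith("/") and not rd.startswith(("//", "/\\")):
        return True
    parts = urlsplit(rd)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return False
    for dom in (d.lower() for d in whitelist):
        if dom.startswith(".") and (host.endswith(dom) or host == dom[1:]):
            return True
        if host == dom:
            return True
    return False

def gate(host, request_uri, has_session):
    """Per-request decision the ingress makes: /oauth2/auth answers 202 for a
    valid session cookie (proxy the request) or 401 (302 to the sign-in URL)."""
    if has_session:
        return ("proxy", f"https://{host}{request_uri}")
    return ("redirect", signin_url(host, request_uri))

def start(rd):
    """/oauth2/start: honour a whitelisted rd, otherwise fall back to '/'."""
    return rd if redirect_allowed(rd, WHITELIST) else "/"

def rd_from(url):
    """Recover the decoded rd parameter from a sign-in URL."""
    return parse_qs(urlsplit(url).query)["rd"][0]
```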

Conclusion

In this tutorial, you set up oauth2_proxy on your Kubernetes cluster and protected a private service behind a GitHub login. For any other services you need to protect, simply follow the instructions outlined in Step 4.

oauth2_proxy supports many different providers other than GitHub. To learn more about different providers, see the official documentation.

Additionally, there are many configuration parameters that you might need to adjust, although the defaults will suit most needs. For a list of parameters, see the Helm chart’s documentation and oauth2_proxy’s documentation.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-protect-private-kubernetes-services-behind-a-github-login-with-oauth2_proxy

http://www.niftyadmin.cn/n/3649725.html