Tekton Dashboard Authentication
OAuth2-Proxy is a reverse proxy that uses the OAuth 2.0 protocol with providers such as Google, GitHub, and Keycloak to provide both authentication and authorization. This guide shows how to protect an application's endpoints with OAuth2-Proxy; following these steps adds authentication in front of an endpoint without modifying the application code. In KubeRocketCI, OAuth2-Proxy is integrated with the Keycloak OIDC provider, so it can be placed in front of any component that lacks built-in authentication.
Prerequisites
- Keycloak with OIDC authentication is installed.
- Keycloak operator is installed.
OAuth2-Proxy Integration
To streamline the installation of OAuth2-Proxy in your environment, use the resources available in the Cluster Add-Ons and their applications.
Enable OAuth2-Proxy on Tekton Dashboard
The example below illustrates how to use OAuth2-Proxy in practice when using the Tekton dashboard:
Kubernetes

Edit the Tekton dashboard Ingress annotations, adding the auth-signin and auth-url of oauth2-proxy with the kubectl command:

```bash
kubectl annotate ingress <application-ingress-name> \
  nginx.ingress.kubernetes.io/auth-signin='https://<oauth-ingress-host>/oauth2/start?rd=https://$host$request_uri' \
  nginx.ingress.kubernetes.io/auth-url='http://oauth2-proxy.oauth2-proxy.svc.cluster.local:80/oauth2/auth'
```

OpenShift

- Generate a cookie secret for the proxy with the following command:

  ```bash
  tekton_dashboard_cookie_secret=$(openssl rand -base64 32 | head -c 32)
  ```

- Create the tekton-dashboard-proxy-cookie-secret secret in the edp namespace:

  ```bash
  kubectl -n edp create secret generic tekton-dashboard-proxy-cookie-secret \
    --from-literal=cookie-secret=${tekton_dashboard_cookie_secret}
  ```

- Run helm upgrade to update the edp-install release:

  ```bash
  helm upgrade --version <version> --set 'edp-tekton.dashboard.openshift_proxy.enabled=true' edp-install --namespace edp
  ```
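The following added example (not part of the KubeRocketCI docs) checks that the Ingress annotations and the cookie secret this guide configures have the shape the nginx ingress controller and oauth2-proxy expect: auth-signin over HTTPS with an rd= return URL, auth-url pointing at the in-cluster oauth2-proxy service, and a 16/24/32-byte cookie secret. The host oauth2-proxy.example.com, the ingress name and the sample secret are placeholders.

```bash
#!/bin/sh
# Added example, not part of the KubeRocketCI docs: verify the settings this
# guide puts in place. Hostnames, ingress name and sample secret are placeholders.

# Check the two nginx auth annotations the guide adds to the dashboard Ingress.
# Returns 0 when both look right, 1 otherwise (reasons go to stderr).
check_auth_annotations() {
  signin="$1"
  authurl="$2"
  rc=0
  # auth-signin must send the browser over TLS to oauth2-proxy's /oauth2/start
  # endpoint and carry rd=, or the user is not returned to the dashboard.
  case "$signin" in
    https://*/oauth2/start\?rd=*) ;;
    *) echo "auth-signin: expected https://<host>/oauth2/start?rd=<url>" >&2; rc=1 ;;
  esac
  # auth-url is called by the ingress controller inside the cluster; it must
  # hit the oauth2-proxy Service's /oauth2/auth endpoint, not the public host.
  case "$authurl" in
    http://oauth2-proxy.*.svc.cluster.local:80/oauth2/auth) ;;
    http://oauth2-proxy.*.svc.cluster.local/oauth2/auth) ;;
    *) echo "auth-url: expected the in-cluster oauth2-proxy /oauth2/auth endpoint" >&2; rc=1 ;;
  esac
  return "$rc"
}

# oauth2-proxy encrypts its session cookie with AES, so the cookie secret must
# be exactly 16, 24 or 32 bytes; 'openssl rand -base64 32 | head -c 32' gives 32.
check_cookie_secret() {
  case "${#1}" in
    16|24|32) return 0 ;;
    *) echo "cookie-secret: ${#1} bytes, need 16, 24 or 32" >&2; return 1 ;;
  esac
}

# Read the annotations back from a live cluster and check them.
# Usage: check_ingress <ingress-name> <namespace>
check_ingress() {
  path='{.metadata.annotations.nginx\.ingress\.kubernetes\.io/'
  signin=$(kubectl -n "$2" get ingress "$1" -o jsonpath="${path}auth-signin}")
  authurl=$(kubectl -n "$2" get ingress "$1" -o jsonpath="${path}auth-url}")
  check_auth_annotations "$signin" "$authurl"
}

# Offline check of the guide's values (constructed placeholder host and secret).
check_auth_annotations \
  'https://oauth2-proxy.example.com/oauth2/start?rd=https://$host$request_uri' \
  'http://oauth2-proxy.oauth2-proxy.svc.cluster.local:80/oauth2/auth' \
  && echo "ingress annotations OK"
check_cookie_secret 'abcdefghijklmnopqrstuvwxyz012345' && echo "cookie secret OK"
```

Against a live cluster, `check_ingress <application-ingress-name> <namespace>` runs the same annotation checks on what kubectl returns.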