sebastianczech/k8s-ingress-auth

Configuration of ingress Nginx controller with multiple authentication options

Ingress Nginx controller with authentication

Ingress

Prerequisites

  1. Create Kubernetes cluster using kind:
     task cluster-create
  2. Configure ingress:
     task cluster-ingress-setup
  3. Define DNS names on local machine, e.g.:
     vi /etc/hosts

     and add 3 FQDNs for localhost:

     127.0.0.1       localhost podtato.example.com podinfo.example.com foobar.example.com

Bearer Token

  1. Set up Kubernetes dashboard:
     task dashboard-ingress-setup
  2. Access dashboard: https://localhost:8443

OAuth proxy

GitHub

  1. Configure GitHub OAuth application in https://github.com/settings/applications/new
  2. Provision OAuth proxy:
     task oauth-proxy-setup
  3. Create podinfo app:
     task app-podinfo-setup
  4. Check app: https://podinfo.example.com/

Microsoft Entra ID

  1. Configure app registration:
     az login

     terraform init
     terraform apply -auto-approve
     terraform output -raw client_id > client_id.txt
     terraform output -raw client_secret > client_secret.txt
     terraform output -raw sp_id > sp_id.txt
     terraform output -raw tenant_id > tenant_id.txt
     terraform output -raw group_id > group_id.txt
     terraform output -raw oidc_issuer_url > oidc_issuer_url.txt
  2. Check app registration:
     az account subscription list
     az ad app list
  3. Provision OAuth proxy:
     task oauth-proxy-setup
  4. Create podinfo app:
     task app-podinfo-setup
  5. Check app: https://podinfo.example.com/

Basic authentication

  1. Provision Basic authentication
  2. Create podtato:
     task app-podtato-setup
  3. Access app: https://podtato.example.com/

Client certificate authentication

  1. Provision Client certificate authentication
  2. Create foo-bar app:
     task app-foo-bar-setup
  3. Check app bar and foo:
     task app-foo-bar-check
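
An added example, not part of this repository: a Python audit of `kubectl get ingress -A -o json` output that reports which ingress-nginx authentication annotation protects each host and whether that setting actually rejects unauthenticated requests. The hostnames are the ones used above; the annotation values, secret names and the `open.example.com` host are constructed for illustration.

```python
PREFIX = "nginx.ingress.kubernetes.io/"

def auth_mode(annotations):
    """Return (mode, enforced) for one Ingress's ingress-nginx annotations."""
    a = {k[len(PREFIX):]: v for k, v in annotations.items() if k.startswith(PREFIX)}
    if "auth-tls-secret" in a:
        # Only verify-client "on" (the default) rejects a request that has no
        # valid certificate; "optional", "optional_no_ca" and "off" pass it on.
        return "client-cert", a.get("auth-tls-verify-client", "on") == "on"
    if "auth-url" in a:
        # External auth subrequest, e.g. to an OAuth proxy.
        return "external", True
    if a.get("auth-type") in ("basic", "digest"):
        # The type alone is not enough; the htpasswd secret must be named too.
        return a["auth-type"], bool(a.get("auth-secret"))
    return "none", False

def audit(ingress_list):
    """Map each host in `kubectl get ingress -A -o json` output to (mode, enforced)."""
    report = {}
    for item in ingress_list.get("items", []):
        mode = auth_mode(item.get("metadata", {}).get("annotations") or {})
        for rule in item.get("spec", {}).get("rules", []):
            report[rule.get("host", "*")] = mode
    return report

def _ingress(host, annotations):
    # Helper that builds the minimal Ingress shape the audit reads.
    return {"metadata": {"annotations": {PREFIX + k: v for k, v in annotations.items()}},
            "spec": {"rules": [{"host": host}]}}

# Constructed sample: hostnames are the page's, annotation values are hypothetical.
SAMPLE = {"items": [
    _ingress("podinfo.example.com", {"auth-url": "https://$host/oauth2/auth",
                                     "auth-signin": "https://$host/oauth2/start"}),
    _ingress("podtato.example.com", {"auth-type": "basic", "auth-secret": "basic-auth"}),
    _ingress("foobar.example.com", {"auth-tls-secret": "default/ca-secret",
                                    "auth-tls-verify-client": "optional"}),
    _ingress("open.example.com", {}),
]}

if __name__ == "__main__":
    for host, (mode, enforced) in sorted(audit(SAMPLE).items()):
        print(f"{'ok  ' if enforced else 'WEAK'} {host}: {mode}")
```

To run it against the cluster built above, pass the parsed output of `kubectl get ingress -A -o json` to `audit()` instead of `SAMPLE`.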

More information:

Gateway API

Prerequisites

  1. Create Kubernetes cluster using kind:
     kind create cluster --config code/single-node-extra-port-mapping-gateway-api.yaml --name home-lab
  2. Deploy blixt:
     kubectl apply -k "https://github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.2.1"

     cd ..
     git clone https://github.com/kubernetes-sigs/blixt

     make build.all.images TAG=latest
     make load.all.images TAG=latest
     kubectl apply -k config/default
  3. Deploy ``:
     kubectl kustomize "https://github.com/nginx/nginx-gateway-fabric/config/crd/gateway-api/standard?ref=v1.6.2" | kubectl apply -f -

     helm install ngf oci://ghcr.io/nginx/charts/nginx-gateway-fabric --create-namespace -n nginx-gateway --set service.create=false

     kubectl apply -f code/gateway-api-node-port.yaml
  4. Create cafe application:
     kubectl apply -f code/app-cafe.yaml
  5. Define DNS names on local machine, e.g.:
     vi /etc/hosts

     and add 1 FQDN for localhost:

     127.0.0.1       localhost cafe.example.com
  6. Check application:
     kubectl describe httproutes
     kubectl describe gateways

     curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/coffee
     curl --resolve cafe.example.com:8080:127.0.0.1 http://cafe.example.com:8080/tea