I am running an app in a Kubernetes service on Azure and have had it set up with an NGINX ingress controller and a public IP address with an FQDN. This was all working fine.
I then wanted to add security through using the oauth2-proxy for third-party sign-in. I would like to keep my setup to one ingress-controller and one oauth2_proxy per namespace, with multiple apps running together. As Azure does not support the use of sub-domains for this, I have been using paths to route to the correct app. I've seen examples, like this, on how to use one oauth2_proxy for multiple sub-domains, but is it possible to get it working with multiple paths instead?
This is the current working setup with only one app, located on root /. I would like to switch to an app-specific path and the ability to run multiple apps on different paths, e.g.
```yaml
config:
  existingSecret: oauth2-proxy-creds

extraArgs:
  whitelist-domain: my-fqdn.uksouth.cloudapp.azure.com
  cookie-domain: my-fqdn.uksouth.cloudapp.azure.com
  email-domain: example.com
  provider: github

ingress:
  enabled: true
  path: /oauth2
  hosts:
    - my-fqdn.uksouth.cloudapp.azure.com
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod # cert-manager cluster issuer set up for Let's Encrypt
  tls:
    - secretName: my-fqdn-tls # TLS generated by letsencrypt-prod
      hosts:
        - my-fqdn.uksouth.cloudapp.azure.com
```
This is installed with the following helm command:

```shell
helm upgrade oauth2-proxy --install stable/oauth2-proxy --namespace $NAMESPACE --reuse-values --values oauth2-proxy-config.yaml
```
```yaml
apiVersion: networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # nginx.ingress.kubernetes.io/rewrite-target: /$2 # Not working with the /oauth2 path and not needed when using root path for the app
    nginx.ingress.kubernetes.io/auth-url: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
spec:
  tls:
    - secretName: my-fqdn-tls
      hosts:
        - my-fqdn.uksouth.cloudapp.azure.com
  rules:
    - host: my-fqdn.uksouth.cloudapp.azure.com
      http:
        paths:
          - path: / # I would like to be able to use something like '/path1(/|$)(.*)' instead of root.
            backend:
              serviceName: my-app
              servicePort: 80
```
Sure, it's doable with multiple ingress paths inside a single Ingress resource definition. Please check this working example:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app: hello-worlds
  name: hello-wrolds
  annotations:
    cert-manager.io/issuer: selfsigned-issuer
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-signin: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-url: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/auth"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
    - host: my-fqdn.uksouth.cloudapp.azure.com
      http:
        paths:
          - path: /my-app/(.*)
            backend:
              serviceName: my-app
              servicePort: 5000
          - path: /another-app/(.*)
            backend:
              serviceName: another-app
              servicePort: 5000
  tls:
    - hosts:
        - my-fqdn.uksouth.cloudapp.azure.com
      secretName: certmgr-selfsign-tls-requires-ouath
```
In my case, for both backends the app root folder is '/hello', so the requested URL is respectively:
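Separately from the answer above, the following is an added example (not code from the question or the answer) that models how the path patterns and `rewrite-target` values on this page map a request URI to a backend path, and what the `rd` value in `auth-signin` looks like once percent-encoded. It assumes a simplified matching model (anchored, case-insensitive regex; `$N` replaced by capture group N); the function names and request URIs are constructed for illustration.

```python
import re
from urllib.parse import quote

HOST = "my-fqdn.uksouth.cloudapp.azure.com"

# (path regex, rewrite-target, backend) taken from the answer's Ingress.
ANSWER_RULES = [
    (r"/my-app/(.*)", "/$1", "my-app:5000"),
    (r"/another-app/(.*)", "/$1", "another-app:5000"),
]
# Pattern proposed in the question, paired with its commented-out /$2 target.
QUESTION_RULES = [(r"/path1(/|$)(.*)", "/$2", "my-app:80")]


def route(uri, rules):
    """Return (backend, upstream_uri) for a request URI, or None if no rule matches.

    Simplified model (assumption): each path is an anchored, case-insensitive
    regex matched against the path only; the query string is carried over.
    """
    path, _, query = uri.partition("?")
    for pattern, target, backend in rules:
        m = re.match("^" + pattern, path, re.IGNORECASE)
        if m is None:
            continue
        # Substitute $1, $2, ... in rewrite-target with the captured groups.
        rewritten = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", target)
        return backend, rewritten + ("?" + query if query else "")
    return None


def signin_url(uri):
    """Build the auth-signin URL with rd percent-encoded, approximating $escaped_request_uri."""
    return f"https://{HOST}/oauth2/start?rd={quote(uri, safe='')}"


if __name__ == "__main__":
    # Constructed request URIs; '/hello' is the app root mentioned in the answer.
    for uri in ["/my-app/hello", "/another-app/hello?x=1", "/my-app", "/oauth2/auth"]:
        print(f"{uri!r:28} -> {route(uri, ANSWER_RULES)}")
    for uri in ["/path1", "/path1/hello", "/path10"]:
        print(f"{uri!r:28} -> {route(uri, QUESTION_RULES)}")
    print(signin_url("/my-app/hello?x=1"))
```

In this model `/my-app` without a trailing slash matches neither of the answer's rules, while the question's `/path1(/|$)(.*)` pattern accepts `/path1` and still rejects `/path10`. `/oauth2/auth` matches no application rule because that path is served by the Ingress the oauth2-proxy chart creates for `/oauth2`.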