Hello, I am new to Oathkeeper and am trying to in...
# talk-oathkeeper
p
Hello, I am new to Oathkeeper and am trying to install and integrate oathkeeper with the Nginx ingress controller. I felt the official documentation is limited, can someone share with me a link that I can refer to implement oathkeeper with Nginx ingress controller?
d
Hello. What’s your usecase? Oathkeeper supports at least two work modes 1. Act as reverse proxy 2. Act as a decision API
Anyway. Here’s an example for oathkeeper with nginx (I left comments to describe important things) This works ONLY for clean setup of nginx.
Configuration for k8s nginx ingress controller is different
p
Hi Andrew, Thanks for your update. I have a bare metal Kubernetes cluster and Nginx is running as an ingress controller. I would like to have an authentication and authorization layer on Ingresses to be validated before an end-user can access the backend service. I hope oathkeeper can be used for this? and later I want to connect it to user manager like krato or LDAP, this is my use case.
d
Yep. Looks like the example above is exactly for your case. Oathkeeper acts as a decision API
p
Thanks for the confirmation. 1. Could you let me know how I can deploy oathkeeper in a k8s? 2. How to integrate it with Nginx?
d
You can use Nginx annotations
Copy code
<http://nginx.ingress.kubernetes.io/auth-url|nginx.ingress.kubernetes.io/auth-url>: <http://oathkeeper>.<NameSpace>.svc.cluster.local/decisions$request_uri
You can find some examples here
p
Thanks, Andrew for the update. I have deployed oathkeeper in demo mode using Helm (https://k8s.ory.sh/helm/oathkeeper.html) and I can see my services are running.
Copy code
$ k get svc -n oath-ns
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ory-oathkeeper-api       ClusterIP   10.43.97.53     <none>        4456/TCP   23h
ory-oathkeeper-metrics   ClusterIP   10.43.61.175    <none>        80/TCP     23h
ory-oathkeeper-proxy     ClusterIP   10.43.164.197   <none>        4455/TCP   23h
then I have created a ingress to connect to this service as follows. I hope the service name which I need to use is ory-oathkeeper-api?
Copy code
kind: Ingress
metadata:
  name: oath-ingress
  namespace: oath-ns
  annotations:
    <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
spec:
  rules:
  - host: "<http://oathkeeper-test.com|oathkeeper-test.com>"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: ory-oathkeeper-api
            port:
              number: 80
Could you please confirm the next step is to add the annotation (nginx.ingress.kubernetes.io/auth-url: http://oathkeeper.oath-ns.svc.cluster.local/decisions$request_uri) to my Nginx ingress controller ?
d
Yes. I think that @User Can help you with configs. He made a success recently 😃
1
p
I have added the annotation in the ingress but getting 500 internal server error.
t
There's a typo in your annotation, which could be the cause of you
500
The auth-url should be
<http://ory-oathkeeper-api.oath-ns.svc.cluster.local:4456/decisions$request_uri>
based on your
svc
output
p
Thanks Adam, I have changed the svc file as follows.
Copy code
annotations:
  <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: nginx
  <http://nginx.ingress.kubernetes.io/auth-url|nginx.ingress.kubernetes.io/auth-url>: <http://ory-oathkeeper-api.oathkeeper.svc.cluster.local:4456/decisions$request_uri> 
 rules:
 - host: "<http://oathkeeper-test.com|oathkeeper-test.com>"
  http:
   paths:
   - pathType: Prefix
  # - pathType: ImplementationSpecific
    path: "/"
    backend:
     service: 
      name: ory-oathkeeper-api
      port:
       number: 4456
But still getting 500 internal server error, added the log snippet from pods
Copy code
time=2022-04-10T05:36:20Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 x-forwarded-for:172.27.219.58 x-request-id:74f1d6ca85353588962696772cae841b] host:ory-oathkeeper-api.oathkeeper.svc.cluster.local method:GET path:/decisions/ query:<nil> remote:10.42.0.0:48711 scheme:http]
time=2022-04-10T05:36:20Z level=warning msg=Access request denied audience=application error=map[debug: message:Requested url does not match any rules reason: status:Not Found status_code:404] granted=false http_host=ory-oathkeeper-api.oathkeeper.svc.cluster.local http_method=GET http_url=<http://ory-oathkeeper-api.oathkeeper.svc.cluster.local/> http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1
time=2022-04-10T05:36:20Z level=error msg=An error occurred while handling a request code=404 debug= details=map[] error=The requested resource could not be found reason= request-id=74f1d6ca85353588962696772cae841b status=404 writer=JSON
l
It never worked for me by directly adding Oathkeeper as the auth-url in the annotation. Instead, I deployed an NGNIX instance and used that in the annotation. On the
nginx.conf
I configured oathkeeper as a
proxy_pass
. This was the only way I managed to have it working
However, seeing these logs I can see another problem. Oathkeeper is getting the wrong URL as the host, and for that reason it is not matching it with any of the rules. Can you try adding the following annotation:
Copy code
<http://nginx.ingress.kubernetes.io/auth-proxy-set-headers|nginx.ingress.kubernetes.io/auth-proxy-set-headers>: my-namespace/custom-auth-headers
and then inside a configmap
my-namespace/custom-auth-headers
try adding the data:
Copy code
Host: <http://your-app-host.com|your-app-host.com>
p
Thanks @User the suggestion worked for me. But I think there is some issue with my rule configuration. My first rule says that
Copy code
{
  "id": "rule-1",
  "version": "v0.38.19-beta.1",
  "description": "",
  "match": {
    "methods": [
      "GET",
      "POST",
      "PUT",
      "DELETE",
      "PATCH"
    ],
    "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop"
  },
  "authenticators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "authorizer": {
    "handler": "allow",
    "config": null
  },
  "mutators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "errors": null,
  "upstream": {
    "preserve_host": false,
    "strip_path": "",
    "url": "<https://httpbin.org/anything>"
  }
}
If I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop it should be redirected to https://httpbin.org/anything to display the content from it, right? or here am missing something. When I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop am getting below output
Copy code
$ curl  <http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop>
{
  "args": {}, 
  "data": "", 
  "files": {}, 
  "form": {}, 
  "headers": {
    "Accept": "*/*", 
    "Accept-Encoding": "gzip", 
    "Host": "<http://httpbin.org|httpbin.org>", 
    "User-Agent": "curl/7.78.0", 
    "X-Amzn-Trace-Id": "Root=1-6253c622-75ff250c2f8e7d5e111f23fd", 
    "X-Forwarded-Host": "<http://oathkeeper-proxy.com|oathkeeper-proxy.com>", 
    "X-Forwarded-Scheme": "http", 
    "X-Scheme": "http"
  }, 
  "json": null, 
  "method": "GET", 
  "origin": "172.27.219.64, 10.42.0.0, 2.23.93.13", 
  "url": "<https://oathkeeper-proxy.com/anything/authenticator/noop/authorizer/allow/mutator/noop>"
}
Is my configuration is correct? can somebody help me here?
d
Hello, Rayan. The example you shown says that configuration is correct. So oathkeeper is reverse proxy which means that you can configure oathkeeper that proxies all content from upstream to your domain. In your case you proxy the content from https://httbin.org/anything
So as a response you get the content from upstream URL and it seems that everything is fine with your configuration
p
Thanks @User for the help so far. As I mentioned earlier my actual requirement is to use the oathkeeper as an authorization layer for our backend service which is running Kubernetes. to achieve this what other configuration is required? do I need to integrate it with Hydra or adding few rules will help to achieve this?
d
Why do you need Hydra? Do you need any oauth2 flows?
184 Views