# talk-oathkeeper
p
Hello, I am new to Oathkeeper and am trying to install and integrate oathkeeper with the Nginx ingress controller. I felt the official documentation is limited, can someone share with me a link that I can refer to implement oathkeeper with Nginx ingress controller?
d
Hello. What's your use case? Oathkeeper supports at least two work modes: 1. Act as a reverse proxy 2. Act as a decision API
Anyway. Here's an example for oathkeeper with nginx (I left comments to describe important things). This works ONLY for a clean setup of nginx.
Configuration for k8s nginx ingress controller is different
p
Hi Andrew, thanks for your update. I have a bare-metal Kubernetes cluster and Nginx is running as an ingress controller. I would like to have an authentication and authorization layer on Ingresses that is validated before an end user can access the backend service. I hope oathkeeper can be used for this? Later I want to connect it to a user manager like Kratos or LDAP; this is my use case.
d
Yep. Looks like the example above is exactly for your case. Oathkeeper acts as a decision API
p
Thanks for the confirmation. 1. Could you let me know how I can deploy oathkeeper in k8s? 2. How do I integrate it with Nginx?
d
You can use Nginx annotations:

```yaml
nginx.ingress.kubernetes.io/auth-url: http://oathkeeper.<NameSpace>.svc.cluster.local/decisions$request_uri
```

You can find some examples here
p
Thanks, Andrew for the update. I have deployed oathkeeper in demo mode using Helm (https://k8s.ory.sh/helm/oathkeeper.html) and I can see my services are running.
```
$ k get svc -n oath-ns
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ory-oathkeeper-api       ClusterIP   10.43.97.53     <none>        4456/TCP   23h
ory-oathkeeper-metrics   ClusterIP   10.43.61.175    <none>        80/TCP     23h
ory-oathkeeper-proxy     ClusterIP   10.43.164.197   <none>        4455/TCP   23h
```

Then I created an Ingress to connect to this service as follows. I hope the service name I need to use is ory-oathkeeper-api?
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oath-ingress
  namespace: oath-ns
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: "oathkeeper-test.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: ory-oathkeeper-api
            port:
              number: 80
```

Could you please confirm that the next step is to add the annotation (`nginx.ingress.kubernetes.io/auth-url: http://oathkeeper.oath-ns.svc.cluster.local/decisions$request_uri`) to my Nginx ingress?
d
Yes. I think that @User can help you with configs. He had success with it recently 😃
p
I have added the annotation to the ingress but I am getting a 500 internal server error.
t
There's a typo in your annotation, which could be the cause of your 500. The auth-url should be `http://ory-oathkeeper-api.oath-ns.svc.cluster.local:4456/decisions$request_uri` based on your `svc` output.
p
Thanks Adam, I have changed the svc file as follows.
```yaml
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: http://ory-oathkeeper-api.oathkeeper.svc.cluster.local:4456/decisions$request_uri
spec:
  rules:
  - host: "oathkeeper-test.com"
    http:
      paths:
      - pathType: Prefix
      # - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: ory-oathkeeper-api
            port:
              number: 4456
```
But I am still getting a 500 internal server error. I have added the log snippet from the pods:

```
time=2022-04-10T05:36:20Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 x-forwarded-for:172.27.219.58 x-request-id:74f1d6ca85353588962696772cae841b] host:ory-oathkeeper-api.oathkeeper.svc.cluster.local method:GET path:/decisions/ query:<nil> remote:10.42.0.0:48711 scheme:http]
time=2022-04-10T05:36:20Z level=warning msg=Access request denied audience=application error=map[debug: message:Requested url does not match any rules reason: status:Not Found status_code:404] granted=false http_host=ory-oathkeeper-api.oathkeeper.svc.cluster.local http_method=GET http_url=http://ory-oathkeeper-api.oathkeeper.svc.cluster.local/ http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1
time=2022-04-10T05:36:20Z level=error msg=An error occurred while handling a request code=404 debug= details=map[] error=The requested resource could not be found reason= request-id=74f1d6ca85353588962696772cae841b status=404 writer=JSON
```
l
It never worked for me by directly adding Oathkeeper as the auth-url in the annotation. Instead, I deployed an NGINX instance and used that in the annotation. In the `nginx.conf` I configured oathkeeper as a `proxy_pass`. This was the only way I managed to get it working.
However, seeing these logs I can see another problem. Oathkeeper is getting the wrong URL as the host, and for that reason it is not matching it with any of the rules. Can you try adding the following annotation:
```yaml
nginx.ingress.kubernetes.io/auth-proxy-set-headers: my-namespace/custom-auth-headers
```

and then inside a configmap `my-namespace/custom-auth-headers` try adding the data:

```yaml
Host: your-app-host.com
```
p
Thanks @User the suggestion worked for me. But I think there is some issue with my rule configuration. My first rule says that
```json
{
  "id": "rule-1",
  "version": "v0.38.19-beta.1",
  "description": "",
  "match": {
    "methods": [
      "GET",
      "POST",
      "PUT",
      "DELETE",
      "PATCH"
    ],
    "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop"
  },
  "authenticators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "authorizer": {
    "handler": "allow",
    "config": null
  },
  "mutators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "errors": null,
  "upstream": {
    "preserve_host": false,
    "strip_path": "",
    "url": "https://httpbin.org/anything"
  }
}
```
If I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop it should be redirected to https://httpbin.org/anything to display the content from it, right? Or am I missing something here? When I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop I am getting the output below:
```
$ curl http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop
{
  "args": {}, 
  "data": "", 
  "files": {}, 
  "form": {}, 
  "headers": {
    "Accept": "*/*", 
    "Accept-Encoding": "gzip", 
    "Host": "httpbin.org", 
    "User-Agent": "curl/7.78.0", 
    "X-Amzn-Trace-Id": "Root=1-6253c622-75ff250c2f8e7d5e111f23fd", 
    "X-Forwarded-Host": "oathkeeper-proxy.com", 
    "X-Forwarded-Scheme": "http", 
    "X-Scheme": "http"
  }, 
  "json": null, 
  "method": "GET", 
  "origin": "172.27.219.64, 10.42.0.0, 2.23.93.13", 
  "url": "https://oathkeeper-proxy.com/anything/authenticator/noop/authorizer/allow/mutator/noop"
}
```
Is my configuration correct? Can somebody help me here?
d
Hello, Rayan. The example you showed says that the configuration is correct. So oathkeeper is a reverse proxy, which means that you can configure oathkeeper to proxy all content from the upstream to your domain. In your case you proxy the content from https://httpbin.org/anything
So as a response you get the content from the upstream URL, and it seems that everything is fine with your configuration.
p
Thanks @User for the help so far. As I mentioned earlier, my actual requirement is to use oathkeeper as an authorization layer for our backend service, which is running in Kubernetes. To achieve this, what other configuration is required? Do I need to integrate it with Hydra, or will adding a few rules help achieve this?
d
Why do you need Hydra? Do you need any oauth2 flows?