Auth with Authorization header problem #5105

Closed
rory-ye-nv opened this issue May 6, 2020 · 5 comments
Labels
kind/support Categorizes issue or PR as a support question.

Comments

@rory-ye-nv

We use oauth2_proxy, which connects to Okta with the OIDC method. After the verification, the dashboard gets an Authorization header from the proxy. In the previous version, v1.10.1, the dashboard would respond as "logged in with Auth header" and all the API requests would be limited to the default service account role.

After upgrading to v2.0.0, I can still log in to the UI with the same config and see "logged in with Auth Header" under the user icon, but all the API requests return 401.

I have to provide the default service account role token in the Authorization header manually in the dashboard's ingress.

Is this expected? Is there any way to use the default service account role when the dashboard is behind an auth proxy? Can we hide the login page in this case by default?

Please see my deployment config below:
oauth2_proxy args in deployment

            - '--http-address=0.0.0.0:4180'
            - '--cookie-domain=.example.com'
            - '--cookie-secure=false'
            - '--email-domain=*'
            - '--oidc-issuer-url=https://example.okta.com'
            - '--provider=oidc'
            - '--redeem-url=https://example.okta.com/oauth2/v1/authorize'
            - >-
              --redirect-url=https://example.com/oauth2/callback
            - '--set-authorization-header=true'
            - '--silence-ping-logging=true'
            - '--upstream=file:///dev/null'
            - '--whitelist-domain=.example.com'
            - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'

deployment options of kubernetes dashboard:

            - --namespace={{ .Release.Namespace }}
            - --insecure-bind-address=0.0.0.0
            - --insecure-port=9000
            - --enable-insecure-login
            - --enable-skip-login

ingress for kubernetes dashboard that does not work (returns 401 on all api requests):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # See the bottom of https://oauth2-proxy.github.io/oauth2-proxy/configuration
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $name_upstream_1 $upstream_cookie_name_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
          ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }
  name: dashboard-ingress
  namespace: {{ .Release.Namespace }}
  labels:
    app: kubernetes-dashboard
spec:
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 80
        path: /

ingress for kubernetes dashboard that works:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Hack: currently the dashboard will not work with the default service account as it did previously (v1.10.1),
      # so we have to get the service account token of `kubernetes-dashboard-token-xxx` and put it here.
      proxy_set_header 'Authorization' 'Bearer {{ .Values.token }}';
  name: dashboard-ingress
  namespace: {{ .Release.Namespace }}
  labels:
    app: kubernetes-dashboard
spec:
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: kubernetes-dashboard
          servicePort: 80
        path: /

Environment
Installation method: helm
Kubernetes version: v1.16
Dashboard version: v2.0.0
Operating system: linux
@rory-ye-nv rory-ye-nv added the kind/bug Categorizes issue or PR as related to a bug. label May 6, 2020
@floreks floreks added kind/support Categorizes issue or PR as a support question. and removed kind/bug Categorizes issue or PR as related to a bug. labels May 6, 2020
@floreks
Member

floreks commented May 6, 2020

This is our config. We are actually using a predefined token as the authorization header instead of per-user access. OAuth works only as an authentication layer.

EDIT: In v2 the auth logic has changed a bit for security reasons. Related to #3400.

Ingress configuration

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  labels:
    app.kubernetes.io/name: kubernetes-dashboard
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/version: '{{ .Chart.Version }}'
    app.kubernetes.io/managed-by: helm
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/auth-url: "https://{{ .Values.dashboard.domain }}/{{ .Values.dashboard.oauth.ingress.path }}/auth"
    ingress.kubernetes.io/auth-signin: "https://{{ .Values.dashboard.domain }}/{{ .Values.dashboard.oauth.ingress.path }}/start?rd=https://$host$request_uri$is_args$args"
    # Proxy Authentication header to Dashboard
    ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      proxy_set_header Authorization "Bearer {{ .Values.dashboard.token }}";
      proxy_pass_header Authorization;
  name: '{{ template "dashboard-name" . }}'
spec:
  rules:
    - host: {{ .Values.dashboard.domain }}
      http:
        paths:
          - backend:
              serviceName: '{{ template "dashboard-name" . }}'
              servicePort: 80
            path: {{ .Values.dashboard.ingress.path }}
  tls:
    - hosts:
      - {{ .Values.dashboard.domain }}

Dashboard arguments

--namespace={{ .Release.Namespace }}
--enable-insecure-login

Oauth2 arguments

 --email-domain={{ .Values.dashboard.oidc.emailDomain }}
 --provider=oidc
 --redirect-url=https://{{ .Values.dashboard.domain }}/{{ .Values.dashboard.oauth.ingress.path }}/callback
 --oidc-issuer-url={{ .Values.dashboard.oidc.issuerUrl }}
 --cookie-secure=false
 --upstream=file:///dev/null
 --http-address=0.0.0.0:4180
 --ssl-insecure-skip-verify
 --set-authorization-header=true

@rory-ye-nv
Author

OK, then this makes sense. I am doing the same thing by putting the token in the configuration-snippet. I think it's better to add this to the documentation somewhere; I have searched for this the whole day.

@floreks
Member

floreks commented May 6, 2020

We try not to provide documentation for advanced configurations, as it heavily relies on the software you choose to use as a proxy, your internal network configuration, etc. We would then have to support different configurations, tools and scenarios. There would be dozens of issues related to our configurations because they would not work OOTB for some people, etc. We just don't have the resources to do all this. We simply say instead that you can use the Authorization header. If you correctly pass it to the Dashboard in any way, it will use it. How you choose to do this is up to you.

@shabbskagalwala

Apologies for commenting on this long-lost issue, but after 2 days of struggling I finally ran into this issue and was able to get the dashboard login working. I am trying to set up the dashboard in GKE to give our devs read-only access and would love to know what the workaround is for automating the dashboard installation process with helm.

Adding the service account token in the ingress annotation is a manual step which needs to be done after the helm chart is installed. Any suggestions on how to automate this, or whether we can just use the authorization header from oauth2 proxy and let users view resources in the dashboard?

@floreks
Member

floreks commented Jan 14, 2021

You can for sure use an OAuth reverse proxy and let it inject the token into the authorization header. As long as the API server accepts the token, everything should work.
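Both working configurations above hard-code one service account token into the ingress `proxy_set_header Authorization "Bearer ..."` line, so every user who passes the OAuth layer acts as that single Kubernetes identity. Before embedding such a token (for example to give developers read-only access, as asked above), an operator will want to confirm which service account it actually binds to. The following is an added example, not code from this issue or from the Dashboard project: it parses the `Authorization` header value the ingress would forward and decodes the unverified payload of a constructed, JWT-shaped service account token to report its subject. The claim names follow the legacy Kubernetes service account token format; the signature is a placeholder, so this is an inspection aid, not token validation (only the API server can do that).

```python
import base64
import json

# Constructed sample: a JWT-shaped service account token. The claim names follow the
# legacy Kubernetes service account token format; the signature is a placeholder, so
# nothing here proves the token is valid, it only shows what identity it names.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

SAMPLE_PAYLOAD = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "kubernetes-dashboard",
    "kubernetes.io/serviceaccount/service-account.name": "dashboard-readonly",
    "sub": "system:serviceaccount:kubernetes-dashboard:dashboard-readonly",
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url(b"placeholder-signature"),
])

def bearer_token(authorization_header: str) -> str:
    """Return the token from an 'Authorization: Bearer <token>' value, or '' if the
    header is missing, empty, or uses another scheme (the Dashboard only uses Bearer)."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return ""
    return token.strip()

def sa_identity(token: str) -> dict:
    """Decode the (unverified) JWT payload and return the service account it names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return {
        "subject": claims.get("sub", ""),
        "namespace": claims.get("kubernetes.io/serviceaccount/namespace", ""),
        "name": claims.get("kubernetes.io/serviceaccount/service-account.name", ""),
    }

def check_shared_token(authorization_header: str, expected_subject: str) -> bool:
    """True only if the forwarded header carries a Bearer token whose subject is the
    service account the operator intended to share (e.g. a read-only one)."""
    token = bearer_token(authorization_header)
    return bool(token) and sa_identity(token)["subject"] == expected_subject

if __name__ == "__main__":
    print(sa_identity(SAMPLE_TOKEN))
```

Run it against the real token from the `kubernetes-dashboard-token-xxx` secret to see the subject before pasting it into the ingress annotation; an unexpected name or namespace means the whole user base would be sharing a broader identity than intended.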
