-
Notifications
You must be signed in to change notification settings - Fork 700
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable login screen when authenticating with an external reverse proxy #6881
Comments
Thanks @mlbiam . Although I agree that skipping the login page is the ideal behavior here in the situation described, I'm unsure why you're seeing the login page if the Ah right, as you say, because you've got
This tells Kubeapps that you are using an auth proxy, but an external one (not the one bundled with the chart). |
Hi @mlbiam, did you finally test the above-mentioned options? |
i haven't, though i still have it setup. i'll also ping my customer that was planning to roll this out and see if they've tried it. I'm being lazy, but does the reverse proxy integration support impersonation header passthrough along with passing the token along? (ie like the way the kubernetes dashboard will pass impersonation headers when present?). I'm doing a session on securing dashboards in Kubernetes next month at civo navigate and want to include kubeapps. Thanks |
Thanks for the update! I'd say, from memory, we have a Look luck in your |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Summary
provide a flag that bypasses login when a token is present in the
Authorization
headerBackground and rationale
I've integrated KubeApps with OpenUnison's reverse proxy, which injects a token that is accepted by the API server, instead of the bundled oauth2-proxy. I didn't integrate via the oauth2 proxy because it doesn't handle very short lived tokens (1 min) well and so each page was refreshing the authentication back to OpenUnison's identity provider. Integrating this way lets me inject a short lived (1 min) token that the API server will recognize without having to get a new token via OIDC every minute and without having to deal with refresh tokens.
While the setup with OpenUnison works, I'm presented with a login screen asking for a token. providing any value bypasses this screen without issue. (this isn't a security issue, because the token thats injected into the header is used). Setting
authProxy.skipKubeappsLoginPage
totrue
has no impact (probably becauseauthPRoxy.enabled
isfalse
This request is similar to how the Kubernetes Dashboard and Kiali both work with external proxies.
Description
Add a helm chart option similar to
frontend.skipLogin
or just detect that there's a token and skip the login page.Acceptance criteria
If
frontend.skipLoginPage
istrue
, trust theAuthorization
header and do not present a login screen.Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: