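---
# oauth2-proxy in front of the Kubernetes dashboard, using the ingress-nginx
# auth_request integration: the `external-auth-oauth2` Ingress at the bottom
# sends every request to /oauth2/auth on the `oauth2-proxy` Ingress before it
# is forwarded to the dashboard.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: oauth2-proxy
    spec:
      # oauth2-proxy needs neither root nor any Linux capability, so refuse
      # them at the pod level.
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: oauth2-proxy
          # NOTE(review): pin this to a release tag or image digest before
          # deploying; ':latest' with imagePullPolicy Always re-resolves the
          # image on every pod start, so what runs is not what was reviewed.
          image: quay.io/oauth2-proxy/oauth2-proxy:latest
          imagePullPolicy: Always
          args:
            - --provider=github
            # Recommended: remove email-domain=* in args and set an allowlist
            # (OAUTH2_PROXY_GITHUB_USERS below); '*' admits any GitHub account
            # that completes the OAuth flow.
            - --email-domain=*
            # No real upstream: ingress-nginx only ever calls /oauth2/auth.
            - --upstream=file:///dev/null
            - --http-address=0.0.0.0:4180
          # Register a new application
          # https://github.com/settings/applications/new
          #
          # Credentials are read from a Secret instead of being inlined, so
          # this manifest can live in version control without carrying them.
          # Create the Secret out of band; __OAUTH2_SECRET_NAME__ and the key
          # names are placeholders, choose your own:
          #   kubectl -n kube-system create secret generic __OAUTH2_SECRET_NAME__ \
          #     --from-literal=client-id=... \
          #     --from-literal=client-secret=... \
          #     --from-literal=cookie-secret=...
          # A cookie secret can be generated with, for example:
          # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: __OAUTH2_SECRET_NAME__
                  key: client-id
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: __OAUTH2_SECRET_NAME__
                  key: client-secret
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: __OAUTH2_SECRET_NAME__
                  key: cookie-secret
            # Recommended: remove email-domain=* in args and set an allowlist
            # - name: OAUTH2_PROXY_GITHUB_USERS
            #   value: alice,bob
          ports:
            - containerPort: 4180
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: oauth2-proxy
  name: oauth2-proxy
  namespace: kube-system
spec:
  ports:
    - name: http
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    k8s-app: oauth2-proxy
---
# Exposes only the /oauth2 prefix (auth endpoint, sign-in, callback) over TLS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
    - host: __INGRESS_HOST__
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
    - hosts:
        - __INGRESS_HOST__
      secretName: __INGRESS_SECRET__
---
# The protected application. Every request is first checked against
# /oauth2/auth; an unauthenticated client is redirected to /oauth2/start with
# the original URI so it returns here after sign-in.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
  name: external-auth-oauth2
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
    - host: __INGRESS_HOST__
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # NOTE(review): this assumes the dashboard Service is named
                # kubernetes-dashboard in kube-system — confirm for your install.
                name: kubernetes-dashboard
                port:
                  number: 80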