K8s OAuth2 and no Endpoint
When creating an OAuth-protected endpoint, make sure the endpoint itself does not respond with 3xx or 4xx errors. Otherwise you'll see the login screen again even after logging in successfully.
To create a new protected IngressRoute:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example-ing
spec:
  routes:
    - match: Host(`SUBDOMAIN.EXAMPLE.COM`)
      kind: Rule
      middlewares:
        - name: oauth-errors
        - name: oauth-auth
      services:
        - name: service-that-needs-to-be-behind-oauth
          port: 80
Resources to adjust and deploy:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://SUBDOMAIN.EXAMPLE.COM/oauth2/auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: proxy-{{ item }}-ing
spec:
  routes:
    - kind: Rule
      match: Host(`SUBDOMAIN.EXAMPLE.COM`) && PathPrefix(`/oauth2/`)
      middlewares:
        - name: auth-headers
      services:
        - name: oauth2-oauth2-proxy
          port: "http"
Resources that need no adjustments:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status: # needs to be here for the proxying to happen
      - "401-403"
    service:
      name: oauth2-oauth2-proxy
      port: 80
    query: "/oauth2/sign_in"
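
A check for the warning at the top of this page, as an added example (not part of the original post): it parses the `status` entries of the oauth-errors middleware and reports which backend responses Traefik would replace with the `/oauth2/sign_in` page. It covers only the errors middleware; the function names and the sample paths and status codes are constructed for illustration.

```python
"""Predict which backend responses the oauth-errors middleware will replace."""

# Values copied from the oauth-errors Middleware on this page.
ERRORS_STATUS = ["401-403"]
ERRORS_QUERY = "/oauth2/sign_in"


def parse_status_ranges(specs):
    """Turn Traefik errors.status entries into inclusive (low, high) tuples.

    Handles the forms Traefik documents: "500", "401-403", "404,418,500-599".
    """
    ranges = []
    for spec in specs:
        for part in str(spec).split(","):
            part = part.strip()
            if not part:
                continue
            low, _, high = part.partition("-")
            low, high = int(low), int(high or low)
            if not (100 <= low <= high <= 599):
                raise ValueError(f"invalid status range: {part!r}")
            ranges.append((low, high))
    return ranges


def is_intercepted(code, ranges):
    """True if the errors middleware would swap this response for the error page."""
    return any(low <= code <= high for low, high in ranges)


def find_login_loops(responses, specs=ERRORS_STATUS):
    """Return the (path, status) pairs that would show the sign-in page again."""
    ranges = parse_status_ranges(specs)
    return [(path, code) for path, code in responses if is_intercepted(code, ranges)]


# Constructed sample: statuses the protected service returns to a logged-in user.
SAMPLE_RESPONSES = [
    ("/", 200),
    ("/api/me", 401),    # the application's own auth check
    ("/admin", 403),     # the application's own authorization check
    ("/report", 500),
]

if __name__ == "__main__":
    for path, code in find_login_loops(SAMPLE_RESPONSES):
        print(f"{path}: backend returned {code}, user is served {ERRORS_QUERY}")
```

Feed it status codes collected by querying the service directly (bypassing the IngressRoute) to find the paths that will bounce a logged-in user back to the login screen.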