Initial configuration of oathkeeper + routing incoming requests through it. #984
-
Hi folks, I want to use oathkeeper as a policy decision point in my application which is made of several services. One of them, for example, is serving:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ .Release.Namespace }}-{{ .Chart.Name }}-logs
  namespace: {{ .Release.Namespace }}
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /logs/
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "360"
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Preferred-Username
    nginx.ingress.kubernetes.io/auth-signin: https://{{ .Values.global.external_server_address }}/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: https://{{ .Values.global.external_server_address }}/oauth2/auth
    nginx.ingress.kubernetes.io/limit-connections: '15'
    nginx.ingress.kubernetes.io/limit-rps: '15'
    nginx.ingress.kubernetes.io/limit-rpm: '900'
    nginx.ingress.kubernetes.io/limit-burst-multiplier: '3'
    nginx.ingress.kubernetes.io/configuration-snippet: |
{{ .Values.global.security_headers | indent 6 }}
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - http:
      paths:
      - path: /api/v[^/]*/logs
        pathType: ImplementationSpecific
        backend:
          service:
            name: {{ .Values.gtw_app_name }}
            port:
              number: {{ .Values.gtw_port }}
```

Currently, I have managed to deploy oathkeeper + oathkeeper-maester on the cluster using these k8s helm charts, however I have no idea how to configure it to start with a completely blank state, where no rules are checked yet. All I want is to route the incoming traffic through it, basically:
Later on I'm planning to add some additional request authentication, where oathkeeper will validate the received request, but for now I'm trying to keep it as simple as possible and get the traffic going through it, where oathkeeper will accept anything as long as authorization passes. Do you have any examples for similar issues, or do you know what I should start with in this case?
Replies: 2 comments
-
We have some examples for Oathkeeper but not for the helm charts. Maybe @Demonsthere has some pointers?
-
Hi there!
If I understood what you want to achieve, then you're making one logical error. You don't need to expose the app on ingress, but rather have Oathkeeper act as a single point of entry:
User -> Oathkeeper (exposed as a LoadBalancer Service) -> Your target service.
Oathkeeper-maester is an optional component, which allows you to define rules for your target services as CRs. This makes it easier to manage a dynamic number of services, but if you have only a single one then you might find it easier to deploy just oathkeeper and a static configuration for the rules :)
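A static rule set for the pass-through state the question asks for, written up as an added example (it is not from this thread or from the ory/k8s charts): a minimal Oathkeeper config plus one access rule for the `/api/v*/logs` path of the Ingress above. The service name `gtw-app`, port `8080`, namespace `default` and the file paths are assumed placeholders standing in for the poster's Helm values.

```yaml
# oathkeeper.yml (assumed path): enable only the handlers the rule below uses.
serve:
  proxy:
    port: 4455            # the port the LoadBalancer Service forwards to
access_rules:
  matching_strategy: regexp
  repositories:
    - file:///etc/rules/access-rules.yml   # assumed mount path of the rule file
authenticators:
  noop:
    enabled: true         # "blank state": every request counts as authenticated
authorizers:
  allow:
    enabled: true         # every authenticated request is allowed through
mutators:
  noop:
    enabled: true         # forward the request unchanged
errors:
  handlers:
    json:
      enabled: true
---
# access-rules.yml: one pass-through rule mirroring the Ingress path /api/v[^/]*/logs.
- id: logs-passthrough
  upstream:
    # assumed: stands in for {{ .Values.gtw_app_name }} / {{ .Values.gtw_port }}
    url: http://gtw-app.default.svc.cluster.local:8080
    strip_path: ""        # no rewrite-target equivalent: upstream sees the original path
  match:
    # <...> delimits a regexp group under matching_strategy: regexp
    url: <http|https>://<.*>/api/v<[^/]*>/logs<.*>
    methods:
      - GET
      - POST
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop
  errors:
    - handler: json
```

Tightening this later means enabling and swapping in a real authenticator (for example `jwt` or `cookie_session`) in both files, while the `match` and `upstream` sections stay as they are.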