Authentication Service (oauth2 proxy)

[DevSecNinja]

Hello,

Thanks for this fantastic project! I have been struggling in the past to figure out what a good setup would look like in terms of folder structures, how to standardize the services and I think you nailed it!

Over the weekend I have implemented a 3-node cluster based on your template. One crucial service I believe can't be missed is a solid oauth2 proxy. In my case, I'm using the oauth-proxy HELM chart for authentication with Azure AD, but the chart supports many other services like GitHub Auth or Google Auth.

I'm fairly new to managing Kubernetes at scale and I was able to implement the chart in my repository here: https://github.com/DevSecNinja/k3s-home/tree/main/kubernetes/apps/security

I still have some things I would like to implement like Redis, but it should be a good starter.

Curious to hear everybody's thoughts.

Thanks.

[onedr0p]

Thanks for the kind words! Glad you find this useful. Iteration is quite quick sometimes, I just pushed a commit to drop metallb in favor of Cilium L2 Announcements.

It is my understanding that using oauth2-proxy is good if using an external OIDC/OAuth provider like Auth0/Github etc.. I don't think this would be needed as default in the template thou if that is what you are asking.

[DevSecNinja]

Haha, that's very quick indeed :) Understood! I thought it would be nice to add it to the template, but it's also an additional 'setup' step that makes the template a bit more complex/difficult.

Would it be useful to have a list / table of repositories that have adopted your template and added a new asset/solution to it? A table entry could refer to my public repo for the oauth2-proxy implementation, and there are probably many others that have additional solutions. Community members can then raise a PR to get their project added.

[onedr0p]

Have you seen this?

https://nanne.dev/k8s-at-home-search/

Not repos follow the template exactly but they are all Flux and pretty good for getting ideas on configuration of apps that the community here runs.

[alex-matthews]

I had the same thought. Auth seems important for internet-facing apps.

Everyone using this template has a GitHub account and a Cloudflare account. In view of this, might Cloudflare Zero Trust be a good solution?

A related observation: Cloudflare is a critical piece of infrastructure, with many settings. Sane defaults would be nice. Currently the user is left to do ClickOps on a provider they aren't necessarily familiar with.