[keycloak-user] Using Gatekeeper with ingress-nginx

David Leonard David.Leonard at flexential.com
Tue Nov 20 00:50:29 EST 2018


Hello everyone,

We're attempting to use Gatekeeper to integrate into a workflow with auth_request to provide authorization from Keycloak. We're wanting to use this in our Kubernetes stack to sidecar Gatekeeper to our nginx-ingress controller.

We're attempting to follow a setup similar to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth but replacing oauth2_proxy with Gatekeeper. We are able to complete a full authorization cycle using /oauth/expired to test if we have a current token.

This doesn't seem to work though because the X-Auth-* headers get passed only into the "proxied" application. Specifically oauth2_proxy provides the following config item:

  -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)

We're wanting to sidecar Gatekeeper because we get the infinite flexibility of nginx-ingress. Is it possible to set a flag similar to -set-xauthrequest? Looking at the code itself it seems this is not possible, as the headers are only ever set in the middleware.

Thanks!


--

David Leonard

Director of Professional Services, South Region

303.245.4509

3010 Waterview Parkway, Richardson, TX, 75080
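
The difference the post describes, as an added example that is not part of the original message and is not code from Gatekeeper or oauth2_proxy: an `auth_request` endpoint has to return identity on its response, while a proxy-style middleware only adds it to the request forwarded upstream. The credential store, the `Authorization` lookup, the handler names and the `X-Auth-Email` header name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed credential store standing in for real token verification.
var sessions = map[string]string{"Bearer s1": "alice@example.com"}

// session returns the caller's email, or writes 401 and reports false.
func session(w http.ResponseWriter, r *http.Request) (string, bool) {
	email, ok := sessions[r.Header.Get("Authorization")]
	if !ok {
		w.WriteHeader(http.StatusUnauthorized)
	}
	return email, ok
}

// authOnly: auth_request endpoint. Identity goes on the RESPONSE, where nginx can copy it.
func authOnly(w http.ResponseWriter, r *http.Request) {
	if email, ok := session(w, r); ok {
		w.Header().Set("X-Auth-Request-Email", email) // status defaults to 200
	}
}

// proxyStyle: identity goes on the REQUEST to the upstream only (illustrative header name).
func proxyStyle(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if email, ok := session(w, r); ok {
			r.Header.Set("X-Auth-Email", email)
			next.ServeHTTP(w, r)
		}
	})
}

// probe plays nginx: one subrequest, returning status and one response header.
func probe(h http.Handler, cred, header string) (int, string) {
	req, rec := httptest.NewRequest("GET", "/auth", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", cred)
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get(header)
}

func main() {
	up := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	fmt.Println(probe(http.HandlerFunc(authOnly), "Bearer s1", "X-Auth-Request-Email"))
	fmt.Println(probe(proxyStyle(up), "Bearer s1", "X-Auth-Email"))
}
```

Both handlers allow the request, but only the first gives nginx a value to copy; with ingress-nginx the response headers to forward are the ones named in the `nginx.ingress.kubernetes.io/auth-response-headers` annotation.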


