TazLab K8s: Dex + OAuth2 Proxy Detail
Level 3 (Detail) — OIDC authentication flow and protected service configuration.
Concept
The cluster uses Dex as an OIDC provider (backed by Google OAuth) and OAuth2 Proxy as a ForwardAuth gate in front of Traefik-routed services. Protected services (Grafana, PGAdmin, Longhorn) require a Google login through Dex, plus an allowlisted email address, before any request reaches the application.
Architecture
User → Traefik → ForwardAuth Middleware → OAuth2 Proxy → Dex → Google OAuth
  ↓ (if authenticated: OAuth2 Proxy answers 200 to the ForwardAuth call)
Traefik → Protected App
Dex (OIDC Provider)
Manifests
| File | Purpose |
|---|---|
| infrastructure/operators/dex/namespace.yaml | Namespace declaration |
| infrastructure/instances/dex/configmap.yaml | Dex configuration template |
| infrastructure/instances/dex/deployment.yaml | Dex server (v2.41.1) |
| infrastructure/instances/dex/service.yaml | ClusterIP on port 5556 |
| infrastructure/instances/dex/ingress.yaml | HTTPS ingress at dex.tazlab.net |
| infrastructure/instances/dex/rbac.yaml | ServiceAccount + Roles |
| infrastructure/instances/dex/wildcard-tls-secret.yaml | TLS cert from ExternalSecret |
| infrastructure/configs/dex/ | OIDC client secrets ExternalSecret |
Configuration
Issuer URL: https://dex.tazlab.net
Connector:
- Type: google
- Client ID/Secret: sourced from Vault via ExternalSecret (rendered into dex-rendered-config)
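The rendered Dex configuration that the settings above describe, written out as an added example (this is not the project's dex-rendered-config). The Kubernetes storage backend, the $GOOGLE_CLIENT_ID / $GOOGLE_CLIENT_SECRET / $OAUTH2_PROXY_CLIENT_SECRET variable names, the static client id oauth2-proxy and the /callback path on the Dex host are assumptions; the issuer, service port and OAuth2 Proxy redirect URL come from this page.

```yaml
# Added example of a Dex config matching the table above; not the project's
# actual dex-rendered-config. Dex expands $VAR references from the container
# environment, so the Vault-sourced secrets are mounted as env vars, not inline.
issuer: https://dex.tazlab.net

# Assumption: Dex persists state in its own CRDs (consistent with rbac.yaml).
storage:
  type: kubernetes
  config:
    inCluster: true

web:
  http: 0.0.0.0:5556   # matches the ClusterIP service port on this page

connectors:
  - type: google
    id: google
    name: Google
    config:
      clientID: $GOOGLE_CLIENT_ID          # assumed env var names
      clientSecret: $GOOGLE_CLIENT_SECRET
      # Must be registered verbatim on the Google OAuth client; assumed path.
      redirectURI: https://dex.tazlab.net/callback

# The only relying party allowed to obtain tokens from this Dex instance.
staticClients:
  - id: oauth2-proxy                        # assumed client id
    name: OAuth2 Proxy
    secret: $OAUTH2_PROXY_CLIENT_SECRET
    # Exact-match list: Dex refuses any other redirect_uri, which is what
    # stops an attacker from bouncing an authorization code to a host they control.
    redirectURIs:
      - https://auth.tazlab.net/oauth2/callback

oauth2:
  skipApprovalScreen: true   # single trusted client; no consent prompt needed
```

Two points worth checking in the real rendered file: the redirectURIs list should contain exactly the OAuth2 Proxy callback and nothing broader, and the client secret should arrive via the ExternalSecret as an environment variable rather than being templated into the ConfigMap, where it would be readable by anyone with ConfigMap access in the dex namespace.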
OAuth2 Proxy (ForwardAuth Gate)
Configuration
| Setting | Value |
|---|---|
| Client Secret | From Vault (tazlab-secrets-vault) |
| Cookie Domain | .tazlab.net |
| Redirect URL | https://auth.tazlab.net/oauth2/callback |
| Upstream | static://200 (no proxy to a backend; the ForwardAuth call only needs a 200) |
| Email file | /etc/oauth2-proxy/allowed-emails.txt |
| Key flags | --set-xauthrequest=true, --reverse-proxy=true |
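The container spec that the table above implies, as an added example rather than the project's deployment.yaml. The image tag, the listening port 4180, the client id oauth2-proxy, the Secret and ConfigMap names and the extra hardening flags (cookie-secure, cookie-samesite, whitelist-domain, set-authorization-header) are assumptions; the issuer, redirect URL, cookie domain, upstream, email file and the two key flags come from the page.

```yaml
# Added example of the OAuth2 Proxy container implied by the settings above;
# not the project's deployment.yaml. Image tag, port, client id, Secret and
# ConfigMap names are assumptions.
containers:
  - name: oauth2-proxy
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0   # assumed version
    args:
      - --provider=oidc
      - --oidc-issuer-url=https://dex.tazlab.net      # Dex is the IdP, not Google
      - --client-id=oauth2-proxy                      # assumed; must match Dex staticClients
      - --redirect-url=https://auth.tazlab.net/oauth2/callback
      - --http-address=0.0.0.0:4180
      # No real backend: every authenticated ForwardAuth probe gets a bare 200.
      - --upstream=static://200
      # Trust X-Forwarded-* from Traefik so the proxy can reconstruct the
      # original host/URI for the post-login redirect. Only safe because the
      # pod is reachable solely through Traefik.
      - --reverse-proxy=true
      # Headers Traefik copies onto the upstream request (authResponseHeaders).
      - --set-xauthrequest=true
      - --set-authorization-header=true
      # One cookie for *.tazlab.net so a single login covers every protected host.
      - --cookie-domain=.tazlab.net
      - --cookie-secure=true
      - --cookie-samesite=lax
      # Refuse post-login redirects that point anywhere but our own domain.
      - --whitelist-domain=.tazlab.net
      # Authorization step: a successful Google login is not enough, the
      # email claim must appear in this file.
      - --authenticated-emails-file=/etc/oauth2-proxy/allowed-emails.txt
      - --skip-provider-button=true
    env:
      # Secrets come from the Vault-backed ExternalSecret, never from args
      # (args are visible in the pod spec to anyone who can read it).
      - name: OAUTH2_PROXY_CLIENT_SECRET
        valueFrom:
          secretKeyRef: {name: oauth2-proxy-secret, key: client-secret}
      # 32 random bytes; signs and encrypts the session cookie. Rotating it
      # invalidates every existing session.
      - name: OAUTH2_PROXY_COOKIE_SECRET
        valueFrom:
          secretKeyRef: {name: oauth2-proxy-secret, key: cookie-secret}
    volumeMounts:
      - name: allowed-emails
        mountPath: /etc/oauth2-proxy
        readOnly: true
volumes:
  - name: allowed-emails
    configMap:
      name: oauth2-proxy-allowed-emails   # assumed name of the allowlist ConfigMap
```

The flag to be careful with is --reverse-proxy=true: it makes OAuth2 Proxy believe X-Forwarded-Host and X-Forwarded-Uri, which is required for the ForwardAuth flow but means any client that can reach port 4180 directly can spoof those headers. A NetworkPolicy that admits only Traefik's pods to the auth namespace closes that gap.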
Email Allowlist
File: infrastructure/auth/oauth2-proxy/allowed-emails-configmap.yaml
Only explicitly listed emails can authenticate; the check is enforced by OAuth2 Proxy after Dex returns the ID token, so a successful Google login with an unlisted address is still rejected. Uses ${ADMIN_EMAIL} substitution from cluster-vars plus hardcoded roberto.tazzoli@gmail.com.
ForwardAuth Middleware
File: infrastructure/auth/oauth2-proxy/middleware.yaml
The middleware is defined in namespace auth and referenced globally as auth-oauth2-proxy@kubernetescrd. For every request on a protected host Traefik first forwards the request (headers only) to OAuth2 Proxy. If OAuth2 Proxy answers 2xx, Traefik copies the X-Auth-Request-User, X-Auth-Request-Email, and Authorization response headers onto the request it sends to the upstream application; any other response (the 302 to Dex for an unauthenticated browser, or a 403 for a non-allowlisted email) is returned to the client unchanged and the application is never contacted.
Protected Services
| Service | Hostname | Middleware Annotation |
|---|---|---|
| Grafana | grafana.tazlab.net | auth-oauth2-proxy@kubernetescrd |
| PGAdmin | pgadmin.tazlab.net | auth-oauth2-proxy@kubernetescrd |
| Longhorn | longhorn.tazlab.net | auth-oauth2-proxy@kubernetescrd |
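The ForwardAuth Middleware described above and one of the protected Ingresses wired to it, as an added example rather than the project's middleware.yaml or Grafana manifest. The OAuth2 Proxy Service name and port, the Grafana namespace, Service name and port, and the TLS secret name are assumptions; the middleware namespace/name, the copied headers, the annotation value and the hostname come from this page.

```yaml
# Added example of the ForwardAuth Middleware plus one protected Ingress; not
# the project's manifests. Service names/ports and namespaces are assumptions.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-proxy      # namespace + name = auth-oauth2-proxy@kubernetescrd
  namespace: auth
spec:
  forwardAuth:
    # Target the proxy root rather than /oauth2/auth: with upstream static://200
    # a valid session yields 200 and a missing one yields a 302 to Dex that
    # Traefik relays to the browser. /oauth2/auth would return a bare 401.
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/   # assumed Service
    # Pass X-Forwarded-* through so OAuth2 Proxy can build the return URL.
    trustForwardHeader: true
    # Only these response headers are copied onto the upstream request;
    # everything else OAuth2 Proxy returns is dropped.
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - Authorization
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring   # assumed
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Cross-namespace reference: <namespace>-<name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: auth-oauth2-proxy@kubernetescrd
spec:
  tls:
    - hosts: [grafana.tazlab.net]
      secretName: wildcard-tls   # assumed name for the ExternalSecret-backed cert
  rules:
    - host: grafana.tazlab.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana   # assumed
                port:
                  number: 3000
```

Two things to verify after applying this pattern to PGAdmin and Longhorn as well: the auth.tazlab.net Ingress that exposes OAuth2 Proxy itself must not carry the middleware (it would loop), and the application Services must not be reachable by any route other than these Ingresses, otherwise the identity headers could be forged by a direct in-cluster caller.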
Authentication Flow
- User visits https://grafana.tazlab.net
- Traefik applies the auth-oauth2-proxy@kubernetescrd middleware and forwards the request to OAuth2 Proxy before contacting Grafana
- No valid session cookie is present, so OAuth2 Proxy answers with a redirect to the Dex authorization endpoint at https://dex.tazlab.net, which Traefik relays to the browser
- Dex redirects to the Google OAuth consent screen
- User authenticates with Google
- Google redirects back to Dex with an authorization code
- Dex exchanges that code with Google for tokens and establishes its own session
- Dex redirects to https://auth.tazlab.net/oauth2/callback with a Dex-issued authorization code
- OAuth2 Proxy exchanges the Dex code at Dex's token endpoint and validates the ID token (issuer https://dex.tazlab.net, audience, signature, expiry)
- If the email claim is in the allowlist, OAuth2 Proxy sets the session cookie for .tazlab.net and redirects to the original URL; otherwise the request is rejected even though the Google login succeeded
- Subsequent requests carry the cookie; each ForwardAuth call validates it without a round trip to Dex, and Traefik forwards the request to the app with the identity headers attached
DAG Position
operators-core (Level 0, creates dex + auth namespaces)
→ configs (Level 2, creates dex OIDC secrets)
→ instances (Level 3, creates Dex + OAuth2 Proxy Deployments)
→ auth (Level 4, creates ForwardAuth middleware — depends on instances)
See Also
- Parent topic: Ingress & Auth
- Sibling details: Traefik Detail, External Secrets Detail