TazLab K8s: Dex + OAuth2 Proxy Detail

Level 3 (Detail) — OIDC authentication flow and protected service configuration.

Concept

The cluster uses Dex as an OIDC provider (backed by Google OAuth) and OAuth2 Proxy as a ForwardAuth gate. Protected services (Grafana, PGAdmin, Longhorn) require Google authentication before traffic reaches the application.

Architecture

User → Traefik → ForwardAuth Middleware → OAuth2 Proxy → Dex → Google OAuth
                      ↓
               (if authenticated)
                      ↓
               Protected App

Dex (OIDC Provider)

Manifests

| File | Purpose |
|------|---------|
| infrastructure/operators/dex/namespace.yaml | Namespace declaration |
| infrastructure/instances/dex/configmap.yaml | Dex configuration template |
| infrastructure/instances/dex/deployment.yaml | Dex server (v2.41.1) |
| infrastructure/instances/dex/service.yaml | ClusterIP on port 5556 |
| infrastructure/instances/dex/ingress.yaml | HTTPS ingress at dex.tazlab.net |
| infrastructure/instances/dex/rbac.yaml | ServiceAccount + Roles |
| infrastructure/instances/dex/wildcard-tls-secret.yaml | TLS cert from ExternalSecret |
| infrastructure/configs/dex/ | OIDC client secrets ExternalSecret |

Configuration

Issuer URL: https://dex.tazlab.net

Connector:

  • Type: google
  • Client ID/Secret: sourced from Vault via ExternalSecret (rendered into dex-rendered-config)

OAuth2 Proxy (ForwardAuth Gate)

| Setting | Value |
|---------|-------|
| Client Secret | From Vault (tazlab-secrets-vault) |
| Cookie Domain | .tazlab.net |
| Redirect URL | https://auth.tazlab.net/oauth2/callback |
| Upstream | static://200 (no proxy to backend) |
| Email file | /etc/oauth2-proxy/allowed-emails.txt |
| Key flags | --set-xauthrequest=true, --reverse-proxy=true |

Email Allowlist

File: infrastructure/auth/oauth2-proxy/allowed-emails-configmap.yaml

Only explicitly listed emails can authenticate. The list is built from the ${ADMIN_EMAIL} substitution in cluster-vars plus the hardcoded address roberto.tazzoli@gmail.com.

ForwardAuth Middleware

File: infrastructure/auth/oauth2-proxy/middleware.yaml

The middleware is defined in namespace auth and referenced globally as auth-oauth2-proxy@kubernetescrd. It forwards auth requests to OAuth2 Proxy and injects X-Auth-Request-User, X-Auth-Request-Email, and Authorization headers into the upstream request.

Protected Services

| Service | Hostname | Middleware Annotation |
|---------|----------|-----------------------|
| Grafana | grafana.tazlab.net | auth-oauth2-proxy@kubernetescrd |
| PGAdmin | pgadmin.tazlab.net | auth-oauth2-proxy@kubernetescrd |
| Longhorn | longhorn.tazlab.net | auth-oauth2-proxy@kubernetescrd |
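A defender's consistency check for the two lists above (the email allowlist and the protected-service table), added here as an example and not code from the TazLab repository: it flags any hostname that should be protected but whose Ingress lacks the auth-oauth2-proxy@kubernetescrd middleware in its router.middlewares chain, and it rejects allowlist lines that are blank, malformed or still carry an unrendered ${ADMIN_EMAIL}-style placeholder. The Ingress objects and the email file contents are constructed stand-ins for `kubectl get ingress -A -o json` output and allowed-emails.txt.

```python
import re

MIDDLEWARE = "auth-oauth2-proxy@kubernetescrd"
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed stand-in for `kubectl get ingress -A -o json`; not from the repo.
# The longhorn Ingress deliberately lacks the middleware annotation.
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"name": "grafana", "namespace": "monitoring",
                  "annotations": {ANNOTATION: MIDDLEWARE}},
     "spec": {"rules": [{"host": "grafana.tazlab.net"}]}},
    {"metadata": {"name": "pgadmin", "namespace": "db",
                  "annotations": {ANNOTATION: "db-headers@kubernetescrd, " + MIDDLEWARE}},
     "spec": {"rules": [{"host": "pgadmin.tazlab.net"}]}},
    {"metadata": {"name": "longhorn", "namespace": "longhorn-system", "annotations": {}},
     "spec": {"rules": [{"host": "longhorn.tazlab.net"}]}},
]}
PROTECTED_HOSTS = ["grafana.tazlab.net", "pgadmin.tazlab.net", "longhorn.tazlab.net"]

# Constructed allowed-emails.txt content; "${ADMIN_EMAIL}" models a substitution
# that was never rendered and would otherwise become a line matching nobody.
SAMPLE_ALLOWLIST = "admin@example.com\n${ADMIN_EMAIL}\n\nnot-an-email\n"


def unprotected_hosts(ingress_list, expected_protected):
    """Return expected-protected hostnames whose Ingress does not carry the
    ForwardAuth middleware in its comma-separated router.middlewares chain."""
    gated = set()
    for ing in ingress_list["items"]:
        chain = ing["metadata"].get("annotations", {}).get(ANNOTATION, "")
        if MIDDLEWARE in {m.strip() for m in chain.split(",")}:
            gated.update(r["host"] for r in ing["spec"].get("rules", []) if "host" in r)
    return sorted(set(expected_protected) - gated)


def parse_allowlist(text):
    """Split allowed-emails.txt into valid addresses and rejected lines.
    Blank lines are skipped; unrendered ${VAR} placeholders and anything that is
    not a single email address are reported so the rollout can fail early."""
    valid, rejected = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        (valid if "${" not in line and EMAIL_RE.match(line) else rejected).append(line)
    return valid, rejected


if __name__ == "__main__":
    print("unprotected:", unprotected_hosts(SAMPLE_INGRESSES, PROTECTED_HOSTS))
    print("allowlist:", parse_allowlist(SAMPLE_ALLOWLIST))
```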

Authentication Flow

  1. User visits https://grafana.tazlab.net
  2. Traefik applies auth-oauth2-proxy@kubernetescrd middleware
  3. OAuth2 Proxy redirects to https://dex.tazlab.net
  4. Dex redirects to Google OAuth consent screen
  5. User authenticates with Google
  6. Google redirects back to Dex with auth code
  7. Dex exchanges code for tokens, creates session
  8. Dex redirects to https://auth.tazlab.net/oauth2/callback
  9. OAuth2 Proxy validates the OIDC response
  10. If the email is in the allowlist, OAuth2 Proxy sets the auth cookie and redirects to the original URL
  11. Subsequent requests carry the auth cookie, which OAuth2 Proxy validates transparently

DAG Position

operators-core (Level 0, creates dex + auth namespaces)
→ configs (Level 2, creates dex OIDC secrets)
→ instances (Level 3, creates Dex + OAuth2 Proxy Deployments)
→ auth (Level 4, creates ForwardAuth middleware — depends on instances)

See Also