# Authorization and authentification

Follow official helm chart repository for oauth2-proxy. Don't forget to update the version to a more recent.

# Chart.yaml
apiVersion: v2
name: azure-oauth2-proxy
description: Kubernetes deployment of azure-oauth2-proxy
type: application
version: 6.1.0
maintainers:
  - name: FRINX
dependencies:
  - name: oauth2-proxy
    repository: https://oauth2-proxy.github.io/manifests
    version: 7.7.4
    condition: oauth2-proxy.enabled

# templates/oauth2-proxy-secret.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: oauth2-proxy
  namespace: frinx
data:
  client-id: <FILL YOUR ID BASE64>
  client-secret: <FILL YOUR SECRET BASE64>
  cookie-secret: <FILL YOUR COOKIE BASE64>

Follow oauth2-proxy official documentation to configure Azure AD.

# templates/azure-redis-secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Chart.Name }}-redis-secret
type: Opaque
data:
  redis-password: {{ .Values.redisPassword.password | b64enc }}

# values.yaml

x-frinx-image-pull-secret: &frinx-image-pull-secret regcred

oauth2-proxy:
  enabled: true

  fullnameOverride: "oauth2-proxy"

  image:
    repository: "frinxio/oauth2-proxy"
    tag: "6.1.0-alpine"

    imagePullSecrets:
      - name: *frinx-image-pull-secret

  redis:
    enabled: true
    architecture: standalone

  sessionStorage:
    type: redis
    redis:
      existingSecret: "azure-oauth2-proxy-redis-secret"
      passwordKey: "redis-password"

  config:
    existingSecret: oauth2-proxy

    configFile: |-
      # DEFAULT CONFIGURATION
      # https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview

      custom_sign_in_logo = "/tmp/frinx/frinx.png"
      upstreams = "file:///dev/null"

      cookie_secure = true
      cookie_expire = 0
      # cookie_httponly = true

      pass_authorization_header = false
      proxy_websockets = true

      email_domains = [ "*" ]

      # DEPENDS ON DEPLOYMENT SETUP, INGRESS CONFIGURATION
      cookie_domains = [ "fm.127.0.0.1.nip.io" ]
      whitelist_domains = [ "fm.127.0.0.1.nip.io" ]

      provider = "azure"
      azure_tenant = "YOUR_TENANT_ID"
      oidc_issuer_url = "https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0"

      login_url = "https://login.microsoftonline.com"
      redirect_url = "https://fm.127.0.0.1.nip.io/oauth2/callback"

      ssl_insecure_skip_verify = false
      pass_access_token = false
      set_xauthrequest = true
      skip_jwt_bearer_tokens = true
      reverse_proxy = true

  extraArgs:
    azure-graph-group-field: displayName

redisPassword:
  password: "yourPassword"

# Install Oauth2-Proxy

helm dependency update
helm install -n frinx oauth2-proxy . -f values.yaml

# Configure RBAC

Rbac functionality can be configured on subchart level.

https://artifacthub.io/packages/helm/frinx-helm-charts/krakend?modal=values&path=rbac
https://artifacthub.io/packages/helm/frinx-helm-charts/workflow-manager?modal=values&path=rbac
https://artifacthub.io/packages/helm/frinx-helm-charts/topology-discovery?modal=values&path=rbac

env: X_AUTH_USER_GROUP: *frinx-rbac-admin-role

# values.yaml

https://artifacthub.io/packages/helm/frinx-helm-charts/krakend?modal=values&path=rbac