Authorization
By default, the dashboard is not protected and is available to everyone.
To restrict access, ingress-dashboard supports the following methods:
- basic authorization
- OIDC provider
Regardless of the selected authorization method, ALWAYS use a secured connection (i.e. TLS/HTTPS).
Basic authorization
Basic authorization assumes a static username and password. It is not the best option from a security perspective, but it is good enough for internal usage or for testing.
For proper protection and for enterprise usage, consider using OIDC.
To enable basic authorization, provide the following environment variables:
- AUTH=basic - switch auth mode to HTTP basic
- BASIC_USER=<your user name> - desired user name (commonly admin)
- BASIC_PASSWORD=<password> - desired user password
The password is a critical value, so consider using secrets to store it.
OIDC
OIDC is the industry standard for integration with OAuth 2 Identity Providers (IDP).
OIDC is supported by many providers, including (incomplete list):
- Auth0
- Microsoft
- Oracle
- Okta
- Keycloak
- and many more
To connect ingress-dashboard to an IDP you need to obtain:
- issuer URL
- client ID and client secret
To enable OIDC authorization, provide the following environment variables:
- AUTH=oidc - switch auth mode to OIDC
- OIDC_ISSUER=<issuer-url> - IDP URL (ex: for Keycloak it will be https://<domain>/auth/realms/<realm>)
- CLIENT_ID=<client-id> - client ID from IDP
- CLIENT_SECRET=<password> - client secret from IDP (sensitive information - use secrets to store)
- SERVER_URL=<public URL> - (optional) URL of ingress-dashboard, used for redirects. If not set, dashboard will rely on Host header.
Example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  # ...
  name: dashboard
  namespace: ingress-dashboard
spec:
  # ...
  template:
    # ...
    spec:
      containers:
        - name: dashboard
          # ...
          env:
            # ...
            - name: AUTH
              value: "oidc"
            - name: CLIENT_ID
              value: my-client-id-in-idp
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: my-secret-storage
                  key: client_secret
            - name: OIDC_ISSUER
              value: https://my-idp.example.com/
            - name: SERVER_URL
              value: https://example.com
          # ...
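
A pre-deployment check for the settings described above, as an added example that is not part of the ingress-dashboard project: it reads a Deployment in the JSON form printed by kubectl get deployment -o json and reports missing variables, inline BASIC_PASSWORD or CLIENT_SECRET values, non-HTTPS URLs and an unset SERVER_URL. The function names (audit_deployment, deployment, secret_ref) and the sample manifests are constructed for illustration.

```python
# Added example, not project code: audit the auth env vars this page describes.
import json

SENSITIVE = {"BASIC_PASSWORD", "CLIENT_SECRET"}  # page: keep these in secrets
REQUIRED = {"basic": ["BASIC_USER", "BASIC_PASSWORD"],
            "oidc": ["OIDC_ISSUER", "CLIENT_ID", "CLIENT_SECRET"]}

def audit_deployment(manifest):
    """Return a list of findings for each container's auth env vars."""
    findings = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        env = {e["name"]: e for e in c.get("env", [])}
        mode = env.get("AUTH", {}).get("value", "")
        if mode not in REQUIRED:
            findings.append(f"{c['name']}: AUTH={mode!r} is not basic or oidc "
                            "(unset means the dashboard is unprotected)")
            continue
        for name in REQUIRED[mode]:
            if name not in env:
                findings.append(f"{c['name']}: {name} is required for AUTH={mode}")
        for name in sorted(SENSITIVE & set(env)):
            if "secretKeyRef" not in env[name].get("valueFrom", {}):
                findings.append(f"{c['name']}: {name} is inline, not read from a Secret")
        if mode == "oidc":
            for name in ("OIDC_ISSUER", "SERVER_URL"):
                url = env.get(name, {}).get("value")
                if url is not None and not url.startswith("https://"):
                    findings.append(f"{c['name']}: {name} is not an https:// URL")
            if "SERVER_URL" not in env:
                findings.append(f"{c['name']}: SERVER_URL unset, redirects rely on the Host header")
    return findings

def deployment(env):  # minimal constructed Deployment around an env list
    return {"spec": {"template": {"spec": {"containers": [{"name": "dashboard", "env": env}]}}}}
def secret_ref(name, key):  # env entry sourced from a Secret, as in the page's example
    return {"name": name, "valueFrom": {"secretKeyRef": {"name": "my-secret-storage", "key": key}}}

# Constructed samples: basic auth with an inline password, and the page's OIDC example.
WEAK = deployment([{"name": "AUTH", "value": "basic"},
                   {"name": "BASIC_USER", "value": "admin"},
                   {"name": "BASIC_PASSWORD", "value": "constructed-password"}])
GOOD = deployment([{"name": "AUTH", "value": "oidc"},
                   {"name": "CLIENT_ID", "value": "my-client-id-in-idp"},
                   secret_ref("CLIENT_SECRET", "client_secret"),
                   {"name": "OIDC_ISSUER", "value": "https://my-idp.example.com/"},
                   {"name": "SERVER_URL", "value": "https://example.com"}])

if __name__ == "__main__":
    print(json.dumps({"weak": audit_deployment(WEAK), "good": audit_deployment(GOOD)}, indent=2))
```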