I'm currently trying to streamline the OIDC login process using Auth0 with Kubernetes Ingress. In the past, I used Istio IngressGateway, but I found it frustrating to always modify the central cluster config whenever I deployed a new app. I'm looking for a way to let each application manage its own OIDC configuration without needing to adjust the central ingress settings. I recently switched to Envoy Gateway as it feels cleaner and has better OIDC integration. One idea I had was to deploy an `oauth2-proxy` for each app and have those routes prioritized in my `HTTPRoute`. Does anyone have thoughts on whether this is a common approach, or is there a simpler way folks use with Envoy Gateway for OIDC?
5 Answers
With Envoy Gateway, you can set up OIDC either at the gateway level or within your HTTPRoute configurations. This gives you a lot of flexibility!
Authelia might be another option you can consider for authentication.
Using oauth2-proxy with externalAuth is a solid approach. It aligns well with the Gateway API specifications.
I was just about to mention that! This method really streamlines the process.
If anyone wants to explore this further, check out this GitHub solution related to the oauth2-proxy integration!
Why are you looking to handle OIDC at the ingress layer? Have you considered a centralized token service like DEX and managing authentication at the application level instead?
I appreciate all the responses! I've actually found success using Gateway API SecurityPolicy with ExternalAuth, which is way better than what I did with Istio. I'm now able to empower our platform teams to manage app exposure without fear of accidentally exposing anything insecure.
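Added example, not from any poster in this thread: a per-app layout of the SecurityPolicy-with-ExternalAuth approach described above, using oauth2-proxy as the external auth service. It assumes the Envoy Gateway v1.1+ schema (`targetRefs`), a shared Gateway named `eg`, and the app, hostname, service names and ports shown; the oauth2-proxy flags in the comment are real flags but their use here is this example's choice.

```yaml
# Added example, not from the thread; names and hostnames are assumed.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp
spec:
  parentRefs:
    - name: eg                      # shared Gateway, managed centrally
  hostnames: ["myapp.example.com"]
  rules:
    - matches:
        - path: { type: PathPrefix, value: / }
      backendRefs:
        - name: myapp
          port: 8080
---
# Longer prefix wins: /oauth2/* (sign-in, callback) bypasses the policy below.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp-oauth2-proxy
spec:
  parentRefs:
    - name: eg
  hostnames: ["myapp.example.com"]
  rules:
    - matches:
        - path: { type: PathPrefix, value: /oauth2/ }
      backendRefs:
        - name: oauth2-proxy        # --upstream=static://202 --set-xauthrequest=true
          port: 4180
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: myapp-auth
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: myapp                   # app route only; the /oauth2/ route stays open
  extAuth:
    http:
      backendRefs:
        - name: oauth2-proxy
          port: 4180
      headersToBackend:             # identity headers passed on to the app
        - x-auth-request-user
        - x-auth-request-email
```

Because the policy targets only the app's HTTPRoute, each team can ship its own oauth2-proxy and SecurityPolicy in its own namespace without touching the Gateway; an unauthenticated request is answered by oauth2-proxy's redirect to sign-in, and once the session cookie exists it returns 202 and Envoy forwards the request with the listed headers.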

Could you suggest any centralized token services that work well with this setup?