From 20bb7766253dfa806780e93275dfa4a090e7fc8f Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 7 Dec 2025 11:14:25 -0300
Subject: [PATCH] auth: add 401 redirect middleware to oauth2-proxy
---
 infrastructure/longhorn/ui-ingress/ingress.yaml | 2 +-
 services/oauth2-proxy/kustomization.yaml | 1 +
 services/oauth2-proxy/middleware-errors.yaml | 14 ++++++++++++++
 services/vault/ingress.yaml | 2 +-
 services/zot/ingress.yaml | 2 +-
 5 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 services/oauth2-proxy/middleware-errors.yaml
diff --git a/infrastructure/longhorn/ui-ingress/ingress.yaml b/infrastructure/longhorn/ui-ingress/ingress.yaml
index 8f55b82..ac68471 100644
--- a/infrastructure/longhorn/ui-ingress/ingress.yaml
+++ b/infrastructure/longhorn/ui-ingress/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-forward-auth@kubernetescrd,sso-oauth2-proxy-errors@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/oauth2-proxy/kustomization.yaml b/services/oauth2-proxy/kustomization.yaml
index e79ae66..ff4705a 100644
--- a/services/oauth2-proxy/kustomization.yaml
+++ b/services/oauth2-proxy/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - service.yaml
 - ingress.yaml
 - middleware.yaml
+ - middleware-errors.yaml
diff --git a/services/oauth2-proxy/middleware-errors.yaml b/services/oauth2-proxy/middleware-errors.yaml
new file mode 100644
index 0000000..ee0c786
--- /dev/null
+++ b/services/oauth2-proxy/middleware-errors.yaml
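Review bot: The new `sso-oauth2-proxy-errors@kubernetescrd` entry is placed after `longhorn-system-longhorn-forward-auth@kubernetescrd`, so as far as I can tell from Traefik's chain semantics it will never see the 401 that the forward-auth middleware produces: middlewares run in the listed order and each one only intercepts responses coming from the middlewares and service behind it, while forwardAuth writes its 401 straight to the writer handed to it by the middleware in front of it. For the redirect to fire, the errors middleware has to come first, e.g. `traefik.ingress.kubernetes.io/router.middlewares: sso-oauth2-proxy-errors@kubernetescrd,longhorn-system-longhorn-forward-auth@kubernetescrd,longhorn-system-longhorn-headers@kubernetescrd`. The services/vault/ingress.yaml and services/zot/ingress.yaml hunks in this commit have the same ordering and need the same swap. A single unauthenticated request against one of the three hosts would confirm it: the expected response is a redirect into the login flow, not a bare 401.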
@@ -0,0 +1,14 @@
+# services/oauth2-proxy/middleware-errors.yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oauth2-proxy-errors
+ namespace: sso
+spec:
+ errors:
+ status:
+ - "401"
+ service:
+ name: oauth2-proxy
+ port: 80
+ query: /oauth2/start?rd={url}
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 6115e38..1c274fb 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: vault-vault-forward-auth@kubernetescrd,sso-oauth2-proxy-errors@kubernetescrd
 traefik.ingress.kubernetes.io/service.serversscheme: https
 traefik.ingress.kubernetes.io/service.serversTransport: vault-vault-to-https@kubernetescrd
 spec:
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 75ec998..1d9307a 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -8,7 +8,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-forward-auth@kubernetescrd,sso-oauth2-proxy-errors@kubernetescrd,zot-zot-resp-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
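Review bot: `query: /oauth2/start?rd={url}` depends on three things the file does not record, and I would add a short comment above `query:` covering them. First, `{url}` is only substituted on Traefik versions that support that placeholder; on an older release the literal text `{url}` is sent as `rd` and oauth2-proxy silently drops it. Second, to my understanding the errors middleware keeps the original 401 status and only swaps in the error service's body and headers, so a 302 from `/oauth2/start` is not guaranteed to be followed by the browser — oauth2-proxy's own Traefik example pairs this middleware with `/oauth2/sign_in?rd={url}` for that reason, so confirm in a browser that the login really starts. Third, the `rd` value here is an absolute URL for a host in another namespace, which oauth2-proxy only honours when that host is covered by its whitelisted domains (`--whitelist-domain`); that validation is also what keeps this middleware from becoming an open redirect, so the fix for a dropped `rd` is to list the specific hosts, not to loosen the check, and a comment such as `# rd is validated by oauth2-proxy (--whitelist-domain); every host that references this middleware must be listed there` would save the next maintainer the debugging.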