Cluster information:
Kubernetes version:
Client Version: v1.30.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.4
Cloud being used: Azure
Installation method: Helm charts
Issue Description:
I have using Kubernetes Dashboard v7.13.0 behind an OAuth2 Proxy (via NGINX Ingress and Kong gateway). The OAuth2 proxy correctly authenticates the user and responds with an Authorization: Bearer header. The ingress is configured with annotations to forward this header to the Kubernetes Dashboard.
Despite successful authentication and the presence of the bearer token in the ingress response (verified via /oauth2/auth returning 202 and including the Authorization header), the dashboard still prompts for manual token input on the login screen.
However we suspect Kong is either stripping or not receiving the Authorization header, as the token is not visible in Kong logs or the requests reaching the dashboard. Even with nginx.kubernetes.io/auth-response-headers and other annotations configured, the dashboard does not detect the token.
Does anyone have any inputs on resolving this issue?
dashboard-ingress.yaml annotations:
annotations:
#konghq.com/plugins: "preserve-auth-header"
nginx.ingress.kubernetes.io/auth-url: "https://<host>/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://<host>/oauth2/start?rd=https://$host$request_uri"
nginx.ingress.kubernetes.io/auth-response-headers: >-
X-Auth-Request-Email,X-Auth-Request-Preferred-,X-Auth-Request-Access-Token,
X-Auth-Request-Roles,X-Auth-Request-User,X-Auth-Request-Groups,X-Forwarded-Groups,
Authorization
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-buffer-size: "256k"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: "/"
nginx.ingress.kubernetes.io/proxy-buffers: "4 512k"
nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "512k"
oauth2-proxy configs:
--set config.clientID="clientid" \
--set config.clientSecret="clientsecret" \
--set config.cookieSecret="cookiesecret" \
--set image.repository="docker.io/oauth2-proxy/oauth2-proxy" \
--set image.tag="v7.9.0" \
--set extraArgs.provider="oidc" \
--set extraArgs.azure-tenant="azuretenant" \
--set extraArgs.oidc-issuer-url="https://login.microsoftonline.com/azuretenant/v2.0" \
--set extraArgs.redirect-url="https://<host>/oauth2/callback" \
--set extraArgs.scope="openid profile email offline_access" \
--set extraArgs.email-domain="*" \
--set extraArgs.upstream="https://kubernetes-dashboard-kong-proxy.kubernetes-dashboard.svc.cluster.local:443" \
--set extraArgs.whitelist-domain="whitelist" \
--set extraArgs.cookie-domain=".cloud.cookie.net" \
--set extraArgs.cookie-csrf-expire="59m" \
--set extraArgs.cookie-csrf-per-request=true \
--set extraArgs.cookie-expire="1h" \
--set extraArgs.cookie-refresh="59m" \
--set extraArgs.cookie-secure=true \
--set extraArgs.cookie-name="_oauth2_proxy_csrf" \
--set extraArgs.reverse-proxy=true \
--set extraArgs.set-authorization-header=true \
--set extraArgs.pass-authorization-header=true \
--set extraArgs.pass-access-token=true \
--set extraArgs.show-debug-on-error=true \
--set extraArgs.ssl-upstream-insecure-skip-verify=true \
--set extraArgs.ssl-insecure-skip-verify=true \
--set extraArgs.skip-auth-strip-headers=false \
--set extraArgs.pass-user-headers=true \
--set extraArgs.pass-host-header=true \
--set extraArgs.set-xauthrequest=true \
--set extraArgs.skip-provider-button=true \
--set extraArgs.skip-jwt-bearer-tokens=true \
--set ingress.enabled=true \
--set ingress.className="nginx" \
--set ingress.path="/oauth2" \
--set ingress.hosts[0]="<host>" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-buffer-size"="256k" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/proxy-body-size"="5000m"