I have Icinga running in my Azure Kubernetes cluster, and I want to use external web authentication when logging into the icingaweb2 application. I have configured external auth using the Icinga UI as stated in the documentation (Authentication - Icinga Web).
Navigate into Configuration > Application > Authentication. Authentication methods are configured in the /etc/icingaweb2/authentication.ini file.
External Authentication → Authentication to the web server can be delegated with the autologin section which specifies an external backend.
I can see the config change in authentication.ini
I am using an OAuth2 proxy which is running as a pod inside my Icinga Kubernetes cluster to manage the authentication against Azure Active Directory, and I can successfully log in to the application using my Azure identity. The problem is that after I log in through Microsoft I am brought to the basic authentication login page for Icinga, which tells me Icinga is not recognizing the external authentication.
Sign in using OAuth2 endpoint login.microsoft…
But then I am brought to the Icinga login page. Is there something I am missing, or could this be a bug?
I can see the following cookies in the session, maybe I need to inform icinga somehow of the auth token AzAD.EasyAuthForK8s?
Hi, if you want to use autologin as the primary authentication method, you need to put it at the top of the authentication.ini file (order matters).
Secondly, what does your web server configuration look like? Are you using nginx? If you are using nginx, you need to forward the REMOTE_USER HTTP header to Icinga Web 2 as follows (you need to place this inside the icingaweb2 location).
Hi @yhabteab, thank you for getting back to me. Yes, I am using an nginx ingress controller in Kubernetes. For the OAuth2 proxy I am using EasyAuthForK8s.
I don’t see an icingaweb2 location in my nginx.conf when I copy the conf file out of the running pod in the cluster (kubectl cp default/ingress-nginx-controller-694b5c54d7-6cxhg:/etc/nginx/nginx.conf) I only see the following locations:
I’ll investigate how to forward that header in a kubernetes ingress. Here is what the OAuth2 ingress currently looks like:
Ah alright, you are using an Ingress controller! I can’t see in your Ingress configuration if Authorization is also included in the nginx.ingress.kubernetes.io/auth-response-headers list, but if not, then that’s probably the cause of your problem, otherwise you may want to set the proxy header manually via the ingress.kubernetes.io/configuration-snippet annotation.
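The first reply's point that order matters in authentication.ini can be checked mechanically. The following is an added example, not part of the thread and not Icinga's own code: it parses an authentication.ini and reports whether the `external` backend is the first entry. The two sample files, their section names and the resource name `icingaweb_db` are constructed for illustration.

```python
import configparser

# Constructed sample files; section names are arbitrary labels.
DB_FIRST = """
[icingaweb2]
backend = "db"
resource = "icingaweb_db"

[autologin]
backend = "external"
"""

EXTERNAL_FIRST = """
[autologin]
backend = external

[icingaweb2]
backend = db
resource = icingaweb_db
"""

def backend_order(ini_text):
    """Return [(section, backend)] in the order the file lists them."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    order = []
    for section in parser.sections():
        raw = parser.get(section, "backend", fallback="")
        # Values may or may not be quoted in the file.
        order.append((section, raw.strip().strip("\"'").lower()))
    return order

def check_external_first(ini_text):
    """Return (ok, message) stating where the external backend sits."""
    order = backend_order(ini_text)
    backends = [backend for _, backend in order]
    if "external" not in backends:
        return False, "no section with backend = external"
    pos = backends.index("external")
    if pos != 0:
        ahead = ", ".join(name for name, _ in order[:pos])
        return False, f"[{order[pos][0]}] is entry {pos + 1}; listed after: {ahead}"
    return True, f"[{order[0][0]}] (external) is the first entry"

if __name__ == "__main__":
    for label, text in (("db first", DB_FIRST), ("external first", EXTERNAL_FIRST)):
        print(label, "->", check_external_first(text))
```

To check a live deployment, pass the contents of /etc/icingaweb2/authentication.ini from the running pod to `check_external_first`.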