Skip to content

OIDC Auth for Funnel, k8s state support#1

Draft
lstoll wants to merge 26 commits intomainfrom
lstoll-k8s-oidc
Draft

OIDC Auth for Funnel, k8s state support#1
lstoll wants to merge 26 commits intomainfrom
lstoll-k8s-oidc

Conversation

@lstoll
Copy link
Collaborator

@lstoll lstoll commented Mar 29, 2024
edited
Loading

This adds OIDC auth for funnel usage. By default all funnel requests will require this, unless explicitly overridden.

Because this makes the config more complex, move to just using a file for it.

Add support for persisting state in a k8s secret too.

Add CI build, with docker image.

TODO

  • Update README
  • Resolve local tailscale daemon usage

lstoll added 8 commits March 29, 2024 16:32
@lstoll
Move config to file
fea3ef1 
Going to get more complex with k8s config + OIDC, make it a file.
@lstoll
Kubernetes state backend
2cd2edf 
Want to run it in k8s, add a backend that uses a secret to store the data.
While tailscale has one in their codebase, it's not suitable for our usage so
we just add a simple one.
@lstoll
use the hujson power
0a06b11
@lstoll
Break out funnel listener
a54d002 
Want a dedicated listener, so we can selectively apply auth etc. So just add a
new listener/server for that.

Redirect to https for internal requests on funnel fqdn's, to keep URLs
consistent.

Rework startup/shutdown a little to be more graceful.
@lstoll
OIDC auth for funnel
605d549 
Adds OIDC auth to funnel endpoints, setting user header consistently.

Optionally paths can be specified to be authless.
@lstoll
an example config
b86757c
@lstoll
CI build + docker publish
2db2f47
@lstoll
Disable local tailscale usage
c95b8e8 
When running in a container, tailscale doesn't already exist so we can't talk
to it.

Just use a local listener, need to think about this more.
@lstoll
Copy link
Collaborator Author

lstoll commented Mar 29, 2024

Need to think about the local tailscale daemon usage - it's there to figure out where to bind the discovery and metrics endpoints, but this doesn't work when it's running in a container.

Might make a config option (ugh, checkboxes) for metrics listen - either set it to a fixed ip/port, or fallback to daemon discovery. But will think on it more

sr
sr reviewed Mar 29, 2024
View reviewed changes
k8s_state.go
@@ -0,0 +1,117 @@
package main
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

may be able to use https://pkg.go.dev/tailscale.com/kube:

https://github.com/tailscale/tailscale/blob/main/cmd/containerboot/kube.go#L21-L23

I don't mind client-go tho, it's fine

main.go

for i, upstream := range upstreams {
// https://go.dev/doc/faq#closures_and_goroutines
i := i
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hehe nice

config.go
// OIDCClientID sets the OIDC client ID
OIDCClientID string `json:"oidcClientID"`
// OIDCClientSecret sets the OIDC client secret
OIDCClientSecret string `json:"oidcClientSecret"`
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

be cool to support a file too, play nice with systemd-creds. For flags I usually do this:

	if _, path, ok := strings.Cut(*cliSecret, "file://"); ok {
		b, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		s := strings.TrimSpace(string(b))
		cliSecret = &s
	}

but doesn't really work w/ a config file. Maybe oidcClientSecretFile?

Copy link
Owner

@sr sr Mar 29, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also wondering if this should be on the root config struct, or do you plan on using a different issuer for some upstream(s)?

config.go
StateDir string `json:"stateDir"`
// Kubernetes configures the proxy to run in a kubernetes cluster. In this
// case the StateDir is ignored, and state managed in a secret.
Kubernetes kubernetesConfig `json:"kubernetes"`
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

*kubernetesConfig? then can drop the enabled field.

main.go
}
listeners = append(listeners, ln)
}*/
ln, err := net.Listen("tcp", "0.0.0.0:"+p)
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I use http://nuc10i5/sd in my prom config, I guess I could make tsproxy.service listen on the node's tailscale IP using some ansible: {{ ansible_facts.tailscale0.ipv4.address }

alternatively could you check for the presence of a local socket? will think about it too.

main.go
// Proxy requests from non-funnel tagged nodes as is.
//
// TODO(lstoll) figure out why - and if end-user nodes would be tagged?
if whois.Node.IsTagged() && !isFunnel {
Copy link
Owner

@sr sr Mar 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I guess a config w/ a list of tags, or maybe node id to consider as end-users??

@lstoll
Add support for client registration + group enforcement
3d135ee 
If configured, dynamically register and renew a client.

Add support for filtering groups to allow access.
@lstoll lstoll force-pushed the lstoll-k8s-oidc branch 4 times, most recently from f462549 to 2bd0d27 Compare February 6, 2026 21:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sr sr sr left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lstoll @sr