/secure-pacman

Secure access to the arcade game Pac-Man using Oauth2-proxy, Dex and an OpenLDAP server.

Overview

This tutorial shows how to secure access to the arcade game Pac-Man using Oauth2-proxy, Dex and an OpenLDAP server - without requiring code changes to the Pac-Man app itself.

Prerequisites

In order to complete this tutorial, you will need an environment with the following prerequisites.

NOTE: The current version of this tutorial only works on x86 based platforms.

  • (macOS Only) Homebrew - Package manager used to install prereqs
  • (Windows Only) Chocolatey - Package manager used to install prereqs
  • git - Used to clone the Pac-Man application
  • docker - Container runtime
  • kind - Running a local Kubernetes cluster using Docker container “nodes”
  • kubectl - Kubernetes command-line tool
  • helm - Kubernetes package manager
  • openldap - Used to populate OpenLDAP instance with user/group data

Homebrew

Run the following in your Terminal to install brew (from brew.sh):

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Chocolatey

Follow the linked instructions from chocolatey.org to install choco.

git

Alternatively, you can install GitHub Desktop.

docker

Alternatively, you can install Docker Desktop.

kind

  • macOS: brew install kind
  • Windows: choco install kind
  • Linux (from kind.sigs.k8s.io): 
    curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.13.0/kind-linux-amd64
chmod +x ./kind
mv ./kind /some-dir-in-your-$PATH/kind

kubectl

helm

openldap

  • macOS: brew install openldap
  • Windows: choco install openldap
  • Debian/Ubuntu: apt-get install ldap-utils
  • RedHat/CentOS: yum -y install openldap

Tutorial

The following steps correspond to the live tutorial walkthrough, which will provide great insight into the individual steps.

Environment Setup

  1. Create your Kind K8s cluster

    kind create cluster --name <Name of the cluster>

  2. Verify kubectl context matches your new Kind cluster (i.e., kind-<Name of the cluster>)

    kubectl config current-context

  3. Clone repository

    git clone https://github.com/onkarbhat/secure-pacman.git

  4. Change working directory to secure-pacman

OpenLDAP

  1. Create Namespace and Secret​

    kubectl create ns openldap
kubectl create secret generic openldap --from-literal=adminpassword=adminpassword --from-literal=users=productionadmin,productionbasic,productionconfig --from-literal=passwords=testpasswordadmin,testpasswordbasic,testpasswordconfig -n openldap

  2. Create Deployment​

    cd openldap
kubectl create -n openldap -f openldap-deployment.yaml

  3. Create Service

    kubectl create -n openldap -f openldap-service.yaml

  4. Verify installation

    watch kubectl get pod -n openldap

    Wait for listed pod to be Ready/Running, press Ctrl+C and proceed to the next step.

  5. (In a separate terminal) Initiate service/openldap port-forward

    kubectl port-forward service/openldap -n openldap 1389:1389

  6. Add a Group​

    ldapadd -x -H ldap://127.0.0.1:1389 -D "cn=admin,dc=example,dc=org" -w adminpassword -f pacman-admin-group.ldif

  7. Verify LDIF Import

    ldapsearch -x -H ldap://127.0.0.1:1389 -b dc=example,dc=org -D 'cn=admin,dc=example,dc=org' -w adminpassword

Dex

  1. Add Dex repo to Helm

    helm repo add dex https://charts.dexidp.io
helm repo update dex
cd ../dex

  2. Update bindPW in dex-values.yaml to match imported admin user

  3. Install Dex via Helm

    kubectl create ns dex
helm install dex dex/dex -n dex -f dex-values.yaml

  4. Verify installation

    helm status dex -n dex
watch kubectl get pod -n dex

    Wait for listed pod to be Ready/Running, press Ctrl+C and proceed to the next step.

  5. (In a separate terminal) Initiate service/dex port-forward

    kubectl port-forward service/dex -n dex 5556:5556

OAuth2 Proxy

  1. Create Deployment and Service

    cd ../oauth2-proxy
kubectl create ns pacman
kubectl create -f oauth2-proxy-deployment.yaml -n pacman
kubectl create -f oauth2-proxy-service.yaml -n pacman

  2. Verify installation

    watch kubectl get pod -n pacman

    Wait for listed pods to be Ready/Running, press Ctrl+C and proceed to the next step.

  3. (In a separate terminal) Initiate service/oauth2-proxy port-forward

    kubectl port-forward service/oauth2-proxy -n pacman 4180:4180

  4. Add dex.dex and oauth2-proxy.pacman entry into hosts file:

    • Linux/macOS: sudo vi /etc/hosts
    • Windows: notepad C:\windows\system32\drivers\etc\hosts

    Add the following entry, save, and close:

    127.0.0.1 dex.dex
127.0.0.1 oauth2-proxy.pacman

Pac-man

  1. Install via Helm

    helm repo add pacman https://shuguet.github.io/pacman/
helm repo update pacman
helm install pacman pacman/pacman -n pacman

  2. Verify installation

    watch kubectl get pod -n pacman

    Wait for listed pods to be Ready/Running, press Ctrl+C and proceed to the next step.

  3. (In a separate terminal) Initiate service/pacman port-forward

    kubectl port-forward service/pacman -n pacman 9090:80

  4. Open your browser to: http://127.0.0.1:9090/ and attempt to login to your application

  5. Patch the service/pacman configuration to use OAuth-Proxy port and selector

    kubectl patch svc pacman -n pacman --type='json' -p='[{"op": "replace", "path": "/spec/ports/0/targetPort", "value":4180}]'
kubectl patch svc pacman -n pacman --type='json' -p='[{"op": "replace", "path": "/spec/selector", "value":{"k8s-app": "oauth2-proxy"}}]'

  6. Stop (Ctrl+C) and restart service/pacman port-forward

    kubectl port-forward service/pacman -n pacman 9090:80

  7. Open your browser again to: http://127.0.0.1:9090/

  8. Create Service

    kubectl create -f pacman-actual-service.yaml -n pacman

  9. Stop (Ctrl+C) and restart service/pacman port-forward a final time

    kubectl port-forward service/pacman -n pacman 9090:80

  10. Open your browser again to: http://127.0.0.1:9090/

  11. Play Pac-man!