/duo-kubernetes

Put Duo Access Gateway and Duo Network Gateway in your kube cluster

Primary LanguageSmarty

Duo Kubernetes

Duo has a IdP (the duo access gateway, compatible with G-Suite SAML) and a reverse proxy (the duo networkg gateway). They provide docker containers but it requires a little bit of work to get running in a kubernetes cluster.

I use the tool kompose to take a first stab at converting the office docker-compose files to kubernetes deployments/services/pvcs. I ended up needing to initialize some of the pvc storage because kube doesn't copy volume contents quite like docker would.

Assumptions

I put all these components in a duo namespace. These scripts will create two LoadBalancers, admin and portal. You can't use the nginx ingress controller because it does not support TLS-passthrough, the duo containers want to terminate all the traffic.

kubectl create namespace duo

Duo Access Gateway

The simplest to enable.

kubectl create -f duo-access-gateway-pvc.yaml
kubectl create -f duo-access-gateway-service.yaml
kubectl create -f duo-access-gateway-deployment.yaml
kubectl -n duo get all --watch # ctrl-c whenever, just so you can watch for errors

Duo Network Gateway

More complex. This is a trio of an Admin application, a Redis coordination layer, and the active component, the Portal.

Set up Redis first:

kubectl create -f duo-network-gateway-redis-pvc.yaml
kubectl create -f duo-network-gateway-redis-service.yaml
kubectl create -f duo-network-gateway-redis-deployment.yaml
kubectl -n duo get all --watch # ctrl-c whenever, just so you can watch for errors

Then the Admin app:

kubectl create -f duo-network-gateway-admin-service.yaml
kubectl create -f duo-network-gateway-admin-deployment.yaml
kubectl -n duo get all --watch # ctrl-c whenever, just so you can watch for errors

Finally, the portal:

kubectl create -f duo-network-gateway-redis-pvc.yaml
kubectl create -f duo-network-gateway-redis-service.yaml
kubectl create -f duo-network-gateway-redis-deployment.yaml
kubectl -n duo get all --watch # ctrl-c whenever, just so you can watch for errors

Once the portal is up you need to swap it out with a customized version,

cd duo-network-gateway-portal-image
make create-repository
make deploy

This will build/push/swap out the running image with a better nginx template. The root issue is the hard-coded resolver line, nginx will not be able to resolve internal services without this change, and a failure to talk to any DNS will cause it to error on requests. Not good.

Keeping things up to date

Unfortunately Duo doesn't have a release page. They don't named numbered versions. No semver. You can't even find a git repository showing changes. You are really at their mercy until they adopt standard best practices.

But hey, it's enterprise software!

If you do want to look for new versions:

curl -L https://dl.duosecurity.com/network-gateway-latest.yml