The openshift/oauth-proxy repository is a reverse proxy and static file server written in Go that provides authentication and authorization to OpenShift OAuth servers and Kubernetes clusters. It is designed specifically for use within OpenShift clusters to secure services that lack built-in authentication mechanisms. The project is a fork of the bitly/oauth2_proxy project, with other providers removed to focus exclusively on OpenShift integration.
The proxy performs zero-configuration OAuth when deployed as a pod in OpenShift by leveraging service account tokens for authentication. It can conduct authorization checks against OpenShift and Kubernetes RBAC policy engines to grant or deny access to protected resources. The proxy also supports bearer token validation and Kubernetes client certificate verification. On OpenShift 3.6 and later clusters, it enables zero-configuration end-to-end TLS through the built-in router.
A primary use case for oauth-proxy is as a sidecar container in Kubernetes pods, protecting upstream services that listen only on localhost. When configured with the openshift-service-account flag, the proxy automatically reads OAuth credentials from the service account information injected by OpenShift, eliminating manual credential management. The proxy supports multiple authorization strategies including Subject Access Review (SAR) checks that delegate authorization decisions to the OpenShift master, allowing administrators to leverage existing RBAC and group mappings for centralized permission management.
The repository includes configuration options for limiting access to specific users via email domain matching or authenticated email files, and supports per-host authorization rules through the openshift-sar-by-host flag. For infrastructure services, the proxy can delegate both authentication and authorization to the OpenShift master using bearer tokens or client certificates. The project provides comprehensive documentation including a sidecar example in contrib/sidecar.yaml that demonstrates integration with OpenShift TLS service serving certificates and external routes.
According to GitGenius activity tracking, the repository shows relatively slow issue and pull request response latency with a median of 992.1 hours and mean of 7151.4 hours across tracked items. The most active issue labels indicate lifecycle concerns, with rotten and frozen classifications appearing frequently. Primary contributors tracked include andrewazores, ibihim, and andthum. The repository shares contributors with cryostatio/cryostat, zed-industries/zed, and openshift/coredns, suggesting cross-project collaboration within the OpenShift ecosystem.
The proxy supports discovery of OAuth configuration through the standard /.well-known/oauth-authorization-server endpoint, allowing it to automatically detect authorization and token URLs from OpenShift clusters. Development requires Go 1.7 or later, and the project includes end-to-end testing capabilities through test/e2e.sh for validation against live OpenShift clusters. Docker images are built through the OpenShift release process and published to official registries. Configuration can be managed via config files, command-line options, or environment variables, providing flexibility for different deployment scenarios.