Secured Tekton approvals based on Automatiko

Securing Approval Tasks for Tekton with OAuth Proxy

Posted by Automatiko team on March 06, 2022 · 4 mins read

Secure access to approval tasks with OAuth Proxy

In previous article, Approval Tasks for Tekton has been introduced. Though that version lacked support for authentication to first of all secure the application and second to simplify usage for approvers - no need to manually enter user id or email to verify they are eligible to work on given approval task.

This article will exmplain on high level what to do to secure Automatiko Approval Tasks for Tekton by using OAuth Proxy as a side car container.

OAuth Proxy allows to use various providers, to name the few

Each provider has various configuration options and features. So best to go through the offical documentation to understand what is needed and what can be expected. In this article, GitHub will be used as provider. So let's get started!

First of all, in GitHub you need to create an application. Just go to and create it

GitHub application creation GitHub application creation.

Make sure that the Authorization callback URL is set to your domain name and has following path /oauth2/callback. So it could look like this

This will give you all the details you need to know to configure OAuth Proxy as side car container. Especially important ones are

  • client id
  • client secret

Let's configure the Approval Tasks deployment to make use of OAuth based authentication with GitHub as provider. This will consists of following additions to the default deployment manifest file.

  • enable secured profile via environment variables
  • add second (oauth-proxy) container
  • configure service to use OAuth Proxy instead the Approval Task

Enable secured profile via environment variables

Automatiko Approval Task come with various application profiles (like email, secured etc). Here we need to enable the secured profile

    value: secured

Add second (oauth-proxy) container

Add new container into the deployment object that will run as side car to the Approval Tasks container

  - name: oauth-proxy
      - --provider=github
      - --https-address=
      - --http-address=:8888
      - --email-domain=*
      - --prefer-email-to-user=true
      - --upstream=http://localhost:8080
      - --client-id=GITHUB_CLIENT_ID
      - --client-secret=GITHUB_CLIENT_SECRET
      - --cookie-secret=0rM16Iv8aSvlOZYXuabusXO98_y6Yf7QYjcIhXk67Dw=
      - --pass-access-token=true
    imagePullPolicy: IfNotPresent
      - name: oauth-proxy
        containerPort: 8888
        protocol: TCP
Adding OAuth Proxy container Replace GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET with values for your GitHub application. Note as well the cookie-secret that should be generated for production deployments explicitly, see various hase to generate it here

Configure service to use OAuth Proxy instead the Approval Task

As last step, let's change the service object to use OAuth proxy as entry point instead of the Approval Task

  apiVersion: v1
  kind: Service
    labels: automatiko-approval-task 0.1.0
    name: automatiko-approval-task
      - name: http
        port: 80
        targetPort: 8888
    selector: automatiko-approval-task 0.1.0
    type: ClusterIP
Use OAuth proxy as entry point

A complete manifest file with OAuth Proxy and GitHub can be found here

And that's it. Just deploy the Approval Task to your Kubernetes cluster and you can now enjoy secured Approval Tasks for Tekton pipelines.

This is just the minimal setup and further tuning can be done based on needs, like changing to another provider, using groups to authorize and so on.

As a final wrap, a short video demonstrating secured with OAuth Proxy and GitHub approval tasks can be watched below.

The source code of approval tasks can be found here

Thanks for reading and make sure to drop us feedback or ask questions about this article.

Photographs by Unsplash.