We are trying to deploy our kafkaui application on our kubernetes cluster behind an oauth2-proxy; using Auth0 as an IDP. To do so, we have the following manifest for kafkaui:
# Source - https://stackoverflow.com/q/79940567
# Posted by Aniss Chohra
# Retrieved 2026-05-13, License - CC BY-SA 4.0
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kafka-ui-deployment
  labels:
    app: kafka-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kafka-ui
  template:
    metadata:
      labels:
        app: kafka-ui
    spec:
      containers:
        - name: kafka-ui
          image: provectuslabs/kafka-ui:latest
          env:
            - name: KAFKA_CLUSTERS_0_NAME
              value: "kafka-cluster"
            - name: KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS
              value: "10.6.0.0:9094"
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SECURITY_PROTOCOL
              value: "SASL_PLAINTEXT"
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SASL_MECHANISM
              value: "SCRAM-SHA-512"
            - name: KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG
              value: 'org.apache.kafka.common.security.scram.ScramLoginModule required username="kafka-username" password="kafka-password";'
          imagePullPolicy: Always
          resources:
            requests:
              memory: "1Gi"
              cpu: "250m"
            limits:
              memory: "2Gi"
              cpu: "1"
          ports:
            - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: kafka-ui-service
  labels:
    app: kafka-ui
spec:
  selector:
    app: kafka-ui
  type: LoadBalancer
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kafkaui-ingress
  annotations:
    haproxy.ingress.kubernetes.io/ssl-redirect: "true"
    haproxy.ingress.kubernetes.io/service-upstream: "true"
    # cert-manager.io/issuer: letsencrypt
    # cert-manager.io/issuer-kind: ClusterIssuer
    external-dns.alpha.kubernetes.io/hostname: mydomain.ca
    external-dns.alpha.kubernetes.io/ttl: "120"
    external-dns.alpha.kubernetes.io/target: "my-public-ip"
    external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    haproxy.ingress.kubernetes.io/auth-url: "http://kafka-ui-oauth2-proxy.default.svc.cluster.local:4180/oauth2/auth"
    haproxy.ingress.kubernetes.io/auth-signin: "http://kafka-ui-oauth2-proxy.default.svc.cluster.local:4180/oauth2/start?rd=http://kafka-ui-oauth2-proxy.default.svc.cluster.local:4180/oauth2/callback"
    haproxy.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-Email:email,X-Auth-Request-User:user,authorization"
  labels:
    app: kafkaui-ingress
spec:
  ingressClassName: haproxy
  rules:
    - host: mydomain.ca
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kafka-ui-service
                port:
                  number: 80
  tls:
    - hosts:
        - mydomain.ca
      secretName: kafkaui-ingress
and the following oauth2-proxy manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: kafka-ui-oauth2-proxy
  name: kafka-ui-oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kafka-ui-oauth2-proxy
  template:
    metadata:
      labels:
        k8s-app: kafka-ui-oauth2-proxy
    spec:
      containers:
        - args:
            - --provider=oidc
            - --oidc-issuer-url=https://my-auth0-domain.com/ # replace with your OIDC IdP's issuer url
            - --scope=openid profile email
            - --email-domain=*
            - --upstream=http://kafka-ui-service.default.svc.cluster.local:80
            - --pass-authorization-header=true
            - --set-authorization-header=true
            - --pass-access-token=true
            - --reverse-proxy=true
            - --cookie-refresh=1h
            - --cookie-expire=24h
            - --cookie-samesite=lax
            - --skip-provider-button=true
            - --skip-oidc-discovery=true
            - --oidc-jwks-url=https://my-auth0-domain.com/.well-known/jwks.json
            - --set-xauthrequest=true
            - --redirect-url=https://mydomain.ca/oauth2/callback
          env:
            - name: OAUTH2_PROXY_HTTP_ADDRESS
              value: "0.0.0.0:4180"
            - name: OAUTH2_PROXY_CLIENT_ID
              value: "client-id"
            - name: OAUTH2_PROXY_CLIENT_SECRET
              value: "client-secret"
            - name: OAUTH2_PROXY_COOKIE_SECRET
              value: "cookie-secret"
            - name: OAUTH2_PROXY_LOGIN_URL
              value: "https://my-auth0-domain.com/authorize"
            - name: OAUTH2_PROXY_REDEEM_URL
              value: "https://my-auth0-domain.com/oauth/token"
            - name: OAUTH2_PROXY_VALIDATE_URL
              value: "https://my-auth0-domain.com/userinfo"
            - name: OAUTH2_PROXY_PROFILE_URL
              value: "https://my-auth0-domain.com/userinfo"
            - name: OAUTH2_PROXY_OIDC_EXTRA_AUDIENCES
              value: "https://mydomain.ca"
          image: quay.io/oauth2-proxy/oauth2-proxy:latest
          imagePullPolicy: Always
          name: oauth2-proxy
          ports:
            - containerPort: 4180
              protocol: TCP
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: kafka-ui-oauth2-proxy
  name: kafka-ui-oauth2-proxy
spec:
  ports:
    - name: http
      port: 4180
      protocol: TCP
      targetPort: 4180
  selector:
    k8s-app: kafka-ui-oauth2-proxy
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kafka-ui-oauth2-proxy
  annotations:
    haproxy.org/rate-limit-requests: "1000" # Required: The limit
    haproxy.org/rate-limit-period: "1s" # Recommended: The window
    haproxy.org/rate-limit-status-code: "429" # Your desired status code
    haproxy.ingress.kubernetes.io/proxy-body-size: "2000m"
spec:
  ingressClassName: haproxy
  rules:
    - host: "mydomain.ca" # change to your domain
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: kafka-ui-oauth2-proxy
                port:
                  number: 4180
We also created an Auth0 regular web application in our dashboard with the following configuration parameters:
Application Login URIs: https://mydomain.ca/oauth2/start
Allowed Callback URLs: https://mydomain.ca/oauth2/callback
Allowed Logout URLs: https://mydomain.ca
Allowed Web Origins: https://mydomain.ca
This application (has RBAC enabled) is linked to an API which has an identifier/audience parameter set to:
https://mydomain.ca
Finally, we created a security group in our authorization portal to which we assigned a role and a permission. These are assigned to our web application, and users who are members of this security group inherit them (role and permission) automatically.
When we deploy these manifests, we can connect to our website and access the Kafkaui portal directly; we do not get asked to authenticate first, which should be the normal behaviour. Could anyone help us figure out what we misconfigured in our manifests or web application config? Thanks.
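As an added example (not code from the question, from oauth2-proxy or from HAProxy), the script below runs the static checks a reviewer would apply to this kind of forward-auth setup before looking at the identity provider at all: whether a backend behind an auth-protected Ingress is also reachable directly through a NodePort/LoadBalancer Service (a path that never passes the ingress and therefore never triggers the auth subrequest), whether the browser-facing auth-signin URL and its rd= return URL point at a cluster-internal name that a browser cannot reach, and whether OAuth client and cookie secrets (or a SASL password) are literal env values rather than references to a Secret. The manifests are reduced, constructed copies of the ones above, embedded as dicts so it runs offline; against a real file you would build the list with yaml.safe_load_all(). harden() applies only the settings-level fixes the checks call for; it is not a confirmed resolution of the question.

```python
"""Static audit of forward-auth manifests for bypass and reachability mistakes.

Added example, not from the question or from the oauth2-proxy/HAProxy projects.
DOCS holds reduced, constructed copies of the question's manifests (only the
fields the audit reads) so the script runs offline without PyYAML.
"""
import copy
from urllib.parse import parse_qs, urlparse

AUTH_URL = "haproxy.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "haproxy.ingress.kubernetes.io/auth-signin"
PROXY = "http://kafka-ui-oauth2-proxy.default.svc.cluster.local:4180"

DOCS = [  # constructed from the manifests in the question
    {"kind": "Service", "metadata": {"name": "kafka-ui-service"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": 8080}]}},
    {"kind": "Service", "metadata": {"name": "kafka-ui-oauth2-proxy"},
     "spec": {"ports": [{"port": 4180}]}},
    {"kind": "Ingress",
     "metadata": {"name": "kafkaui-ingress", "annotations": {
         AUTH_URL: PROXY + "/oauth2/auth",
         AUTH_SIGNIN: PROXY + "/oauth2/start?rd=" + PROXY + "/oauth2/callback"}},
     "spec": {"rules": [{"host": "mydomain.ca", "http": {"paths": [
         {"path": "/", "backend": {"service": {"name": "kafka-ui-service"}}}]}}]}},
    {"kind": "Ingress", "metadata": {"name": "kafka-ui-oauth2-proxy", "annotations": {}},
     "spec": {"rules": [{"host": "mydomain.ca", "http": {"paths": [
         {"path": "/oauth2", "backend": {"service": {"name": "kafka-ui-oauth2-proxy"}}}]}}]}},
    {"kind": "Deployment", "metadata": {"name": "kafka-ui-oauth2-proxy"},
     "spec": {"template": {"spec": {"containers": [{"name": "oauth2-proxy", "env": [
         {"name": "OAUTH2_PROXY_HTTP_ADDRESS", "value": "0.0.0.0:4180"},
         {"name": "OAUTH2_PROXY_CLIENT_SECRET", "value": "client-secret"},
         {"name": "OAUTH2_PROXY_COOKIE_SECRET", "value": "cookie-secret"}]}]}}}},
    {"kind": "Deployment", "metadata": {"name": "kafka-ui-deployment"},
     "spec": {"template": {"spec": {"containers": [{"name": "kafka-ui", "env": [
         {"name": "KAFKA_CLUSTERS_0_PROPERTIES_SASL_JAAS_CONFIG",
          "value": 'ScramLoginModule required username="u" password="p";'}]}]}}}},
]


def _is_cluster_internal(url):
    """True when a URL meant for the browser points at a cluster-local name."""
    host = urlparse(url).hostname or ""
    return host.endswith(".svc.cluster.local") or host.endswith(".svc")


def _exposed_directly(service):
    """NodePort/LoadBalancer services are reachable without going through the ingress."""
    return service.get("spec", {}).get("type") in ("NodePort", "LoadBalancer")


def audit(docs):
    """Return (object name, finding code, detail) tuples for the manifests."""
    findings = []
    services = {d["metadata"]["name"]: d for d in docs if d.get("kind") == "Service"}
    for d in docs:
        kind, name = d.get("kind"), d["metadata"]["name"]
        if kind == "Ingress":
            ann = d["metadata"].get("annotations", {})
            if AUTH_URL not in ann:
                continue  # not an auth-protected ingress (the /oauth2 one must stay open)
            # Every backend of an auth-protected ingress must be reachable only through it.
            for rule in d["spec"].get("rules", []):
                for p in rule.get("http", {}).get("paths", []):
                    svc = p["backend"]["service"]["name"]
                    if svc in services and _exposed_directly(services[svc]):
                        findings.append((name, "BYPASS", svc))
            # auth-url is fetched by the controller, so an internal name is fine there;
            # auth-signin and its rd= are followed by the browser and must be public.
            signin = ann.get(AUTH_SIGNIN, "")
            if signin and _is_cluster_internal(signin):
                findings.append((name, "SIGNIN_INTERNAL", signin))
            for rd in parse_qs(urlparse(signin).query).get("rd", []):
                if _is_cluster_internal(rd):
                    findings.append((name, "RD_INTERNAL", rd))
        elif kind == "Deployment":
            for c in d["spec"]["template"]["spec"].get("containers", []):
                for e in c.get("env", []):
                    n, v = e.get("name", ""), str(e.get("value", ""))
                    looks_secret = any(k in n for k in ("SECRET", "PASSWORD")) or "password=" in v.lower()
                    if looks_secret and "value" in e:  # literal instead of valueFrom.secretKeyRef
                        findings.append((name, "PLAINTEXT_SECRET", n))
    return findings


def harden(docs):
    """Apply the settings-level fixes the audit asks for; secrets still need a Secret object."""
    fixed = copy.deepcopy(docs)
    for d in fixed:
        if d.get("kind") == "Service" and _exposed_directly(d):
            d["spec"]["type"] = "ClusterIP"  # only the ingress can reach it now
        if d.get("kind") == "Ingress" and AUTH_SIGNIN in d["metadata"].get("annotations", {}):
            host = d["spec"]["rules"][0]["host"]  # public host; the /oauth2 ingress serves it
            d["metadata"]["annotations"][AUTH_SIGNIN] = f"https://{host}/oauth2/start"
    return fixed


if __name__ == "__main__":
    for f in audit(DOCS):
        print("%-22s %-17s %s" % f)
    print("after harden():", sorted({f[1] for f in audit(harden(DOCS))}))
```

The BYPASS finding is the one to act on first: as long as kafka-ui-service is of type LoadBalancer, the application has a public address of its own and the auth-url annotation on kafkaui-ingress never enters the picture for traffic arriving there. Changing the Service to ClusterIP makes the ingress the only route in, after which the auth-signin redirect can be tested from a browser with a public hostname.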