Per NDS-791, it looks like we should be able to use the new ingress controller annotations to add namespace-aware external authentication via Oauth2 or other external services.

To demonstrate how this would work, create an authentication service that conforms to the ingress requirements but uses the workbench API server. This will likely look:

• /auth target that returns 200, 401, 403
• /sign_in target that displays a login form, collects credentials and authenticates against the api server
• /logout target that deletes cookies, etc

This can be configured similar to the oauth2 or cauth services demonstrated in NDS-791. An open issue is how we can use this for namespace-aware auth.