
Using master - minion Nginx ingress with oauth2-proxy authentication

I have an app running in a kubernetes cluster that uses TLS and oauth2 authentication as part of the Nginx ingress. It all runs fine but I now want to split my ingresses so that I have a master and a number of minions, making sure that all the authentication is handled for the complete host domain. When I do this the forced signin breaks. I can still reach it if I add the path manually but it is no longer required to reach the application. Is this possible to solve?

Example

Regular ingress

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/auth-url: "https://my-app.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://my-app.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
spec:
  tls:
  - secretName: my-app-com-tls
    hosts:
    - my-app.com
  rules:
  - host: my-app.com
    http:
      paths:
      - path: /(.*)
        backend:
          serviceName: my-app
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    kubernetes.io/ingress.class: nginx
  labels:
    app: oauth2-proxy
    app.kubernetes.io/managed-by: Helm
    chart: oauth2-proxy-3.1.0
    heritage: Helm
    release: oauth2-proxy
spec:
  rules:
  - host: my-app.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 80
        path: /oauth2
  tls:
  - hosts:
    - my-app.com
    secretName: my-app-com-tls

Master - minion

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ingress-master
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/mergeable-ingress-type: "master"
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/auth-url: "https://my-app.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://my-app.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
spec:
  tls:
  - secretName: my-app-com-tls
    hosts:
    - my-app.com
  rules:
  - host: my-app.com
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-app-ingress-minion
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/mergeable-ingress-type: "minion"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  rules:
  - host: my-app.com
    http:
      paths:
      - path: /(.*)
        backend:
          serviceName: my-app
          servicePort: 80
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.org/mergeable-ingress-type: minion
  labels:
    app: oauth2-proxy
    app.kubernetes.io/managed-by: Helm
    chart: oauth2-proxy-3.1.0
    heritage: Helm
    release: oauth2-proxy
spec:
  rules:
  - host: my-app.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 80
        path: /oauth2

It turns out that I had unintentionally found features that were defined in two different nginx-ingress-controller packages (nginxinc and kubernetes). So the reason that it breaks is simply that there is no support for master - minion hierarchy in the controller I am actually using in my cluster. And there seems not to be any support for the authentication in the other package.

I have created a feature suggestion.
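The security-relevant consequence of the mix-up in the answer is easy to miss: on kubernetes/ingress-nginx the `auth-url`/`auth-signin` annotations apply only to the Ingress object they sit on, so once the paths move to a "minion" object that carries no auth annotations, the `/(.*)` route to `my-app` is served without any sign-in, while the `nginx.org/mergeable-ingress-type` annotations are silently ignored. The following lint, an added example that is not part of the original post, flags exactly that pattern over a set of Ingress manifests. The manifests are constructed Python dicts mirroring the YAML above (no cluster or YAML library is needed), and the finding codes and the `lint_ingresses`/`backend_paths` helper names are this example's own.

```python
# Added example (not from the original post): lint Ingress manifests for the
# two-controller mix-up described in the answer. All manifests below are
# constructed dicts mirroring the post's YAML; nothing here talks to a cluster.
from typing import Dict, List, Tuple

NGINXINC = "nginx.org/"                         # NGINX Inc. controller (mergeable ingress)
INGRESS_NGINX = "nginx.ingress.kubernetes.io/"  # kubernetes/ingress-nginx controller
AUTH_KEYS = (INGRESS_NGINX + "auth-url", INGRESS_NGINX + "auth-signin")


def backend_paths(ingress: Dict) -> List[Tuple[str, str, str]]:
    """Return (host, path, serviceName) for every path the Ingress routes."""
    out = []
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            out.append((rule.get("host", "*"), p.get("path", "/"), p["backend"]["serviceName"]))
    return out


def lint_ingresses(manifests: List[Dict], auth_service: str = "oauth2-proxy") -> List[Tuple[str, str]]:
    """Return (ingress name, finding code) pairs.

    mixed-controllers    : annotations from both controllers on one object; one set is ignored
    unauthenticated-paths: routes app paths but carries no auth-url/auth-signin of its own
    auth-without-paths   : auth annotations on an object that routes nothing, so they protect nothing
    """
    findings = []
    for ing in manifests:
        name = ing["metadata"]["name"]
        ann = ing["metadata"].get("annotations", {})
        if any(k.startswith(NGINXINC) for k in ann) and any(k.startswith(INGRESS_NGINX) for k in ann):
            findings.append((name, "mixed-controllers"))
        paths = backend_paths(ing)
        has_auth = all(k in ann for k in AUTH_KEYS)
        # Paths that go to the auth proxy itself must stay unauthenticated, so skip them.
        app_paths = [p for p in paths if p[2] != auth_service]
        if app_paths and not has_auth:
            findings.append((name, "unauthenticated-paths"))
        if has_auth and not paths:
            findings.append((name, "auth-without-paths"))
    return findings


def _ingress(name: str, annotations: Dict[str, str], paths: List[Tuple[str, str]]) -> Dict:
    """Build a minimal Ingress dict for my-app.com (constructed test data)."""
    rule: Dict = {"host": "my-app.com"}
    if paths:
        rule["http"] = {"paths": [{"path": path, "backend": {"serviceName": svc, "servicePort": 80}}
                                  for path, svc in paths]}
    return {"apiVersion": "networking.k8s.io/v1beta1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": annotations}, "spec": {"rules": [rule]}}


AUTH = {INGRESS_NGINX + "auth-url": "https://my-app.com/oauth2/auth",
        INGRESS_NGINX + "auth-signin": "https://my-app.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri"}

# The "Regular ingress" set from the question: auth annotations sit on the object that routes the app.
REGULAR = [
    _ingress("my-app-ingress", {INGRESS_NGINX + "rewrite-target": "/$1", **AUTH}, [("/(.*)", "my-app")]),
    _ingress("oauth2-proxy", {}, [("/oauth2", "oauth2-proxy")]),
]

# The "Master - minion" set: auth annotations moved to a path-less master, app paths on a bare minion.
MASTER_MINION = [
    _ingress("my-app-ingress-master", {NGINXINC + "mergeable-ingress-type": "master", **AUTH}, []),
    _ingress("my-app-ingress-minion",
             {NGINXINC + "mergeable-ingress-type": "minion", INGRESS_NGINX + "rewrite-target": "/$1"},
             [("/(.*)", "my-app")]),
    _ingress("oauth2-proxy", {NGINXINC + "mergeable-ingress-type": "minion"}, [("/oauth2", "oauth2-proxy")]),
]

if __name__ == "__main__":
    for label, docs in (("regular", REGULAR), ("master-minion", MASTER_MINION)):
        print(label, lint_ingresses(docs) or "no findings")
```

Running it reports no findings for the regular set and four for the master/minion set: both the master and the minion mix annotation prefixes, the master carries auth annotations on an object with no paths, and the minion routes `/(.*)` with no auth annotations, which is the "forced signin breaks" symptom expressed as a check that can be run against manifests before they reach the cluster.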

