
IBM Cloud: How to enable App ID for app on Kubernetes cluster with K8s Ingress and ALB OAuth Proxy?

I am trying to configure App ID-based authentication for an app deployed to IBM Cloud Kubernetes Service (IKS) running in a VPC. In the past it worked well with IBM's own Ingress. However, that has been deprecated. Now, I am following the guide here, which uses the community Ingress and talks about adding IBM App ID.

I seem to have configured everything, but the host / site cannot be reached. Here is what the Ingress resource looks like:

{
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "annotations": {
            "kubernetes.io/ingress.class": "public-iks-k8s-nginx",
            "nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
            "nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
            "nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;\naccess_by_lua_block {\n  if ngx.var.access_token ~= \"\" then\n    ngx.req.set_header(\"Authorization\", \"Bearer \" .. ngx.var.access_token)\n  end\n}\n"
        },
        "name": "ingress-for-mytest",
        "namespace": "sfs"
    },
    "spec": {
        "rules": [
            {
                "host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
                "http": {
                    "paths": [
                        {
                            "backend": {
                                "serviceName": "my-service",
                                "servicePort": 8081
                            },
                            "path": "/"
                        }
                    ]
                }
            }
        ],
        "tls": [
            {
                "hosts": [
                    "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
                ],
                "secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
            }
        ]
    }
}

I got it to work with the following definition:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-for-mytest
  annotations:
    kubernetes.io/ingress.class: "public-iks-k8s-nginx"
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $access_token $upstream_http_x_auth_request_access_token;
      auth_request_set $id_token $upstream_http_authorization;
      access_by_lua_block {
        if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
          ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
        end
      }
spec:
  tls:
  - hosts:
    - myhost
    secretName: ingress-secret-for-mytest
  rules:
  - host: myhost
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 8081

It is important to note that the OAuth2 proxy (see the steps regarding the proxy add-on and App ID integration) will only deploy successfully to a non-default Kubernetes namespace if the (cluster) Ingress secret is copied into that namespace.

You can find the Ingress secret by running the following command and looking for the secret in the default namespace:

ibmcloud ks ingress secret ls -c your-cluster-name

Thereafter, (re)create that secret in the non-default namespace, copying the CRN and name of that secret:

ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace \
    --cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above
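As an added example (not code from the question, the answer or IBM's documentation), the following Python lint encodes the differences between the failing JSON manifest and the working YAML definition as checks that can be run over an Ingress manifest before it is applied: the working definition uses the networking.k8s.io/v1 API and points auth-url at the proxy's /auth endpoint, auth-signin must carry rd=$escaped_request_uri over https, every rule host needs a TLS entry, and the snippet must capture the access token handed back by oauth2-proxy. The embedded manifest is constructed from the question's, trimmed to the fields the lint reads.

```python
from copy import deepcopy
from urllib.parse import parse_qs, urlsplit

ANN = "nginx.ingress.kubernetes.io/"          # prefix of the community-Ingress annotations

def lint_appid_ingress(manifest: dict) -> list:
    """Return findings about the App ID / oauth2-proxy wiring; [] means every check passed."""
    findings = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    auth_url = urlsplit(ann.get(ANN + "auth-url", ""))
    signin = urlsplit(ann.get(ANN + "auth-signin", ""))
    if manifest.get("apiVersion") != "networking.k8s.io/v1":
        findings.append("apiVersion: the working definition uses networking.k8s.io/v1")
    if not auth_url.path.endswith("/auth"):
        findings.append("auth-url: the working definition points at the proxy's /auth endpoint")
    if auth_url.scheme != "https" or signin.scheme != "https":
        findings.append("auth-url/auth-signin: must be https so tokens never travel in the clear")
    if parse_qs(signin.query).get("rd") != ["$escaped_request_uri"]:
        findings.append("auth-signin: missing rd=$escaped_request_uri, users will not return to the requested URL")
    spec = manifest.get("spec", {})
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    for rule in spec.get("rules", []):
        if rule.get("host") not in tls_hosts:
            findings.append(f"rule host {rule.get('host')!r} has no TLS entry")
    if "$upstream_http_x_auth_request_access_token" not in ann.get(ANN + "configuration-snippet", ""):
        findings.append("configuration-snippet: access token from oauth2-proxy is never captured")
    return findings

# Constructed from the failing manifest in the question, trimmed to the fields the lint reads.
FAILING = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "metadata": {"name": "ingress-for-mytest", "namespace": "sfs", "annotations": {
        ANN + "auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
        ANN + "auth-url": "https://$host/oauth2-myappid",
        ANN + "configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;",
    }},
    "spec": {"rules": [{"host": "myhost", "http": {"paths": [{"path": "/"}]}}],
             "tls": [{"hosts": ["myhost"], "secretName": "ingress-secret-for-mytest"}]},
}

def with_answer_fixes(manifest: dict) -> dict:
    """Apply two of the changes made in the working definition: the v1 API and the /auth endpoint."""
    fixed = deepcopy(manifest)
    fixed["apiVersion"] = "networking.k8s.io/v1"
    fixed["metadata"]["annotations"][ANN + "auth-url"] += "/auth"
    return fixed

if __name__ == "__main__":
    for label, manifest in (("failing", FAILING), ("fixed", with_answer_fixes(FAILING))):
        print(label, lint_appid_ingress(manifest) or "OK")
```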
