[英]What is proper design for authentication in kubernetes using nginx-ingress and keycloak
[英]nginx application authentication using keycloak - issue with ingress
我正在尝试按照这篇文章 - https://cloud.redhat.com/blog/adding-authentication-to-your-kubernetes-web-applications-with-keycloak获取使用 keycloak 身份提供程序进行身份验证的 nginx 应用程序
这是我尝试应用的设置和配置详细信息。
入口 controller - https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.1.0/deploy/static/provider/baremetal/deploy.Z6373C023A68AFF699
CNI - https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubeadmin@kubemaster:/etc/kubernetes/manifests$ kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
kubemaster Ready control-plane,master 4d11h v1.23.1 192.168.122.54 <none> Ubuntu 20.04.3 LTS 5.11.0-43-generic docker://20.10.12
kubenode Ready <none> 4d10h v1.23.1 192.168.122.198 <none> Ubuntu 20.04.3 LTS 5.11.0-43-generic docker://20.10.12
部署、服务和入口文件尝试申请
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: default
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
- name: gatekeeper
image: carlosedp/keycloak-gatekeeper:latest
args:
- --config=/etc/keycloak-gatekeeper.conf
ports:
- containerPort: 3000
name: service
volumeMounts:
- name: gatekeeper-config
mountPath: /etc/keycloak-gatekeeper.conf
subPath: keycloak-gatekeeper.conf
- name: gatekeeper-files
mountPath: /html
volumes:
- name : gatekeeper-config
configMap:
name: gatekeeper-config
- name : gatekeeper-files
configMap:
name: gatekeeper-files
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gatekeeper-config
namespace: default
creationTimestamp: null
data:
keycloak-gatekeeper.conf: |+
# is the url for retrieve the OpenID configuration - normally the <server>/auth/realms/<realm_name>
discovery-url: https://192.168.122.54:8443/auth/realms/local
# skip tls verify
skip-openid-provider-tls-verify: true
# the client id for the 'client' application
client-id: gatekeeper
# the secret associated to the 'client' application
client-secret: 50f6177f-4c66-4def-81f9-a4bd4ec2491b
# the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH>
listen: :3000
# whether to enable refresh tokens
enable-refresh-tokens: true
# the location of a certificate you wish the proxy to use for TLS support
#tls-cert:
# the location of a private key for TLS
#tls-private-key:
# the redirection url, essentially the site url, note: /oauth/callback is added at the end
redirection-url: http://kubemaster
secure-cookie: false
# the encryption key used to encode the session state
encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
# the upstream endpoint which we should proxy request
upstream-url: http://127.0.0.1:80/
forbidden-page: /html/access-forbidden.html
resources:
- uri: /*
groups:
- my-app
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gatekeeper-files
namespace: default
creationTimestamp: null
data:
access-forbidden.html: |+
<html lang="en"><head> <title>Access Forbidden</title><style>*{font-family: "Courier", "Courier New", "sans-serif"; margin:0; padding: 0;}body{background: #233142;}.whistle{width: 20%; fill: #f95959; margin: 100px 40%; text-align: left; transform: translate(-50%, -50%); transform: rotate(0); transform-origin: 80% 30%; animation: wiggle .2s infinite;}@keyframes wiggle{0%{transform: rotate(3deg);}50%{transform: rotate(0deg);}100%{transform: rotate(3deg);}}h1{margin-top: -100px; margin-bottom: 20px; color: #facf5a; text-align: center; font-size: 90px; font-weight: 800;}h2, a{color: #455d7a; text-align: center; font-size: 30px; text-transform: uppercase;}</style> </head><body> <use> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve" class="whistle"><g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path d="M4295.8,3963.2c-113-57.4-122.5-107.2-116.8-622.3l5.7-461.4l63.2-55.5c72.8-65.1,178.1-74.7,250.8-24.9c86.2,61.3,97.6,128.3,97.6,584c0,474.8-11.5,526.5-124.5,580.1C4393.4,4001.5,4372.4,4001.5,4295.8,3963.2z"/><path d="M3053.1,3134.2c-68.9-42.1-111-143.6-93.8-216.4c7.7-26.8,216.4-250.8,476.8-509.3c417.4-417.4,469.1-463.4,526.5-463.4c128.3,0,212.5,88.1,212.5,224c0,67-26.8,97.6-434.6,509.3c-241.2,241.2-459.5,449.9-488.2,465.3C3181.4,3180.1,3124,3178.2,3053.1,3134.2z"/><path d="M2653,1529.7C1644,1445.4,765.1,850,345.8-32.7C62.4-628.2,22.2-1317.4,234.8-1960.8C451.1-2621.3,947-3186.2,1584.6-3500.2c1018.6-501.6,2228.7-296.8,3040.5,515.1c317.8,317.8,561,723.7,670.1,1120.1c101.5,369.5,158.9,455.7,360,553.3c114.9,57.4,170.4,65.1,1487.7,229.8c752.5,93.8,1392,181.9,1420.7,193.4C8628.7-857.9,9900,1250.1,9900,1328.6c0,84.3-67,172.3-147.4,195.3c-51.7,15.3-790.8,19.1-2558,15.3l-2487.2-5.7l-55.5-63.2l-55.5-61.3v-344.6V719.8h-411.7h-411.7v325.5c0,509.3,11.5,499.7-616.5,494C2921,1537.3,2695.1,1533.5,2653,1529.7z"/></g></g></svg></use><h1>403</h1><h2>Not this time, access forbidden!</h2><h2><a href="/oauth/logout?redirect=https://google.com">Logout</h2></body></html>
---
apiVersion: v1
kind: Service
metadata:
labels:
app: nginx
name: nginx
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 3000
selector:
app: nginx
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: kubemaster
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
defaultBackend:
service:
name: nginx
port:
number: 80
应用 yml 定义后,pod、服务和入口一切都在运行
kubeadmin@kubemaster:~/stack/keycloak$ kubectl get pods,svc,rs,ingress -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
pod/nginx-bb47fbd49-sbqhv 2/2 Running 0 34m 192.168.1.30 kubenode <none> <none>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 4d11h <none>
service/nginx ClusterIP 10.100.36.168 <none> 80/TCP 34m app=nginx
NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
replicaset.apps/nginx-bb47fbd49 1 1 1 34m nginx,gatekeeper nginx,carlosedp/keycloak-gatekeeper:latest app=nginx,pod-template-hash=bb47fbd49
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/nginx <none> kubemaster 80 34m
但是我无法在 http://kubemaster:80/ 上启动应用程序,根据流程应该路由到托管网守代理的 nginx 服务后端。
服务描述显示了 pod 的端点,我也可以直接访问服务后端,即http://192.168.1.30:3000/ ,这会将我带到 keycloak 身份验证页面。
kubeadmin@kubemaster:~/stack/keycloak$ kubectl describe service nginx
Name: nginx
Namespace: default
Labels: app=nginx
Annotations: <none>
Selector: app=nginx
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.100.36.168
IPs: 10.100.36.168
Port: http 80/TCP
TargetPort: 3000/TCP
Endpoints: 192.168.1.30:3000
Session Affinity: None
Events: <none>
错误 -
kubeadmin@kubemaster:~/stack/keycloak$ curl http://kubemaster/
curl: (7) Failed to connect to kubemaster port 80: Connection refused
任何建议或方向都会有很大帮助..
谢谢苏迪尔
如果客户端 URL(域+端口)不同并且服务器不知道此 URL,则在 keycloak 容器中设置环境变量“KEYCLOAK_FRONTEND_URL”。
jfi,此属性存在于 keycloak 配置文件夹中的 Standalone.xml (/standalone-ha.xml) 中,您也可以在此处对值进行硬编码。
在阅读了 nginx 入口 controller 文档后,我能够解决我的入口问题。 以下是为解决此问题而采取的步骤。
“nginx”部署 yml 定义保持不变。
"gatekeeper-config" 更新为 "redirection-url: http://demo.localdev.me:8080/" 。
“gatekeeper-files” yml 定义保持不变。
“nginx”服务 yml 定义保持不变。
“nginx”入口 yml 定义更新如下所示。 它基本上将“demo.localdev.me”映射到“localhost”
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nginx
namespace: default
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
ingressClassName: nginx
rules:
- host: demo.localdev.me
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
在所需的更改之后,应用 yml 定义来创建部署、配置映射、服务和入口资源。 组件运行后,需要将本地端口转发到入口 controller,如下所示。
kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8080:80
现在,我可以看到分配给我的入口资源的 IP 地址,如下所示。
kubeadmin@kubemaster:~$ kubectl get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
nginx nginx demo.localdev.me 192.168.122.198 80 75m
使用“http://demo.localdev.me:8080”启动应用程序,该应用程序在内部路由到端口 80 上的入口 controller。然后请求路由到服务后端,即 keycloak,它对请求进行身份验证并路由回应用程序。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.