[英]Kubernetes NGINX Ingress Controller 404 Not found / Object not found
[英]Nginx Ingress with OAuth2 authentication 404 page not found in Kubernetes
遵循此鏈接上有關堆棧溢出的上一個問題,在成功進行身份驗證后(在 Github.com),我在瀏覽器上找不到 404 頁面。
下面的 Ingress 配置(由 nginx-ingress 控制器使用):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: nginx-ingress
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
ingressClassName: nginx
rules:
- host: site.example.com
http:
paths:
- path: /v1
backend:
serviceName: web-service
servicePort: 8080
- path: /
backend:
serviceName: oauth2-proxy
servicePort: 4180
tls:
- hosts:
- site.example.com
secretName: example-tls
$ kubectl get ing -n nginx-ingress
NAME CLASS HOSTS ADDRESS PORTS
ingress nginx site.example.com 80, 443
我試圖通過 oauth2 訪問的 node.js Web 應用程序已構建有兩個路徑(/ 和 /v1)。 Web 應用程序位於 Service web-service 之后。
OAuth2 Github 應用配置:
Homepage URL
https://site.example.com/
Authorization callback URL
https://site.example.com/oauth2/callback
OAuth2 部署和服務:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=github
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
# Register a new application
# https://github.com/settings/applications/new
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: 32066******52
- name: OAUTH2_PROXY_CLIENT_SECRET
value: ff2b0a***************9bd
- name: OAUTH2_PROXY_COOKIE_SECRET
value: deSF_t******03-HQ==
image: quay.io/oauth2-proxy/oauth2-proxy:latest
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCP
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
來自 oauth2-proxy 容器的日志:
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51854 - - [2020/11/10 19:47:27] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51858 - - [2020/11/10 19:47:27] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:51864 - - [2020/11/10 19:47:28] site.example.com GET - "/oauth2/start?rd=%2F" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52004 - marco.***81@gmail.com [2020/11/10 19:48:33] [AuthSuccess] Authenticated via OAuth2: Session{email:marco.***81@gmail.com user:mafi81 PreferredUsername: token:true created:2020-11-10 19:48:32.494549621 +0000 UTC m=+137.822819581}
10.44.0.2:52004 - - [2020/11/10 19:48:32] site.example.com GET - "/oauth2/callback?code=da9c3af9d8f35728d2d1&state=e3280edf2430c507cd74f3d4655500c1%3A%2F" HTTP/1.1 "Mozilla/5.0 ...
10.44.0.2:52012 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52014 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 .... Chrome/86.0.4240.193 Safari/537.36" 404 19 0.000
測試環境:
我對 Ingress 資源下的路徑配置仍然沒有信心。 關於如何繼續進行故障排除的任何建議都會很棒。
更新:
按照馬特的回答,給出了測試身份驗證的正確方法,這是新環境:
NGINX Ingress controller
Release: v0.41.2
Build: d8a93551e6e5798fc4af3eb910cef62ecddc8938
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.4
OAuth2 Pod
image: quay.io/oauth2-proxy/oauth2-proxy
入口清單:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: web
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.web.svc.cluster.local:4180/oauth2/auth
nginx.ingress.kubernetes.io/auth-signin: https://site.example.com/oauth2/start?rd=$request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;
access_by_lua_block {
if ngx.var.name_upstream_1 ~= "" then
ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
end
}
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- path: /
backend:
serviceName: web-service
servicePort: 8080
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: web
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
tls:
- hosts:
- site.example.com
secretName: tls
請注意,我必須更改一個注釋才能使其正常工作:
根據oauth-proxy 文檔,您必須使用kubernetes/ingress-nginx 。
在這里您可以閱讀有關nginxinc/kubernetes-ingress 和 kubernetes/ingress-nginx Ingress Controllers 之間差異的更多信息。
在 oath2-proxy 文檔(前面提到過)中,您可以找到以下內容:
當您在 Kubernetes 中使用 ingress-nginx 時,您必須使用 kubernetes/ingress-nginx(包括 Lua 模塊)和以下用於您的 Ingress 的配置片段。 當通過 proxy_pass 處理位置時,使用 auth_request_set 設置的變量不能在普通 nginx 配置中設置,然后只能由 Lua 處理。 請注意,nginxinc/kubernetes-ingress 不包含 Lua 模塊。
nginx.ingress.kubernetes.io/auth-response-headers: Authorization nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth nginx.ingress.kubernetes.io/configuration-snippet: | auth_request_set $name_upstream_1 $upstream_cookie_name_1; access_by_lua_block { if ngx.var.name_upstream_1 ~= "" then ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)") end }
因此,如果我們可以信任文檔,您的身份驗證將無法工作,因為您使用了錯誤的 nginx 控制器並且您缺少注釋。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.