Kubernetes and AAD authentication

Question

On a configured AKS there is a Docker container with an application that is using AAD authentication.

Based on this article, there is also a configured ingress. The API is working well.

When I add a reply URL with the https prefix to the Azure Active Directory application registration, I receive the error "The reply url specified in the request does not match the reply urls configured for the application". And I see that in the browser address line redirect_uri starts with http.

When I add a reply URL that starts with http, I receive "Exception: Correlation failed".

What I have tried: adding the setting ingress.kubernetes.io/force-ssl-redirect: "true" to ingress.yaml.

Maybe there is some way to force the ingress to run https instead of http, or there might be some AAD redirect configuration? Any ideas?

UPDATE 2: Probably the http redirect is because of ADAL.

PS: I was able to find a similar topic without an answer.

UPDATE3: I have decided not to use nginx as ingress. Instead I am now using a load balancer. Soon it would be possible to use the Azure Application Gateway Ingress Controller.

Recommended answer

Have you tried this?

By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.

This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.

More details on this at the Ingress documentation link.
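
Added example, not part of the original question or answer: a small diagnostic for the "reply url specified in the request does not match" error described in the question. It takes the authorize URL copied from the browser address line, extracts `redirect_uri`, and reports how it differs from each registered reply URL. The tenant, client, host and callback path are constructed placeholders, and exact string matching is an assumption made for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (placeholders, not taken from the page).
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/TENANT_ID/oauth2/authorize"
    "?client_id=CLIENT_ID&response_type=id_token"
    "&redirect_uri=http%3A%2F%2Fapi.example.com%2Fsignin-oidc"
)
REGISTERED_REPLY_URLS = ["https://api.example.com/signin-oidc"]


def extract_redirect_uri(authorize_url):
    """Return the decoded redirect_uri query parameter of an authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri")
    if not values:
        raise ValueError("authorize URL carries no redirect_uri parameter")
    return values[0]


def diagnose(authorize_url, registered):
    """Return (matched, findings) for the requested redirect_uri.

    findings lists, per registered reply URL, which URL components differ.
    Matching is exact string comparison (assumption for this example).
    """
    requested = extract_redirect_uri(authorize_url)
    if requested in registered:
        return True, []
    req = urlsplit(requested)
    findings = []
    for candidate in registered:
        reg = urlsplit(candidate)
        diffs = []
        if req.scheme != reg.scheme:
            diffs.append(f"scheme {req.scheme!r} != {reg.scheme!r}")
        if req.netloc.lower() != reg.netloc.lower():
            diffs.append(f"host {req.netloc!r} != {reg.netloc!r}")
        if req.path != reg.path:
            diffs.append(f"path {req.path!r} != {reg.path!r}")
        if not diffs:
            diffs.append("differs in query string or fragment")
        findings.append((candidate, diffs))
    return False, findings


if __name__ == "__main__":
    matched, findings = diagnose(AUTHORIZE_URL, REGISTERED_REPLY_URLS)
    print("match" if matched else f"mismatch: {findings}")
```

A finding that lists only a scheme difference corresponds to the situation in the question, where the registration uses https but the application sends a redirect_uri starting with http.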
