在Kubernetes中使用Nginx进行外部OAuth身份验证 [英] External OAuth authentication with Nginx in Kubernetes
问题描述
在nginx入口后面为Web应用程序设置外部身份验证时遇到麻烦.当我尝试从外部访问URL https://site.example.com 时,我无法重定向到Github登录,然后直接访问Web应用程序.
Having trouble setting up external authentication for a web application behind nginx ingress. When i try to access the URL https://site.example.com from external i get no redirection to Github login, and direct access to web application happens.
在我的环境中运行Pod:
Running Pods for my environment:
NAME READY STATUS
nginx-ingress-68df4dfc4f-wpj5t 1/1 Running
oauth2-proxy-6675d4b57c-cspw8 1/1 Running
web-deployment-7d4bd85b46-blxb8 1/1 Running
web-deployment-7d4bd85b46-nqjgl 1/1 Running
活动服务:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S)
nginx-ingress LoadBalancer 10.96.156.157 192.168.1.82 80:31613/TCP,443:32437/TCP
oauth2-proxy ClusterIP 10.100.101.251 <none> 4180/TCP
web-service ClusterIP 10.108.237.188 <none> 8080/TCP
两个Ingress资源:
Two Ingress resources:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: nginx-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
labels:
app: webapp
spec:
rules:
- host: site.example.com
http:
paths:
- path: /
backend:
serviceName: web-service
servicePort: 8080
tls:
- hosts:
- site.example.com
secretName: example-tls
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: nginx-ingress
annotations:
kubernetes.io/ingress.class: nginx
labels:
app: oauth2-proxy
spec:
rules:
- host: site.example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
tls:
- hosts:
- site.example.com
secretName: example-tls
入口输出:
NAME CLASS HOSTS ADDRESS PORTS
ingress <none> site.example.com 192.168.1.82 80, 443
oauth2-proxy <none> site.example.com 80, 443
我在Ingress oauth2-proxy事件中看到以下错误:
I see these errors in Ingress oauth2-proxy events:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Rejected 54m nginx-ingress-controller All hosts are taken by other resources
通过部署此处,其中包含根据我在Github帐户中创建的OAuth应用的客户端ID,客户端机密和SECRET.
Oauth2-proxy built from deployment here with Client ID, Client Secret and SECRET according to the OAuth app created in my Github account.
我想在oauth2-proxy日志中找不到任何日志,因为在此过程中未调用它.
No logs found in oauth2-proxy logs, i suppose because it's not invoked in the process.
更新:
This question was incomplete, i forgot to mention the NGINX image empolyed (NGINX 1.9.0 from installation guide).
使用以下内容更改图像:
Changing the image with the below:
NGINX Ingress controller
Release: v0.41.2
Build: d8a93551e6e5798fc4af3eb910cef62ecddc8938
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.4
错误消失.简而言之,两个Ingress配置都有效,一个来自我的问题,另一个来自答案.
the error disappears. In brief both Ingress configuration, the one from my question and the other from the answer are working.
推荐答案
在您的配置中,您使用的是2个入口.如您对oauth2-proxy Ingress
所述,在Event
部分中,您可以找到信息:
In your configuration, you are using 2 Ingress. As you described you oauth2-proxy Ingress
, in Event
section you can find information:
所有主机都被其他资源占用
All hosts are taken by other resources
您在这里遇到的问题称为主机冲突.就像您使用的两个Ingress
一样发生:
Issue you have encounter here is called Host Collisions. It occured as in your both Ingress
you have used:
spec:
rules:
- host: site.example.com
In that kind of situation, Ingress
is using default algorith called Choosing the Winner.
如果有多个资源争用同一台主机,则
Ingress Controller
将根据资源的creationTimestamp
选择获胜者:最早的资源将获胜.
If multiple resources contend for the same host, the
Ingress Controller
will pick the winner based on thecreationTimestamp
of the resources: the oldest resource will win.
对于您的问题,快速的解决方案是创建一个具有2条路径的Ingress
.
As fast solution for your issue is to create one Ingress
with 2 paths.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: nginx-ingress
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
rules:
- host: site.example.com
http:
paths:
- path: /
backend:
serviceName: web-service
servicePort: 8080
- path: /oauth2
backend:
serviceName: oauth2-proxy
servicePort: 4180
tls:
- hosts:
- site.example.com
secretName: example-tls
Another way to resolve this issue is to use Merging Configuration for the Same Host, however it shouldn't be applied in this scenario.
最后,您可以按照Nginx Ingress官方教程进行操作-
As last thing, you can follow official Nginx Ingress tutorial - External OAUTH Authentication
请帮助我.
这篇关于在Kubernetes中使用Nginx进行外部OAuth身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!