How to handle Azure AD Authentication with Kubernetes Ingress
Problem description
I have an ASP.NET Core 2 application running in a pod.
It is nothing fancy. Just the default app created by Visual Studio, with "School/Work account"-authentication enabled.
My ingress points to /
- path: /
  backend:
    serviceName: debug-ui
    servicePort: 80
When I hit that endpoint (/) I am being redirected to Azure AD login. I authenticate and Azure AD redirects to /signin-oidc, which is normal for AD login. So far everything works as expected.
The problem is that the ingress responds with a "502 - Bad gateway", probably because the ingress sees /signin-oidc as a route to another (non-existing) service, but it should have been an endpoint on the application at / itself.
The application running at / also has /about and a /contact - which work fine when auth is disabled.
The /signin-oidc is called as HTTP POST with the authentication token. (JWT)
How can I solve this?
Technologies:
- Kubernetes on Azure ACS
- nginx-ingress-controller
- Azure Active Directory
- .NET Core 2
Recommended answer
Using Flask (instead of .NET) and AAD works with nginx ingress with something like below:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: flask-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
  - hosts:
    - example.com
    secretName: flask-auth
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: flask-app
          servicePort: 80
        path: /app(/|$)(.*)
---
This is similar to:
AAD
example.com/app
example.com/app/login
example.com/app/other-logins-urls
Serving HTML templates
example.com/app/app-name
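An added example, not part of the original answer: a pre-deployment check that every reply URL registered for the AAD application falls under a host and path the Ingress above actually routes, so the sign-in callback reaches the app's Service. It assumes use-regex applies the path as a case-insensitive regex anchored at the start of the request path; the reply URLs and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the Ingress above: (host, path) per rule.
INGRESS_RULES = [("example.com", "/app(/|$)(.*)")]

# Constructed sample reply URLs, as they might be registered for the AAD app.
REPLY_URLS = [
    "https://example.com/app/signin-oidc",
    "https://example.com/signin-oidc",
    "https://example.com/APP/login",
    "https://example.com/application/signin-oidc",
    "https://other.example.com/app/signin-oidc",
    "http://example.com/app/signin-oidc",
]


def matching_rule(url, rules):
    """Return the (host, path) rule that would route this URL, or None."""
    parts = urlsplit(url)
    for host, path in rules:
        if parts.hostname != host:
            continue
        # Assumption: with use-regex "true" the path is applied as a
        # case-insensitive regex anchored at the start of the request path.
        if re.match(path, parts.path or "/", re.IGNORECASE):
            return (host, path)
    return None


def audit_reply_urls(urls, rules):
    """Classify each reply URL as 'routed', 'unrouted' or 'not-https'."""
    report = {}
    for url in urls:
        if urlsplit(url).scheme != "https":
            report[url] = "not-https"  # the Ingress above terminates TLS
        elif matching_rule(url, rules):
            report[url] = "routed"
        else:
            report[url] = "unrouted"  # no rule matches; never reaches the app
    return report


if __name__ == "__main__":
    for url, status in audit_reply_urls(REPLY_URLS, INGRESS_RULES).items():
        print(f"{status:10} {url}")
```
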