在Kubernetes中找不到带有OAuth2身份验证404页面的Nginx Ingress [英] Nginx Ingress with OAuth2 authentication 404 page not found in Kubernetes
问题描述
在此链接中,关于堆栈溢出的上一个问题之后,成功认证之后(在Github.com),我在浏览器中找不到 404页面.
following the previous question on Stack Overflow at this link, after successful authentication (at Github.com) i get 404 page not found on my browser.
下面的Ingress配置(供nginx-ingress控制器使用):
The Ingress configuration below (used by nginx-ingress controller):
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: nginx-ingress
annotations:
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
ingressClassName: nginx
rules:
- host: site.example.com
http:
paths:
- path: /v1
backend:
serviceName: web-service
servicePort: 8080
- path: /
backend:
serviceName: oauth2-proxy
servicePort: 4180
tls:
- hosts:
- site.example.com
secretName: example-tls
$ kubectl get ing -n nginx-ingress
NAME CLASS HOSTS ADDRESS PORTS
ingress nginx site.example.com 80, 443
- 浏览器将GET发送到 https://site.example.com/,
- 浏览器被重定向到Github登录页面,
- 成功登录后,浏览器将重定向到 https://site.example.com/,
- 浏览器将GET发送到 https://site.example.com/,其中已填充Cookie _oauth2_proxy
- 响应是 404页未找到
- browser sends GET to https://site.example.com/,
- browser is redirected to Github login page,
- After successful login, browser is redirected to https://site.example.com/,
- browser sends GET to https://site.example.com/ with cookie _oauth2_proxy filled
- the response is 404 page not found
我试图通过oauth2访问的node.js Web应用程序已使用两个路径(/和/v1)构建. Web应用程序位于服务 web-service 后面.
The node.js web application i'm trying to access to via oauth2 has been built with two paths (/ and /v1). Web application is behind Service web-service.
OAuth2 Github应用程序配置:
OAuth2 Github application configuration:
Homepage URL
https://site.example.com/
Authorization callback URL
https://site.example.com/oauth2/callback
OAuth2部署和服务:
OAuth2 deployment and service:
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
replicas: 1
selector:
matchLabels:
k8s-app: oauth2-proxy
template:
metadata:
labels:
k8s-app: oauth2-proxy
spec:
containers:
- args:
- --provider=github
- --email-domain=*
- --upstream=file:///dev/null
- --http-address=0.0.0.0:4180
# Register a new application
# https://github.com/settings/applications/new
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: 32066******52
- name: OAUTH2_PROXY_CLIENT_SECRET
value: ff2b0a***************9bd
- name: OAUTH2_PROXY_COOKIE_SECRET
value: deSF_t******03-HQ==
image: quay.io/oauth2-proxy/oauth2-proxy:latest
imagePullPolicy: Always
name: oauth2-proxy
ports:
- containerPort: 4180
protocol: TCP
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: nginx-ingress
spec:
ports:
- name: http
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
来自oauth2-proxy容器的日志:
Logs from oauth2-proxy container:
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51854 - - [2020/11/10 19:47:27] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0
[2020/11/10 19:47:27] [logger.go:508] Error loading cookied session: cookie "_oauth2_proxy" not present, removing session
10.44.0.2:51858 - - [2020/11/10 19:47:27] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:51864 - - [2020/11/10 19:47:28] site.example.com GET - "/oauth2/start?rd=%2F" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52004 - marco.***81@gmail.com [2020/11/10 19:48:33] [AuthSuccess] Authenticated via OAuth2: Session{email:marco.***81@gmail.com user:mafi81 PreferredUsername: token:true created:2020-11-10 19:48:32.494549621 +0000 UTC m=+137.822819581}
10.44.0.2:52004 - - [2020/11/10 19:48:32] site.example.com GET - "/oauth2/callback?code=da9c3af9d8f35728d2d1&state=e3280edf2430c507cd74f3d4655500c1%3A%2F" HTTP/1.1 "Mozilla/5.0 ...
10.44.0.2:52012 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/" HTTP/1.1 "Mozilla/5.0 ....
10.44.0.2:52014 - marco.****81@gmail.com [2020/11/10 19:48:33] site.example.com GET - "/favicon.ico" HTTP/1.1 "Mozilla/5.0 .... Chrome/86.0.4240.193 Safari/537.36" 404 19 0.000
测试环境:
- 带有kubeadm v1.19.3的VirtualBox
- NGINX入口控制器版本= 1.9.0.
我对Ingress资源下的路径配置仍然不确定. 关于如何继续进行故障排除的任何建议都将很棒.
I'm not still confident with paths configuration under Ingress resource. Any suggestion on how to go ahead with troubleshoot would be great.
更新:
遵循Matt的回答,提供测试身份验证的正确方法,这是新环境:
Following the Matt's answer, giving the right way to test the authentication, here is the new environment:
NGINX Ingress controller
Release: v0.41.2
Build: d8a93551e6e5798fc4af3eb910cef62ecddc8938
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.4
OAuth2 Pod
image: quay.io/oauth2-proxy/oauth2-proxy
入口清单:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress
namespace: web
annotations:
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.web.svc.cluster.local:4180/oauth2/auth
nginx.ingress.kubernetes.io/auth-signin: https://site.example.com/oauth2/start?rd=$request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;
access_by_lua_block {
if ngx.var.name_upstream_1 ~= "" then
ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
end
}
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- path: /
backend:
serviceName: web-service
servicePort: 8080
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: web
spec:
ingressClassName: nginx-oauth
rules:
- host: site.example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
tls:
- hosts:
- site.example.com
secretName: tls
请注意,我必须更改一个注释才能使其工作:
Note that i had to change one annotation to get it working:
- auth-url:http://oauth2- proxy.web.svc.cluster.local:4180/oauth2/auth(解决了解析失败)
推荐答案
根据 oauth代理文档,您必须使用在这里您可以阅读有关
Here you can read more about differences between nginxinc/kubernetes-ingress and kubernetes/ingress-nginx Ingress Controllers.
在oath2-proxy文档(前面提到)中,您可以找到以下内容:
In oath2-proxy docs (mentioned earlier) you can find the following:
在Kubernetes中使用ingress-nginx时,必须为Ingress使用kubernetes/ingress-nginx(包括Lua模块)和以下配置代码段.当通过proxy_pass处理位置时,使用auth_request_set设置的变量无法在纯nginx配置中设置,然后只能由Lua处理.请注意,nginxinc/kubernetes-ingress不包含Lua模块.
When you use ingress-nginx in Kubernetes, you MUST use kubernetes/ingress-nginx (which includes the Lua module) and the following configuration snippet for your Ingress. Variables set with auth_request_set are not set-able in plain nginx config when the location is processed via proxy_pass and then may only be processed by Lua. Note that nginxinc/kubernetes-ingress does not include the Lua module.
nginx.ingress.kubernetes.io/auth-response-headers: Authorization
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $name_upstream_1 $upstream_cookie_name_1;
access_by_lua_block {
if ngx.var.name_upstream_1 ~= "" then
ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
end
}
因此,如果我们可以信任文档,则您的身份验证将无法进行,因为您使用的是错误的nginx控制器,并且缺少注释.
So if we can trust documentation, your authentication won't work because you are using wrong nginx controller and you are missing annotations.
这篇关于在Kubernetes中找不到带有OAuth2身份验证404页面的Nginx Ingress的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
