在Kubernetes中使用Nginx进行外部OAuth身份验证 [英] External OAuth authentication with Nginx in Kubernetes

问题描述

在nginx入口后面为Web应用程序设置外部身份验证时遇到麻烦.当我尝试从外部访问URL https://site.example.com 时，我无法重定向到Github登录，然后直接访问Web应用程序.

Having trouble setting up external authentication for a web application behind nginx ingress. When i try to access the URL https://site.example.com from external i get no redirection to Github login, and direct access to web application happens.

在我的环境中运行Pod:

Running Pods for my environment:

NAME                              READY   STATUS   
nginx-ingress-68df4dfc4f-wpj5t    1/1     Running  
oauth2-proxy-6675d4b57c-cspw8     1/1     Running   
web-deployment-7d4bd85b46-blxb8   1/1     Running   
web-deployment-7d4bd85b46-nqjgl   1/1     Running   

活动服务:

NAME            TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)                      
nginx-ingress   LoadBalancer   10.96.156.157    192.168.1.82   80:31613/TCP,443:32437/TCP   
oauth2-proxy    ClusterIP      10.100.101.251   <none>         4180/TCP                     
web-service     ClusterIP      10.108.237.188   <none>         8080/TCP                     

两个Ingress资源:

Two Ingress resources:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: nginx-ingress
  annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
     nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
  labels:
    app: webapp
spec:
  rules:
  - host: site.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web-service
          servicePort: 8080
  tls:
  - hosts:
    - site.example.com
    secretName: example-tls

---

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: nginx-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
  labels:
    app: oauth2-proxy
spec:
  rules:
  - host: site.example.com
    http:
      paths:
      - backend:
          serviceName: oauth2-proxy
          servicePort: 4180
        path: /oauth2

  tls:
  - hosts:
    - site.example.com
    secretName: example-tls

入口输出:

NAME           CLASS    HOSTS              ADDRESS        PORTS     
ingress        <none>   site.example.com   192.168.1.82   80, 443   
oauth2-proxy   <none>   site.example.com                  80, 443   

我在Ingress oauth2-proxy事件中看到以下错误:

I see these errors in Ingress oauth2-proxy events:

Events:
  Type     Reason    Age   From                      Message
  ----     ------    ----  ----                      -------
  Warning  Rejected  54m   nginx-ingress-controller  All hosts are taken by other resources

通过部署此处，其中包含根据我在Github帐户中创建的OAuth应用的客户端ID，客户端机密和SECRET.

Oauth2-proxy built from deployment here with Client ID, Client Secret and SECRET according to the OAuth app created in my Github account.

我想在oauth2-proxy日志中找不到任何日志，因为在此过程中未调用它.

No logs found in oauth2-proxy logs, i suppose because it's not invoked in the process.

更新:

这个问题是不完整的，我忘了提及丰富的NGINX映像(来自

This question was incomplete, i forgot to mention the NGINX image empolyed (NGINX 1.9.0 from installation guide).

使用以下内容更改图像:

Changing the image with the below:

NGINX Ingress controller
Release: v0.41.2
Build: d8a93551e6e5798fc4af3eb910cef62ecddc8938
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.19.4

错误消失.简而言之，两个Ingress配置都有效，一个来自我的问题，另一个来自答案.

the error disappears. In brief both Ingress configuration, the one from my question and the other from the answer are working.

推荐答案

在您的配置中，您使用的是2个入口.如您对oauth2-proxy Ingress所述，在Event部分中，您可以找到信息:

In your configuration, you are using 2 Ingress. As you described you oauth2-proxy Ingress, in Event section you can find information:

所有主机都被其他资源占用

All hosts are taken by other resources

您在这里遇到的问题称为主机冲突.就像您使用的两个Ingress一样发生:

Issue you have encounter here is called Host Collisions. It occured as in your both Ingress you have used:

spec:
  rules:
  - host: site.example.com

在这种情况下，Ingress使用的默认算法为

In that kind of situation, Ingress is using default algorith called Choosing the Winner.

如果有多个资源争用同一台主机，则Ingress Controller将根据资源的creationTimestamp选择获胜者:最早的资源将获胜.

If multiple resources contend for the same host, the Ingress Controller will pick the winner based on the creationTimestamp of the resources: the oldest resource will win.

对于您的问题，快速的解决方案是创建一个具有2条路径的Ingress.

As fast solution for your issue is to create one Ingress with 2 paths.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
  namespace: nginx-ingress
  annotations:
     kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
     nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
spec:
  rules:
  - host: site.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: web-service
          servicePort: 8080
      - path: /oauth2
        backend:
          serviceName: oauth2-proxy
          servicePort: 4180      
  tls:
  - hosts:
    - site.example.com
    secretName: example-tls

解决此问题的另一种方法是使用

Another way to resolve this issue is to use Merging Configuration for the Same Host, however it shouldn't be applied in this scenario.

最后，您可以按照Nginx Ingress官方教程进行操作-

As last thing, you can follow official Nginx Ingress tutorial - External OAUTH Authentication

请帮助我.

这篇关于在Kubernetes中使用Nginx进行外部OAuth身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！