如何在一个域下的kubernetes中获取 oauth2_proxy 运行 以重定向回需要身份验证的原始域?
How to get oauth2_proxy running in kubernetes under one domain to redirect back to original domain that required authentication?
我一直在设置一个 kubernetes 集群,想保护 bitly/oauth2_proxy(运行 在 [=16] 后面的仪表板(运行 在 kube.example.com) =] 在图像 a5huynh/oauth2_proxy:latest) 上,因为我想将 OAuth 代理重新用于其他服务,我将 运行。身份验证工作正常,但在用户登录后,即回调 returns,它们将被发送到 example.com,而它们应该被发送到启动流程的原始主机 kube.example.com。我怎样才能做到这一点? (我正在使用 nginx-ingress-controller)。
OAuth2 代理上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
仪表板上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"
我希望在 OAuth 流程完成后被重定向到原始主机 kube.example.com,但正在被发送回 OAuth2 主机 example.com
搜索了一下后,我发现 blog post about performing this in a super simple manor. Unfortunately I found the provided yaml 没有完全正常工作,因为 oauth2_proxy 由于 nginx 拦截了所有请求而从未被命中(我不确定我的是否不是由于我希望 oauth-proxy url 成为 example.com/oauth2 而不是 oauth2.example.com,所以工作。为了解决这个问题,我将 oauth2-proxy 路径添加回代理的入口,即
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 80
path: /
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
并确保该服务仍然暴露,即
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: http-proxy
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
然后为了保护 oauth 代理背后的服务,我只需要在 Ingress 注释中放置以下内容:
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"
我一直在设置一个 kubernetes 集群,想保护 bitly/oauth2_proxy(运行 在 [=16] 后面的仪表板(运行 在 kube.example.com) =] 在图像 a5huynh/oauth2_proxy:latest) 上,因为我想将 OAuth 代理重新用于其他服务,我将 运行。身份验证工作正常,但在用户登录后,即回调 returns,它们将被发送到 example.com,而它们应该被发送到启动流程的原始主机 kube.example.com。我怎样才能做到这一点? (我正在使用 nginx-ingress-controller)。
OAuth2 代理上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
仪表板上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"
我希望在 OAuth 流程完成后被重定向到原始主机 kube.example.com,但正在被发送回 OAuth2 主机 example.com
搜索了一下后,我发现 blog post about performing this in a super simple manor. Unfortunately I found the provided yaml 没有完全正常工作,因为 oauth2_proxy 由于 nginx 拦截了所有请求而从未被命中(我不确定我的是否不是由于我希望 oauth-proxy url 成为 example.com/oauth2 而不是 oauth2.example.com,所以工作。为了解决这个问题,我将 oauth2-proxy 路径添加回代理的入口,即
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 80
path: /
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
并确保该服务仍然暴露,即
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: http-proxy
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
然后为了保护 oauth 代理背后的服务,我只需要在 Ingress 注释中放置以下内容:
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"