IBM Cloud:如何使用 K8s Ingress 和 ALB OAuth Proxy 为 Kubernetes 集群上的应用程序启用 App ID?
IBM Cloud: How to enable App ID for app on Kubernetes cluster with K8s Ingress and ALB OAuth Proxy?
我正在尝试为部署到 VPC 中的 IBM Cloud Kubernetes Service (IKS) 运行 的应用程序配置基于 App ID 的身份验证。过去它与 IBM's own Ingress. However, that has been deprecated. Now, I am following the guide here which is using the community Ingress and talks about adding IBM App Id.
配合使用效果很好
我似乎已经配置了所有内容,但是无法访问主机/站点。 Ingress 资源如下所示:
"apiVersion": "networking.k8s.io/v1beta1",
"kind": "Ingress",
"metadata": {
"annotations": {
"kubernetes.io/ingress.class": "public-iks-k8s-nginx",
"nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
"nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
"nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;
access_by_lua_block {
if ngx.var.access_token ~= \"\" then
ngx.req.set_header(\"Authorization\", \"Bearer \" .. ngx.var.access_token)
end
}
"
},
"name": "ingress-for-mytest",
"namespace": "sfs"
},
"spec": {
"rules": [
{
"host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
"http": {
"paths": [
{
"backend": {
"serviceName": "my-service",
"servicePort": 8081
},
"path": "/"
}
]
}
}
],
"tls": [
{
"hosts": [
"myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
],
"secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
}
]
}
}
我让它可以使用以下定义:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-for-mytest
annotations:
kubernetes.io/ingress.class: "public-iks-k8s-nginx"
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $access_token $upstream_http_x_auth_request_access_token;
auth_request_set $id_token $upstream_http_authorization;
access_by_lua_block {
if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
end
}
spec:
tls:
- hosts:
- myhost
secretName: ingress-secret-for-mytest
rules:
- host: myhost
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 8081
重要的是要注意 OAuth2 代理(参见 steps regarding the proxy add-on and App ID integration)只有在(集群)Ingress 秘密被复制到该命名空间时才能成功部署到该命名空间。
您可以使用以下命令找到 Ingress 机密并在默认命名空间中监视该机密:
ibmcloud ks ingress secret ls -c your-cluster-name
此后,在非默认命名空间中(重新)创建该机密,复制该机密的 CRN 和名称:
ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace
--cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above
我正在尝试为部署到 VPC 中的 IBM Cloud Kubernetes Service (IKS) 运行 的应用程序配置基于 App ID 的身份验证。过去它与 IBM's own Ingress. However, that has been deprecated. Now, I am following the guide here which is using the community Ingress and talks about adding IBM App Id.
配合使用效果很好我似乎已经配置了所有内容,但是无法访问主机/站点。 Ingress 资源如下所示:
"apiVersion": "networking.k8s.io/v1beta1",
"kind": "Ingress",
"metadata": {
"annotations": {
"kubernetes.io/ingress.class": "public-iks-k8s-nginx",
"nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
"nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
"nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;
access_by_lua_block {
if ngx.var.access_token ~= \"\" then
ngx.req.set_header(\"Authorization\", \"Bearer \" .. ngx.var.access_token)
end
}
"
},
"name": "ingress-for-mytest",
"namespace": "sfs"
},
"spec": {
"rules": [
{
"host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
"http": {
"paths": [
{
"backend": {
"serviceName": "my-service",
"servicePort": 8081
},
"path": "/"
}
]
}
}
],
"tls": [
{
"hosts": [
"myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
],
"secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
}
]
}
}
我让它可以使用以下定义:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-for-mytest
annotations:
kubernetes.io/ingress.class: "public-iks-k8s-nginx"
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $access_token $upstream_http_x_auth_request_access_token;
auth_request_set $id_token $upstream_http_authorization;
access_by_lua_block {
if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
end
}
spec:
tls:
- hosts:
- myhost
secretName: ingress-secret-for-mytest
rules:
- host: myhost
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 8081
重要的是要注意 OAuth2 代理(参见 steps regarding the proxy add-on and App ID integration)只有在(集群)Ingress 秘密被复制到该命名空间时才能成功部署到该命名空间。
您可以使用以下命令找到 Ingress 机密并在默认命名空间中监视该机密:
ibmcloud ks ingress secret ls -c your-cluster-name
此后,在非默认命名空间中(重新)创建该机密,复制该机密的 CRN 和名称:
ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace
--cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above