IBM Cloud: How to enable App ID for an app on a Kubernetes cluster with K8s Ingress and ALB OAuth Proxy?

I am trying to configure App ID-based authentication for an application running on IBM Cloud Kubernetes Service (IKS) deployed into a VPC. In the past it worked well with IBM's own Ingress. However, that has been deprecated. Now I am following the guide here, which uses the community Ingress and talks about adding IBM App ID.

I seem to have configured everything, but I cannot access the host/site. The Ingress resource looks like this:

{
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "annotations": {
            "kubernetes.io/ingress.class": "public-iks-k8s-nginx",
            "nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
            "nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
            "nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;\naccess_by_lua_block {\n  if ngx.var.access_token ~= \"\" then\n    ngx.req.set_header(\"Authorization\", \"Bearer \" .. ngx.var.access_token)\n  end\n}\n"
        },
        "name": "ingress-for-mytest",
        "namespace": "sfs"
    },
    "spec": {
        "rules": [
            {
                "host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
                "http": {
                    "paths": [
                        {
                            "backend": {
                                "serviceName": "my-service",
                                "servicePort": 8081
                            },
                            "path": "/"
                        }
                    ]
                }
            }
        ],
        "tls": [
            {
                "hosts": [
                    "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
                ],
                "secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
            }
        ]
    }
}

I got it to work with the following definition:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-for-mytest
  annotations:
    kubernetes.io/ingress.class: "public-iks-k8s-nginx"
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $access_token $upstream_http_x_auth_request_access_token;
      auth_request_set $id_token $upstream_http_authorization;
      access_by_lua_block {
        if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
          ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
        end
      }
spec:
  tls:
  - hosts:
    - myhost
    secretName: ingress-secret-for-mytest
  rules:
  - host: myhost
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 8081

It is important to note that the OAuth2 proxy (see the steps regarding the proxy add-on and App ID integration) can only be deployed successfully into a namespace if the (cluster) Ingress secret has been copied into that namespace.

You can find the Ingress secret and look at it in the default namespace with the following command:

ibmcloud ks ingress secret ls -c your-cluster-name

Thereafter, (re)create the secret in the non-default namespace, copying the CRN and the name of the secret:

ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace \
    --cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above
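As an added check (my own code, not from the question or the answer), a small Python lint over an Ingress object that encodes the two points from the answer: the auth-url must hit the proxy's /auth endpoint, and the TLS secret the Ingress references must exist in the Ingress's own namespace. The two sample manifests and the secret name default-ns-ingress-secret are constructed to mirror the "before" and "after" definitions above.

```python
# Added example, not part of the original question or answer.
# Lints an Ingress given as a plain dict (the shape json.load() gives for
# `kubectl get ingress <name> -o json`) against the setup described above.
ANN = "nginx.ingress.kubernetes.io/"

def lint_ingress(ingress, secrets_in_namespace):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations", {})
    auth_url = ann.get(ANN + "auth-url", "")
    signin = ann.get(ANN + "auth-signin", "")
    snippet = ann.get(ANN + "configuration-snippet", "")
    if not auth_url:
        findings.append("auth-url missing: nginx will never call the OAuth2 proxy")
    elif not auth_url.endswith("/auth"):
        # The working manifest uses .../oauth2-myappid/auth; the proxy root alone does not answer auth_request.
        findings.append(f"auth-url {auth_url!r} must point at the proxy's /auth endpoint")
    if "rd=$escaped_request_uri" not in signin:
        findings.append("auth-signin lacks rd=$escaped_request_uri; user will not return to the requested page")
    if "$upstream_http_x_auth_request_access_token" in snippet and "access_by_lua_block" not in snippet:
        findings.append("access token captured but never forwarded as an Authorization header")
    spec = ingress.get("spec", {})
    tls_hosts = set()
    for tls in spec.get("tls", []):
        tls_hosts.update(tls.get("hosts", []))
        name = tls.get("secretName")
        if name not in secrets_in_namespace:
            findings.append(f"TLS secret {name!r} not in this namespace; copy it with "
                            "'ibmcloud ks ingress secret create -n <ns> --cert-crn ... --name ...'")
    for rule in spec.get("rules", []):
        if rule.get("host") not in tls_hosts:
            findings.append(f"rule host {rule.get('host')!r} has no TLS entry, so https://$host sign-in fails")
    return findings

# Constructed samples mirroring the asker's "before" and the answer's "after" manifests.
def _ingress(auth_url, secret):
    return {"metadata": {"name": "ingress-for-mytest", "namespace": "sfs", "annotations": {
                ANN + "auth-url": auth_url,
                ANN + "auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
                ANN + "configuration-snippet": "auth_request_set $access_token "
                    "$upstream_http_x_auth_request_access_token;\naccess_by_lua_block { ... }"}},
            "spec": {"tls": [{"hosts": ["myhost"], "secretName": secret}],
                     "rules": [{"host": "myhost", "http": {"paths": [{"path": "/"}]}}]}}

BROKEN = _ingress("https://$host/oauth2-myappid", "default-ns-ingress-secret")       # before
WORKING = _ingress("https://$host/oauth2-myappid/auth", "ingress-secret-for-mytest")  # after

if __name__ == "__main__":
    for name, ing in (("broken", BROKEN), ("working", WORKING)):
        print(name, lint_ingress(ing, {"ingress-secret-for-mytest"}))
```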