Oauth2-proxy 和 Traefik:重定向太多

Oauth2-proxy and Traefik: too many redirect

为了让这个东西与 Traefik 一起工作,我已经尝试了好几天和无数小时,但是无论我尝试了什么,到目前为止都没有任何效果。

我首先尝试使用 Nginx 入口控制器并设法让它工作,所以我确信我的提供商 (Cognito) 和 oauth2-proxy pod 工作正常。

所以,我使用的是 EKS 1.20 集群,我们通过 helm chart 安装了 Traefik

replicas: 1

rbac:
  enabled: true

accessLogs:
  enabled: false

service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "my-certs"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"

externalTrafficPolicy: Local

ssl:
  enabled: true
  enforced: true
  upstream: true
helm upgrade -i traefik traefik/traefik -f traefik-values.yaml

这是我的 oauth 代理的配置,它与 Nginx 一起工作。 在 Oauth-proxy 中没有提到 Traefik 所以我想这也应该有效:

config:
  clientID: "xxxxx"
  clientSecret: "xxxxxx"
  cookieSecret: "xxxx"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]

extraArgs:
  oidc-issuer-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>"
  oidc-jwks-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
  reverse-proxy: true
  real-client-ip-header: X-Forwarded-For
  whitelist-domain: mycompany.com
  cookie-domain: mycompany.com
  set-authorization-header: true
  

这些是他们转换为 Kubernetes 的文档中建议的配置:https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-traefik-v2-forwardauth-middleware

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://mycompany.com/oauth2/auth
    trustForwardHeader: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    service:
      name: oauth2-proxy
      port: 80
    query: "/oauth2/sign_in"

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`) && PathPrefix(`/oauth2/`)"
      kind: Rule
      services:
        - kind: Service
          name: oauth2-proxy
          port: 80
      middlewares:
        - name: auth-headers

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: linkerd-dashboard-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`)"
      kind: Rule
      services:
        - name: nginx-service
          kind: Service
          port: 8080
      priority: 1
      middlewares:
        - name: oauth-auth
        - name: oauth-errors

现在有了这个配置,它会被重定向,但是它会进入循环,我有 ERR_TOO_MANY_REDIRECTS

如果我跟随 curl 它将进入循环:

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84

...

我已经通过简单地不使用显然不适用于 Traefik 的 oauth2-proxy 解决了问题,相反我找到了另一个项目:https://github.com/thomseddon/traefik-forward-auth

更简单一些,而且有效。

我已经设法让 Oauth-Proxy 与 Traefik 一起工作。查看此练习。

OAuth2 Proxy with k8s Treafik to protect Kafdrop subdomain URL