我一直在设置一个kubernetes集群,并希望保护kube.example.com后面的仪表板(在bitly/oauth2_proxy上运行)(在图像example.com/oauth2上运行a5huynh/oauth2_proxy:latest),因为我想重新使用OAuth代理来运行我将运行的其他服务。身份验证工作正常但在用户登录后,即回调返回时,会将其发送到example.com,而应将其发送到启动流的原始主机kube.example.com。我怎样才能做到这一点? (我使用的是nginx-ingress-controller)。
OAuth2代理上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
仪表板上的注释:
kubernetes.io/ingress.class: "nginx",
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start",
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth",
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS",
nginx.ingress.kubernetes.io/force-ssl-redirect: "true",
nginx.ingress.kubernetes.io/secure-backends: "true",
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"
我希望在OAuth流程完成后重定向到原来的主机kube.example.com但是我被发送回OAuth2主机example.com
在搜索了一下之后,我遇到了一个关于在一个超级简单的庄园中表演的blog post。不幸的是我发现提供的yaml不能正常工作,因为nginx拦截了所有请求,oauth2_proxy从未被击中(我不确定我的工作是否因为我想要oauth-proxy url是example.com/oauth2而不是oauth2.example.com) 。为了解决这个问题,我将oauth2代理路径添加回Ingress代理,即
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: oauth2-proxy
namespace: default
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: oauth2-proxy
servicePort: 80
path: /
- backend:
serviceName: oauth2-proxy
servicePort: 4180
path: /oauth2
并确保该服务仍然暴露,即
apiVersion: v1
kind: Service
metadata:
labels:
k8s-app: oauth2-proxy
name: oauth2-proxy
namespace: default
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: http-proxy
port: 4180
protocol: TCP
targetPort: 4180
selector:
k8s-app: oauth2-proxy
然后,为了保护oauth代理后面的服务,我只需要在Ingress注释中添加以下内容:
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=/redirect/$http_host$request_uri"