Ingress and OAuth2 Proxy: 500 error issue

Question (votes: 0, answers: 1)

I am having a problem with my Kubernetes Ingress and OAuth2 Proxy. When I access my application through the Ingress I expect to be redirected to the Okta authentication page, but instead I get a 500 Internal Server Error. Here is my conf:

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://appli-test.kube.fr/oauth2/auth
  name: ingress
  namespace: h1
spec:
  ingressClassName: nginx
  rules:
    - host: appli-test.kube.fr
      http:
        paths:
          - backend:
              service:
                name: backend
                port:
                  number: 8800
            path: /api
            pathType: Prefix
          - backend:
              service:
                name: frontend
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - appli-test.kube.fr
      secretName: test-tl

My Deployment configuration:

    spec:
      containers:
        - args:
            - '--http-address=0.0.0.0:4180'
            - '--https-address=0.0.0.0:4443'
            - '--metrics-address=0.0.0.0:44180'
            - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client-id
                  name: oauth2-proxy
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client-secret
                  name: oauth2-proxy
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  key: cookie-secret
                  name: oauth2-proxy

My ConfigMap:

  oauth2_proxy.cfg: |
    provider = "oidc"
    redirect_url = "http://appli-test.kube.fr/oauth2/callback"
    oidc_issuer_url = "https://dev-xxxx.okta.com/oauth2/xxxx"
    upstreams = [
        "http://appli-test.kube.fr"
    ]
    email_domains = [
        "*"
    ]
    client_id = "xxx"
    client_secret = "xxxx"
    pass_access_token = true
    cookie_secret = "xxx"
    skip_provider_button = true

And the oauth2-proxy Service:

spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 4180
      protocol: TCP
      targetPort: http
    - appProtocol: http
      name: metrics
      port: 44180
      protocol: TCP
      targetPort: metrics
  selector:
    app.kubernetes.io/instance: oauth2-proxy
    app.kubernetes.io/name: oauth2-proxy
  sessionAffinity: None
  type: ClusterIP

I have not created any Ingress for oauth2-proxy. Thanks in advance for your help!

kubernetes kubernetes-ingress okta oauth2-proxy
1 answer

0 votes

How to fix

Hi, I ran into the same problem and solved it by using the cluster.local address for the nginx.ingress.kubernetes.io/auth-url annotation.

The second annotation looks like this:

nginx.ingress.kubernetes.io/auth-url: http://<kube-service-name>.<kube-namespace>.svc.cluster.local/oauth2/auth

For example, if you use the Bitnami chart for oauth2-proxy with its standard namespace, it looks like this:

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth
  name: ingress

After validating it, you can add the following (an annotation without a specific host URL) to simplify the Ingress configuration:

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri

Why doesn't it work with the public address?

These errors are caused by an SSL issue, because the certificate CN is for the company's hostname, not for the IP address.

You can check the ingress-controller logs and see something like this:

$ kubectl -n ingress logs nginx-ingress-controller-... -f
2022/02/01 20:08:24 [warn] 519#519: *30970 upstream server temporarily disabled while reading response header from upstream, client: 10.999.50.43, server: appli-test.kube.fr, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw-Prefix", upstream: "https://52.7.179.999:443/oauth2/auth", host: "appli-test.kube.fr", referrer: "https://appli-test.kube.fr/"

As you can see, the upstream here looks like

upstream: "https://52.7.179.999:443/oauth2/auth"

but it should be

upstream: "https://appli-test.kube.fr/oauth2/auth"

This is an ingress-controller misconfiguration.
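To put the answer's advice together with the manifests from the question, here is a complete configuration as an added example; it is not code from the question, the answer, or the oauth2-proxy project. It assumes that the oauth2-proxy Service is named oauth2-proxy, listens on port 4180 (as in the question's Service) and lives in the application namespace h1, that the TLS Secret test-tl exists there, and that the ConfigMap the Deployment mounts is named oauth2-proxy; all of those names are assumptions made for the example. It also adds what the question's setup is missing: an Ingress that routes /oauth2 on the public host to the proxy, without the auth annotations, so that the browser redirect issued by auth-signin actually reaches oauth2-proxy and the /oauth2 path is not itself subjected to auth_request.

```yaml
# Added example; not from the question, the answer, or the oauth2-proxy project.
# Assumptions: the application Services (frontend, backend) and the oauth2-proxy
# Service (name oauth2-proxy, port 4180, as in the question) all live in
# namespace h1, and the TLS Secret test-tl exists there.
---
# Ingress for oauth2-proxy itself. The question has none, so a browser sent to
# https://appli-test.kube.fr/oauth2/start would land on the frontend Service.
# No auth-url/auth-signin annotations here: running auth_request against the
# proxy's own /oauth2 endpoints would loop.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: h1
spec:
  ingressClassName: nginx
  rules:
    - host: appli-test.kube.fr
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
    - hosts:
        - appli-test.kube.fr
      secretName: test-tl
---
# Application Ingress. auth-url points at the Service DNS name over plain HTTP,
# so the nginx auth_request subrequest stays inside the cluster and never has
# to validate the public certificate. auth-signin is a browser redirect, so it
# keeps the public https scheme; $host avoids hard-coding the hostname.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  namespace: h1
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.h1.svc.cluster.local:4180/oauth2/auth
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
spec:
  ingressClassName: nginx
  rules:
    - host: appli-test.kube.fr
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: backend
                port:
                  number: 8800
          - path: /
            pathType: Prefix
            backend:
              service:
                name: frontend
                port:
                  number: 80
  tls:
    - hosts:
        - appli-test.kube.fr
      secretName: test-tl
---
# oauth2-proxy settings that differ from the question's ConfigMap (assumed
# values apart from the hostname and issuer). TLS terminates at the Ingress,
# so redirect_url and the redirect URI registered in Okta must both be https.
# With the auth_request pattern no application traffic flows through the
# proxy, so upstreams can be a static 202 response instead of the public host.
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy
  namespace: h1
data:
  oauth2_proxy.cfg: |
    provider = "oidc"
    oidc_issuer_url = "https://dev-xxxx.okta.com/oauth2/xxxx"
    redirect_url = "https://appli-test.kube.fr/oauth2/callback"
    upstreams = [ "static://202" ]
    email_domains = [ "*" ]
    pass_access_token = true
    # Needed for auth-response-headers: Authorization to carry the ID token.
    set_authorization_header = true
    skip_provider_button = true
    # client_id, client_secret and cookie_secret come from the Secret
    # referenced by the Deployment's OAUTH2_PROXY_* environment variables.
```

After applying this, the ingress-controller log line for the external-auth subrequest should show the cluster-local upstream (http://oauth2-proxy.h1.svc.cluster.local:4180/oauth2/auth) rather than the public IP over https, and an unauthenticated request to https://appli-test.kube.fr/ should answer with a 302 to /oauth2/start instead of a 500. Keep auth-url on plain HTTP only because the subrequest never leaves the cluster network; if the proxy were reached across an untrusted network, a TLS endpoint with a certificate the controller can validate would be required instead.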
