
I am trying to configure App ID based authentication for an application deployed to IBM Cloud Kubernetes Service (IKS) running in a VPC. In the past this worked well with IBM's own Ingress, but that has been deprecated. Now I am following the guide here on using the community Ingress, which discusses adding IBM App ID.

I seem to have configured everything, but I cannot access the host/site. Here is what the Ingress resource looks like:

```json
{
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "annotations": {
            "kubernetes.io/ingress.class": "public-iks-k8s-nginx",
            "nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
            "nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
            "nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;\naccess_by_lua_block {\n  if ngx.var.access_token ~= \"\" then\n    ngx.req.set_header(\"Authorization\", \"Bearer \" .. ngx.var.access_token)\n  end\n}\n"
        },
        "name": "ingress-for-mytest",
        "namespace": "sfs"
    },
    "spec": {
        "rules": [
            {
                "host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
                "http": {
                    "paths": [
                        {
                            "backend": {
                                "serviceName": "my-service",
                                "servicePort": 8081
                            },
                            "path": "/"
                        }
                    ]
                }
            }
        ],
        "tls": [
            {
                "hosts": [
                    "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
                ],
                "secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
            }
        ]
    }
}
```

1 Answer


I got it to work with the following definition:

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-for-mytest
  annotations:
    kubernetes.io/ingress.class: "public-iks-k8s-nginx"
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $access_token $upstream_http_x_auth_request_access_token;
      auth_request_set $id_token $upstream_http_authorization;
      access_by_lua_block {
        if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
          ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
        end
      }
spec:
  tls:
  - hosts:
    - myhost
    secretName: ingress-secret-for-mytest
  rules:
  - host: myhost
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 8081
```

Note that the OAuth2 proxy (see the steps on the proxy add-on and App ID integration) can only be deployed successfully into a non-default Kubernetes namespace if the (cluster) Ingress secret is copied into that namespace.

You can find the Ingress secret with the following command and view the secret in the default namespace:

```shell
ibmcloud ks ingress secret ls -c your-cluster-name
```

Then (re)create the secret in the non-default namespace, copying the CRN and the name of the secret:

```shell
ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace \
    --cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above
```
answered 2020-12-11T08:53:02.260
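A small manifest checker, added here as an example and not part of the question, the answer or any IBM or ingress-nginx tooling: its rules encode the differences between the failing and the working resources above (auth-url ending in the proxy's /auth endpoint, the v1 Ingress API, the snippet that forwards the token as a Bearer header, and TLS host/secret coverage). The two manifests are reduced inline copies with hypothetical host and secret names.

```python
from urllib.parse import urlparse
ANN = "nginx.ingress.kubernetes.io/"          # ingress-nginx annotation prefix
SNIPPET = ('auth_request_set $access_token $upstream_http_x_auth_request_access_token;\n'
           'access_by_lua_block { ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token) }')
TLS = [{"hosts": ["myhost"], "secretName": "ingress-secret-for-mytest"}]

# Constructed, reduced copies of the two resources on this page (hypothetical hosts/names).
FAILING = {"apiVersion": "networking.k8s.io/v1beta1",
           "metadata": {"annotations": {
               ANN + "auth-url": "https://$host/oauth2-myappid",
               ANN + "auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
               ANN + "configuration-snippet": SNIPPET}},
           "spec": {"tls": TLS, "rules": [{"host": "myhost"}]}}
WORKING = {"apiVersion": "networking.k8s.io/v1",
           "metadata": {"annotations": {
               ANN + "auth-url": "https://$host/oauth2-myappid/auth",
               ANN + "auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
               ANN + "configuration-snippet": SNIPPET}},
           "spec": {"tls": TLS, "rules": [{"host": "myhost"}]}}

def check_appid_ingress(manifest):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    spec = manifest.get("spec", {})
    if manifest.get("apiVersion") != "networking.k8s.io/v1":
        findings.append("apiVersion: use networking.k8s.io/v1 (v1beta1 Ingress is deprecated)")
    # The auth_request subrequest must hit oauth2-proxy's .../auth endpoint (2xx = allowed, 401 = sign in).
    if not urlparse(ann.get(ANN + "auth-url", "")).path.endswith("/auth"):
        findings.append("auth-url: must point at the proxy's .../auth endpoint")
    # auth-signin needs the original URI so the browser returns to the page after login.
    if "rd=$escaped_request_uri" not in ann.get(ANN + "auth-signin", ""):
        findings.append("auth-signin: missing rd=$escaped_request_uri")
    # The snippet is what turns the proxy's response header into a Bearer header for the backend.
    snippet = ann.get(ANN + "configuration-snippet", "")
    if "auth_request_set $access_token" not in snippet or 'set_header("Authorization"' not in snippet:
        findings.append("configuration-snippet: access token is not forwarded as Authorization")
    # Every rule host needs a TLS entry backed by a named secret that exists in this namespace.
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    for rule in spec.get("rules", []):
        if rule.get("host") not in tls_hosts:
            findings.append("tls: no TLS entry for host %s" % rule.get("host"))
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append("tls: secretName is empty")
    return findings

if __name__ == "__main__":
    for label, manifest in (("failing", FAILING), ("working", WORKING)):
        print(label, check_appid_ingress(manifest) or "OK")
```

Run it against a manifest exported with `kubectl get ingress <name> -o json` (loaded with `json.load`) before applying it; the TLS check only tells you the secret is named, so the secret itself still has to exist in the target namespace as the answer describes.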