我正在尝试为部署到VPC中运行的IBM Cloud Kubernetes Service(IKS(的应用程序配置基于应用程序ID的身份验证。在过去,它与IBM自己的Ingress合作得很好。然而,这遭到了反对。现在,我在这里遵循使用社区Ingress的指南,并讨论如何添加IBM应用程序Id。
我似乎已经配置了所有内容,但无法访问主机/站点。以下是Ingress资源的样子:
"apiVersion": "networking.k8s.io/v1beta1",
"kind": "Ingress",
"metadata": {
"annotations": {
"kubernetes.io/ingress.class": "public-iks-k8s-nginx",
"nginx.ingress.kubernetes.io/auth-signin": "https://$host/oauth2-myappid/start?rd=$escaped_request_uri",
"nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2-myappid",
"nginx.ingress.kubernetes.io/configuration-snippet": "auth_request_set $access_token $upstream_http_x_auth_request_access_token;
access_by_lua_block {
if ngx.var.access_token ~= "" then
ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token)
end
}
"
},
"name": "ingress-for-mytest",
"namespace": "sfs"
},
"spec": {
"rules": [
{
"host": "myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud",
"http": {
"paths": [
{
"backend": {
"serviceName": "my-service",
"servicePort": 8081
},
"path": "/"
}
]
}
}
],
"tls": [
{
"hosts": [
"myhost.henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000.eu-de.containers.appdomain.cloud"
],
"secretName": "henrik-cluster-cd5d3f574d7d8057a176af82152f5-0000"
}
]
}
}
我使用了以下定义:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-for-mytest
annotations:
kubernetes.io/ingress.class: "public-iks-k8s-nginx"
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-myappid/auth
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-myappid/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/configuration-snippet: |
auth_request_set $access_token $upstream_http_x_auth_request_access_token;
auth_request_set $id_token $upstream_http_authorization;
access_by_lua_block {
if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
end
}
spec:
tls:
- hosts:
- myhost
secretName: ingress-secret-for-mytest
rules:
- host: myhost
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-service
port:
number: 8081
需要注意的是,OAuth2代理(请参阅有关代理插件和App ID集成的步骤(只有在(集群(Ingress机密复制到非默认的Kubernetes命名空间中的情况下才能成功部署到该命名空间。
您可以使用以下命令查找Ingress机密,并在默认名称空间中监视该机密:
ibmcloud ks ingress secret ls -c your-cluster-name
然后,在非默认名称空间中(重新(创建该秘密,复制该秘密的CRN和名称:
ibmcloud ks ingress secret create -c your-cluster-name -n your-namespace
--cert-crn the-crn-shown-in-the-output-above --name the-secret-name-shown-above