Oauth2-proxy和Traefik:太多重定向

Question

我已经尝试了几天和无数个小时来让这个东西在Traefik上工作，然而无论我尝试了什么，到目前为止都没有成功。

我首先尝试了Nginx入口控制器，并设法让它工作，所以我确信我的提供者(Cognito)和oauth2-proxy pod工作正常。

所以，我使用的是EKS 1.20集群，我们已经通过helm chart安装了Traefik

replicas: 1

rbac:
  enabled: true

accessLogs:
  enabled: false

service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "my-certs"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"

externalTrafficPolicy: Local

ssl:
  enabled: true
  enforced: true
  upstream: true

helm upgrade -i traefik traefik/traefik -f traefik-values.yaml

这是我的oauth代理的配置，它与Nginx一起工作。在Oauth-proxy中没有提到Traefik，所以我猜这也应该是可行的：

config:
  clientID: "xxxxx"
  clientSecret: "xxxxxx"
  cookieSecret: "xxxx"
  configFile: |-
    email_domains = [ "*" ]
    upstreams = [ "file:///dev/null" ]

extraArgs:
  oidc-issuer-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>"
  oidc-jwks-url: "https://cognito-idp.<region>.amazonaws.com/<pool_id>/.well-known/jwks.json"
  provider: oidc
  provider-display-name: "Cognito SSO"
  cookie-secure: false
  cookie-name: "_oauth2_proxy"
  skip-provider-button: true
  scope: openid
  reverse-proxy: true
  real-client-ip-header: X-Forwarded-For
  whitelist-domain: mycompany.com
  cookie-domain: mycompany.com
  set-authorization-header: true

这些是他们的文档中建议的配置，转换为Kubernetes：https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#configuring-for-use-with-the-traefik-v2-forwardauth-middleware

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth-headers
spec:
  headers:
    sslRedirect: true
    stsSeconds: 315360000
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    frameDeny: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-auth
spec:
  forwardAuth:
    address: https://mycompany.com/oauth2/auth
    trustForwardHeader: true

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth-errors
spec:
  errors:
    status:
      - "401-403"
    service:
      name: oauth2-proxy
      port: 80
    query: "/oauth2/sign_in"

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: oauth2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`) && PathPrefix(`/oauth2/`)"
      kind: Rule
      services:
        - kind: Service
          name: oauth2-proxy
          port: 80
      middlewares:
        - name: auth-headers

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: linkerd-dashboard-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: "Host(`mycompany.com`)"
      kind: Rule
      services:
        - name: nginx-service
          kind: Service
          port: 8080
      priority: 1
      middlewares:
        - name: oauth-auth
        - name: oauth-errors

有了这个配置，它将被重定向，但是它进入循环，我有ERR_TOO_MANY_REDIRECTS

如果我跟上curl，它就会循环：

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84

HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: https://mycompany.com/oauth2/auth
Date: Wed, 08 Sep 2021 10:12:04 GMT
Content-Length: 84

...

Answer 1

我通过简单地不使用oauth2-proxy来解决这个问题，它显然不能与Traefik一起工作，相反，我找到了另一个项目：https://github.com/thomseddon/traefik-forward-auth

再简单一点，它就能工作了。

Answer 2

我已经设法让Oauth-Proxy与Treafik一起工作。查看此练习。

OAuth2 Proxy with k8s Treafik to protect Kafdrop subdomain URL