使用Azure Active Directory的NGINX Ingress外部oauth

Question

我希望使用Azure Active Directory作为外部oauth2提供程序来保护我在入口级的服务。在过去，我使用基本的ouath，一切都像预期的那样工作。但是nginx提供了外部ouath方法，这听起来更舒服！

为此，我创建了一个SP：

$ az ad sp create-for-rbac  --skip-assignment --name test -o table

AppId                 DisplayName        Name               Password                   Tenant
<AZURE_CLIENT_ID>     test               http://test        <AZURE_CLIENT_SECRET>      <TENANT_ID>

我的入口资源：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: ingress-nginx
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-url: "https://\$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://\$host/oauth2/start?rd=$escaped_request_uri"
    # nginx.ingress.kubernetes.io/auth-type: basic
    # nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'

和externel-oauth：

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --provider=azure
        - --email-domain=microsoft.com
        - --upstream=file:///dev/null
        - --http-address=0.0.0.0:4180
        - --azure-tenant=$AZURE_TENANT_ID
        env:
          - name: OAUTH2_PROXY_CLIENT_ID
            value: $API_CLIENT_ID
          - name: OAUTH2_PROXY_CLIENT_SECRET
            value: $API_CLIENT_SECRET
          - name: OAUTH2_PROXY_COOKIE_SECRET
            value: $API_COOKIE_SECRET
          # created by docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));
        image: docker.io/colemickens/oauth2_proxy:latest
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: kube-system
spec:
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
  selector:
    app: oauth2-proxy

看起来有些地方不对劲，但我不知道我错过了什么。当我试图进入页面时，它加载了长达一分钟，并以'500内部服务器错误‘结束。入口控制器的日志显示以下无限循环：

10.244.2.1 - - [16/Jan/2020:15:32:30 +0000] "GET /oauth2/auth HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxxxx Safari/xxxx" 727 0.003 [upstream-default-backend] [] - - - - <AZURE_CLIENT_ID>

Answer 1

因此，您还需要另一个用于oAuth部署的入口。下面是我的设置：

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana-ingress-oauth
  namespace: grafana 
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: xxx
      http:
        paths:
          - path: /oauth2
            backend:
              serviceName: oauth2-proxy
              servicePort: 4180
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: grafana
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/tls-acme: "true"
    certmanager.k8s.io/cluster-issuer: letsencrypt-production
    ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
spec:
  rules:
    - host: xxx
      http:
        paths:
          - path: /
            backend:
              serviceName: grafana
              servicePort: 80

这样，第二个入口重定向到第一个入口，第一个入口执行身份验证，然后重定向回来