Authentication problem with Traefik/Keycloak (and Gatekeeper) in front of Kibana
Tags: authentication, kibana, keycloak
I want to use Keycloak as a standard way of authenticating users of the applications running in our Kubernetes clusters. One of the clusters is running the Elastic ECK component (v1.1.1), and we use the operator to deploy an Elastic cluster with Kibana as the front end. To keep things as simple as possible, I did the following.
Deployed Kibana
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: {{ .Values.kibana.name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
spec:
  version: {{ .Values.kibana.version }}
  count: {{ .Values.kibana.instances }}
  elasticsearchRef:
    name: {{ .Values.kibana.elasticCluster }}
    namespace: {{ .Release.Namespace }}
  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: SERVER_BASEPATH
          value: {{ .Values.kibana.serverBasePath }}
        resources:
          requests:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.requests }}
            {{- end }}
            memory: {{ .Values.kibana.memory.requests }}Gi
          limits:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.limits }}
            {{- end }}
            memory: {{ .Values.kibana.memory.limits }}Gi
  http:
    tls:
      selfSignedCertificate:
        disabled: true
Created the Ingress
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: kibana-{{ .Values.kibana.name }}-stripprefix
  namespace: {{ .Release.Namespace }}
spec:
  stripPrefix:
    prefixes:
    - {{ .Values.kibana.serverBasePath }}
    forceSlash: true
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ .Values.kibana.name }}-ingress
  namespace: {{ .Release.Namespace }}
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: http
    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-kibana-{{ .Values.kibana.name }}-stripprefix@kubernetescrd
spec:
  rules:
  - http:
      paths:
      - path: {{ .Values.kibana.serverBasePath }}
        backend:
          servicePort: {{ .Values.kibana.port }}
          serviceName: {{ .Values.kibana.name }}-kb-http
Result
Deploying the above works very well. I am able to access the Kibana UI using the external IP exposed by the MetalLB component. I just go to http://external IP/service/logging/kibana and I land on the Kibana login screen, where I can log in using the "built-in" authentication process.
Adding Keycloak Gatekeeper
Now, if I add the following to the Kibana manifest, effectively adding a Keycloak Gatekeeper sidecar to the Kibana pod:
      - name: {{ .Values.kibana.name }}-gatekeeper
        image: "{{ .Values.kibana.keycloak.gatekeeper.repository }}/docker-r/keycloak/keycloak-gatekeeper:{{ .Values.kibana.keycloak.gatekeeper.version }}"
        args:
        - --config=/etc/keycloak-gatekeeper.conf
        ports:
        - containerPort: 3000
          name: proxyport
        volumeMounts:
        - name: gatekeeper-config
          mountPath: /etc/keycloak-gatekeeper.conf
          subPath: keycloak-gatekeeper.conf
      volumes:
      - name: gatekeeper-config
        configMap:
          name: {{ .Release.Name }}-gatekeeper-config
with the following ConfigMap "mounted":
The upstream URL points to
and adding an intermediary service:
To address the Gatekeeper proxy explicitly, I added another service, "keycloak-proxy":
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.kibana.name }}-keycloak-proxy
  namespace: {{ .Release.Namespace }}
spec:
  type: ClusterIP
  selector:
    common.k8s.elastic.co/type: kibana
    kibana.k8s.elastic.co/name: cap-logging
  ports:
  - name: http
    protocol: TCP
    port: 8888
    targetPort: proxyport
and changed the backend definition for Kibana to:
          servicePort: 8888
          serviceName: {{ .Values.kibana.name }}-keycloak-proxy
Then, issuing the same URL as above, http://external IP/service/logging/kibana, I am redirected to http://external IP/oauth/authorize?state=0db97b79-b980-4cdc-adbe-707a5e37df1b and get a "404 page not found" error.
If I reconfigure the "keycloak-proxy" service into a NodePort, expose it on port 32767 and issue http://host IP:32767, I land on the Keycloak login screen of the Keycloak server.
If I look at the Gatekeeper startup log, I see the following:
1.6018108005048046e+09 info starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
1.6018108005051787e+09 info attempting to retrieve configuration discovery url {"url": "https://.../auth/realms/...", "timeout": "30s"}
1.601810800537417e+09 info successfully retrieved openid configuration from the discovery
1.6018108005392597e+09 info enabled reverse proxy mode, upstream url {"url": "http://127.0.0.1:5601"}
1.6018108005393562e+09 info using session cookies only for access and refresh tokens
1.6018108005393682e+09 info protecting resource {"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
1.6018108005398147e+09 info keycloak proxy service starting {"interface": ":3000"}
This is what I get when I try to access Kibana through the Gatekeeper proxy:
http://host/service/logging/kibana (gets redirected to) http://host/oauth/authorize?state=4dbde9e7-674c-4593-83f2-a8e5ba7cf6b5
and the Gatekeeper log:
1.601810963344485e+09 error no session found in request, redirecting for authorization {"error": "authentication session not found"}
I have been struggling with this for a while and seem to be stuck! If anyone here "knows what is going on", I would be very grateful.
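One check worth making in a setup like the one above, as an added example that is not part of the post: model the single Ingress path rule plus the stripPrefix middleware and ask which URLs of the Gatekeeper login round trip Traefik would actually forward to the sidecar. The routed prefix, the host and the requested URLs are assumptions taken from the manifests and log above; the callback path /oauth/callback is Gatekeeper's default and does not appear on the page.

```python
from urllib.parse import urlsplit

# Constructed model of the Traefik setup in the post (assumption): one Ingress
# path rule for the Kibana base path, with a stripPrefix middleware in front of
# the Gatekeeper sidecar. Each rule is (routed prefix, strip_prefix).
INGRESS_RULES = [("/service/logging/kibana", True)]

def route(url, rules=INGRESS_RULES):
    """Return (matched, upstream_path) as Traefik's path rule and the
    stripPrefix(forceSlash) middleware would handle the URL. matched is False
    when no rule applies, which Traefik answers with '404 page not found'."""
    path = urlsplit(url).path or "/"
    for prefix, strip in rules:
        # a prefix rule matches the prefix itself or the prefix followed by '/'
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            rest = path[len(prefix):] if strip else path
            # forceSlash: an empty remainder is forwarded as '/'
            return True, rest if rest.startswith("/") else "/" + rest
    return False, None

# URLs the Gatekeeper login flow touches. The first two are on the page (the
# requested URL and the redirect target from the Gatekeeper log); the callback
# path is Gatekeeper's default and an assumption here.
AUTH_FLOW_URLS = [
    "http://external-ip/service/logging/kibana",
    "http://external-ip/oauth/authorize?state=4dbde9e7-674c-4593-83f2-a8e5ba7cf6b5",
    "http://external-ip/oauth/callback",
]

def unrouted_auth_urls(urls=AUTH_FLOW_URLS, rules=INGRESS_RULES):
    """Return the login-flow URLs the Ingress would not forward to the sidecar;
    an empty list means the whole round trip stays inside the routed prefix."""
    return [u for u in urls if not route(u, rules)[0]]

if __name__ == "__main__":
    for u in AUTH_FLOW_URLS:
        print(u, "->", route(u))
```

In this model the redirect target falls outside the only routed prefix, which is consistent with the 404 the post describes; a routed prefix that covers every URL the auth proxy serves is what the check would need to return an empty list.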