Authentication problem with Traefik / Keycloak (and Gatekeeper) in front of Kibana

Tags: authentication, kibana, keycloak

I would like to use Keycloak as a standard way of authenticating users of the applications running in our Kubernetes clusters. One of the clusters is running the Elastic ECK component (v1.1.1), and we use the operator to deploy the Elastic cluster and Kibana as its front end. To keep things as simple as possible, I did the following:

Deployed Kibana

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: {{ .Values.kibana.name }}
  namespace: {{ .Release.Namespace }}
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
spec:
  version: {{ .Values.kibana.version }}
  count: {{ .Values.kibana.instances }}
  elasticsearchRef:
    name: {{ .Values.kibana.elasticCluster }}
    namespace: {{ .Release.Namespace }}
  podTemplate:
    spec:
      containers:
      - name: kibana
        env:
        - name: SERVER_BASEPATH
          value: {{ .Values.kibana.serverBasePath }}
        resources:
          requests:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.requests }}
            {{- end }}
            memory: {{ .Values.kibana.memory.requests }}Gi
          limits:
            {{- if not .Values.kibana.cpu.enableBurstableQoS }}
            cpu: {{ .Values.kibana.cpu.limits }}
            {{- end }}
            memory: {{ .Values.kibana.memory.limits }}Gi
  http:
    tls:
      selfSignedCertificate:
        disabled: true
Created the Ingress

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: kibana-{{ .Values.kibana.name }}-stripprefix
  namespace: {{ .Release.Namespace }}
spec:
  stripPrefix:
    prefixes: 
      - {{ .Values.kibana.serverBasePath }}
    forceSlash: true

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ .Values.kibana.name }}-ingress
  namespace: {{ .Release.Namespace }}
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: http
    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-kibana-{{ .Values.kibana.name }}-stripprefix@kubernetescrd
spec:
  rules:
  - http:
      paths:
      - path: {{ .Values.kibana.serverBasePath }}
        backend:
            servicePort: {{ .Values.kibana.port }}
            serviceName: {{ .Values.kibana.name }}-kb-http
Result

Deploying the above works very well. I am able to reach the Kibana UI using the external IP exposed by the MetalLB component. I simply go to http://external IP/service/logging/kibana and I land on the Kibana login screen, where I can log in using the "built-in" authentication process.

Adding the Keycloak Gatekeeper

Now, if I add the following to the Kibana manifest, effectively adding the Keycloak Gatekeeper sidecar to the Kibana pod:

  - name: {{ .Values.kibana.name }}-gatekeeper
    image: "{{ .Values.kibana.keycloak.gatekeeper.repository }}/docker-r/keycloak/keycloak-gatekeeper:{{ .Values.kibana.keycloak.gatekeeper.version }}"
    args:
      - --config=/etc/keycloak-gatekeeper.conf
    ports:
      - containerPort: 3000
        name: proxyport
    volumeMounts:
    - name: gatekeeper-config
      mountPath: /etc/keycloak-gatekeeper.conf
      subPath: keycloak-gatekeeper.conf
  volumes:
    - name: gatekeeper-config
      configMap:
        name: {{ .Release.Name }}-gatekeeper-config
with the following ConfigMap "mounted":

The upstream url points to

and adding a proxy service

To address the Gatekeeper proxy explicitly, I added another service, the "keycloak-proxy":

apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.kibana.name }}-keycloak-proxy
  namespace: {{ .Release.Namespace }}
spec:
  type: ClusterIP
  selector:
    common.k8s.elastic.co/type: kibana
    kibana.k8s.elastic.co/name: cap-logging
  ports:
    - name: http
      protocol: TCP
      port: 8888
      targetPort: proxyport
and changed the backend definition in the Kibana Ingress definition to:

servicePort: 8888
serviceName: {{ .Values.kibana.name }}-keycloak-proxy
Then, issuing the same URL as above, http://external IP/service/logging/kibana, I am redirected to http://external IP/oauth/authorize?state=0db97b79-b980-4cdc-adbe-707a5e37df1b and get a "404 page not found" error.

If I reconfigure the "keycloak-proxy" service, turn it into a NodePort, expose it on port 32767 and issue http://host IP:32767, I land on the Keycloak login screen of the Keycloak server.

If I look at the Gatekeeper startup log, I see the following:

1.6018108005048046e+09 info starting the service {"prog": "keycloak-gatekeeper", "author": "Keycloak", "version": "7.0.0 (git+sha: f66e137, built: 03-09-2019)"}
1.6018108005051787e+09 info attempting to retrieve configuration discovery url {"url": "https://.../auth/realms/...", "timeout": "30s"}
1.601810800537417e+09 info successfully retrieved openid configuration from the discovery
1.6018108005392597e+09 info enabled reverse proxy mode, upstream url {"url": "http://127.0.0.1:5601"}
1.6018108005393562e+09 info using session cookies only for access and refresh tokens
1.6018108005393682e+09 info protecting resource {"resource": "uri: /*, methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT,TRACE, required: authentication only"}
1.6018108005398147e+09 info keycloak proxy service starting {"interface": ":3000"}
This is what I get when I try to access Kibana through the Gatekeeper proxy:

http://host/service/logging/kibana (gets redirected to) http://host/oauth/authorize?state=4dbde9e7-674c-4593-83f2-a8e5ba7cf6b5
and the Gatekeeper log:

1.601810963344485e+09 error no session found in request, redirecting for authorization {"error": "authentication session not found"}
I have been struggling with this for a while and seem to be stuck! If anyone here "knows what is going on", I would be very grateful.

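An added example, not part of the original question and not a confirmed fix. What the question shows is that the only Ingress path is the Kibana base path, while Gatekeeper sends the browser to /oauth/authorize at the root of the external host, which no Ingress rule routes; the manifests below assume that this is the reason for the 404 and route Gatekeeper's own /oauth endpoints to the proxy service as well. The ConfigMap (which the question does not include) uses the keycloak-gatekeeper 7.x configuration keys as I know them (discovery-url, client-id, client-secret, listen, upstream-url, redirection-url, secure-cookie, resources); the realm, client, secret and host name are placeholders, and the Helm values are the ones from the question.

```yaml
# Added example, not from the original question. Hostnames, realm, client
# and secret are placeholders; the Helm values are the question's own.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-gatekeeper-config
  namespace: {{ .Release.Namespace }}
data:
  keycloak-gatekeeper.conf: |
    # Assumed keycloak-gatekeeper 7.x keys.
    discovery-url: https://keycloak.example.com/auth/realms/logging   # placeholder
    client-id: kibana                                                  # placeholder
    client-secret: replace-me                                          # placeholder
    listen: ":3000"
    # Kibana listens in the same pod, as in the startup log of the question.
    upstream-url: http://127.0.0.1:5601
    # Must be the URL the browser uses, so that /oauth/callback comes back
    # through the Ingress and not to the pod-local address.
    redirection-url: http://external-ip                                # placeholder
    # The question uses the plain "http" entrypoint; switch to true behind TLS.
    secure-cookie: false
    resources:
      - uri: /*
        methods:
          - GET
          - POST
          - PUT
          - PATCH
          - DELETE
          - HEAD
          - OPTIONS
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ .Values.kibana.name }}-ingress
  namespace: {{ .Release.Namespace }}
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: http
    # Same stripPrefix middleware as in the question; it only strips the
    # prefixes it lists, so the /oauth path below passes through unchanged.
    traefik.ingress.kubernetes.io/router.middlewares: {{ .Release.Namespace }}-kibana-{{ .Values.kibana.name }}-stripprefix@kubernetescrd
spec:
  rules:
  - http:
      paths:
      # Kibana UI, reached through the Gatekeeper sidecar (port 8888 -> proxyport).
      - path: {{ .Values.kibana.serverBasePath }}
        backend:
          serviceName: {{ .Values.kibana.name }}-keycloak-proxy
          servicePort: 8888
      # Gatekeeper's own endpoints: /oauth/authorize, /oauth/callback, /oauth/logout.
      # Without this rule the redirect seen in the question has nowhere to go.
      - path: /oauth
        backend:
          serviceName: {{ .Values.kibana.name }}-keycloak-proxy
          servicePort: 8888
```

Two things to check after applying this. First, that the Keycloak client has http://external-ip/oauth/callback (the placeholder host above) registered as a valid redirect URI, otherwise Keycloak rejects the callback. Second, because stripPrefix removes the base path before the request reaches Gatekeeper, the URL Gatekeeper remembers for the post-login redirect may be "/" rather than the Kibana base path; if the browser ends up on http://external-ip/ after login, that is the place to look (for example by adding a rule for the root path, or by not stripping the prefix and letting Kibana handle it), rather than the session-cookie error quoted above.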