如何解决在 Keycloak-Gatekeeper 配置中找不到身份验证会话
我正在尝试使用 keycloak 作为我的身份提供者来访问 k8s 仪表板。我使用 keycloak-gatekeeper 进行身份验证。
我的 pod 上的 keycloak 配置文件如下 pod1
apiVersion: apps/v1
kind: Deployment
Metadata:
name: db
namespace: kubernetes-dashboard
spec:
replicas: 1
selector:
matchLabels:
app: db
template:
Metadata:
labels:
app: db
spec:
containers:
- name: gatekeeper
image: carlosedp/keycloak-gatekeeper:latest
args:
- --config=/etc/keycloak-gatekeeper.conf
ports:
- containerPort: 3000
name: service
volumeMounts:
- name: gatekeeper-config
mountPath: /etc/keycloak-gatekeeper.conf
subPath: keycloak-gatekeeper.conf
- name: gatekeeper-files
mountPath: /html
volumes:
- name : gatekeeper-config
configMap:
name: gatekeeper-config
- name : gatekeeper-files
configMap:
name: gatekeeper-files
---
apiVersion: v1
kind: ConfigMap
Metadata:
name: gatekeeper-config
namespace: kubernetes-dashboard
creationTimestamp: null
data:
keycloak-gatekeeper.conf: |+
discovery-url: http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm
skip-openid-provider-tls-verify: true
client-id: k8s-client
client-secret: <SECRET>
listen: 0.0.0.0:3000
debug: true
ingress.enabled: true
enable-refresh-tokens: true
enable-logging: true
enable-json-logging: true
redirection-url: http://k8s.dashboard.com/dashboard/
secure-cookie: false
encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
enable-encrypted-token: false
upstream-url: http://127.0.0.0:80
forbidden-page: /html/access-forbidden.html
headers:
Bearer : <bearer token>
resources:
- uri: /*
groups:
- k8s-group
---
apiVersion: v1
kind: ConfigMap
Metadata:
name: gatekeeper-files
namespace: kubernetes-dashboard
creationTimestamp: null
data:
access-forbidden.html: html file
---
apiVersion: v1
kind: Service
Metadata:
labels:
app: db
name: db
namespace: kubernetes-dashboard
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: service
selector:
app: db
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
Metadata:
name: db
namespace: kubernetes-dashboard
annotations:
kubernetes.io/ingress.class: "Nginx"
Nginx.ingress.kubernetes.io/rewrite-target: /
Nginx.ingress.kubernetes.io/proxy-buffer-size: "64k"
spec:
rules:
- host: k8s.dashboard.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: db
port:
number: 80
当我访问 k8s.dashboard.com
时,我得到了这个 URL,它引导我到 keycloak 页面进行身份验证。
http://keycloak.<IP>.nip.io:8080/auth/realms/k8s-realm/protocol/openid-connect/auth?client_id=k8s-client&redirect_uri=http%3A%2F%2Fk8s.dashboard.com%2Fdashboard%2Foauth%2Fcallback&response_type=code&scope=openid+email+profile&state=23c4b0ff-259f-45c0-934a-98fc780363e6
登录keycloak后,它向我抛出404页面,重定向的URL是
http://k8s.dashboard.com/dashboard/oauth/callback?state=23c4b0ff-259f-45c0-934a-98fc780363e6&session_state=4c698f90-4e03-44a9-b231-01a418f0d569&code=9ab6a309-98ad-4d61-989f-116f0b151522.4c698f90-4e03-44a9-b231-01a418f0d569.520395c1-d601-4502-981a-b1c08861ab3d
如您所见,在 k8s.dashboard.com/dashboard 之后添加了额外的 /oauth/callback 端点。如果我删除 /oauth/callback 那么它会将我重定向到 k8s 仪表板登录页面。
我的pod日志文件如下:
{"level":"info","ts":1626074166.8771496,"msg":"client request","latency":0.000162174,"status":307,"bytes":95,"client_ip":"172.17.0.8:43276","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1626074166.9270697,"latency":0.000054857,"bytes":330,"path":"/oauth/authorize"}
{"level":"error","ts":1626074176.2642884,"msg":"no session found in request,redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1626074176.264481,"latency":0.000197256,"path":"/"}
{"level":"info","ts":1626074176.2680361,"latency":0.000041917,"ts":1626074185.140641,"ts":1626074185.1407247,"latency":0.000091046,"ts":1626074185.1444902,"latency":0.000042129,"ts":1626074202.1827211,"ts":1626074202.182838,"latency":0.000122802,"ts":1626074202.1899397,"latency":0.000032541,"path":"/oauth/authorize"}
这里有什么问题?任何帮助将不胜感激!
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。