在Istio Ingress Gateway上实现SSO

2023-10-17 10:05:34

kubectl edit svc istio-ingressgateway -n istio-system

更改端口为 80

kubectl edit svc keycloak -nkeycloak

更改为8080

添加域

添加客户端

Keycloak上的Access Type共有三类： ◼ confidential：适用于需要执行浏览器登录的应用，客户端会通过client secret来获取access token , 多用于服务端渲染的web系统场景中； ◼ public：适用于需要执行浏览器登录的应用，多运用于使用vue和react实现的前端项目； ◼ bearer-only：适用于不需要执行浏览器登录的应用，只允许携带bearer token访问，多运用于RESTful API的使用场景；

添加*

多出凭据

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 01-deploy-oauth2.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
  labels:
    istio-injection: enabled
---
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
stringData:
  # change this to your Keycloak Realm Client Id 
  OAUTH2_PROXY_CLIENT_ID: ingress-gateway
  # change this to your Keycloak Client Secret 
  OAUTH2_PROXY_CLIENT_SECRET: QdbO5qR5OPNcHdedX6GFZSxlOmqKDKkm
  # Generate by command: openssl rand -base64 32 | tr -- '+/' '-_'
  OAUTH2_PROXY_COOKIE_SECRET: vEBMxbw7NXfaUIJR4klhdvB678GUPxWTd7tR9hq2m8w=
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
        args:
        - --provider=oidc
        - --oidc-issuer-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio
        - --profile-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo
        - --validate-url=http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/userinfo      
        - --set-authorization-header=true
        - --http-address=0.0.0.0:4180
        - --pass-host-header=true
        - --reverse-proxy=true
        - --auth-logging=true
        - --cookie-httponly=true
        - --cookie-refresh=4m
        - --cookie-secure=false
        - --email-domain="*"
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --request-logging=true
        - --set-xauthrequest=true
        - --silence-ping-logging=true
        - --skip-provider-button=true
        - --skip-auth-strip-headers=false
        - --ssl-insecure-skip-verify=true
        - --standard-logging=true
        - --upstream="static://200"
        - --whitelist-domain=".magedu.com,.cluster.local"
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# kubectl get deploy -noauth2-proxy
NAME           READY   UP-TO-DATE   AVAILABLE   AGE
oauth2-proxy   1/1     1            1           71s

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# kubectl get svc -noauth2-proxy
NAME           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
oauth2-proxy   ClusterIP   10.100.183.155   <none>        4180/TCP   3m7s

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 02-istio-operator-update.yaml 
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: demo
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        timeout: 1.5s
        includeHeadersInCheck: ["authorization", "cookie"]
        headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# istioctl install -f 02-istio-operator-update.yaml

root@master01:/opt/istio-in-practise/Security/05-JWT-and-Keycloak# cat 03-ext-auth-ingress-gateway.yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio
    jwksUri: http://keycloak.keycloak.svc.cluster.local:8080/auth/realms/istio/protocol/openid-connect/certs
    #audiences: ["ingress-gateway","istio-ingress-gateway"]
    # Forward JWT to Envoy Sidecar
    #forwardOriginalToken: true
 # - issuer: http://keycloak.magedu.com:8080/auth/realms/istio
 #   jwksUri: http://keycloak.magedu.com:8080/auth/realms/istio/protocol/openid-connect/certs
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-oauth2-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    # Extension provider configured when we installed Istio
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts: ["kiali.magedu.com"]
        notPaths: ["/auth/*"]

自动跳转为

码农公寓

相关文章