# talk-oathkeeper
b
Edit: Solved. Anyone got experience with traefik forward auth? I get an unsupported protocol scheme error:
```
traefik-56d9bd5b6d-pffkp traefik {"level":"debug","middlewareName":"traefik-ory-auth@kubernetescrd","middlewareType":"ForwardedAuthType","msg":"Error calling oathkeeper-api.auth.svc/decisions. Cause: Get \"oathkeeper-api.auth.svc/decisions\": unsupported protocol scheme \"\"","time":"2022-09-22T17:12:30Z"}
```
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ory-auth
  namespace: traefik
spec:
  forwardAuth:
    address: "oathkeeper-api.auth.svc/decisions"
    authResponseHeaders:
      - X-Id-Token
      - Authorization
```
Had to correct the port to `4456`.
Now it reaches oath but get this:
```
oathkeeper-56cf5fffc-7gsxq oathkeeper time=2022-09-22T18:15:45Z level=info msg=started handling request http_request=map[headers:map[accept:*/* user-agent:curl/7.81.0] host:oathkeeper-api.auth.svc:4456 method:GET path:/decisions query:<nil> remote:10.244.1.212:32774 scheme:http]
oathkeeper-56cf5fffc-7gsxq oathkeeper time=2022-09-22T18:15:45Z level=warning msg=Access request denied audience=application error=map[message:error parsing regexp: invalid nested repetition operator in `^**$`] granted=false http_host=oathkeeper-api.auth.svc:4456 http_method=GET http_url=http://oathkeeper-api.auth.svc:4456 http_user_agent=curl/7.81.0 service_name=ORY Oathkeeper service_version=v0.39.0
oathkeeper-56cf5fffc-7gsxq oathkeeper time=2022-09-22T18:15:45Z level=error msg=An error occurred while handling a request code=500 debug= details=map[] error=An internal server error occurred, please contact the system administrator reason= request-id= status=500 writer=JSON
oathkeeper-56cf5fffc-7gsxq oathkeeper time=2022-09-22T18:15:45Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* user-agent:curl/7.81.0] host:oathkeeper-api.auth.svc:4456 method:GET path: query:<nil> remote:10.244.1.212:32774 scheme:http] http_response=map[status:500 text_status:Internal Server Error took:2.710222ms]
```
m
Was it just a misconfiguration issue or is it something we could add to the docs for other users? or a gh discussion
b
Actually not solved yet. My first issue was that in the docs the address is set as `oathkeeper-api.auth.svc/decisions` but the default k8s service runs on 4456. Second issue was that oath wasn't loading my custom config as the helm chart didn't support extraArgs, created a PR, merged, and that works now. I'm now still running against the protocol error:
```
traefik-56d9bd5b6d-pffkp traefik {"level":"debug","middlewareName":"traefik-ory-auth@kubernetescrd","middlewareType":"ForwardedAuthType","msg":"Error calling oathkeeper-api.auth.svc:4456/decisions. Cause: Get \"oathkeeper-api.auth.svc:4456/decisions\": unsupported protocol scheme \"oathkeeper-api.auth.svc\"","time":"2022-09-23T12:00:09Z"}
```
Just a curl to the decision endpoint does work
```
curl oathkeeper-api.auth.svc:4456/decisions
{"error":{"code":404,"status":"Not Found","message":"Requested url does not match any rules"}}
```
Some progress; changed the traefik auth middleware url to `http://oathkeeper-api.auth.svc:4456/decisions`
```json
{
  "error": {
    "code": 404,
    "status": "Not Found",
    "message": "Requested url does not match any rules"
  }
}
```
Docs could be improved by adding a k8s section to the traefik docs
Now it's only docker compose
m
Hey @brash-cartoon-33648, sorry for the late response. By docs you mean this document: https://www.ory.sh/docs/oathkeeper/guides/traefik-proxy-integration We also have an example for this: https://github.com/ory/examples/tree/master/oathkeeper/07-traefik-decision Maybe it can help 🙏