powerful-dusk-18309
04/07/2022, 5:53 AM
damp-sunset-69236
04/07/2022, 6:10 AM
damp-sunset-69236
04/07/2022, 6:11 AM
damp-sunset-69236
04/07/2022, 6:11 AM
powerful-dusk-18309
04/07/2022, 6:33 AM
damp-sunset-69236
04/07/2022, 6:38 AM
powerful-dusk-18309
04/07/2022, 6:46 AM
damp-sunset-69236
04/07/2022, 6:58 AM
nginx.ingress.kubernetes.io/auth-url: http://oathkeeper.<NameSpace>.svc.cluster.local/decisions$request_uri
damp-sunset-69236
04/07/2022, 6:59 AM
powerful-dusk-18309
04/08/2022, 6:49 AM
$ k get svc -n oath-ns
NAME                     TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ory-oathkeeper-api       ClusterIP   10.43.97.53     <none>        4456/TCP   23h
ory-oathkeeper-metrics   ClusterIP   10.43.61.175    <none>        80/TCP     23h
ory-oathkeeper-proxy     ClusterIP   10.43.164.197   <none>        4455/TCP   23h
Then I have created an ingress to connect to this service as follows. I hope the service name which I need to use is ory-oathkeeper-api?
kind: Ingress
metadata:
  name: oath-ingress
  namespace: oath-ns
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: "oathkeeper-test.com"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: ory-oathkeeper-api
            port:
              number: 80
Could you please confirm the next step is to add the annotation (nginx.ingress.kubernetes.io/auth-url: http://oathkeeper.oath-ns.svc.cluster.local/decisions$request_uri) to my Nginx ingress controller?
damp-sunset-69236
04/08/2022, 7:16 AM
powerful-dusk-18309
04/08/2022, 9:22 AM
tall-angle-41306
04/08/2022, 10:59 AM
500
The auth-url should be http://ory-oathkeeper-api.oath-ns.svc.cluster.local:4456/decisions$request_uri
based on your svc output
powerful-dusk-18309
04/10/2022, 5:38 AM
annotations:
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/auth-url: http://ory-oathkeeper-api.oathkeeper.svc.cluster.local:4456/decisions$request_uri
rules:
- host: "oathkeeper-test.com"
  http:
    paths:
    - pathType: Prefix
    # - pathType: ImplementationSpecific
      path: "/"
      backend:
        service:
          name: ory-oathkeeper-api
          port:
            number: 4456
But still getting 500 internal server error, added the log snippet from pods
time=2022-04-10T05:36:20Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 x-forwarded-for:172.27.219.58 x-request-id:74f1d6ca85353588962696772cae841b] host:ory-oathkeeper-api.oathkeeper.svc.cluster.local method:GET path:/decisions/ query:<nil> remote:10.42.0.0:48711 scheme:http]
time=2022-04-10T05:36:20Z level=warning msg=Access request denied audience=application error=map[debug: message:Requested url does not match any rules reason: status:Not Found status_code:404] granted=false http_host=ory-oathkeeper-api.oathkeeper.svc.cluster.local http_method=GET http_url=http://ory-oathkeeper-api.oathkeeper.svc.cluster.local/ http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1
time=2022-04-10T05:36:20Z level=error msg=An error occurred while handling a request code=404 debug= details=map[] error=The requested resource could not be found reason= request-id=74f1d6ca85353588962696772cae841b status=404 writer=JSON
lively-beard-47107
04/10/2022, 11:37 PM
nginx.conf
I configured oathkeeper as a proxy_pass. This was the only way I managed to have it working
lively-beard-47107
04/10/2022, 11:40 PM
nginx.ingress.kubernetes.io/auth-proxy-set-headers: my-namespace/custom-auth-headers
and then inside a configmap my-namespace/custom-auth-headers
try adding the data:
Host: your-app-host.com
powerful-dusk-18309
04/11/2022, 9:36 AM
{
  "id": "rule-1",
  "version": "v0.38.19-beta.1",
  "description": "",
  "match": {
    "methods": [
      "GET",
      "POST",
      "PUT",
      "DELETE",
      "PATCH"
    ],
    "url": "http://<[^/]+>/authenticator/noop/authorizer/allow/mutator/noop"
  },
  "authenticators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "authorizer": {
    "handler": "allow",
    "config": null
  },
  "mutators": [
    {
      "handler": "noop",
      "config": null
    }
  ],
  "errors": null,
  "upstream": {
    "preserve_host": false,
    "strip_path": "",
    "url": "https://httpbin.org/anything"
  }
}
If I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop it should be redirected to https://httpbin.org/anything to display the content from it, right? Or am I missing something here?
When I access the URL http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop I am getting the output below:
$ curl http://oathkeeper-proxy.com/authenticator/noop/authorizer/allow/mutator/noop
{
  "args": {},
  "data": "",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.78.0",
    "X-Amzn-Trace-Id": "Root=1-6253c622-75ff250c2f8e7d5e111f23fd",
    "X-Forwarded-Host": "oathkeeper-proxy.com",
    "X-Forwarded-Scheme": "http",
    "X-Scheme": "http"
  },
  "json": null,
  "method": "GET",
  "origin": "172.27.219.64, 10.42.0.0, 2.23.93.13",
  "url": "https://oathkeeper-proxy.com/anything/authenticator/noop/authorizer/allow/mutator/noop"
}
Is my configuration correct? Can somebody help me here?
damp-sunset-69236
04/12/2022, 7:52 AM
damp-sunset-69236
04/12/2022, 7:52 AM
powerful-dusk-18309
04/14/2022, 9:51 AM
damp-sunset-69236
04/14/2022, 10:51 AM