在 k8s Ingress 上重命名 vouch-proxy http 标头

发布于 2025-01-14 23:40:27 字数 1228 浏览 0 评论 0原文

我正在尝试将声明添加到 http 标头中。我有一个 k8s 入口

  annotations:
    nginx.ingress.kubernetes.io/auth-signin: "https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
    nginx.ingress.kubernetes.io/auth-url: https://vouch.example.com/validate
    nginx.ingress.kubernetes.io/auth-response-headers: 'X-Vouch-User, X-Vouch-Idp-Claims-Name'
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

和一个 vouch 配置：

vouch:
  headers:
    idtoken: X-Vouch-IdP-IdToken
    claims:
    - name

一切正常，我可以很好地进行身份验证，并且我可以在 x-vouch-user 和 x-vouch 下看到我的电子邮件和姓名-idp-claims-name 分别是 http 标头。但是，我想映射标题以使用更合适的东西。

我已经尝试过

  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Remote-User $http_x_vouch_idp_claims_name;

，但似乎不起作用。在我的 proxy_set_header 中使用的正确变量名称是什么？

原文

i'm trying to add a claim into the http header. i have an k8s ingress with

  annotations:
    nginx.ingress.kubernetes.io/auth-signin: "https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err"
    nginx.ingress.kubernetes.io/auth-url: https://vouch.example.com/validate
    nginx.ingress.kubernetes.io/auth-response-headers: 'X-Vouch-User, X-Vouch-Idp-Claims-Name'
    nginx.ingress.kubernetes.io/auth-snippet: |
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

and a vouch config with:

vouch:
  headers:
    idtoken: X-Vouch-IdP-IdToken
    claims:
    - name

everything works, and i can authenticate fine and i can see both my email and name under the x-vouch-user and x-vouch-idp-claims-name http headers respectively. However, i would like to map the headers to use something more appropriate.

I've tried

  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Remote-User $http_x_vouch_idp_claims_name;

but it doesn't seem to work. what are the correct variable name(s) to use in my proxy_set_header?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

掩于岁月 2025-01-21 23:40:27

我需要将原始 OIDC ID 令牌代理到下游服务。我能够通过此设置解决问题...

我设置 Vouch 代理配置以添加 X-Vouch-IdP-IdToken 标头：

vouch:
  headers:
    idtoken: X-Vouch-IdP-IdToken

然后在 ingress-nginx 注释中，我能够重命名通过在 configuration-snippet< /a> 注释如下：

  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
      proxy_set_header Authorization "Bearer $auth_resp_x_vouch_idp_idtoken";

I needed to proxy the original OIDC ID Token to the downstream service. I was able to solve the problem with this setup...

I set the Vouch Proxy config to add the X-Vouch-IdP-IdToken header:

vouch:
  headers:
    idtoken: X-Vouch-IdP-IdToken

Then in the ingress-nginx annotations, I was able rename the X-Vouch-IdP-IdToken to Authorization by adding the auth_request_header setting in the configuration-snippet annotation to the following:

  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
      proxy_set_header Authorization "Bearer $auth_resp_x_vouch_idp_idtoken";

回复收藏 0 原文

~没有更多了~