pugifat commented on issue #8017: URL: https://github.com/apache/apisix/issues/8017#issuecomment-1262625249
Sure, this is my configuration with keycloak as the idp in kubernetes: Keycloak realm configuration ([KeycloakRealmImport](https://github.com/keycloak/keycloak-k8s-resources/blob/main/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml)): ``` apiVersion: k8s.keycloak.org/v2alpha1 kind: KeycloakRealmImport metadata: name: apisix namespace: keycloak-operator labels: realm: apisix spec: keycloakCRName: keycloak realm: realm: apisix enabled: true displayName: APISIX attributes: frontendUrl: https://10.0.0.2/keycloak/ clients: - id: httpbin name: httpbin protocol: openid-connect rootUrl: https://10.0.0.2/httpbin redirectUris: - /login directAccessGrantsEnabled: true attributes: pkce.code.challenge.method: S256 post.logout.redirect.uris: / users: - username: user firstName: first lastName: last email: [email protected] enabled: true credentials: - type: password value: pass ``` notes: - basically following this: https://www.keycloak.org/2021/12/apisix - 10.0.0.2 is used as an external load balancer Keycloak APISIX route configuration ([ApisixRoute](https://github.com/apache/apisix-ingress-controller/blob/530ce52b278d7e385db3747d33e0d9fe1db0f3d1/samples/deploy/crd/v1/ApisixRoute.yaml)): ``` apiVersion: apisix.apache.org/v2beta3 kind: ApisixRoute metadata: name: keycloak-route namespace: keycloak-operator spec: http: - name: rule1 match: paths: - /keycloak/* backends: - serviceName: keycloak-service servicePort: 8080 plugins: - name: proxy-rewrite enable: true config: host: keycloak-service.keycloak-operator.svc.cluster.local - name: serverless-pre-function enable: true config: phase: rewrite functions: - return function(conf, ctx) ngx.var.var_x_forwarded_proto = "https"; ngx.var.var_x_forwarded_port = 443 end - name: rule2 match: paths: - /keycloak-internal/* backends: - serviceName: keycloak-service servicePort: 8080 plugins: - name: proxy-rewrite enable: true config: host: keycloak-service.keycloak-operator.svc.cluster.local regex_uri: - "^/keycloak-internal/(.*)" - "/$1" - name: serverless-pre-function enable: true` config: phase: rewrite functions: - return function(conf, ctx) ngx.var.var_x_forwarded_port = 8080; ngx.var.var_x_forwarded_host = "keycloak-service.keycloak-operator.svc.cluster.local" end ``` notes: - serverless pre-functions were required to satisfy keycloak's request handling for differentiating internal and external services Httpbin deployment ([httpbin](https://github.com/postmanlabs/httpbin)) ``` apiVersion: v1 kind: ServiceAccount metadata: name: httpbin --- apiVersion: v1 kind: Service metadata: name: httpbin labels: app: httpbin service: httpbin spec: ports: - name: http port: 80 targetPort: 80 selector: app: httpbin --- apiVersion: apps/v1 kind: Deployment metadata: name: httpbin spec: replicas: 1 selector: matchLabels: app: httpbin version: v1 template: metadata: labels: app: httpbin version: v1 spec: serviceAccountName: httpbin containers: - image: docker.io/kennethreitz/httpbin imagePullPolicy: IfNotPresent name: httpbin ports: - containerPort: 80 ``` Httpbin APISIX route configuration ([ApisixRoute](https://github.com/apache/apisix-ingress-controller/blob/530ce52b278d7e385db3747d33e0d9fe1db0f3d1/samples/deploy/crd/v1/ApisixRoute.yaml)): ``` apiVersion: apisix.apache.org/v2beta3 kind: ApisixRoute metadata: name: httpbin-route namespace: default spec: http: - name: rule1 match: paths: - /httpbin/* backends: - serviceName: httpbin servicePort: 80 plugins: - name: proxy-rewrite enable: true config: host: httpbin.default.svc.cluster.local regex_uri: - "^/httpbin/(.*)" - "/$1" - name: openid-connect enable: true config: client_id: httpbin client_secret: ReplaceWithKeycloakGeneratedClientSecret discovery: http://localhost:9080/keycloak-internal/keycloak/realms/apisix/.well-known/openid-configuration scope: openid profile bearer_only: false introspection_endpoint: http://keycloak-service.keycloak-operator.svc.cluster.local:8080/keycloak/realms/apisix/protocol/openid-connect/token/introspect introspection_endpoint_auth_method: client_secret_post logout_path: /httpbin/logout post_logout_redirect_uri: https://10.0.0.2/httpbin/ redirect_uri: https://10.0.0.2/httpbin/login use_pkce: true ``` notes: - actual configuration of openid-connect plugin Server-side session store patch for configmap/apisix: ``` nginx_config: genarate nginx.conf http_configuration_snippet: | lua_shared_dict redis_cluster_slot_locks 100k; http_server_configuration_snippet: | set $session_name "apisix_session"; large_client_header_buffers 4 16k; set $session_strategy regenerate; set $session_storage redis; set $session_redis_uselocking on; set $session_redis_cluster_name redis-cluster; set $session_redis_cluster_nodes 'redis-cluster-leader-headless.redis.svc.cluster.local redis-cluster-follower-headless.redis.svc.cluster.local'; ``` notes: - redis cluster deployed separately - only really tested with redis cluster but assume this impacts other server-side session stores that support locking Resulting nginx.conf sections: ``` http { # http configuration snippet starts lua_shared_dict redis_cluster_slot_locks 100k; # http configuration snippet ends server { # http server configuration snippet starts set $session_name "apisix_session"; large_client_header_buffers 4 16k; set $session_strategy regenerate; set $session_storage redis; set $session_redis_uselocking on; set $session_redis_cluster_name redis-cluster; set $session_redis_cluster_nodes 'redis-cluster-leader-headless.redis.svc.cluster.local redis-cluster-follower-headless.redis.svc.cluster.local'; # http server configuration snippet ends } } ``` Let me know if you need anything else. Thanks for a great product! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
