Skip to content
Integration of lua-resty-openidc to ingress-nginx using ingress-nginx's plugin system
Lua Dockerfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
rootfs working image and complete readme Nov 23, 2019
LICENSE Initial commit Nov 21, 2019
README.md

README.md

ingress-nginx-openidc

This is a demonstration of ingress-nginx's plugin system and its extensibility in general. Vanilla ingress-nginx does not have a support for OpenID Connect. However we can extend it and add OpenID Connect support using https://github.com/zmartzone/lua-resty-openidc.

We achieve this by creating an ingress-nginx plugin called openidc and installing it to /etc/nginx/lua/plugins/ directory in the image.

In order to build the image use following command:

docker build -t ingress-nginx-openidc rootfs/

For further understanding of the plugin you can inspect rootfs/etc/nginx/lua/plugins/openidc/main.lua file.

You will see that the plugin requires OPENIDC_CLIENT_ID and OPENIDC_CLIENT_SECRET environment variables to be set. You can store these variables in a K8s secret and then configure that in the deployment manifest so that the environment variables are available within ingress-nginx containers.

Finally we need to make changes to /etc/nginx/template/nginx.tmpl and configure the openidc plugin:

plugins.init({ "openidc" })

https://github.com/zmartzone/lua-resty-openidc also requires us to define following Nginx directives:

lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;

# cache for discovery metadata documents
lua_shared_dict discovery 1m;
# cache for JWKs
lua_shared_dict jwks 1m;

This has last been tested with ingress-nginx 0.26.1.

You can’t perform that action at this time.