Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of github.com:kubernetes-sigs/aws-alb-ingress-controller into rails-api-examples
Showing
25 changed files
with
348 additions
and
101 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
* | ||
!server |
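Review bot: the file name is not visible in this rendering, but the two-line pattern `*` followed by `!server` excludes everything from the build/context except the `server` directory, and nothing in the commit documents that intent. Add a one-line comment stating what the file is for, and confirm that no other path the build needs (config files, lockfiles, the Dockerfile itself if this is a `.dockerignore`) is silently dropped by the catch-all `*` rule.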
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
# Requirements: | ||
# | ||
# - For this template, Cognito should have the following basic settings: | ||
# - User Pool ARN ( Cognito -> General Settings ) | ||
# `arn:aws:cognito-idp:<region>:<account-id>:userpool/<region><cognito-id>` | ||
# - User Pool Client ID ( Cognito -> App Integration -> Application Client Settings ) | ||
# `<user-pool-client-id>` | ||
# - Domain Name ( Cognito -> App Integration -> Domain Name) | ||
# `<user-pool-authentication-domain>` | ||
# - OAuth Scopes ( Cognito -> App Integration -> Application Client Settings ) | ||
# `[x] openid` | ||
# - OAuth Flows ( Cognito -> App Integration -> Application Client Settings ) | ||
# `[x] Authorization code grant` | ||
# - Callback URL(s) ( Cognito -> App Integration -> Application Client Settings ) | ||
# `https://<app-name>.<your-domain>/oauth2/idpresponse` | ||
# | ||
# - Related Kubernetes service/application | ||
# | ||
|
||
apiVersion: extensions/v1beta1 | ||
kind: Ingress | ||
metadata: | ||
name: <ingress-name> # app.example.com | ||
namespace: <placement-namespace> # default | ||
annotations: | ||
kubernetes.io/ingress.class: alb | ||
alb.ingress.kubernetes.io/scheme: internet-facing | ||
alb.ingress.kubernetes.io/tags: Environment=<environment-name>,Owner=<your-name | ||
# For each `listen-ports` object defined an ALB lister is created | ||
# For each listener created the rules defined in `spec` apply with some basic caveats | ||
# SSL redirect rule is applied only to the HTTP listener. Cognito authentication rule | ||
# is applied to the HTTPS listener | ||
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' | ||
# Detailed redirect settings | ||
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' | ||
# Authentication type must be cognito | ||
alb.ingress.kubernetes.io/auth-type: cognito | ||
# Required parameter for ALB/Cognito integration | ||
alb.ingress.kubernetes.io/auth-scope: openid | ||
# Session timeout on authentication credentials | ||
alb.ingress.kubernetes.io/auth-session-timeout: '3600' | ||
# Session cookie name | ||
alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie | ||
# Action to take when a request is not authenticated | ||
alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate | ||
# Cognito parameters required for creation of authentication rules | ||
# The subdomain name only is sufficient for `UserPoolDomain` | ||
# e.g. if `FQDN=app.auth.ap-northeast-1.amazoncognito.com` then `UserPoolDomain=app` | ||
alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:<region>:<account-id>:userpool/<region><cognito-id>","UserPoolClientId":"<user-pool-client-id>","UserPoolDomain":"<user-pool-authentication-domain>"}' | ||
# ACM certificate ARN for your SSL domain | ||
alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:<region>:<account-id>:certificate/<certificate-id> | ||
spec: | ||
rules: | ||
# If you are using ExternalDNS, this will become your applications FQDN | ||
- host: <FQDN> | ||
http: | ||
paths: | ||
# This first path should perform an ssl-redirect as below | ||
- path: /* | ||
backend: | ||
serviceName: ssl-redirect | ||
# Configured via the redirect settings in the annotations | ||
servicePort: use-annotation | ||
- path: <html-path> | ||
backend: | ||
serviceName: <service-name> | ||
servicePort: <service-port> |
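Review bot: the `tags` annotation is malformed; `Owner=<your-name` is missing its closing `>` and will be copied verbatim by anyone filling in the template, so change it to `Owner=<your-name>`. Two comment typos in the same hunk: "ALB lister" should be "ALB listener", and "your applications FQDN" should be "your application's FQDN". On the security side the template is correct but worth spelling out: the comments say the Cognito rule is applied only to the HTTPS listener, so the `/*` ssl-redirect path listed first is what keeps plaintext HTTP requests from reaching `<service-name>` without authentication; the comment on that path should say that it must stay first and must not be removed when the user trims the template. Finally, `extensions/v1beta1` is a deprecated Ingress API group; consider noting the cluster version the template was tested against.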
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
# Setup Cognito/ALB Ingress Controller | ||
|
||
This document describes how to install ALB Ingress Controller with AWS Cognito integration to minimal capacity, other options and or configurations may be required for production, and on an app to app basis. | ||
|
||
## Assumptions | ||
|
||
The following assumptions are observed regarding this procedure. | ||
|
||
* ExternalDNS is installed to the cluster and will provide a custom URL for your ALB. To setup ExternalDNS refer to the [install instructions](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/external-dns/setup/). | ||
|
||
## Cognitio Configuration | ||
|
||
Configure Cognito for use with ALB Ingress Controller using the following links with specified caveats. | ||
|
||
* [Create Cognito user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html) | ||
* [Configure application integration](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-app-integration.html) | ||
* On step 11.c for the `Callback URL` enter `https://<your-domain>/oauth2/idpresponse`. | ||
* On step 11.d for `Allowed OAuth Flows` select `authorization code grant` and for `Allowed OAuth Scopes` select `openid`. | ||
|
||
## ALB Ingress Controller Setup | ||
|
||
Install the ALB Ingress Controller using the [install instructions](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/) with the following caveats. | ||
|
||
* When setting up IAM Role Permissions, add the `cognito-idp:DescribeUserPoolClient` permission to the example policy. | ||
|
||
## Deploying an Ingress | ||
|
||
Using the [cognito-ingress-template](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/examples/cognito-ingress-template.yaml) you can fill in the `<required>` variables to create an ALB ingress connected to your Cognito user pool for authentication. |
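Review bot: the callback URL in step 11.c, `https://<your-domain>/oauth2/idpresponse`, does not match the template this document points to, which uses `https://<app-name>.<your-domain>/oauth2/idpresponse`; Cognito rejects redirects to any URL not registered on the app client, so the two should use the same placeholder and the text should state that the value must equal the ingress `host` exactly. The heading "Cognitio Configuration" is misspelled ("Cognito"), and the opening sentence reads better as "... with AWS Cognito integration at minimal capacity; other options or configurations may be required for production and on an app-by-app basis." For the IAM step, the document names `cognito-idp:DescribeUserPoolClient` but not which resource to grant it on; saying that the statement can be restricted to the user pool ARN already required by the template would keep the example policy least-privilege.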