hongming
tjushilei
It has to be enabled when you extend the plugin. https://github.com/kubesphere/kubesphere/pull/2997/files#diff-b423b5e9705b01b7a403ecac0045b6c717e3f6235c9551c47230fd43a96b2e40R96
The idaas feature was only merged recently; you can use the kubespheredev/ks-apiserver:latest image.
tjushilei This is the sample configuration:
identityProviders:
- name: aliyunidaas
  type: AliyunIDaasProvider
  mappingMethod: mixed
  provider:
    clientID: xxxx
    clientSecret: xxxx
    endpoint:
      userInfoUrl: "https://xxxxx.login.aliyunidaas.com/api/bff/v1.2/oauth2/userinfo"
      authURL: "https://xxxx.login.aliyunidaas.com/oauth/authorize"
      tokenURL: "https://xxxx.login.aliyunidaas.com/oauth/token"
    redirectURL: "http://ks-console/oauth/redirect"
    scopes:
    - read
You need to use the kubespheredev/ks-apiserver:latest image, or build it yourself.
tjushilei Use the latest tag; it is the newest code on the master branch. Note that it is kubespheredev/ks-apiserver:latest, not kubesphere/ks-apiserver:latest.
Plugin development is also very simple; you only need to adapt the account-linking part of the logic: https://github.com/kubesphere/kubesphere/blob/master/pkg/apiserver/authentication/oauth/oauth_options.go#L37-L44
tjushilei Are all the pods running normally? Is there any obvious error in the logs? You can paste the configuration here so we can take a look:
kubectl -n kubesphere-system get deploy ks-console -ojsonpath='{.spec.template.spec.containers[0].image}'
kubectl -n kubesphere-system get deploy ks-apiserver -ojsonpath='{.spec.template.spec.containers[0].image}'
kubectl -n kubesphere-system get cm kubesphere-config -ojsonpath='{.data.kubesphere\.yaml}'
hongming The third one:
authentication:
  authenticateRateLimiterMaxTries: 10
  authenticateRateLimiterDuration: 10m0s
  loginHistoryRetentionPeriod: 168h
  maximumClockSkew: 10s
  multipleLogin: False
  kubectlImage: dockerhub.kubekey.local/kubesphere/kubectl:v1.0.0
  jwtSecret: "IKX0fOhGZ1VJonaIDWl1FFcThFedQlip"
  oauthOptions:
    accessTokenMaxAge: 1h
    accessTokenInactivityTimeout: 30m
    identityProviders:
    - name: ldap
      type: LDAPIdentityProvider
      mappingMethod: auto
      provider:
        host: 10.253.124.37:40389
        managerDN: uid=ann,cn=users,dc=hebmc,dc=com
        managerPassword: ann
        userSearchBase: cn=users,dc=hebmc,dc=com
        loginAttribute: uid
        mailAttribute: mail
    - name: oauth2
      mappingMethod: auto
      type: AliyunIDaasProvider
      provider:
        clientID: kubesphere
        clientSecret: kubesphere
        endpoint:
          authURL: http://sam-portal.dev2.ict.cmcc/oauth/authorize
          tokenURL: http://sam-portal.dev2.ict.cmcc/oauth/token
          userInfoUrl: http://sam-portal.dev2.ict.cmcc/user/me
        redirectURL: http://jira2.dev2.ict.cmcc/plugins/servlet/oauth/callback
        scopes:
        - all
ldap:
  host: openldap.kubesphere-system.svc:389
  managerDN: cn=admin,dc=kubesphere,dc=io
  managerPassword: admin
  userSearchBase: ou=Users,dc=kubesphere,dc=io
  groupSearchBase: ou=Groups,dc=kubesphere,dc=io
redis:
  host: redis.kubesphere-system.svc
  port: 6379
  password: ""
  db: 0
s3:
  endpoint: http://minio.kubesphere-system.svc:9000
  region: us-east-1
  disableSSL: true
  forcePathStyle: true
  accessKeyID: openpitrixminioaccesskey
  secretAccessKey: openpitrixminiosecretkey
  bucket: s2i-binaries
mysql:
  host: mysql.kubesphere-system.svc:3306
  username: root
  password: password
  maxIdleConnections: 100
  maxOpenConnections: 100
  maxConnectionLifeTime: 10s
network:
  enableNetworkPolicy: true
devops:
  host: http://ks-jenkins.kubesphere-devops-system.svc/
  username: admin
  password: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFkbWluQGt1YmVzcGhlcmUuaW8iLCJ1c2VybmFtZSI6ImFkbWluIiwidG9rZW5fdHlwZSI6InN0YXRpY190b2tlbiJ9.X_yErokndO8OvBsiVCIre0agP_qj9PfDZcFJ4rUBkDQ
  maxConnections: 100
servicemesh:
  istioPilotHost: http://istio-pilot.istio-system.svc:8080/version
  jaegerQueryHost: http://jaeger-query.istio-system.svc:16686
  servicemeshPrometheusHost: http://prometheus-k8s.kubesphere-monitoring-system.svc:9090
openpitrix:
  runtimeManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9103"
  clusterManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9104"
  repoManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9101"
  appManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9102"
  categoryManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9113"
  attachmentManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9122"
  repoIndexerEndpoint: "hyperpitrix.openpitrix-system.svc:9108"
monitoring:
  endpoint: http://prometheus-operated.kubesphere-monitoring-system.svc:9090
logging:
  host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
  indexPrefix: ks-logstash-log
events:
  host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
  indexPrefix: ks-logstash-events
auditing:
  enable: true
  host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
  indexPrefix: ks-logstash-auditing
alerting:
  endpoint: http://alerting-client-server.kubesphere-alerting-system.svc:9200/api/
notification:
  endpoint: http://notification.kubesphere-alerting-system.svc:9200
kubesphere/pkg/apiserver/authentication/identityprovider/github/github.go implements identityprovider.OAuthProvider and registers it in init:
    func init() {
        identityprovider.RegisterOAuthProvider(&Github{})
    }
kubesphere/pkg/apiserver/authentication/options/authenticate_options.go imports the new plugin:
    import (
        "fmt"
        "github.com/spf13/pflag"
        _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/aliyunidaas"
        _ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/github"
        "kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
        "time"
    )
Then configure it in the authentication.oauthOptions.identityProviders section; provider is dynamic configuration, i.e. the *oauth.DynamicOptions inside the plugin.
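The following stand-alone Go program is an added illustration of the registration pattern described above; it is not KubeSphere's code. The interface, registry and option types are hypothetical stand-ins for identityprovider.OAuthProvider, identityprovider.RegisterOAuthProvider and *oauth.DynamicOptions, the provider type name ExampleIdentityProvider and all URLs are constructed, and the "provider:" block is decoded the way a plugin would decode its dynamic options (here via JSON instead of the real config loader).

```go
package main

// Added example (not KubeSphere's own code): a self-contained model of
// "implement the provider interface, register it in init(), decode the
// dynamic provider options". All types here are hypothetical stand-ins.

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Identity is what a provider returns once the authorization code is exchanged.
type Identity struct {
	Username string
	Email    string
}

// DynamicOptions stands in for *oauth.DynamicOptions: the untyped "provider:"
// block of an identityProviders entry, which each plugin decodes itself.
type DynamicOptions map[string]interface{}

// OAuthProvider is the hypothetical plugin contract; Type() must equal the
// "type:" value written in kubesphere.yaml.
type OAuthProvider interface {
	Type() string
	Setup(options DynamicOptions) (OAuthProvider, error)
	IdentityExchange(code string) (Identity, error)
}

var (
	registryMu sync.RWMutex
	registry   = map[string]OAuthProvider{}
)

// RegisterOAuthProvider is what a plugin's init() calls. A duplicate type name
// is refused so one plugin cannot silently replace another.
func RegisterOAuthProvider(p OAuthProvider) error {
	registryMu.Lock()
	defer registryMu.Unlock()
	if _, dup := registry[p.Type()]; dup {
		return fmt.Errorf("identity provider %q already registered", p.Type())
	}
	registry[p.Type()] = p
	return nil
}

// IdentityProviderConfig is one entry of authentication.oauthOptions.identityProviders.
type IdentityProviderConfig struct {
	Name          string         `json:"name"`
	Type          string         `json:"type"`
	MappingMethod string         `json:"mappingMethod"`
	Provider      DynamicOptions `json:"provider"`
}

// NewProvider resolves cfg.Type against the registry and lets the plugin
// validate its own options. An unknown type fails closed: it usually means the
// plugin package was never blank-imported, so its init() never ran.
func NewProvider(cfg IdentityProviderConfig) (OAuthProvider, error) {
	registryMu.RLock()
	p, ok := registry[cfg.Type]
	registryMu.RUnlock()
	if !ok {
		return nil, fmt.Errorf("identity provider type %q is not registered", cfg.Type)
	}
	return p.Setup(cfg.Provider)
}

// exampleProvider plays the role of github.go: it decodes only the fields it
// needs and performs no network calls.
type exampleProvider struct {
	ClientID     string `json:"clientID"`
	ClientSecret string `json:"clientSecret"`
	Endpoint     struct {
		AuthURL  string `json:"authURL"`
		TokenURL string `json:"tokenURL"`
	} `json:"endpoint"`
	RedirectURL string   `json:"redirectURL"`
	Scopes      []string `json:"scopes"`
}

func (*exampleProvider) Type() string { return "ExampleIdentityProvider" }

// Setup turns the untyped options into the typed struct and rejects a
// configuration that lacks the OAuth essentials instead of failing at login.
func (*exampleProvider) Setup(options DynamicOptions) (OAuthProvider, error) {
	raw, err := json.Marshal(options)
	if err != nil {
		return nil, err
	}
	p := &exampleProvider{}
	if err := json.Unmarshal(raw, p); err != nil {
		return nil, err
	}
	if p.ClientID == "" || p.ClientSecret == "" {
		return nil, errors.New("clientID and clientSecret are required")
	}
	if p.Endpoint.AuthURL == "" || p.Endpoint.TokenURL == "" {
		return nil, errors.New("endpoint.authURL and endpoint.tokenURL are required")
	}
	return p, nil
}

// IdentityExchange would POST the code to TokenURL and query the user-info
// API; here it derives a constructed identity so the flow runs offline.
func (p *exampleProvider) IdentityExchange(code string) (Identity, error) {
	if code == "" {
		return Identity{}, errors.New("empty authorization code")
	}
	return Identity{Username: "user-" + code}, nil
}

// Registration at package init is what the blank import relies on.
func init() {
	if err := RegisterOAuthProvider(&exampleProvider{}); err != nil {
		panic(err)
	}
}

func main() {
	// Constructed entry with the same shape as the github entry in this thread.
	cfg := IdentityProviderConfig{Name: "example", Type: "ExampleIdentityProvider", MappingMethod: "mixed",
		Provider: DynamicOptions{
			"clientID": "xxx", "clientSecret": "xxx",
			"endpoint":    map[string]interface{}{"authURL": "https://idp.example/authorize", "tokenURL": "https://idp.example/token"},
			"redirectURL": "http://ks-console/oauth/redirect",
			"scopes":      []interface{}{"user"},
		}}
	p, err := NewProvider(cfg)
	if err != nil {
		panic(err)
	}
	id, _ := p.IdentityExchange("abc")
	fmt.Printf("%s -> %+v\n", p.Type(), id)
}
```

The two checks worth keeping from this model are the ones that map to the thread's symptoms: a "type:" value with no registered plugin is rejected up front rather than producing a login that silently never works, and the plugin validates its own provider block at startup, so a missing clientSecret or tokenURL surfaces in the ks-apiserver log instead of at the first redirect.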
nanjofan Note: use kubespheredev/ks-apiserver:latest
authentication:
  authenticateRateLimiterMaxTries: 10
  authenticateRateLimiterDuration: 10m0s
  loginHistoryRetentionPeriod: 7d
  maximumClockSkew: 10s
  multipleLogin: true
  kubectlImage: kubesphere/kubectl:v1.0.0
  jwtSecret: "xxxxx"
  oauthOptions:
    accessTokenMaxAge: 1h
    accessTokenInactivityTimeout: 30m
    identityProviders:
    - name: github
      type: GitHubIdentityProvider
      mappingMethod: mixed
      provider:
        clientID: 'xxx'
        clientSecret: 'xxx'
        endpoint:
          authURL: 'https://github.com/login/oauth/authorize'
          tokenURL: 'https://github.com/login/oauth/access_token'
        redirectURL: 'http(s)://<ks-console域名/IP+端口>/oauth/redirect'
        scopes:
        - user