hongming Does plugin development mean changing this part of the source? We have already built the code, but we don't know which part of it to change to adapt the account-association part. I found the corresponding code at the link you sent, but I don't know where to start changing it. Please advise, thanks!

    tjushilei Are the pods all running normally, and are there any obvious error logs? Please paste the configuration so we can take a look.

    kubectl -n kubesphere-system get deploy ks-console -ojsonpath='{.spec.template.spec.containers[0].image}'
    kubectl -n kubesphere-system get deploy ks-apiserver -ojsonpath='{.spec.template.spec.containers[0].image}'
    kubectl -n kubesphere-system get cm kubesphere-config -ojsonpath='{.data.kubesphere\.yaml}'

      hongming Result of the first command: dockerhub.kubekey.local/kubesphere/ks-console:v3.0.0

      Result of the second command: dockerhub.kubekey.local/kubesphere/ks-apiserver:v3.1-beta
      (the image dockerhub.kubekey.local/kubesphere/ks-apiserver:v3.1-beta corresponds to kubespheredev/ks-apiserver:latest)

      hongming The third one:
      authentication:
        authenticateRateLimiterMaxTries: 10
        authenticateRateLimiterDuration: 10m0s
        loginHistoryRetentionPeriod: 168h
        maximumClockSkew: 10s
        multipleLogin: False
        kubectlImage: dockerhub.kubekey.local/kubesphere/kubectl:v1.0.0
        jwtSecret: "IKX0fOhGZ1VJonaIDWl1FFcThFedQlip"
        oauthOptions:
          accessTokenMaxAge: 1h
          accessTokenInactivityTimeout: 30m
          identityProviders:
          - name: ldap
            type: LDAPIdentityProvider
            mappingMethod: auto
            provider:
              host: 10.253.124.37:40389
              managerDN: uid=ann,cn=users,dc=hebmc,dc=com
              managerPassword: ann
              userSearchBase: cn=users,dc=hebmc,dc=com
              loginAttribute: uid
              mailAttribute: mail
          - name: oauth2
            mappingMethod: auto
            type: AliyunIDaasProvider
            provider:
              clientID: kubesphere
              clientSecret: kubesphere
              endpoint:
                authURL: http://sam-portal.dev2.ict.cmcc/oauth/authorize
                tokenURL: http://sam-portal.dev2.ict.cmcc/oauth/token
                userInfoUrl: http://sam-portal.dev2.ict.cmcc/user/me
              redirectURL: http://jira2.dev2.ict.cmcc/plugins/servlet/oauth/callback
              scopes:
              - all
      ldap:
        host: openldap.kubesphere-system.svc:389
        managerDN: cn=admin,dc=kubesphere,dc=io
        managerPassword: admin
        userSearchBase: ou=Users,dc=kubesphere,dc=io
        groupSearchBase: ou=Groups,dc=kubesphere,dc=io
      redis:
        host: redis.kubesphere-system.svc
        port: 6379
        password: ""
        db: 0
      s3:
        endpoint: http://minio.kubesphere-system.svc:9000
        region: us-east-1
        disableSSL: true
        forcePathStyle: true
        accessKeyID: openpitrixminioaccesskey
        secretAccessKey: openpitrixminiosecretkey
        bucket: s2i-binaries
      mysql:
        host: mysql.kubesphere-system.svc:3306
        username: root
        password: password
        maxIdleConnections: 100
        maxOpenConnections: 100
        maxConnectionLifeTime: 10s
      network:
        enableNetworkPolicy: true
      devops:
        host: http://ks-jenkins.kubesphere-devops-system.svc/
        username: admin
        password: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFkbWluQGt1YmVzcGhlcmUuaW8iLCJ1c2VybmFtZSI6ImFkbWluIiwidG9rZW5fdHlwZSI6InN0YXRpY190b2tlbiJ9.X_yErokndO8OvBsiVCIre0agP_qj9PfDZcFJ4rUBkDQ
        maxConnections: 100
      servicemesh:
        istioPilotHost: http://istio-pilot.istio-system.svc:8080/version
        jaegerQueryHost: http://jaeger-query.istio-system.svc:16686
        servicemeshPrometheusHost: http://prometheus-k8s.kubesphere-monitoring-system.svc:9090
      openpitrix:
        runtimeManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9103"
        clusterManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9104"
        repoManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9101"
        appManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9102"
        categoryManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9113"
        attachmentManagerEndpoint: "hyperpitrix.openpitrix-system.svc:9122"
        repoIndexerEndpoint: "hyperpitrix.openpitrix-system.svc:9108"
      monitoring:
        endpoint: http://prometheus-operated.kubesphere-monitoring-system.svc:9090
      logging:
        host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
        indexPrefix: ks-logstash-log
      events:
        host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
        indexPrefix: ks-logstash-events
      auditing:
        enable: true
        host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
        indexPrefix: ks-logstash-auditing
      alerting:
        endpoint: http://alerting-client-server.kubesphere-alerting-system.svc:9200/api/
      notification:
        endpoint: http://notification.kubesphere-alerting-system.svc:9200

        tjushilei

        1. Following kubesphere/pkg/apiserver/authentication/identityprovider/github/github.go, implement identityprovider.OAuthProvider and register it in init():

            func init() {
            	identityprovider.RegisterOAuthProvider(&Github{})
            }

        2. Import the new plugin in kubesphere/pkg/apiserver/authentication/options/authenticate_options.go:

            import (
            	"fmt"
            	"github.com/spf13/pflag"
            	_ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/aliyunidaas"
            	_ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/github"
            	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
            	"time"
            )

        3. The plugin is configured through the authentication.oauthOptions.identityProviders section of kubesphere-config; the provider part is dynamic configuration, i.e. the *oauth.DynamicOptions in the plugin.
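        As an added example (not KubeSphere's code and not from anyone in this thread), this is the shape a provider for an in-house OAuth2 server takes: the provider map from kubesphere-config is validated once at startup, then used for the server-side code-for-token exchange and the userinfo lookup, with both replies checked before any identity is returned. The type names, field names and the JSON shape of the token and userinfo replies are assumptions; registration in init() and the blank import in authenticate_options.go are as shown in the steps above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// Assumed stand-ins for KubeSphere's types: DynamicOptions is the free-form "provider:" map, Identity is the login result.
type DynamicOptions map[string]interface{}
type Identity struct{ Username, Email string }
type CompanyOAuth struct{ ClientID, ClientSecret, TokenURL, UserInfoURL, RedirectURL string } // hypothetical in-house provider
func str(v interface{}) string { s, _ := v.(string); return s }

// NewCompanyOAuth builds the provider from identityProviders[].provider and rejects incomplete config at startup.
func NewCompanyOAuth(o DynamicOptions) (*CompanyOAuth, error) {
	ep, _ := o["endpoint"].(map[string]interface{})
	p := &CompanyOAuth{str(o["clientID"]), str(o["clientSecret"]), str(ep["tokenURL"]), str(ep["userInfoURL"]), str(o["redirectURL"])}
	if p.ClientID == "" || p.ClientSecret == "" || p.TokenURL == "" || p.UserInfoURL == "" {
		return nil, fmt.Errorf("clientID, clientSecret, endpoint.tokenURL and endpoint.userInfoURL are required")
	}
	return p, nil
}

// decode drains one reply into v; callers check the decoded fields, so an error reply never becomes a valid login.
func decode(resp *http.Response, err error, v interface{}) error {
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(v)
}

// IdentityExchange redeems the callback code server-side (the client secret never reaches the browser), then fetches the profile with the bearer token.
func (c *CompanyOAuth) IdentityExchange(code string) (id Identity, err error) {
	form := url.Values{"grant_type": {"authorization_code"}, "code": {code}, "client_id": {c.ClientID}, "client_secret": {c.ClientSecret}, "redirect_uri": {c.RedirectURL}}
	var tok struct{ AccessToken string `json:"access_token"` }
	resp, err := http.PostForm(c.TokenURL, form)
	if err = decode(resp, err, &tok); err != nil || tok.AccessToken == "" {
		return Identity{}, fmt.Errorf("token exchange failed: %v (access_token=%q)", err, tok.AccessToken)
	}
	req, _ := http.NewRequest(http.MethodGet, c.UserInfoURL, nil)
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	resp, err = http.DefaultClient.Do(req)
	if err = decode(resp, err, &id); err != nil || id.Username == "" {
		return Identity{}, fmt.Errorf("userinfo lookup failed: %v (username=%q)", err, id.Username)
	}
	return id, nil
}
```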

          tjushilei
          Once configured correctly, the front-end page should open normally and show the OAuth login option.

          Also, redirectURL needs to be set to http(s)://<ks-console domain/IP+port>/oauth/redirect, and the same redirectURL has to be configured on the OAuth2 server, which after login must redirect to http(s)://<ks-console domain/IP+port>/oauth/redirect

            tjushilei Don't get the direction backwards: KubeSphere's OAuth2 support uses OAuth2 to sign in with accounts from another OAuth2 provider and then redirects back to KubeSphere; it does not make KubeSphere the identity provider.

            hongming Hello, could you share the configuration file used when configuring KubeSphere with GitHub's OAuth2 protocol?

              nanjofan Note: use kubespheredev/ks-apiserver:latest

                  authentication:
                    authenticateRateLimiterMaxTries: 10
                    authenticateRateLimiterDuration: 10m0s
                    loginHistoryRetentionPeriod: 7d
                    maximumClockSkew: 10s
                    multipleLogin: true
                    kubectlImage: kubesphere/kubectl:v1.0.0
                    jwtSecret: "xxxxx"
                    oauthOptions:
                      accessTokenMaxAge: 1h
                      accessTokenInactivityTimeout: 30m
                      identityProviders:
                      - name: github
                        type: GitHubIdentityProvider
                        mappingMethod: mixed
                        provider:
                          clientID: 'xxx'
                          clientSecret: 'xxx'
                          endpoint:
                            authURL: 'https://github.com/login/oauth/authorize'
                            tokenURL: 'https://github.com/login/oauth/access_token'
                          redirectURL: 'http(s)://<ks-console域名/IP+端口>/oauth/redirect'
                          scopes:
                          - user

              tjushilei The config looks fine; check whether the image is right.

              imageID: docker-pullable://kubespheredev/ks-apiserver@sha256:40f3652c1550977d365f9bb0bf94c63d344cf51db99793678eec562e3e2d0525

                Could I ask whether the value of identityProviders: type: can be anything? Our company has its own OAuth wrapper.

                  Hello, what I mean is: can I use identityProviders: type=AliyunIDaasProvider directly but set the actual endpoint to our company's own OAuth2 server address, so that I don't have to change the source code? Would that work?

                    hongming Can a custom IdP be added directly on version 3.0? After I replaced the image with kubespheredev/ks-apiserver:latest, the page responds very slowly.

                      hongming
                      1. We are currently using the official release of KubeSphere 3.0. After replacing it with your kubespheredev/ks-apiserver image it won't start (the login page only shows a pair of braces "{}"). Why is that? Is there anything else that needs to be set after the replacement?
                      2. Because the image you mentioned wouldn't start, we have added our own OAuth2 code configuration to the KubeSphere 3.0 code in the way you described, built it, and replaced our KubeSphere ks-apiserver service with it. It starts normally this way, but the login page still doesn't show the OAuth2 login. Does that need any extra configuration?

                        tjushilei There is no extra configuration; kubespheredev/ks-apiserver:latest only adds some plugin configuration. The login page showing just a pair of braces "{}" shouldn't happen. Check whether the sha256 digest matches, check the response of the API below, check each component's logs, and clear the browser cache.

                        curl http://ks-apiserver.kubesphere-system.svc/kapis/config.kubesphere.io/v1alpha2/configs/oauth