hongming 第三个:
authentication:
authenticateRateLimiterMaxTries: 10
authenticateRateLimiterDuration: 10m0s
loginHistoryRetentionPeriod: 168h
maximumClockSkew: 10s
multipleLogin: False
kubectlImage: dockerhub.kubekey.local/kubesphere/kubectl:v1.0.0
jwtSecret: “IKX0fOhGZ1VJonaIDWl1FFcThFedQlip”
oauthOptions:
accessTokenMaxAge: 1h
accessTokenInactivityTimeout: 30m
identityProviders:
- name: ldap
type: LDAPIdentityProvider
mappingMethod: auto
provider:
host: 10.253.124.37:40389
managerDN: uid=ann,cn=users,dc=hebmc,dc=com
managerPassword: ann
userSearchBase: cn=users,dc=hebmc,dc=com
loginAttribute: uid
mailAttribute: mail
- name: oauth2
mappingMethod: auto
type: AliyunIDaasProvider
provider:
clientID: kubesphere
clientSecret: kubesphere
endpoint:
authURL: http://sam-portal.dev2.ict.cmcc/oauth/authorize
tokenURL: http://sam-portal.dev2.ict.cmcc/oauth/token
userInfoUrl: http://sam-portal.dev2.ict.cmcc/user/me
redirectURL: http://jira2.dev2.ict.cmcc/plugins/servlet/oauth/callback
scopes:
-all
ldap:
host: openldap.kubesphere-system.svc:389
managerDN: cn=admin,dc=kubesphere,dc=io
managerPassword: admin
userSearchBase: ou=Users,dc=kubesphere,dc=io
groupSearchBase: ou=Groups,dc=kubesphere,dc=io
redis:
host: redis.kubesphere-system.svc
port: 6379
password: ""
db: 0
s3:
endpoint: http://minio.kubesphere-system.svc:9000
region: us-east-1
disableSSL: true
forcePathStyle: true
accessKeyID: openpitrixminioaccesskey
secretAccessKey: openpitrixminiosecretkey
bucket: s2i-binaries
mysql:
host: mysql.kubesphere-system.svc:3306
username: root
password: password
maxIdleConnections: 100
maxOpenConnections: 100
maxConnectionLifeTime: 10s
network:
enableNetworkPolicy: true
devops:
host: http://ks-jenkins.kubesphere-devops-system.svc/
username: admin
password: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6ImFkbWluQGt1YmVzcGhlcmUuaW8iLCJ1c2VybmFtZSI6ImFkbWluIiwidG9rZW5fdHlwZSI6InN0YXRpY190b2tlbiJ9.X_yErokndO8OvBsiVCIre0agP_qj9PfDZcFJ4rUBkDQ
maxConnections: 100
servicemesh:
istioPilotHost: http://istio-pilot.istio-system.svc:8080/version
jaegerQueryHost: http://jaeger-query.istio-system.svc:16686
servicemeshPrometheusHost: http://prometheus-k8s.kubesphere-monitoring-system.svc:9090
openpitrix:
runtimeManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9103”
clusterManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9104”
repoManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9101”
appManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9102”
categoryManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9113”
attachmentManagerEndpoint: “hyperpitrix.openpitrix-system.svc:9122”
repoIndexerEndpoint: “hyperpitrix.openpitrix-system.svc:9108”
monitoring:
endpoint: http://prometheus-operated.kubesphere-monitoring-system.svc:9090
logging:
host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
indexPrefix: ks-logstash-log
events:
host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
indexPrefix: ks-logstash-events
auditing:
enable: true
host: http://elasticsearch-logging-data.kubesphere-logging-system.svc:9200
indexPrefix: ks-logstash-auditing
alerting:
endpoint: http://alerting-client-server.kubesphere-alerting-system.svc:9200/api/
notification:
endpoint: http://notification.kubesphere-alerting-system.svc:9200

    tjushilei

    1. 参照kubesphere/pkg/apiserver/authentication/identityprovider/github/github.go 实现 identityprovider.OAuthProviderinit时注册
    func init() {
    	identityprovider.RegisterOAuthProvider(&Github{})
    }
    1. kubesphere/pkg/apiserver/authentication/options/authenticate_options.go 中引用新的插件
    import (
    	"fmt"
    	"github.com/spf13/pflag"
    	_ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/aliyunidaas"
    	_ "kubesphere.io/kubesphere/pkg/apiserver/authentication/identityprovider/github"
    	"kubesphere.io/kubesphere/pkg/apiserver/authentication/oauth"
    	"time"
    )
    1. 插件通过 kubesphere-config 中 authentication.oauthOptions.identityProviders 部分进行配置,其中provider是动态配置, 也就是插件中的 *oauth.DynamicOptions

      tjushilei
      正确配置后前端页面应该正常打开, 且展示oauth登录项

      另外 redirectURL 需要配置为 http(s)://<ks-console域名/IP+端口>/oauth/redirect,另外还需要在 OAuth2 Server 配置好redirectURL , 登录后需要重定向到 "http(s)://<ks-console域名/IP+端口>/oauth/redirect

        tjushilei 方向不要搞反了, kubesphere OAuth2是通过OAuth2 接入其他 OAuth2 Provider 中的账户,再 redirecrt到kubesphere,而不是把 kubesphere 作为identity provider

        hongming 您好,能提供一下配置Kubesphere使用github的oauth2协议时的配置文件吗

          nanjofan 注意用kubespheredev/ks-apiserver:latest

              authentication:
                authenticateRateLimiterMaxTries: 10
                authenticateRateLimiterDuration: 10m0s
                loginHistoryRetentionPeriod: 7d
                maximumClockSkew: 10s
                multipleLogin: true
                kubectlImage: kubesphere/kubectl:v1.0.0
                jwtSecret: "xxxxx"
                oauthOptions:
                  accessTokenMaxAge: 1h
                  accessTokenInactivityTimeout: 30m
                  identityProviders:
                  - name: github
                    type: GitHubIdentityProvider
                    mappingMethod: mixed
                    provider:
                      clientID: 'xxx'
                      clientSecret: 'xxx'
                      endpoint:
                        authURL: 'https://github.com/login/oauth/authorize'
                        tokenURL: 'https://github.com/login/oauth/access_token'
                      redirectURL: 'http(s)://<ks-console域名/IP+端口>/oauth/redirect'
                      scopes:
                      - user

          tjushilei 看配置没啥问题, 检查一下 image 对不对

          imageID: docker-pullable://kubespheredev/ks-apiserver@sha256:40f3652c1550977d365f9bb0bf94c63d344cf51db99793678eec562e3e2d0525

            请问一下, identityProviders: type: 的名字可以随便写吗,我们公司是自己封装的oauth

              您好,我想表达的是能直接使用 identityProviders: type=AliyunIDaasProvider,而实际endpoint配置成公司自己的oauth2 server地址,这样就不用再改源码了?这样可以吗

                hongming 可以直接在3.0版本上添加自定义idp吗?我替换成kubespheredev/ks-apiserver:latest后,页面响应很慢

                  hongming
                  1.我们现在用的kubesphere 3.0的正式版,用您这个kubespheredev/ks-apiserver替换了之后启动不起来(登录界面只显示一对大括号“{}”),这是为什么,是替换了之后还需要设置什么吗?
                  2.因为您说的这个镜像启动不起来,所以我们现在在Kubesphere的3.0的代码上按您说的方式添加了自己的oauth2代码配置,编译后把我们的Kubesphere的ks-apiserver服务替换掉,这样虽然可以正常启动,但是登录界面仍然没有显示oauth2登录,这还需要额外配置什么东西吗?

                    tjushilei 没有额外的配置了,kubespheredev/ks-apiserver:latest只是增加了部分插件配置,登录界面只显示一对大括号“{}”这个问题不应该, 可以检查一下sha256摘要是否一致,检查下述API的返回,检查一下各组件日志,清理一下浏览器缓存

                    curl http://ks-apiserver.kubesphere-system.svc/kapis/config.kubesphere.io/v1alpha2/configs/oauth

                    hongming 你好我这边配置oauth2显示出来了,显示大括号“{}”的原因找到了,是因为ldap和oauth2同时配置的问题,那么请问ldap和oauth2不能同时配置吗?只能生效一个吗?


                    oauth2认证请求token授权获取到code后,apiserver后台总报这个错,这个什么原因?