
Integrating Keycloak and LDAP in a Monitor Stack with NGINX

Purpose: add authentication (Keycloak) and authorization to the Monitor Stack components.

Need to know

Monitor Stack components: Kibana, Prometheus, AlertManager, and any other component that has a UI.

Architecture


NGINX with Keycloak and LDAP add-ons, proxying to:
nginx ->
Kibana (Elasticsearch + Fluent Bit + Kibana),
Prometheus, Alertmanager, Grafana

Deploy by Helm Chart

  1. Platform chart (logic)
  2. DevOps values (settings)

DevOps values settings

NGINX and Keycloak for authentication

The NGINX URL is the externally exposed entry point for the service. Authentication and authorization are handled centrally at NGINX, so only specific users can use the service.
Once authentication and authorization have completed, NGINX forwards the request to the in-cluster Kubernetes service.

There can be one or more Virtual Service hosts, each representing the entry point for a different service.

  • In NGINX's Keycloak settings, set the client ID and private key
  • In Keycloak, set the redirect URI/URL to {NGINX's URL for Kibana, Prometheus, Alertmanager}

(Verification) After the settings are in place, the actual runtime flow is:

user (person) -> enters NGINX's URL in the browser -> Keycloak (login) -> {NGINX's URL for Kibana, Prometheus, Alertmanager}

NGINX and LDAP for authorization

LDAP: Lightweight Directory Access Protocol
NGINX connection settings for LDAP:

  1. LDAP URL
  2. LDAP port
  3. LDAP SSL: true or false
  4. LDAP bind account
  5. LDAP bind password

Note: LDAP port, SSL and certificate
With port 389, SSL is set to false and no certificate is needed -> this tells us that, with certificates out of the picture, the LDAP credentials or the account's enabled status in LDAP determine the LDAP connection result (Bind to LDAP result).

With port 636, SSL is set to true and the correct certificate for the LDAP URL (domain) must be added -> whether the certificate is correct can be tested ahead of time with an openssl command that connects to the LDAP URL using the certificate.

Where to check the result of NGINX's LDAP connection:
Argo CD log | Kube Dashboard pod log | end-to-end check via NGINX's URLs

Possible causes of an LDAP Bind Error:
(1) wrong password
(2) correct credentials, but the LDAP account status is Disabled
(3) wrong certificate in place when using LDAP port 636 with SSL true

Error message format for (1) and (2):
"The exception is [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data <HEX>, vece ]."

(1) Code 49 Hex 52e : ERROR_LOGON_FAILURE, Returns when username is valid but password/credential is invalid.
(2) Code 49 Hex 533 : ERROR_ACCOUNT_DISABLED, Administratively Disabled: LDAP User-Account-Control Attribute - ACCOUNTDISABLE, NOTE: Returns only when presented with valid username and password/credential.

(3) The error message contains the issuer, or matches the output of running openSSL XXX {cert} XXX {LDAP URL} (Command to Verify LDAP Connection via OpenSSL); see that output for more info (SSL handshake bytes and verification result/code).

Troubleshooting

ldap.wiki.com: Common Active Directory Bind Errors

How does NGINX link to the actual upstream service?
Use the Kubernetes internal service (internal endpoint); it can be found in the Kube Dashboard's Service section.

Tool

Two openssl commands:

  • Convert the source certificate (cer/crt) to pem
  • Use the pem to test whether the SSL handshake with the LDAP URL succeeds

Note: The deployment environment (Stage) determines which certificate to download; finally, the openssl command XXX pem XXX connect LDAP URL confirms whether that certificate can connect to the configured LDAP URL.
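As an added example (not part of the original note), a POSIX shell script that covers the two openssl steps above and the bind-error subcodes listed under LDAP Bind Error. The host name, port and certificate path are assumed placeholders; the subcodes beyond 52e and 533 are the standard Active Directory AcceptSecurityContext values, added here beyond what the note lists.

```shell
#!/bin/sh
# Added example, not from the original note.
# Assumed placeholder values: LDAP host ldap.example.internal, port 636,
# source certificate ./ldap-ca.cer (DER or PEM).

# Step 1: convert a DER-encoded .cer/.crt to PEM. If the file is already PEM,
# the DER read fails and the PEM read is used instead.
cer_to_pem() {
  in="$1"; out="$2"
  openssl x509 -inform DER -in "$in" -out "$out" 2>/dev/null \
    || openssl x509 -inform PEM -in "$in" -out "$out"
}

# Step 2: TLS handshake against the LDAPS endpoint with the PEM as trust anchor.
# Prints the verify lines and returns 0 only on "Verify return code: 0 (ok)".
# -servername sends SNI so the certificate is matched against the LDAP URL host.
ldaps_handshake_check() {
  host="$1"; port="${2:-636}"; ca_pem="$3"
  result=$(openssl s_client -connect "$host:$port" -servername "$host" \
             -CAfile "$ca_pem" -verify_return_error </dev/null 2>&1)
  echo "$result" | grep -E '^(Verify return code|verify error)'
  echo "$result" | grep -q 'Verify return code: 0 (ok)'
}

# Step 3: map the "data <HEX>" field of an AD "error code 49" bind failure
# to its meaning. 52e and 533 are the cases from the note; the rest are the
# other standard AcceptSecurityContext subcodes.
ldap_bind_error_reason() {
  msg="$1"
  hex=$(printf '%s' "$msg" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' \
          | tr '[:upper:]' '[:lower:]')
  case "$hex" in
    52e) echo "ERROR_LOGON_FAILURE: valid username, invalid password" ;;
    533) echo "ERROR_ACCOUNT_DISABLED: account disabled (ACCOUNTDISABLE)" ;;
    525) echo "user not found" ;;
    530) echo "not permitted to log on at this time" ;;
    532) echo "password expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    "")  echo "no 'data <HEX>' field: not a credential error, check certificate/SSL" ;;
    *)   echo "unknown subcode $hex" ;;
  esac
}
```

Typical use: cer_to_pem ./ldap-ca.cer ./ldap-ca.pem, then ldaps_handshake_check ldap.example.internal 636 ./ldap-ca.pem; feed a bind-error line from the pod log to ldap_bind_error_reason.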

Extension: the original service is reachable directly and now also through NGINX. How do you close the original entry point and keep only the one with authentication and authorization?

keyword: K8s Virtual Service and Service

Disable (comment out) the original service's Virtual Service configuration and paste the value of the original Virtual Service host into NGINX's URL, so existing users switch over without disruption.

Alternatively, route the Virtual Service to a different service port rather than the original service, when the Service exposes different ports for different purposes.
Ex: keep only the home page (8080), not the detail pages (5000) -> the Virtual Service routes only to the home page (8080)

Based on whether traffic comes from inside or outside K8s:
(1) exposed outside the cluster -> inner cluster
(2) inner cluster only

Extension: file extension cer vs crt


ref: OpenSSL LDAP Certificate Check