FusionAuth / fusionauth-containers

Container definitions for docker, kubernetes, helm, and whatever containers come next!
https://fusionauth.io/

Example: usage with Kubernetes #8

Closed lamuertepeluda closed 5 years ago

lamuertepeluda commented 5 years ago

Hi there,

great work: I was trying to use the kubernetes setup locally with minikube.

The container setup seems to work well.

However, there is no way I could get it working (meaning: accessing it from outside the cluster) with an ingress such as traefik, except by using port forwarding (which is a non-solution):

kubectl port-forward svc/fusionauth 9011:9011

I tried adding this traefik configuration for an ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fusionauth
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: fusionauth.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: fusionauth
              servicePort: 9011

I followed this guide and used a Deployment for the access. fusionauth.minikube is something like: clusterIp: where port was assigned to the deployment, in my case 30657

Browsing to http://fusionauth.minikube:30657 I get a nasty error


"error_description" : "Invalid redirection uri http://fusionauth.minikube:30657:30657/login",

What am I doing wrong here?

Thank you

robotdan commented 5 years ago

Hi, thanks for opening an issue so that we can assist you.

Make sure the configured redirect URI in the FusionAuth application is correct.

If that is correct, this is likely a proxy configuration issue. Review these issues for further context.

https://github.com/FusionAuth/fusionauth-issues/issues/112#issuecomment-481724601
https://github.com/FusionAuth/fusionauth-issues/issues/114#issuecomment-482424013
https://github.com/FusionAuth/fusionauth-issues/issues/92#issuecomment-474906718

TL;DR You'll have to let FusionAuth know what the public URL is by using X-Forwarded- headers. Some of these headers may already be added, so you could use set headers to ensure the headers are not duplicated.

appendHeaders:
        "x-forwarded-port": "30657"

If your browser sees http://fusionauth.minikube and the error says http://fusionauth.minikube:30657:30657 then the scheme and host look correct, just the port is wrong.
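
Added example, not part of the original thread and not FusionAuth's code: a sketch of how an application behind a proxy might rebuild its public origin from the Host and X-Forwarded-* headers, showing how a host value that already carries a port plus a separate port header can yield a doubled port like the one in the error above. The function names, the `allowed_hosts` parameter and the mechanism itself are assumptions for illustration; the header values are the ones quoted in this thread.

```python
DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed request headers, using the host and port quoted in this thread.
SAMPLE = {"Host": "fusionauth.minikube:30657", "X-Forwarded-Port": "30657"}

def _last(value):
    # A proxy that appends instead of sets yields "a, b"; keep the entry
    # written last, i.e. by the proxy closest to the application.
    return value.split(",")[-1].strip() if value else ""

def split_host(host):
    """Split 'name[:port]' into (name, port); IPv6 literals keep their brackets."""
    if host.startswith("["):
        name, _, rest = host.partition("]")
        return name + "]", rest.lstrip(":")
    name, _, port = host.partition(":")
    return name, port

def naive_base_url(headers):
    """Appends the forwarded port to a host value that may already carry one."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("x-forwarded-host") or h["host"]
    port = h.get("x-forwarded-port")
    scheme = h.get("x-forwarded-proto", "http")
    return f"{scheme}://{host}:{port}" if port else f"{scheme}://{host}"

def base_url(headers, allowed_hosts):
    """Rebuild the public origin; reject hosts outside allowed_hosts."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = _last(h.get("x-forwarded-proto")) or "http"
    name, host_port = split_host(_last(h.get("x-forwarded-host")) or h["host"])
    # An explicit forwarded port wins over a port embedded in the host value.
    port = _last(h.get("x-forwarded-port")) or host_port
    if scheme not in DEFAULT_PORTS or name not in allowed_hosts:
        raise ValueError("unexpected scheme or host")
    if port and not (port.isascii() and port.isdigit()):
        raise ValueError("non-numeric port")
    # Default ports are left out so the origin matches what the browser shows.
    if not port or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{name}"
    return f"{scheme}://{name}:{port}"
```

Because the rebuilt origin ends up in redirect URIs, the proxy should overwrite these headers rather than pass through whatever the client sent, and the application should accept only hostnames it expects.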

lamuertepeluda commented 5 years ago

@robotdan Thank you very much! You pointed me to the right solution.

I'm posting my solution here (in case somebody else finds it useful):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: fusionauth
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/custom-request-headers: "X-Forwarded-Port:30657||X-Forwarded-Host:fusionauth.minikube"
spec:
  rules:
    - host: fusionauth.minikube
      http:
        paths:
          - path: /
            backend:
              serviceName: fusionauth
              servicePort: 9011

robotdan commented 5 years ago

Thanks @lamuertepeluda for posting your solution! I am sure someone else will find it useful.

In the next release of FusionAuth we will post a large warning on the dashboard when these headers are not set correctly when behind a proxy. We hope this will reduce how many run into this issue.

lamuertepeluda commented 5 years ago

This project rocks! 🎸