nginxinc / nginx-openid-connect

Reference implementation of OpenID Connect integration for NGINX Plus
https://www.nginx.com/products/nginx/

Issues with OpenidConnect.js and openid_connect.server_conf #22

Closed sammym1982 closed 3 years ago

sammym1982 commented 4 years ago

I am trying out this module by following the tutorial and ran into several issues, which indicates either this tutorial is out of date or there are issues with this module. https://www.nginx.com/blog/nginx-plus-ingress-controller-for-kubernetes-openid-connect-azure-ad/

I gave up after error 3 to confirm if I am doing something very wrong. I followed the tutorial as is (with some changes, as it looks like there are changes in the kubectl config files). We are currently evaluating this module and running into several issues getting this off the ground :(

Error 1:

2020/06/24 02:38:11 [emerg] 52#52: "resolver" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:3
E0624 02:38:11.981791       1 controller.go:459] Error updating endpoints for [default/cafe-ingress]: Error reloading NGINX when updating endpoints: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] \"resolver\" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:3\n"
finished with error: exit status 1

Commented to resolve https://github.com/nginxinc/nginx-openid-connect/blob/9ca73aea7c0401b5e63572d5a0cbea35111880c5/openid_connect.server_conf#L3

Error 2:

I0624 03:26:02.375531       1 event.go:278] Event(v1.ObjectReference{Kind:"Secret", Namespace:"nginx-ingress", Name:"default-server-secret", UID:"e5575df7-1735-458e-86f4-e4f5abe85bad", APIVersion:"v1", ResourceVersion:"17870", FieldPath:""}): type: 'Warning' reason: 'UpdatedWithError' the special Secret nginx-ingress/default-server-secret was updated, but not applied: Error when reloading NGINX when updating the special Secrets: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] \"subrequest_output_buffer_size\" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:4\n"
finished with error: exit status 1

Commented to resolve https://github.com/nginxinc/nginx-openid-connect/blob/9ca73aea7c0401b5e63572d5a0cbea35111880c5/openid_connect.server_conf#L4

Error 3:

I0624 03:27:02.109062       1 event.go:278] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"nginx-ingress", Name:"nginx-config", UID:"9590b8b7-046c-4d1a-906c-81c3de426fd9", APIVersion:"v1", ResourceVersion:"17956", FieldPath:""}): type: 'Warning' reason: 'UpdatedWithError' Configuration from nginx-ingress/nginx-config was updated but was not applied: Error when updating config from ConfigMap: nginx reload failed: Command /usr/sbin/nginx -s reload stdout: ""
stderr: "nginx: [emerg] SyntaxError: Illegal export statement in openid_connect.js:8, included in /etc/nginx/conf.d/default-cafe-ingress.conf:21\n"
finished with error: exit status 1

Looks like the issue is now at https://github.com/nginxinc/nginx-openid-connect/blob/9ca73aea7c0401b5e63572d5a0cbea35111880c5/openid_connect.js#L8
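A triage helper for the three reload failures quoted in the post above, added here as an example and not part of the original thread or the project's code: it pulls the `[emerg]` lines out of ingress-controller output, drops repeats, and separates duplicate-directive errors from njs script load errors. The sample log is trimmed from the lines quoted in the issue; the function name `triage` and the field names are assumptions.

```python
import re

# Trimmed from the log lines quoted in the issue (raw string keeps the \" and \n escapes).
SAMPLE_LOG = r'''
2020/06/24 02:38:11 [emerg] 52#52: "resolver" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:3
stderr: "nginx: [emerg] \"resolver\" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:3\n"
stderr: "nginx: [emerg] \"subrequest_output_buffer_size\" directive is duplicate in /etc/nginx/conf.d/openid_connect.server_conf:4\n"
stderr: "nginx: [emerg] SyntaxError: Illegal export statement in openid_connect.js:8, included in /etc/nginx/conf.d/default-cafe-ingress.conf:21\n"
'''

# Matches both the plain nginx error line and the escaped copy inside the controller's stderr field.
DUPLICATE = re.compile(
    r'\\?"(?P<directive>\w+)\\?" directive is duplicate in (?P<file>\S+?):(?P<line>\d+)')
# njs errors name the script location and the config line whose include loaded it.
NJS = re.compile(
    r'(?P<error>\w*Error: .+?) in (?P<file>\S+?):(?P<line>\d+), '
    r'included in (?P<inc>\S+?):(?P<inc_line>\d+)')


def triage(log_text):
    """Return unique [emerg] findings, in first-seen order, as dicts."""
    seen, findings = set(), []
    for raw in log_text.splitlines():
        if "[emerg]" not in raw:
            continue
        dup, njs = DUPLICATE.search(raw), NJS.search(raw)
        if dup:
            item = {"kind": "duplicate-directive", "directive": dup["directive"],
                    "file": dup["file"], "line": int(dup["line"])}
        elif njs:
            item = {"kind": "njs-load-error", "error": njs["error"],
                    "file": njs["file"], "line": int(njs["line"]),
                    "included_from": f'{njs["inc"]}:{njs["inc_line"]}'}
        else:
            item = {"kind": "unclassified", "text": raw.strip()}
        key = tuple(sorted(item.items()))  # the same error is logged more than once per reload
        if key not in seen:
            seen.add(key)
            findings.append(item)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```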

magicalyak commented 4 years ago

That blog is indeed outdated and I’ll see what I can do about a warning sign or updates. In the meantime, if you went and checked out the latest ingress (1.7.1) and modified the Dockerfile so it uses R22 instead of R21 (I think 1.8 will use R22), you could use this unofficial ansible role to create the nginx-config.yaml you would need. Look at the readme for example variables.

I plan to make this more polished for kic 1.8 when released, but this is not an official nginx role; all it does is convert the files here into usable files for nginx ingress to use. You can use multiple idps, and please let me know your feedback. I’ve been updating it quite regularly.

Thanks for trying this out. If you want to modify this manually I’d suggest running this role once and looking at the output files. Then just make your changes manually afterwards.

You still need the idp information and you’ll need to make an nginx plus ingress image that uses R22 (this will not work on earlier versions) and the njs module (the blog goes through that step). Also note the install from manifests has changed with some files, so make sure you check out 1.7.1 and use those from kubernetes-ingress.

Galaxy: https://galaxy.ansible.com/magicalyak/ansible_role_nginx_ingress_oidc
GitHub: https://github.com/magicalyak/ansible-role-nginx-ingress-oidc

If you haven’t used ansible you just need to install ansible on the machine you want to generate the yaml files on (I usually use the same machine I run kubectl on).

N.B. This is an unofficial role for testing purposes. The goal is to make this more useful and include in an updated blog.

magicalyak commented 4 years ago

@sammym1982 the ansible role should be valid now if you want to try.

tippexs commented 3 years ago

Closing due to inactivity. Please reopen if any more questions arise.