Hi @srgbnd
Yes, NGINX is integrated with Keycloak. The users are not stored in the SG internal database; we are only sending proxy headers to Kibana.
Below is the NGINX configuration.
kind: Ingress
metadata:
annotations:
XXXX/platform-shared-addresses: |
{"PLATFORM_LOGS_EXTERNAL_ADDRESS": "https://IP/XXXX"}
ingress.citm.XXXX.com/sticky-route-services: $cookie_JSESSIONID|JSESSIONID ip_cookie
kubernetes.io/ingress.class: oam
nginx.ingress.kubernetes.io/configuration-snippet: |
more_clear_headers 'X-Frame-Options';
access_by_lua_block {
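local paas = require "paas"
-- checkAuth() is expected to return the validated login result; its id_token
-- carries preferred_username and groups (presumably from Keycloak -- confirm).
local res = paas.checkAuth()
local token = res and res.id_token
if not token then
  -- The original indexed res.id_token unconditionally and raised (HTTP 500);
  -- fail closed explicitly and leave a trace in the error log.
  ngx.log(ngx.ERR, "paas.checkAuth() returned no id_token")
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- Derive the cluster name from DOMAIN_NAME: drop a leading "oam" and keep the
-- first dotted label (e.g. "oamfoo-bar.example.com" -> "foo-bar").
-- The original called :gsub() on os.getenv() directly and raised when the
-- variable was unset; fail closed explicitly instead.
local domain = os.getenv("DOMAIN_NAME")
local cluster = domain and domain:gsub("^oam", ""):match("([%w%-]+)%..+$")
if not cluster then
  ngx.log(ngx.ERR, "cannot derive cluster from DOMAIN_NAME=", tostring(domain))
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

local compaas_admin = "c:admin:" .. cluster
-- cluster is interpolated into a Lua pattern below; "-" is the only pattern
-- magic character that [%w%-]+ can have captured, so it is the only one to escape.
local cluster_pat = cluster:gsub("%-", "%%-")

-- Group naming as implied by the patterns:
--   "c:admin:<cluster>"                        -> compaas:admin
--   "n:<type>:<cluster>.<label>.<tenant>"      -> <tenant>, or <tenant>_monitor
-- NOTE(review): the pattern is unanchored, as in the original; prefix it with
-- "^" once it is confirmed that tenant groups always start with "n:".
local tenant_pat = "n:([a-z]+):" .. cluster_pat .. "%.[%w%-]+%.([%w%-]+)"

-- Collect roles in a table and join once instead of building the string with
-- ".." in the loop and stripping the trailing comma afterwards.
local roles = {}
-- A token without a groups claim yields an empty role list (the original
-- raised on ipairs(nil), which became an HTTP 500).
for _, group in ipairs(token.groups or {}) do
  if group == compaas_admin then
    roles[#roles + 1] = "compaas:admin"
  else
    -- Take type and tenant from the same match so the two cannot come from
    -- different positions in the group name.
    local tenant_type, tenant = group:match(tenant_pat)
    if tenant then
      if tenant_type == "monitor" then
        roles[#roles + 1] = tenant .. "_monitor"
      else
        roles[#roles + 1] = tenant
      end
    end
  end
end

-- set_header replaces any value the client sent, so the upstream only ever
-- sees the identity and role list computed here.
ngx.req.set_header("x-proxy-user", token.preferred_username)
ngx.req.set_header("x-proxy-roles", table.concat(roles, ","))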
}
nginx.ingress.kubernetes.io/limit-connections: "50"
nginx.ingress.kubernetes.io/limit-rpm: "600"
nginx.ingress.kubernetes.io/limit-rps: "50"
nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
creationTimestamp: "2020-12-16T17:15:45Z"
generation: 1
name: Namespace.XXXX.5601
namespace: XXXX
resourceVersion: "206623"
selfLink: /apis/extensions/v1beta1/namespaces/xxxx/ingresses/Namespace.XXXX.5601
uid: 26393be3-a51c-4bbd-b7a4-76398a4e6d5a
spec:
rules:
- host: XXXX
http:
paths:
- backend:
serviceName: kibana
servicePort: 5601
path: /xxxx/?(.*)
After approximately 1 hour, the session times out.
Thanks.