How do you deploy Identity Server on Kubernetes?
I want to deploy Identity Server 4 on Kubernetes 1.8, and use this as a Federation Gateway between my web application and Azure Active Directory (to begin with).

If I call Identity Server from my web application using the local k8s service name, my users are redirected to the wrong Identity Server URL (containing the local k8s service name) during sign-in, which clearly won't work. We are using an implicit flow.

I therefore set up an Azure Load Balancer with a DNS name and configured Identity Server to be externally accessible, with the domain name as the PublicOrigin URL.

However, my web application which runs in the same cluster cannot access Identity Server using the external URL of the Identity Server (discovery fails).

If I run Identity Server on another Kubernetes cluster then everything works fine.

My question is:

How do you properly deploy Identity Server in Kubernetes? Do I really need another Kubernetes cluster?

Note: I am using Kubernetes on Azure created with ACS engine (because we have mixed Windows and Linux containers).

Carlock answered 8/1, 2018 at 11:48
I'm using AKS (Azure managed kubernetes) and have a single client asp.net core 2 web app in the same cluster as my IS4 service with no issues. Both webapps are fronted by Nginx with kube-lego for LetsEncrypt TLS support, and DNS is provided by Azure DNS. I'm not using the PublicOrigin but instead the client app's Authority (in the openidconnect setup) uses the full (external Azure) DNS name of the IS4 service. You can use PublicOrigin if you want to use the cluster service naming from your clients. - Expeditionary
I'll just add that I'm using Hybrid Flow for the client, but I doubt you using Implicit should make a difference here. - Expeditionary
I just tested this with AKS and you are right, it works. It seems that the Azure ACS engine (v0.8) is configuring my kubernetes in a way that pods cannot connect to other pods using external URLs, which is bizarre. If you propose your solution as the answer I will accept it. - Gaea
It would be interesting to know what's different in ACS, just in case it helps prevent the issue occurring in the future with AKS. - Expeditionary

I'm using AKS (Azure managed kubernetes) and have a single client asp.net core 2 web app in the same cluster as my IS4 service with no issues. Both webapps are fronted by Nginx with kube-lego for LetsEncrypt TLS support, and DNS is provided by Azure DNS.

I'm not using the PublicOrigin but instead the client app's Authority (in the openidconnect setup) uses the full (external Azure) DNS name of the IS4 service. You can use PublicOrigin if you want to use the cluster service naming from your clients.

Expeditionary answered 9/1, 2018 at 9:05
This is the accepted answer from my perspective. I had some strange issues connecting my pods using the external URL of Identity Server, but this turns out to be an issue with my cluster created using Azure ACS. I can confirm that switching over to Azure AKS works fine, as Mark describes above. - Gaea
@Expeditionary I was just wondering: if the identity server uses its own certificate as the documentation does (x509 or something), is it possible that it can collide with LetsEncrypt that is configured in nginx? I'm currently receiving an idx20803 response when trying to reach it from identityserver4.Admin -> identityserver4.sts. - Satirize
@Satirize that cert is likely the token signing certificate. You get a dev one by default, and I think in Duende IdentityServer now it's all managed for you. NOTE: This is NOT the certificate used for securing the URL. I think the recommendation now is always to use the public facing URL no matter if the caller is public or internal, so if you can get to the well-known discovery endpoint from a browser you should be able to from a backend app too. If not, then there's perhaps some other comms issue? - Expeditionary
Yeah, I guess there is something else just blocking this. I currently use the public DNS, but it's only identity.admin that fails. All other services work. Ah well, I will keep trying. Thanks for the help! - Satirize
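The failure both the question and the answer revolve around is a discovery document whose `issuer` and endpoint URLs carry the cluster-internal service name instead of the public DNS name the client uses as its Authority. The check below is an added example, not code from the original thread or from IdentityServer4; it validates a discovery document against the Authority a client is configured with, and the host names `identity.example.com` and `identityserver.default.svc.cluster.local` are constructed placeholders.

```python
"""Validate an OpenID Connect discovery document against the client's Authority.

Added example (not from the original post). The public origin and the
cluster-internal service host below are constructed placeholders.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Endpoints a relying party (or the user's browser, for the authorize and
# end-session endpoints) will actually follow.
ENDPOINT_KEYS = (
    "authorization_endpoint", "token_endpoint", "userinfo_endpoint",
    "jwks_uri", "end_session_endpoint",
)


def discovery_url(authority: str) -> str:
    """The well-known URL the OIDC handler fetches for a given Authority."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict, authority: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable.

    authority is the value the client sets as OpenIdConnectOptions.Authority,
    i.e. the public DNS name of the identity server.
    """
    problems: list[str] = []
    authority = authority.rstrip("/")
    origin = urlsplit(authority)
    issuer = doc.get("issuer", "").rstrip("/")
    # An issuer that differs from the Authority makes the handler reject tokens.
    if issuer != authority:
        problems.append(f"issuer {issuer!r} != authority {authority!r}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if not url:
            continue
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) != (origin.scheme, origin.netloc):
            # A cluster-internal host here sends the browser to an unreachable URL.
            problems.append(f"{key} {url!r} is not under {authority!r}")
        if parts.scheme != "https":
            problems.append(f"{key} {url!r} is not served over https")
    return problems


# Constructed sample: what the server advertises when it only knows its
# in-cluster service name (the symptom described in the question).
INTERNAL_HOST = "http://identityserver.default.svc.cluster.local"
BROKEN_DOC = {
    "issuer": INTERNAL_HOST,
    "authorization_endpoint": INTERNAL_HOST + "/connect/authorize",
    "token_endpoint": INTERNAL_HOST + "/connect/token",
    "jwks_uri": INTERNAL_HOST + "/.well-known/openid-configuration/jwks",
}
# Constructed sample: the same server once the public origin is in use.
PUBLIC_HOST = "https://identity.example.com"
GOOD_DOC = {k: v.replace(INTERNAL_HOST, PUBLIC_HOST) for k, v in BROKEN_DOC.items()}
```

Feed `check_discovery` the JSON fetched from `discovery_url(authority)` from inside the cluster; any reported problem explains a failing sign-in redirect or a rejected token before you start looking at networking.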
