How can I make IS4 work when deployed to a local K8s cluster alongside another service?

8/23/2019

I have IS4 deployed to a K8s cluster. On the same cluster I have a WebApp which the User is calling in to.

User (goes to) -> WebApp (redirects when not authed) -> IS4.

The issue I'm having is that when I set options.Authority on the WebApp to the external FQDN, then the WebApp fails to find the discovery document. When I set options.Authority to the internal service name, then the User is redirected to an authorize endpoint they cannot access.

I have tried configuring all of these in IS4: Authority, PublicOrigin & IssuerUri.

While AKS gives me the ability to resolve the external DNS and through some sort of magic it routes correctly, I'm unable to develop locally due to this resolution issue.

The options I can think of are:

  1. Update K8s to force pods to do a "full" DNS lookup.
  2. Update IS4 to have the servers communicate using one set of URLs and the users communicate using another.

I cannot find much on either of these subjects, so advice would be welcome.

Ideally, I'd like the K8s services to communicate using the internal service names, and when a user needs to authenticate, they are directed to the publicly available address.

-- Stevey
identityserver4
kubernetes
nginx

1 Answer

8/28/2019

It turns out that having an internal service name isn't allowed ("all parties must use the same DNS name"): https://github.com/IdentityServer/IdentityServer4/issues/3568#event-2588006001

-- Stevey
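The "all parties must use the same DNS name" rule in the answer follows from two checks an OpenID Connect client performs: the `issuer` in the discovery document must equal the authority the client fetched it from, and every endpoint in the document must be reachable by the party that calls it (the WebApp backend for discovery, token and JWKS; the user's browser for the authorize endpoint). The script below is an added example, not code from the question, the answer or IdentityServer4; the discovery document and the hostnames (`auth.example.test`, `identityserver.default.svc.cluster.local`) are constructed placeholders, and reachability is modelled as simple sets of hostnames rather than real DNS.

```python
"""Added example: why a split internal/external authority breaks OIDC discovery.
Constructed data only; hostnames are placeholders, not real deployments."""
import json
from typing import List, Set
from urllib.parse import urlparse

# Constructed placeholders for the two names in the question.
EXTERNAL = "https://auth.example.test"                              # public FQDN
INTERNAL = "http://identityserver.default.svc.cluster.local"        # K8s service name
EXTERNAL_HOST = urlparse(EXTERNAL).netloc
INTERNAL_HOST = urlparse(INTERNAL).netloc

# Constructed: what IS4 would publish with IssuerUri set to the external FQDN.
DISCOVERY_EXTERNAL_ISSUER = json.dumps({
    "issuer": EXTERNAL,
    "authorization_endpoint": EXTERNAL + "/connect/authorize",
    "token_endpoint": EXTERNAL + "/connect/token",
    "jwks_uri": EXTERNAL + "/.well-known/openid-configuration/jwks",
})


def discovery_url(authority: str) -> str:
    # OIDC Discovery: metadata lives under /.well-known/openid-configuration
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(authority: str, document_json: str) -> List[str]:
    """Checks a strict OIDC client applies to a fetched discovery document.
    Returns a list of problems; empty means the document is acceptable.
      1. issuer must equal the configured authority (OIDC Discovery 4.3);
      2. endpoints must live on the authority's host, otherwise the client
         ends up talking to a name it was never configured to trust."""
    doc = json.loads(document_json)
    problems: List[str] = []
    authority = authority.rstrip("/")
    issuer = doc.get("issuer", "").rstrip("/")
    if issuer != authority:
        problems.append(f"issuer mismatch: authority {authority!r}, issuer {issuer!r}")
    auth_host = urlparse(authority).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key)
        if not endpoint:
            problems.append(f"missing {key}")
            continue
        host = urlparse(endpoint).netloc
        if host != auth_host:
            problems.append(f"{key} host {host!r} differs from authority host {auth_host!r}")
    return problems


def check_flow(authority: str, document_json: str,
               pod_can_reach: Set[str], browser_can_reach: Set[str]) -> List[str]:
    """Combine the document checks with who has to reach which endpoint.
    The WebApp backend (a pod) fetches discovery, tokens and JWKS;
    only the user's browser follows the redirect to the authorize endpoint."""
    problems = validate_discovery(authority, document_json)
    doc = json.loads(document_json)
    for url in (discovery_url(authority), doc.get("token_endpoint"), doc.get("jwks_uri")):
        if url and urlparse(url).netloc not in pod_can_reach:
            problems.append(f"backend cannot reach {url}")
    authorize = doc.get("authorization_endpoint")
    if authorize and urlparse(authorize).netloc not in browser_can_reach:
        problems.append(f"browser cannot reach {authorize}")
    return problems


if __name__ == "__main__":
    local_pods = {INTERNAL_HOST}                  # local cluster: pods resolve only service names
    aks_pods = {INTERNAL_HOST, EXTERNAL_HOST}     # AKS case: pods also resolve the public FQDN
    browser = {EXTERNAL_HOST}
    for label, authority, pods in (("local, external authority", EXTERNAL, local_pods),
                                   ("local, internal authority", INTERNAL, local_pods),
                                   ("AKS, external authority", EXTERNAL, aks_pods)):
        print(label, "->", check_flow(authority, DISCOVERY_EXTERNAL_ISSUER, pods, browser) or "OK")
```

Running it reproduces the three situations in the question: with the external authority on a local cluster every backend call fails because the pod cannot resolve the public name; with the internal authority the document itself is rejected (issuer and endpoint hosts do not match) and the backend still cannot reach the external token and JWKS URLs; only when pods can resolve the single public name, as on AKS, does the flow pass, which is the question's option 1 rather than option 2.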
Source: StackOverflow